USA Freedumber Will Not Get Better in the “Prosecutors” Committee

/13 Comments/in /by

Having been badly outmaneuvered on USA Freedumber — what was sold as reform but is in my opinion an expansion of spying in several ways — in the House, civil liberties groups are promising a real fight in the Senate.

“This is going to be the fight of the summer,” vowed Gabe Rottman, legislative counsel with the American Civil Liberties Union.

If advocates are able to change the House bill’s language to prohibit NSA agents from collecting large quantities of data, “then that’s a win,” he added.

“The bill still is not ideal even with those changes, but that would be an improvement,” Rottman said.

[snip]

“We were of course very disappointed at the weakening of the bill,” said Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute. “Right now we really are turning our attention to the Senate to make sure that doesn’t happen again.”

[snip]

One factor working in the reformers’ favor is the strong support of Senate Judiciary Chairman Patrick Leahy (D-Vt.).

Unlike House Judiciary Chairman Bob Goodlatte (R-Va.), who only came to support the bill after negotiations to produce a manager’s amendment, Leahy was the lead Senate sponsor of the USA Freedom Act.

The fact that Leahy controls the committee gavel means he should be able to guide the bill through when it comes up for discussion next month, advocates said.

“The fact that he is the chairman and it’s his bill and this is an issue that he has been passionate about for many years” is comforting, Greene said.

I hope they prove me wrong. But claims this will get better in the Senate seem to ignore the recent history of the Senate Judiciary Committee’s involvement in surveillance bills, not to mention the likely vote counts.

It is true Pat Leahy wants real reform. And he has a few allies on SJC. But in recent years, every surveillance-related bill that came through SJC has been watered down when Dianne Feinstein offered an alternative (which Leahy sometimes adopted as a manager’s amendment, perhaps realizing he didn’t have the votes). After DiFi offered reform, Sheldon Whitehouse (who a number of less sophisticated SJC members look to as a guide on these issues) enthusiastically embraced it, and everyone fell into line. Often, a Republican comes in and offers a “bipartisan reform” (meaning conservative Republicans joining with the Deep State) that further guts the bill.

This is how the Administration (shacking up with Jeff Sessions) defeated an effort to rein in Section 215 and Pen Registers in 2009.

This is how DiFi defeated an effort to close the backdoor loophole in 2012.

As this was happening in 2009, Russ Feingold called out SJC for acting as if it were the “Prosecutors Committee,” rather than the Judiciary Committee.

(Note, in both of those cases as well as on the original passage of Section 702, I understood fairly clearly what the efforts to stymie reform would do, up to 4 years before those programs were publicly revealed; I’ve got a pretty good record on this front!)

And if you don’t believe this is going to happen again, tell me why this whip count is wrong:

Screen shot 2014-05-26 at 5.18.49 PM

If my read here is right, the best case scenario — short of convincing Sheldon Whitehouse some of what the government wants to do is unconstitutional, which John Bates has already ruled that it is — is relying on people like Ted Cruz (whose posturing on civil liberties is often no more than that) and Jeff Flake (who was great on these issues in the House but has been silent and absent throughout this entire debate). And that’s all to reach a 9-9 tie in SJC.

Which shouldn’t be surprising. Had Leahy had the votes to move USA Freedom Act through SJC, he would have done so in October.

That was the entire point of starting in the House: because there was such a large number of people (albeit, for the  most part without gavels) supporting real reform in the House. But because reformers (starting with John Conyers and Jerry Nadler) uncritically accepted a bad compromise and then let it be gutted, that leverage was squandered.

Right now, we’re looking at a bill that outsources an expanded phone dragnet to the telecoms (with some advantages and some drawbacks), but along the way resets other programs to what they were before the FISC reined them in from 2009 to 2011. That’s the starting point. With a vote count that leaves us susceptible to further corruption of the bill along the way.

Edward Snowden risked his freedom to try to rein in the dragnet, and instead, as of right now it looks like Congress will expand it.

Update: I’ve moved Richard Blumenthal into the “pro reform” category based on this statement after the passage of USA Freedumber. Thanks to Katherine Hawkins for alerting me to the statement.

Four Reasons USA Freedumber is Worse than the Status Quo

/15 Comments/in /by

In the post-HR 3361 passage press conference yesterday, Jerry Nadler suggested the only reason civil libertarians oppose the bill is because it does not go far enough.

That is, at least in my case, false.

While I have concerns about unintended consequences of outsourcing holding the call data to the telecoms (see my skepticism that it ends bulk collection here and my concerns about high volume numbers here), there are a number of ways that USA Freedumber is worse than the status quo.

These are:

  • The move to telecoms codifies changes in the chaining process that will almost certainly expand the universe of data being analyzed
  • In three ways, the bill permits phone chaining for purposes outside of counterterrorism
  • The bill weakens minimization procedures on upstream collection imposed by John Bates, making it easier for the government to collect domestic content domestically
  • The bill guts the current controls on Pen Register authority, making it likely the government will resume its Internet dragnet

The NSA in your smart phone: Freedumber codifies changes to the chaining process

As I have described, the language in USA Freedumber makes it explicit that the government and its telecom partners can chain on connections as well as actual phone call contacts. While the new automatic search process approved by the FISA Court in 2012 included such chaining, by passing this bill Congress endorses this approach. Moreover, the government has never been able to start running such automatic queries; it appears they have to outsource to the telecoms to be able to do so (probably in part to make legal and technical use of location data). Thus, moving the phone chaining to the telecoms expands on the kinds of chaining that will be done with calls.

We don’t know all that that entails. At a minimum (and, assuming the standard of proof is rigorous, uncontroversially) the move will allow the government to track burner phones, the new cell phones targets adopt after getting rid of an old one.

It also surely involves location mapping. I say that, in part, because if they weren’t going to use location data, they wouldn’t have had to move to the telecoms. In addition, AT&T’s Hemisphere program uses location data, and it would be unrealistic to assume this program wouldn’t include at least all of what Hemisphere already does.

But beyond those two functions, your guess is as good as mine. While the chaining must produce a Call Detail Record at the interim step (which limits how far away from actual phone calls the analysis can get), it is at least conceivable the chaining could include any of a number of kinds of data available to the telecoms from smart phones, including things like calendars, address books, and email.

The fact that the telecoms and subsidiary contractors get immunity and compensation makes it more likely that this new chaining will be expansive, because natural sources of friction on telecom cooperation will have been removed.

Freedumber provides three ways for NSA to use the phone dragnet for purposes besides counterterrorism

As far as we know, the current dragnet may only be used for actual terrorist targets and Iran. But USA Freedumber would permit the government to use the phone dragnet to collect other data by:

  • Requiring only that selection terms be associated with a foreign power
  • Permitting the retention of data for foreign intelligence, not just counterterrorism, purposes
  • Allowing the use of emergency queries for non-terrorism uses

Freedumber permits searches on selection terms associated with foreign powers

On its face, USA Freedumber preserves this counterterrorism focus, requiring any records obtained to be “relevant to” an international terrorist investigation. Unfortunately, we now know that FISC has already blown up the meaning of “relevant to,” making all data effectively relevant.

The judicial approval of the specific selection term, however — the court review that should be an improvement over the status quo — is not that tie to terrorism, but evidence that the selection term is a foreign power or agent thereof.

Thus, the government could cite narcoterrorism, and use the chaining program to investigate Mexican drug cartels. The government could raise concerns that al Qaeda wants to hack our networks, and use chaining to investigate hackers with foreign ties. The government could allege Venezuela supports terrorism and investigate Venezuelan government sympathizers.

There are a whole range of scenarios in which the government could use this chaining program for purposes other than counterterrorism.

Freedumber permits the retention of any data that serves a foreign intelligence purpose

And once it gets that data, the government can keep it, so long as it claims (to itself, with uncertain oversight from the FISC) that the data has a foreign intelligence purpose.

At one level, this is a distinction without a difference from the language that USA Freedumb had used, which required the NSA to destroy the data after five years unless it was relevant to a terrorism investigation (which all data turned over to NSA would be, by definition). But the change in language serves as legislative approval that the use of the data received via this program can be used for other purposes.

That will likely have an impact on minimization procedures. Currently, the NSA needs a foreign intelligence purpose to access the corporate store, but can only disseminate data from it for counterterrorism purposes. I would imagine the changed language of the bill will lead the government to successfully argue that the minimization procedures permit the dissemination of US person data so long as it meets only this flimsy foreign intelligence purpose. In other words, US person data collected in chaining would be circulating around the government more freely.

Freedumber’s emergency queries do not require any tie to terrorism

As I noted, the revisions USA Freedumber made to USA Freedumb explicitly removed a requirement that emergency queries be tied to a terrorism investigation.

(A) reasonably determines that an emergency situation requires the production of tangible things to obtain information for an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to protect against international terrorism before an order authorizing such production can with due diligence be obtained;

That’s particularly troublesome, because even if the FISC rules the emergency claim (certified by the Attorney General) was not legally valid after the fact, not only does the government not have to get rid of that data, but the Attorney General (the one who originally authorized its collection) is the one in charge of making sure it doesn’t get used in a trial or similar proceeding.

In short, these three changes together permit the government to use the phone dragnet for a lot more uses than they currently can.

Freedumber invites the expansion of upstream collection

When John Bates declared aspects of upstream collection to be unconstitutional in 2011, he used the threat of referrals under 50 USC 1809(a) to require the government to provide additional protection both to entirely domestic communications that contained a specific selector, and to get rid of domestic communications that did not contain that specific selector at all. The government objected (and considered appealing), claiming that because it hadn’t really intended to collect this data, it should be able to keep it and use it. But ultimately, that threat (especially threats tied to the government’s use of this data for ongoing FISA orders) led the government to capitulate.

The changes in Freedumber basically allow the government to adopt its old “intentional” claim, reversing Bates’ restrictions. Read more

Why USA Freedumber Doesn’t End (What You and I Think of as) Bulk Collection

/5 Comments/in /by

I fear, reading this Kevin Drum post, that my explanations of why USA Freedumber will not end what you and I think of as bulk collection have not been clear enough. So I’m going to try again.

It is now, with the bill in current form, a 4-part argument:

  • The bill uses the intelligence community definition of bulk collection in its claim to end bulk collection, not the plain English language meaning of it
  • The bill retains the “relevant to” language that got us into this problem
  • The “selection terms” it uses to prevent bulk collection would permit the collection of vast swaths of innocent people’s records
  • Such a reading would probably not rely on any new FISA Court opinion; existing opinions probably already authorize such collection

The intelligence versus the plain English definition of bulk collection

This entire bill is based on the intelligence community definition of bulk collection, not the common English definition of it. As defined by President Obama’s Presidential Policy Directive on SIGINT, bulk collection means,

the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).

Bulk collection, as defined by the intelligence commonly, only means collection that obtains all of a particular type of record: all phone records, all Internet metadata, all credit card records. Anything that stops short of that — all 202 Area Code phone records, all credit card records buying pressure cookers, all Internet metadata for email sent to Yemen — would not count as bulk collection under this definition.

A more commonsense meaning of bulk collection would be the collection of large volumes of data, sweeping up the data of totally innocent people, on which to do further (sometimes technically intrusive) searches to find the data of interest. What we call “Big Data,” for example, would very often not qualify as bulk collection as the intelligence community defines it (perhaps its starts with the health data of everyone born after 1946, for example, or the purchase records from just one online store) but would qualify as bulk collection as you and I would define it.

As I explained in this post, the means USA Freedumber uses to ensure that it does not permit bulk collection is to require the collection start from a “selection term.” Thus, by definition, it cannot be bulk collection because the technical (but not commonsense) definition of bulk collection is that which uses a selection term.

And because they defined it that way, it means that every time some well-intentioned Congressman (it was all men, pushing this bill) boasted that this bill “ends bulk collection” they were only laying a legislative record that would prohibit the intelligence community definition of bulk collection, not the commonsense meaning.

The bill retains the “relevant to” language that gave us bulk collection in the first place

Man, Jim Sensenbrenner must have complained about the way the FISA Court reinterpreted the plain meaning of “relevant to” from the 2006 reauthorization of the PATRIOT Act three or four times in the post-passage press conference. He’s still angry, you see, that a court, in secret, defined the term “relevant to” to mean “any data that could possibly include.”

But this bill does nothing to change that erroneous meaning of the term.

Worse, it relies on it!

For most authorities — the Pen Register (PRTT) authority, the non-call record Section 215 authority, and all National Security Letter authorities –USA Freedumber leaves that language intact. It now requires the use of a selection term, but unlike the new call record language, those authorities don’t require that the selection term be “associated with a foreign power or an agent of a foreign power.” (You can compare the language for traditional Section 215 and the new call records Section 215 at b2B and b2C in this post.)  They don’t even require that the selection term itself be relevant to the investigation!

Thus, so long as there is a selection term — some term to ensure the NSA isn’t grabbing all of a certain kind of record — they’re going to still be able to get that data so long as they can argue that sorting through whatever data they get will yield useful information.

“Specific selection term” is too broad

Now, all that wouldn’t matter if the bill required specific selection terms to be tied to the individual or entity under investigation. Even the USA Freedumb bill didn’t require that.

But the language in USA Freedumber that got passed today makes things worse.

SPECIFIC SELECTION TERM.—The term ‘specific selection term’ means a discrete term, such as a term specifically identifying a person, entity, account, address, or device, used by the Government to limit the scope of the information or tangible things sought pursuant to the statute authorizing the provision of such information or tangible things to the Government.’

Again, note that the selection term only needs to limit the scope of production, not have a tie to the target of the investigation.

And while I actually find comfort from some of these terms — I’d be happy if the financial NSLs could only search on a specific account and the toll record NSL could only get phone records of a specific device (though FBI does use NSLs to get 2 degree separation, so this would return more than just that device’s records). As I’ve said in the past, “entity” is far too broad. It could include al Qaeda — allowing the NSA to obtain all data that might have al Qaeda data within it — or VISA — allowing the NSA to obtain all of that credit card entity’s data.

Read more

95 People Learn to Love the Dragnet

/15 Comments/in /by

Earlier this morning, the House passed HR 3361, which I call the USA Freedumber Act.

The bill passed by a large margin: 303 to 121.

That means that somewhere in the neighborhood of 86 people who voted for Amash-Conyers less than a year ago voted for a bill that in some ways expands what the government can do with phone records. For example, today’s bill endorsed the chaining of identifiers “connected” to a chain seed, rather than just chaining on actual phone calls. The FISA Court had endorsed this kind of chaining back in 2012, but it only recently became public, and the government is likely to be able to do far more of this connection-based chaining with the phone records in telecom custody. That surely includes the use of geolocation to make connections, something the government could not legally do under the current program.

In addition, those 95 people who voted against the dragnet last year today endorsed language that seems to permit — and immunize — the Internet dragnet, which has been found to be illegal. If the government chooses to use this new language (and I doubt they would have stuck it in the bill at the last minute if they didn’t intend to use it), then this bill represents a vast expansion of domestic spying off what those 86 people voted against last year.

To be fair, I doubt most of the people who flip-flopped on the dragnet understand this. Mike Rogers and Bob Goodlatte both made misleading comments during the debate, with Rogers outright lying. Even John Conyers and Jerry Nadler (and especially Sheila Jackson Lee) made comments about the bill that are only narrowly true.

That’s all another good reason to call this thing USA Freedumber. Read more

USA Freedumber Appears to Strengthen RuppRoge’s Affirmative Endorsement of an Internet Dragnet

/8 Comments/in /by

Working on a detailed comparison of the difference between the USA Freedumb and USA Freedumber bills, one of the most alarming changes is the gutting of Pen Register minimization procedures. They took language not only adding minimization procedures to Pen Register orders,

(b) APPLICATION.—Section 402(c) (50 U.S.C. 1842(c)), as amended by section 201 of this Act, is further amended by adding at the end the following new paragraph:

(4) a statement of proposed minimization procedures.

(c) ORDER.—Section 402(d) (50 U.S.C. 1842(d)) is amended—

(1) in paragraph (1), by inserting ‘‘and that the proposed minimization procedures meet the definition of minimization procedures under this title’’

But permitting the court to review whether the government met those minimization procedures.

(h) At or before the end of the period of time for which the installation and use of a pen register or trap and trace device is approved under an order or an extension under this section, the judge may assess compliance with the minimization procedures by reviewing the circumstances under which information concerning United States persons was retained or disseminated.’

They even specified the government had to follow those minimization procedures!

USA Freedumber changed that by letting the Attorney General review what are are now called “privacy procedures.”

(h) The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard non-publicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect  national security, include protections for the collection, retention, and use of information concerning United States persons.

They limit the extent of these “privacy procedures” “to the extent practicable … with the need to protect national security.” That is, they don’t have to follow these “privacy procedures” if it’ll harm national security, and the change seems to show legislative intent to deprive the FISC of any review.

That’s alarming for a number of reasons:

  • From the very beginning of the Internet dragnet, the government claimed FISC had almost no authority over the approval process (much less compliance) on Pen Registers
  • This language comes right out of — but makes worse — the section of Mike Rogers’ RuppRoge bill that affirmatively approves the (re)creation of an Internet dragnet
  • There’s a curious entry in the NSA classification guide showing FBI conducting a PRTT program after the time NSA’s program got shut down

NSA versus FISC

According to a footnote in the 2010 John Bates opinion on the Internet dragnet, when the government first applied to Colleen Kollar-Kotelly for a FISC order to authorize the dragnet, they claimed she had no authority to do anything but rubber stamp the application.

2010 Bates Opinion footnote

We know that, having made that argument, the government got caught in violating the rules Kollar-Kotelly placed on the collection, but then continued to violate the rules for at least 5 more years, until 2009, when it got shut down for a while.

It would seem that the original language in USA Freedom Act would have clarified this issue, and made clear the FISC could exercise real oversight over any PRTT collection.

Adopting RuppRoge’s Internet Dragnet language

This language adopts the nomenclature from the HPSCI’s RuppRoge bill. (See page 18.)

But these “privacy procedures” seem qualitatively worse than the RuppRoge bill in several ways. RuppRoge provides loosey goosey judicial review of the privacy procedures. And it did not include the “extent practicable” language.

Given the background — given the fact that the government has already told the FISC it shouldn’t have real oversight over PRTT — this language seems to lay clear legislative intent that FISC should have no role whatsoever, especially not with minimization procedures (which, after all, is what they fought with the FISC over for at least  years).

The secrecy behind the FBI’s PRTT orders on behalf of NSA

PRTT1

Finally, there’s a series of entries on the classification guide for FISA programs leaked by Edward Snowden.

These entries show that FBI obtained counterterrorism information using PRTTs for NSA — which was considered Secret.

But that the FBI PR/TT program — which seems different than these individual orders — was considered TS/SI/NOFORN.

PRTT2

If you compare these entries with the rest of the classification guide, you see that this information — the fact that NSA gets PRTT information from FBI (in addition to information from Pen Registers, which seems to be treated differently at the Secret level)  — is treated with the same degree of secrecy as the actual targeting information or raw collected data on all other programs.

This is considered one of the most sensitive secrets in the whole FISA package.

PRTT3

Even minimized PRTT data is considered TS/SCI.

PRTT4

Now, it is true that this establishes an exact parallel with the BR FISA program (which the classification guide makes clear NSA obtained directly). So it may be attributable to the fact that the existence of the programs themselves was considered a highly sensitive secret.

So maybe that’s it. Maybe this just reflects paranoia about the way NSA was secretly relying on the PATRIOT Act to conduct massive dragnet programs.

Except there’s the date.

This classification guide was updated on February 7, 2012 — over a month after NSA shut down the PRTT program. Also, over a month after — according to Theresa Shea — the NSA destroyed all the data it had obtained under PRTT. (Note, her language seems to make clear that this was the NSA’s program, not the FBI’s.)

That is, over a month after the NSA ended its PRTT program and destroyed the data from it (at least according to sworn declarations before a court), the NSA’s classification guide referred to an FBI PRTT program that it considered one of its most sensitive secrets. And seemed to consider active.

If FBI had a PRTT program active in 2012 that was separate from the NSA PRTT program (I’m not sure that’s the case; it could be they just didn’t update this part of the classification guide), then is it still active? Has the Internet dragnet just moved to FBI?

If so, it’s no wonder why the Intelligence Community would want to guarantee that FISC had no review of it.

Update: Note, too, that the bill removes reporting requirements related to PRTT.

 

Freedumb versus Freedumber

/6 Comments/in /by

I’ve already done a few posts on the USA Freedumber bill, AKA HR 3361. This post shows that the Administration has gotten explicit that the chaining process is now about “connected” identifiers and not necessarily “contacts” between them. And this post shows they’ve added another trough of compensation at which intelligence contractors can feed.

But I realize now it really needs a systematic comparison of the bill with USA Freedumb, the previously gutted manager’s amendment. This will be a working thread.

PDF 3 Freedumber: Includes language explicitly envisioning getting call records outside of the limited method rolled out here.

(including an application for the production of call detail records other than in the manner described in subparagraph (C))

We know they always planned to be able to get historical call records via the old means (though new language in section C makes it clear the systematic program can get historical records too), but I wonder if this is also there to get call detail records from smaller telecoms.

Here’s that historical language:

in the case of an application for the production on a daily basis of call detail records created before, on, or after the date of the application relating to an authorized investigation [my emphasis]

See this post for how they changed the chaining language on PDF 5.

PDF6 : They changed the minimization language to be tied to “foreign intelligence” information. I wrote about it in this post at the Guardian.

PDF 7: They’ve gotten rid of language limiting emergency authorities to terrorist investigations as shown:

(A) reasonably determines that an emergency situation requires the production of tangible things to obtain information for an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to protect against international terrorism before an order authorizing such production can with due diligence be obtained;

The bill keeps the weak prohibition on using stuff that shouldn’t have been gotten under emergency powers (the AG ensures that such data are not used, but then AG is the one who originally thought it’d be kosher in the first place, making the AG the worst person to police its non-usage). So it turns the emergency powers into a bigger loophole.

PDF 11: I noted that they’ve extended compensation beyond just the telecoms to other advisors (AKA Booz). They’ve also given the Booz figures immunity.

(e)(1) No cause of action shall lie in any court against a person who—

(A) produces tangible things or provides information, facilities, or technical assistance pursuant to an order issued or an emergency production required under this section; or

(B) otherwise provides technical assistance to the Government under this section or to implement the amendments made to this section by the USA FREEDOM Act.

PDF 13: Here’s the new definition for Specific Selection Term. I’ll have a post on this later, but suffice it to say that “such as” is the new “relevant to.”

SPECIFIC SELECTION TERM.—The term ‘specific selection term’ means a discrete term, such as a term specifically identifying a person, entity, account, address, or device, used by the Government to limit the scope of the information or tangible things sought pursuant to the statute authorizing the provision of such information or tangible things to the Government.’

I’m not as bugged by “address” or “device” as some others are–I actually think they’re useful. Still, it’s far too broad.

PDF 15: For some reason, Freedumber gives the IC IG 6 months after the DOJ IG finishes his IG report (which retains the gap where 2010 and 2011 are) before he has to submit his report.

Not later than 180 days after the date on which the Inspector General of the Department of Justice submits the report required under subsection (c)(3), the Inspector General of the Intelligence Community  shall submit

These shouldn’t need to be sequential. So I wonder why they did this, if not to delay the required reporting out beyond the beginning of consideration of the sunset.

PDF 18: They can keep on dragnetting up until the moment when the new law goes into effect.

RULE OF CONSTRUCTION.—Nothing in this Act shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) as in effect prior to the effective date described in subsection (a) during the period ending on such effective date.

So they’re stocking up on data. And why not! You never know what fun new data you’ll get under the new system you need a dragnet for?

PDF 19: The NGO community is really excited about this addition.

SEC. 110. RULE OF CONSTRUCTION.

Nothing in this Act shall be construed to authorize the production of the contents (as such term is defined in section 2510(8) of title 18, United States Code) of any electronic communication from an electronic communication service provider (as such term is defined in section 701(b)(4) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1881(b)(4)) under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.).

I’m not so excited. First, while this language makes it clear the bill does not affirmatively authorized such production, if FISC has already approved it, they don’t need a bill, they’ve got authorization. In addition, I think there are some Internet entities that aren’t included in the definition of electronic communication service providers.’

PDF 20: Wow, they’ve utterly gutted the minimization procedures they had tried to add to Pen Register authority (which had included minimization procedures in applications and allowed the judge to review them). Instead of that we get,

(h) The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard nonpublicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect  national security, include protections for the collection, retention, and use of information concerning United States persons.

Which would lead me to believe they either are or intend to resume using this abusively.

PDF 21: THe new bill takes out language trying to cut down on reverse targeting (it had made it illegal if it was a purpose of the acquisition at all). Great. So they’re now legislatively approving reverse targeting.

PDF 21: They changed limits on upstream collection from this:

(B) consistent with such definition, minimize the acquisition, and prohibit the retention and dissemination, of any communication as to which the sender and all intended recipients are determined to be located in the United States and prohibit the use of any discrete, non-target communication that is determined to be to or from a United States person or a person who appears to be located in the United States, except to protect against an immediate threat to  human life.’’.

To this (emphasis mine):

(B) consistent with such definition—

(i) minimize the acquisition, and prohibit the retention and dissemination, of any communication as to which the sender and all intended recipients are determined to be located in the United States at the time of acquisition, consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information; and

(ii) prohibit the use of any discrete communication that is not to, from, or about the target of an acquisition and is to or from an identifiable United States person or a person reasonably believed to be located in the United States, except to protect against an immediate threat to human life.’

The first clause could be read two ways: either to require minimization of data for which recipients were in the US when the data was collected. Or, more likely, they mean to require minimization of data that NSA immediately determines (at the the acquisition) to be in the US. If it’s the latter, it expands upstream collection.

The second clause limits the prohibition on using MCATs (that is, unrelated comms picked up off of targeted comms in the associated inbox) that aren’t targeted to those that involve identifiable US persons. In its discussions with John Bates, the NSA claimed it couldn’t identify which comms were USPs. Which means this would gut the minimization procedures put in place in 2011.

In other words, this language guts John Bates’ efforts to rein in illegal unconstitutional collection of US person content within the US.

PDF 27: As others have noted Freedumber gives the DNI the authority over declassification decisions on significant FISC opinions. It specifies the requirement to apply to any “significant interpretation of the term ‘specific selection term’.”

PDF 33: A reporting requirement on Section 215 is watered down to become a summary of compliance reviews, rather than the reviews themselves.

More troubling still, the same passage eliminates the language requiring reports on PRTT.

(6) any compliance reviews conducted by the Federal Government of electronic surveillance, physical searches, the installation of pen register or trap  and trace devices, access to records, or acquisitions conducted under this Act.’’.

PDF 33-34: Freedumber includes a DNI report of aggregate requests, but only with detail on targets, not on number of people affected (or even number of selectors). This is the cover up report for the dragnets. For NSLs, it also only provides the number of requests for information, but doesn’t break out targets. This may be solely because of the subscriber function but it would seem to permit the hiding of bulk collection under other NSLs. (That is, this may well be worse than current reporting.)

PDF 40: Freedumber shifts reporting requirements pertaining to FISC decisions such that Congress only gets notice of a denied or modified application if it includes a significant construction of law. Given that there’s been a huge increase in modified programs, this would serve to hide the kinds of bulk collection going on. It also takes out a requirement that the government summarize what went on.

In addition, there are changes on transparency the companies can do. I’ll sort that out at another time, but even what is there is not transparent.

New & Improved USA Freedumb Act, with Twice the Contractors Compensated

/3 Comments/in , /by

Somewhere Booz Allen Hamilton Vice Chairman (and former NSA Director) Mike McConnell just said, “Ka-Ching.”

As I noted, the initial manager’s amendment of HR 3361 (AKA USA Freedumb Act) added compensation language to Section 215 that didn’t originally exist.

(j) COMPENSATION.—The Government shall compensate, at the prevailing rate, a person for producing tangible things or providing information, facilities, or assistance in accordance with an order issued or an emergency production required under this section.

In this latest iteration, the compensation has been expanded beyond just the telecoms to anyone else who assists.

(j) COMPENSATION.—The Government shall compensate a person for reasonable expenses incurred for—

(1) producing tangible things or providing information, facilities, or assistance in accordance with an order issued with respect to an application described in subsection (b)(2)(C) or an emergency production under subsection (i) that, to comply with subsection (i)(1)(D), requires an application described in subsection (b)(2)(C); or

(2) otherwise providing technical assistance to the Government under this section or to implement the amendments made to this section by the USA FREEDOM Act.

There’s reason to believe that contractors (AKA Booz!) does some of the triage work on the data currently. So one solution to that problem might be to move those Booz contractors — with their access directly to the raw data of Americans — over to Verizon and AT&T.

Because why shouldn’t NSA contractors be in bed together, wallowing in all your raw data.

Glad to see this bill is improving Intelligence Contractors bottom line, even if it doesn’t improve the dragnet.

The Administration Stops Pretending Phone Dragnet Is Only about Phone Calls

/4 Comments/in /by

The other day, I noted that the language describing contact-chaining had been changed to permit chaining between identifiers that had a “connection” even without any actual phone contact. At a minimum, this permits the government to contact chain on various phones associated with the same person. But in the telecoms hands (which have access to geolocation information the government may not collect under the phone dragnet) it may also mean close proximity.

The Administration made this all more obvious with changes it added to the HR 3361, AKA the USA Freedom (Freedumb) Act. It changed the language on contact chaining from this:

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production;

(II) using the results of the production under subclause (I) as the basis for production; and

(III) using the results of the production under subclause (II) as the basis for production;

To this:

(iii) provide that the Government  may require the prompt production of call  detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii)  as the basis for production; and

(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;

(iv) provide that, when produced, such records be in a form that will be useful to the Government;

Now there is actually an important improvement in this language. The new language requires each step return to a call detail record: a phone number or SIM card number, for example. The telecoms can’t use things like geolocation or email addresses in that interim hop, as they might have been able to do under the previous language.

Though the end results may only need to be “a form that will be useful to the Government.” Before, the end results had to be a CDR; this would seem to permit some other kind of result.

And along the way, the Administration has abandoned all pretense that contact-chaining is only about tracking who calls whom. This language makes clear that the chaining is about connections.

As I said, the most obvious kind of “connection” is a burner phone: identifying the new phone of the same target based off the old phones existing call patterns. And, given the big push to outsource the call records to the telecoms, NSA surely intends to use cell location (the telecoms can legally use location, whereas the NSA is not permitted to under current FISA rules).

But those are only the most obvious applications. It would take a great deal of imagination, I think, to anticipate all the kinds of connections the NSA might ask the telecoms to make for them.

David Barron’s ECPA Memo

/4 Comments/in , /by

Last week, I laid out the amazing coinkydink that DOJ provided Sprint a bunch of FISA opinions — including the December 12, 2008 Reggie Walton opinion finding that the phone dragnet did not violate ECPA — on the same day, January 8, 2010, that OLC issued a memo finding that providers could voluntarily turn over phone records in some circumstances without violating ECPA.

Looking more closely at what we know about the opinion, I’m increasingly convinced it was not a coinkydink at all. I suspect that the memo not only addresses FBI’s exigent letter program, but also the non-Section 215 phone dragnet.

As a reminder, we first learned of this memo when, in January 2010, DOJ’s Inspector General issued a report on FBI’s practice of getting phone records from telecom provider employees cohabiting at FBI with little or no legal service. The report was fairly unique in that it was released in 3 versions: the public unclassified but heavily redacted version, a Secret version, and a Top Secret/SCI version. Given how closely parallel the onsite telecom provider program was with the phone dragnet, that always hinted the report may have touched on other issues.

Roughly a year after the IG Report came out, EFF FOIAed the memo (see page 30). Over the course of the FOIA litigation — the DC Circuit rejected their appeal for the memo in January — DOJ provided further detail about the memo.

Here’s how OLC Special Counsel Paul Colborn described the memo (starting at 25):

The document at issue in this case is a January 8, 2010 Memorandum for Valerie Caproni, General Counsel of the Federal Bureau of Investigation (the “FBI”), from David J. Barron, Acting Assistant Attorney General for the Office of Legal Counsel (the “Opinion”). The OLC Opinion was prepared in response to a November 27, 2009 opinion request from the FBI’s General Counsel and a supplemental request from Ms. Caproni dated December 11, 2009. These two requests were made in order to obtain OLC advice that would assist FBI’s evaluation of how it should respond to a draft Report by the Office of Inspector General at the Department of Justice (the “OIG”) in the course of a review by the OIG of the FBI’s use of certain investigatory procedures.In the context of preparing the Opinion, OLC, as is common, also sought and obtained the views of other interested agencies and components of the Department. OIG was aware that the FBI was seeking legal advice on the question from OLC, but it did not submit its views on the question.

The factual information contained in the FBI’s requests to OLC for legal advice concerned certain sensitive techniques used in the context of national security and law enforcement investigations — in particular, significant information about intelligence activities, sources, and methodology.

Later in his declaration, Colborn makes it clear the memo addressed not just FBI, but also other agencies.

The Opinion was requested by the FBI and reflects confidential communications to OLC from the FBI and other agencies. In providing the Opinion, OLC was serving an advisory role as legal counsel to the Executive Branch. In the context of the FBI’s evaluation of its procedures, the general counsel at the FBI sought OLC advice regarding the proper interpretation of the law with respect to information-gathering procedures employed by the FBI and other Executive Branch agencies. Having been requested to provide counsel on the law, OLC stood in a special relationship of trust with the FBI and other affected agencies.

And FBI Record/Information Dissemination Section Chief David Hardy’s declaration revealed that an Other Government Agency relied on the memo too. (starting at 46)

This information was not examined in isolation. Instead, each piece of information contained in the FBI’s letters of November 27, 2009 and December 11, 2009, and OLC’s memorandum of January 8, 2010, was evaluated with careful consideration given to the impact that disclosure of this information will have on other sensitive information contained elsewhere in the United States intelligence community’s files, including the secrecy of that other information.

[snip]

As part of its classification review of the OLC Memorandum, the FBI identified potential equities and interests of other government agencies (“OGAs”) with regard to the OLC memo. … FBI referred the OLC Memo for consultation with those OGAs. One OGA, which has requested non-attribution, affirmatively responded to our consultation and concurs in all of the classification markings.

Perhaps most remarkably, the government’s response to EFF’s appeal even seems to suggest that what we’ve always referred to as the Exigent Letters IG Report is not the Exigent Letters IG Report!

Comparing EFF’s claims (see pages 11-12) with the government’s response to those claims (see pages 17-18), the government appears to deny the following:

  • The Exigent Letters IG Report was the 3rd report in response to reporting requirements of the USA PATRIOT reauthorization
  • FBI responded to a draft of the IG Report by asserting a new legal theory defending the way it had obtained certain phone records in national security investigations, which resulted in the January 8, 2010 memo
  • The report didn’t describe the exception to the statute involved and IG Glenn Fine didn’t recommend referring the memo to Congress
  • In response to a Marisa Taylor FOIA, FBI indicated that USC 2511(2)(f) was the exception relied on by the FBI to say it didn’t need legal process to obtain voluntary disclosure of phone records

Along with these denials, the government reminded that the report “contained significant redactions to protect classified information and other sensitive information.” And with each denial (or non-response to EFF’s characterizations) it “respectfully refer[red] the Court to the January 2010 OIG report itself.”

The Exigent Letters IG Report is not what it seems, apparently.

With all that in mind, consider two more details. First, as David Kris (who was the Assistant Attorney General during this period) made clear in his paper on the phone (and Internet) dragnet, in addition to Section 215, the government obtained phone records from the telecoms under USC 2511(2)(f), the clause in question.

And look at how the chronology maps.

November 5, 2008: OLC releases opinion ruling sneak peak and hot number requests (among other things) impermissible under NSLs

December 12, 2008: Reggie Walton rules that the phone dragnet does not violate ECPA

Throughout 2009: DOJ confesses to multiple violations of Section 215 program, including:

  • An alert function that serves the same purpose as sneak peaks and also violates Section 215 minimization requirements
  • NSA treated Section 215 derived data with same procedures as EO 12333 data; that EO 12333 data included significant US person data
  • One provider’s (which I originally thought was Sprint, then believed was Verizon, but could still be Sprint) production got shut down because it included foreign-to-foreign data (the kind that, according to the OLC, could be obtained under USC 2511(2)(f)

Summer and Fall, 2009: Sprint meets with government to learn how Section 215 can be used to require delivery of “all” customer records

July 9, 2009: Sprint raises legal issues regarding the order it was under; Walton halts production from provider which had included foreign-to-foreign production

October 30, 2009: Still unreleased primary order BR 09-15

November 27, 2009: Valerie Caproni makes first request for opinion

December 11, 2009: Caproni supplements her request for a memo

December 16, 2009: Application and approval of BR 09-19

December 30, 2009: Sprint served with secondary order

January 7, 2010: Motion to unseal records

January 8, 2010: FISC declassifies earlier opinions; DOJ and Sprint jointly move to extend time when Sprint can challenge order; and OLC releases OLC opinion; FISC grants motion (John Bates approves all these motions)

January 11, 2010: DOJ moves (in a motion dated January 8) to amend secondary order to incorporate language on legality; this request is granted the following day (though we don’t get that order)

January 20, 2010: IG Report released, making existence of OLC memo public

This memo is looking less and less like a coinkydink after all, and more and more a legal justification for the provision of foreign-to-foreign records to accompany the Section 215 provision. And while FBI said it wasn’t going to rely on the memo, it’s not clear whether NSA said the same.

Golly. It’d sure be nice if we got to see that memo before David Barron got to be a lifetime appointed judge.

The “Consult with Congress” Stage of USA Freedumb

/11 Comments/in /by

Remember how, in the days after President Obama announced his principles for reforming the dragnet, his Senior Administration Official pretended that any efforts to make the scope of the program worse would come from Congress?

First and very importantly, the conference call left unclear (and most subsequent reporting often didn’t directly address) whether Obama’s plan would apply just to counterterrorism purposes (as the current phone dragnet does) or more broadly (as the House Intelligence Committee RuppRoge proposal does). But SAO is clear: Obama’s plan focuses on specific terrorist groups.

The existing program only allows for queries of numbers associated with specified terrorist groups. Our operational focus is to make sure we preserve that counterterrorism authority in any new legislation. We will continue consulting with Congress on these issues.

This, then, is another way in which the President’s plan is significantly better than the RuppRoge plan — that it sets out to only cover CT, whereas RuppRoge sets out to cover foreign intelligence purposes broadly. Though that “consult with Congress” bit seems to allow the possibility that the White House will move towards broader use for the query system.

Well, it looks like the Administration isn’t so passive after all. They’re working with House leadership to gut the bill.

TROUBLE FOR USA FREEDOM? – House leadership and Obama administration officials met with committee members Sunday to negotiate changes to key NSA reform legislation, parting late in the evening without reaching a final resolution, said a congressional staffer close to the process. Still, it seems clear that the USA FREEDOM Act, approved by the House Judiciary and Intelligence committees little more than a week ago, will not reach the House floor intact. Some passages have been watered down already, the staffer acknowledged, declining to go into specifics. The bill is set for “possible consideration” this week, according to the schedule circulated by House Majority Leader Eric Cantor’s office.

Word of the talks caused some of the bill’s most ardent privacy and civil liberties backers to cry foul and say they could withdraw support. Areas of concern to watchdogs include possible removal of transparency language allowing companies to tell their customers about the broad numbers of lawful intercept requests they receive; and a debate on whether the search terms used by the NSA to search communications records should be narrowly defined in statute.

“The version we fear could now be negotiated in secret and introduced on the House floor may not move us forward on NSA reform,” said human rights organization Access. “I am gravely disappointed if the House leadership and the administration chose to disrupt the hard-fought compromise that so many of us were pleased to support just two weeks ago,” said Kevin Bankston, policy director of the New America Foundation’s Open Technology Institute.

And while it’s not clear these secret changes would broaden the scope outside of counterterrorism (though I think that’s possible already), it does seem clear the Administration is pushing for these changes because the already weak bill is too strong for them.

It’s really hard to conclude this bill was ever an attempt to do anything but outsource one aspect of the dragnet to the telecoms, so as to “legally” access geolocation data, and the rest is an attempt to broaden the dragnet.