Chronicle of the Phone Dragnet

/4 Comments/in /by
  1. Howard, Malcolm BR 06-05 (5/24/06)
    • One group (al Qaeda) originally approved, a second (or more) added via amendment in August 2006)
    • Footnote 1 asserting most calls domestic to domestic (redacted thereafter)
    • Probably just 2 providers (plural custodians, but short redaction)
    • Includes compensation paragraph dropped with third order
    • Footnote 2: 2 numbers per day
    • Only 7 people authorized to sign off on RAS: Signals Intelligence Directorate Program Manager for Counterterrorism Special Projects; the Chief or Deputy Chief, Counterterrorism Advanced Analysis Division; or one of the four specially authorized Counterterrorism Advanced Analysis Shift Coordinators in the Analysis and Production Directorate of the Signals Intelligence Directorate
    • Classification mark redacted
  2. Howard, Malcolm BR 06-08 (8/18/06)
    • Begin large footnote modifying names of (now 2) organizations cleared for RAS
    • 8 authorizers (plus addition of “production” to SID Program Manager), addition 5th CT Shift Coordinator
    • Add language approving RAS for FISA targets
    • Classification based on application; declassification of President
    • 2 (4 pages and 15 pages) Orders of unknown subject (10/31/06)
  3. Scullin, Frederick, BR 06-12 (11/15/06)
    • Compensation paragraph dropped
    • Footnote 2 changed to 3 numbers a day
    • Mandate review every 90 days
    • Add at least 2 spot checks every 90 days
    • Congressional notification regarding implementation of Section 215 authority (1/25/07)
    • 43 total BR orders in 2006
  4. Broomfield, Robert, BR 07-04 (2/02/07)
    • Add exception to FISC authorization for RAS for FISA docket 06-2081
    • Internal Executive Branch email message and attached document regarding implementation of Section 215 authority (3/9/07)
  5. Gorton, Nathaniel, BR 07-10 (5/03/07)
  6. Gorton, Nathaniel, BR 07-14 (7/23/07)
    • Replace docket 06-2081 exception to FISA language w/docket 07-449 [see also]
  7. Vinson, Roger, BR 07-16 (10/18/07)
  8. Howard, Malcolm, BR 08-01 (1/4/08?)
    • Footnote 5 notes that “for analytical efficiency” “a copy of data” from phone dragnet data will be stored on same server as [EO 12333 and foreign collected] data
    • Move spot check language to FISC l
    • NSA management cancels monthly due diligence meetings (1/08)
    • DOJ IG Report on Section 215, including 2 classified sections that presumably include the dragnet (though only for 2006), as well as notice of failure to meet statute’s minimization requirement (3/08)
  9. Kollar-Kotelly, Colleen, BR 08-04 (4/3/08)
    • Approval for training new NSA analysts?
    • 31 newly trained NSA analysts query BR database using 2,373 identifiers without knowing they were doing so (4/08)
    • Internal memo addressed to NSD/OI officials including Matthew Olsen in anticipation of filing to FISC (6/6/08)
  10. Zagel, James, BR 08-07 (6/26/08)
    • NSA shifts the servers the reports are retained on (no word about the records themselves) (7/29/08)
    • Disabling of hyperlink allowing CIA, FBI, and NCTC to access BR metadata directly (Note, ETE report says this happened in “Summer 2008 timeframe”) (7/08)
    • Distribution of Data Integrity Analysts’ defeat list changes (probably expands) in some way (8/08)
    • NSA tells FISC about tool to find correlations (8/18/08)
  11. Zagel, James, BR 08-08 (9/19/08?)
    • AG Guidelines for Domestic FBI Operations (9/28/08)
    • Notice of April violations (10/17/08)
    • Start date for audit as part of E-2-E (11/1/08)
    • 27,090 identifiers allowed to be contact chained, as subsequently reported (11/2/08)
    • (12/1/08) BR 06-05 and 6 other docket orders first provided to Congressional oversight committees
    • Start date for 2 analysts doing 280 queries using non-RAS identifiers (12/10/08)
  12. Walton, Reggie, BR 08-13 (12/11/08)
    • Begin requirement of consultation w/DOJ
    • Supplemental opinion assess legality under 2702/2703 (12/12/08)
    • Notice on “alert” violation; 1,935 of 17,835 identifiers RAS approved (1/15/09)
    • End date for 2 analysts making 280 queries for non-RAS identifiers (1/23/09)
    • Notice of violation on 280 non-RAS queries (1/26/09)
    • Order for more information regarding 1/15/09 notice on “alert” violation (1/28/09)
    • Supplemental notice about failed attempt to kluge the automatic notice (2/3/09)
    • Memo providing more info on violations (2/12/09)
    • Notice of violation on query tool (2/26/09)
    • Notice of domestic identifiers being queried w/o RAS review (3/4/09)
    • 13 total BR orders in 2008
  13. Walton, Reggie, BR 09-01 (3/5/09)
    • Notice that “data integrity” analysts sharing non user emails beyond BR cleared analysts (5/8/09)
  14. Walton, Reggie, BR 09-06 (5/29/09)
    • Secondary order to provider (Verizon?) excludes foreign-to-foreign data
    • Supplemental order (both dockets) on sharing outside of NSA (5/29/09)
    • Notification of chaining on correlated numbers (6/15/09)
    • Notification of access by CIA, FBI, NCTC (6/16/09)
    • Supplemental order in both dragnets (6/22/09) [See PR/TT version]
    • End-to-End report (6/25/09)
    • Notification that NSA following USSID 18 instead of minimization procedures (6/26/09)
    • Notification of unminimized results shared with unidentified recipient (GCHQ?) (6/29/09)
    • End-to–End report shared with FISC (7/2/09)
  15. Walton, Reggie (?) BR 09-09 (7/8/09) [see also]
    • New group approved via primary order pp. 5-7
    • Order specifically mentions NSA failure to follow BR-specific minimization procedures
    • Order requires briefing on legal requirements of dragnet (10)
    • Order requires consultation with DOJ, including on automated queries (14)
    • Requires explanation why NSA disseminated out of NSA, can’t remove credit card info (16-17)
    • Order requires weekly reports
    • Approval for data integrity analysts’ use of non-user specific identifiers
    • 4 new roles approved to approve disseminations
    • Notice of ability to obtain fourth hop contact number (8/4/09)
    • Submission with E-2-E (8/19/09)
  16. Walton, Reggie, BR 09-13 (9/3/09)
    • Order regarding new dissemination violations (9/25/09)
    • Briefing materials for FISC regarding implementation of Section 215 authority (9/18/09)
  17. Walton, Reggie (?) BR 09-15 (10/30/09) [See also]
    • Supplemental opinion on historical queries and dissemination (11/05/09)
    • Briefing materials for government personnel pertaining to implementation of Section 215 authority (11/18/09)
  18. Walton, Reggie (?) BR 09-19 [see also]
  19. Walton, Reggie, BR 10-10 (2/26/10)
  20. Walton, Reggie, BR 10-17 (5/14/10)
  21. Walton, Reggie, BR 10-49 (8/04/10)
  22. Walton, Reggie, BR 10-70 (10/29/10)
  23. Bates, John, BR, 11-07 (1/20/11)
  24. Feldman, Martin, BR 11-57 (4/13/11)
  25. Bates, John, BR 11-107 (6/22/11)
  26. ~9/20/11?
  27. BR-11-191 12/11? [see also]
  28. ~1/29/12?
  29. ~4/29/12?
  30. ~7/28/12?
  31. ~10/26/12?
  32. ~1/25/13?
  33. Vinson, Roger, BR 13-80, (4/25/13)
  34. Eagan, Claire, BR 13-109, (7/18/13)
  35. McLaughlin, Mary, BR 13-158 (10/11/13)
  36. Hogan, Thomas, BR 14-01 (1/3/14)
    • Congress can access database to perform oversight
    • Supplement gives FISC review over RAS and limits to 2 hops (2/5/14)
    • Order denying motion to preserve data (3/7/14)
    • Order approving preservation of data (3/12/14)
    • Order requiring explanation for material misstatement regarding preservation orders (3/21/14)
  37. ? (3/28/14)

Why Did 3 Top DOJ Officials Feed Their Dog DOJ’s Homework?

/9 Comments/in /by

DOJ has submitted what it claims is an explanation for why it materially misstated facts to Reggie Walton in discussions about destroying phone dragnet data. (See this post and this post for background.)

As you recall, Walton had read EFF’s emails closely enough to realize that EFF had asked Civil Division lawyers why they had claimed there was no protection order when they believed they had one.

A review of the E-mail Correspondence indicates that as early as February 26, 2014, the day after the government filed its February 25 Motion, the plaintiffs in Jewel and First Unitarian indeed sought to clarify why the preservation orders in Jewel and Shubert were not referenced in that motion. E-mail Correspondence at 6-7. The Court’s review of the E-mail Correspondence suggests that the DOJ attorneys may have perceived the preservation orders in Jewel and Shubert to be immaterial to the February 25 Motion because the metadata at issue in those cases was collected under what DOJ referred to as the “President’s Surveillance Program” (i.e., collection pursuant to executive authority), as opposed to having been collected under Section 215 pursuant to FISC orders — a proposition with which plaintiffs’ counsel disagreed. Id at 4. As this Court noted in the March 12 Order and Opinion, it is ultimately up to the Northern District of California, rather than the FISC, to determine what BR metadata is relevant to the litigation pending before the court.

As the government is well aware, it has a heightened duty of candor to the Court in ex parte procedings. See MODEL RULES OF PROF’L CONDUCT R. 3.3(d) (2013). Regardless of the government’s perception of the materiality of the preservation orders in Jewel andShubert to its February 25 Motion, the government was on notice, as of February 26, 2014, that the plaintiffs in Jewel and First Unitarian believed that orders issued by the District Court for the Northern District of California required the preservation of the FISA telephony metadata at issue in the government’s February 25 Motion. E-mail Correspondence at 6-7. The fact that the plaintiffs had this understanding of the preservation orders–even if the government had a contrary understanding–was material to the FISC’s consideration of the February 25 Motion. The materiality of that fact is evidenced by the Court’s statement, based on the information provided by the government in the February 25 Motion, that “there is no indication that nay of the plaintiffs have sought discovery of this information or made any effort to have it preserved.” March 7 Opinion and Order at 8-9.

The government, upon learning this information, should have made the FISC aware of the preservation orders and of the plaintiffs’ understanding of their scopre, regardless of whether the plaintiffs had made a “specific request” that the FISC be so advised. Not only did the government fail to do so, but the E-mail Correspondence suggests that on February 28, 2014, the government sought to dissuade plaintiffs’ counsel from immediately raising this issue with the FISC or the Northern District of California. E-mail Correspondence at 5.

DOJ’s excuse for not telling Walton EFF believed they had a protection order is roughly as follows:

1. Notwithstanding a past comment about preservation orders in the matters before Judge Walton, the government claims EFF’s suits are unrelated to the phone dragnet.

[T]he Government has always understood [EFF’s suits] to be limited to certain presidentially authorized intelligence collection activities outside FISA, the Government did not identify those lawsuits, nor the preservation order issued therein, in its Motion for the Second Amendment to Primary Order filed in the above-captioned Docket number on February 25, 2014. For the same reasons, the Government did not notify this Court of its receipt of plaintiffs’ counsel’s February 26, 2014, e-mail.

Note, to sustain this claim, the government withheld both the state secrets declarations that clearly invoke the FISC-authorized dragnets as part of the litigation, even though the government’s protection order invokes it repeatedly, as well as Vaughn Walker’s preservation order which is broader than DOJ’s own preservation plan. Thus, they don’t give Walton the things he needs to be able to assess whether DOJ’s actions in this matter were remotely reasonable.

2. It explains that it never provided EFF with its own 2007 preservation plan (which did not meet the terms of Walker’s order) until March 17, 2014 because Stellar Wind — but not the FISC-authorized programs that the preservation plan excluded — was classified until December 2013.

A classified submission was necessary at that time [in 2007] because the existence of the presidentially-authorized program was classified and remained so until December 2013.

Note, it doesn’t mention that 19 days passed between the time EFF formally raised concerns about the protection order and the date DOJ actually provided the declassified protection plan to them, during which time, it appears, NSA destroyed one of the most damning half year’s worth of data in the program’s history (which I’ll return to in a later post).

3. In spite of EFF telling DOJ their earlier suits were relevant (and not having received the preservation plan which could have been declassified in December), DOJ claims they didn’t think they were relevant so it didn’t tell FISC about EFF’s beliefs.

Because the Government’s Motion for Second Amendment already had sought relief from this Court based on a list of BR metadata pursuant to FISC authorization, see Motion for Second Amendment at 3-5, counsel did not appreciate — even after receiving the email from plaintiffs’ counsel in Jewel — that it would be be important to notify this Court about Jewel and Shubert or the email from counsel for the Jewel plaintiffs about those cases with which the Government disagreed. Rather, counsel viewed any potential dispute about the scope of Jewel and Shubert preservation orders as a mater to be resolved, if possible, by the parties to those cases (though a potential unclassified explanation to plaintiffs’ counsel) or, failing that, by the district court.

Note what DOJ is not mentioning here? That EFF has a Section 215 lawsuit too, and that its understanding of the impact on that suit may have been influenced by the Shubert and Jewel protection orders.

4. DOJ’s Civil Division lawyers did not forward EFF’s email to DOJ’s National Security Division lawyers, they claim, because the Civil Division lawyers did not agree with EFF’s interpretation of the protection order.

For these reasons, counsel did not think to forward the email from Jewel Plaintiffs’ counsel to the attorneys with primary responsibility for interaction with this Court before the Court ruled on the Motion for Second Amendment. The Department wishes to assure the Court that it has always endeavored to maintain close coordination within the Department regarding civil litigation matters that involve proceedings before this Court, and will take even greater care to do so in the future.

5. DOJ told EFF to hold off formally alerting any Court in the belief that it could tell EFF about the preservation plan which could have been declassified in December but did not get declassified until 10 days after FISC issued its initial order requiring DOJ to destroy data, and that would solve everything.

In particular, the request in its February 28 email that counsel for the Jewel plaintiffs “forbear from filing anything with the FISC, or [the district court], until we have further opportunity to confer” was a good faith attempt to avoid unnecessary motions practice in the event that the issue could be worked out among the parties through the Government’s provision of an unclassified explanation concerning its preservation in Jewel and Shubert.

Read more

DOJ Doesn’t Want You to Know about Any Inspire-related FISA Surveillance Programs

/10 Comments/in /by

I have written repeatedly about the case of Adel Daoud (see these two posts). The FBI caught him in a sting in 2012 where they had him perform bombing a night club. He was 18 at the time he caught.

While the government immediately informed Daoud they would use evidence derived from FISA against him, subsequent information — both comments Dianne Feinstein made during the debate about renewing the FISA Amendments Act and in further details we’ve gotten about back door searches — have suggested there might be something exotic about his targeting. (I have speculated he got identified via a back door search off a traditional FISA tap on someone — or something — else.)

On Monday, the government submitted its appeal of Judge Sharon Coleman’s decision.

DOJ complains that Judge Sharon Coleman did not reveal the classified things she finds so problematic about this case

Hilariously, key to their appeal is that Coleman didn’t lay out what it was she saw in the FISA materials she reviewed that led her to grant Daoud’s lawyer review of the underlying application materials.

Rather than address the specific facts of this case, the district court ordered disclosure because it believed that resolving the legality of the FISA collection is “best made in this case as part of an adversarial proceeding.” Id. at 5; SA 5. The court noted that “the adversarial process is integral to safeguarding the rights of all citizens” and quoted the Supreme Court’s language that the Sixth Amendment “right to the effective assistance of counsel is thus the right of the accused to require the prosecution’s case to survive the crucible of meaningful adversarial testing.” Id.

[snip]

For FISA and its procedures to have meaning, the need for disclosure must stem from unique, case-specific facts, and not a general preference that would apply to all FISA litigation. After all, the statute mandates that courts review the FISA applications and orders in camera and ex parte before even contemplating disclosure. Thus, a court cannot order disclosure of FISA materials unless it concludes, based on facts specific to the FISA applications in that case, that it cannot accurately resolve the legality of the collection without such disclosure.

The legislative history of FISA reinforces the conclusion that disclosure cannot be “necessary” absent a case-specific reason that would justify a departure from the default ex parte process.

Think about this. The government is arguing Coleman was wrong to grant Daoud’s lawyers review — which would effectively allow a lawyer to conduct a secret review of the FISA application — without explaining in a court opinion what is so unique about this case that it merits such a review.

To do so, she’d either have to reveal the secrets the government says Daoud’s lawyers can’t review, even in secret. Or she’d have to issue a partially classified opinion that would deprive Daoud’s lawyers of an opportunity to support her decision on appeal.

DOJ complains that Coleman did not think their secret declarations they insist are persuasive are persuasive

DOJ is also angry that Coleman was not sufficiently impressed by their plea of national security, insisting that their sworn declarations were “persuasive” even though she obviously was not persuaded.

The “need-to-know” prerequisite matters all the more here because, as persuasively articulated in the sworn declarations from the Attorney General of the United States and the FBI’s Acting Assistant Director for Counterterrorism, these FISA applications deal with exceptionally sensitive issues with profound national security implications.

[CLASSIFIED MATERIAL REDACTED]

The district court’s order ignored these declarations and brushed aside the considered judgment of two senior executive branch officials who carefully concluded—based on the particular facts of this case—that disclosure may lead to an unacceptable risk of compromising the intelligence gathering process and undercut the FBI’s ongoing ability to pursue national security investigations. If permitted to stand, the district court’s order would impose upon the government a lose-lose dilemma: disclose sensitive classified information to defense counsel—an option unlikely to be sanctioned by the owners of that information—or forfeit all FISA-derived evidence against the defendant, which in many cases may be critical evidence for the government.

In other words, in spite of FISA’s clear provision allowing for review in certain circumstances, DOJ maintains that judges must accept whatever classified declarations they submit even if — as Coleman said — they’re not at all persuasive.

And while the government’s complaints are, in significant part, about ensuring that allowing defendants to review these applications doesn’t begin to happen more frequently, this is also a bid to ensure that any Title III review of FISA warrants remains narrowly limited to whether,

  • FISA rightly found probable cause that the target of the FISA warrant was an agent of a foreign power
  • The certifications submitted in support of the warrant complied with FISA’s requirements
  • FISA information was appropriately minimized

The last bullet, which I suspect is the most important one in this case, will measure not whether minimization meets the standards required under the Fourth Amendment, but whether DOJ (or rather NSA and/or FBI) followed the rules approved by FISA. And limiting the review to whether the government met the minimization procedures approved by FISA brackets off the question of whether this use of FISA abided the Fourth Amendment.

Elsewhere, DOJ describes the case they need to make differently.

A court reviewing the applications would have no difficulty determining that they established probable cause to believe that the target was an agent of a foreign power and that a significant purpose of the collection was to obtain foreign intelligence information.

That’s significant because if this does involve a back door search, it raises questions about the degree to which the government collects this data, at this point, just to find young Muslim men to catch in stings.

More bread-crumbs pointing to targeting off Inspire

Which is particularly important given the bread-crumbs in the opinion pointing to the targeting of Daoud off some kind of collection targeted at Inspire, AQAP’s magazine.

Read more

James Clapper Continues to Cover Up FBI’s Back Door Searches on US Targets

/6 Comments/in /by

Screen shot 2014-04-02 at 12.37.27 PMIn their stories catching up to my past reporting on the Semiannual Compliance Report‘s discussion of backdoor searches, the Guardian and NYT focus on NSA and (in the case of the NYT) CIA. Neither mentions that the FBI also does such back door searches, and has had the authority to do so longer than the foreign intelligence agencies.

That may be because Ron Wyden always focuses on the NSA, and as a result James Clapper mentioned the NSA in his letter to Wyden.

The public record makes clear that FBI has this authority. A footnote to one of the paragraphs describing oversight over NSA and CIA’s back door searches explains that “FBI’s minimization procedures had already provided that agency the ability,” followed by redacted descriptions.

Screen Shot 2014-04-02 at 1.14.49 PM

When Bates approved back door searches in his October 3, 2011 opinion, he pointed to FBI’s earlier (and broader) authorities to justify approving it for NSA and CIA. While the mention of FBI is redacted here, at that point it was the only other agency whose minimization procedures had to be approved by FISC, and FBI is the agency that applies for traditional FISA warrants.

[redacted] contain an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information. See [redacted]. In granting [redacted] applications for electronic surveillance or physical search since 2008, including applications targeting United States persons and persons in the United States, the Court has found that the [redacted] meet the definitions of minimization procedures at 50 U.S.C. §§ 1801(h) and 1821(4). It follows that the substantially-similar querying provision found at Section 3(b)(5) of the amended NSA minimization procedures should not be problematic in a collection that is focused on non-United States persons located outside the United States and that, in aggregate, is less likely to result in the acquisition of nonpublic information regarding non-consenting United States persons.

So since 2008, FBI has had the ability to do back door searches on all the FISA-authorized data they get, including taps targeting US persons.

When I saw ODNI’s tweets (above) admitting to back door searches, I realized that ODNI treated classification of FBI’s back door searches differently than it did CIA and NSA’s. In addition to the redactions in the footnote above, it also redacted its description of the review of FBI’s back door searches.

Screen Shot 2014-04-02 at 2.08.52 PM

Indeed, Clapper’s letter only admits to back door searches of data collected on foreign targets, not American ones.

As reflected in the August 2013 Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuant to Section 702, which we declassified and released on August 21, 2013, there have been queries, using U.S. person identifiers, of communications lawfully acquired to obtain foreign intelligence by targeting non U.S. persons reasonably believed to be located outside the U.S. pursuant to Section 702 of FISA.

Yet Bates makes it clear (even though the reference to FBI is redacted) that FBI can even back door search data collected in the United States on US persons.

Given how little we know about back door searches, it’s hard to know which is worse. As Bates notes, there will likely be more Americans’ records accessible via a back door search off an American target. But at least in that case, FISC has found there is probable cause to believe the target is a foreign agent or terrorist. Under Section 702, the Agencies can collect data on people without that same level of proof, and do so in much greater volume. Certainly, Ron Wyden and Mark Udall seem primarily concerned about the Section 702 targeting (which includes the FBI, as the Compliance report makes clear).

Still, Clapper’s greater secrecy about FBI’s back door searches makes me worried they are in some way even worse.

James Clapper Confirms VADM Mike Rogers Needlessly Obfuscated in Confirmation Hearing

/7 Comments/in /by

On Friday, James Clapper finally provided Ron Wyden an unclassified response to a question he posed on January 29, admitting that the NSA conducts back door searches. (via Charlie Savage)

As reflected in the August 2013 Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuant to Section 702, which we declassified and released on August 21, 2013, there have been queries, using U.S. person identifiers, of communications lawfully acquired to obtain foreign intelligence by targeting non U.S. persons reasonably believed to be located outside the U.S. pursuant to Section 702 of FISA.

It has taken just 9 months for Clapper to admit that, contrary to months of denials, the NSA (and FBI, which he doesn’t confirm but which the Report makes clear, as well as the CIA) can get the content of Americans’ communications without a warrant. But Clapper’s admission that this fact was declassified in August should disqualify Vice Admiral Mike Rogers from confirmation as CyberComm head (I believe he started serving as DIRNSA head, which doesn’t require confirmation, yesterday). Because it means Rogers refused to answer a question the response to which was already declassified.

Udall: If I might, in looking ahead, I want to turn to the 702 program and ask a policy question about the authorities under Section 702 that’s written into the FISA Amendments Act. The Committee asked your understanding of the legal rationale for NASA [sic] to search through data acquired under Section 702 using US person identifiers without probable cause. You replied the NASA–the NSA’s court approved procedures only permit searches of this lawfully acquired data using US person identifiers for valid foreign intelligence purposes and under the oversight of the Justice Department and the DNI. The statute’s written to anticipate the incidental collection of Americans’ communications in the course of collecting the communications of foreigners reasonably believed to be located overseas. But the focus of that collection is clearly intended to be foreigners’ communications, not Americans. But declassified court documents show that in 2011 the NSA sought and obtained the authority to go through communications collected under Section 702 and conduct warrantless searches for the communications of specific Americans. Now, my question is simple. Have any of those searches been conducted? Rogers: I apologize Sir, I’m not in a position to answer that as the nominee. Udall: You–yes. Rogers: But if you would like me to come back to you in the future if confirmed to be able to specifically address that question I will be glad to do so, Sir. Udall: Let me follow up on that. You may recall that Director Clapper was asked this question in a hearing earlier this year and he didn’t believe that an open forum was the appropriate setting in which to discuss these issues. The problem that I have, Senator Wyden’s had, and others is that we’ve tried in various ways to get an unclassified answer — simple answer, yes or no — to the question. We want to have an answer because it relates — the answer does — to Americans’ privacy. Can you commit to answering the question before the Committee votes on your nomination? Rogers: Sir, I believe that one of my challenges as the Director, if confirmed, is how do we engage the American people — and by extension their representatives — in a dialogue in which they have a level of comfort as to what we are doing and why. That is no insignificant challenge for those of us with an intelligence background, to be honest. But I believe that one of the takeaways from the situation over the last few months has been as an intelligence professional, as a senior intelligence leader, I have to be capable of communicating in a way that we are doing and why to the greatest extent possible. That perhaps the compromise is, if it comes to the how we do things, and the specifics, those are perhaps best addressed in classified sessions, but that one of my challenges is I have to be able to speak in broad terms in a way that most people can understand. And I look forward to that challenge. Udall: I’m going to continue asking that question and I look forward to working with you to rebuild the confidence. [my emphasis]

I assume that now that Clapper has given him the okay to discuss unclassified topics with Congress, Rogers will now provide a forthright answer, all the while claiming he was ignorant about the answer at the time (fine! then make me DIRNSA because I know more about it!). But Rogers’ response went far beyond such an answer. He refused — not just in the hearing but even after it — to commit to answering a question with a completely unclassified answer. And as I pointed out in this post, his written answers were even more obfuscatory. I don’t get a vote. But I think this should disqualify him as a nominee.

Update: Here’s the exchange in Rogers’ questions for the record on back door searches.

What is your understanding of the legal rationale for NSA to search through data acquired under section 702 using U.S. Persons identifiers without probable cause?

Information acquired by NSA under Section 702 of FI SA must be handled in strict accordance with minimization procedures adopted by the Attorney General and approved by the Foreign Intelligence Surveillance Court. As required by the statute and certifications approving Section 702 acquisitions, such activities must be limite d to targeting non-U.S. persons reasonably believed to be located outside the United States . NSA’s Court-approved procedures only permit searches of this lawfully acquired data using U.S. person identifiers for valid foreign intelligence purposes and under the oversight of the Department of Justice and Office of Director of National Intelligence.

Keith Alexander’s Bubble Floats into the Sunset of Defense Contractor Sinecures

/11 Comments/in /by
Screen shot 2013-11-27 at 11.11.07 AM

In a training program developed in 2009, the NSA itself identified abuses it likened to Projects Shamrock and Minaret.

Today, LAT has an extremely friendly exit interview with Keith Alexander that nevertheless depicts the now-retired General as hopelessly lost inside a bubble far removed from those who paid his salary. It depicts Alexander confusing objections to what NSA’s leaders have ordered with what the presumably honorable people who implement those decisions.

But something else seems likely to shape the legacy of the NSA’s longest-serving director, who retired Friday: something that Alexander failed to anticipate, did not prepare for and even now has trouble understanding.
Thanks to Edward Snowden, a former NSA contractor, the world came to know many of the agency’s most carefully guarded secrets. Ten months after the disclosures began, Alexander remains disturbed, and somewhat baffled, by the intensity of the public reaction.
“I think our nation has drifted into the wrong place,” he said in an interview last week. “We need to recognize that those who are working to protect our nation are not the bad people.

I find it particularly troubling that Alexander sees in skepticism about authority the nation “drifting into the wrong place.”

The profile goes on to convey Alexander’s laughable belief that what has been depicted since June is the model of oversight.

When Snowden’s disclosures began, Alexander and his deputies knew they were in for a storm. But they felt sure the American public would be comforted when they learned of the agency’s internal controls and the layers of oversight by Congress, the White House and a federal court.
“For the first week or so, we all had this idea that we had nothing to be ashamed of, and that everyone who looked at this in context would quickly agree with us,” Inglis said.
Instead, polls show, many Americans believe that the NSA is reading their emails and listening to their phone calls. A libertarian group put an advertisement in the Washington transit system calling Alexander, a 62-year-old career military officer, a liar. U.S. technology companies are crying betrayal.

Side note: it would be useful if LAT noted that in fact the disclosures do show that the NSA is conducting warrantless back door searches on US person emails, rather than using the conjunction “instead” suggesting this impression is false. And that’s all before you get into the vast collection overseas and upstream for which NSA refuses to count US person data.

I’m particularly interested in Alexander’s attempt to distinguish this scandal from the scandals of the 1970s.

He sees a fundamental difference between the intelligence abuses uncovered by Congress in the 1970s — including revelations that the NSA spied without warrants on domestic dissidents — and the programs exposed by Snowden.
“What the Church and Pike committees found” nearly 40 years ago was “that people were doing things that were wrong. That’s not happening here,” Alexander said, referring to the panels headed by Sen. Frank Church (D-Idaho) and Rep. Otis Pike (D-N.Y.) that examined intelligence-agency activities in that era.

As I have noted repeatedly, 4 years into Alexander’s tenure, the NSA itself likened some of its abuses to Projects Shamrock and Minaret. So perhaps Alexander should at least cede that under his leadership, the NSA was also doing things that it itself considered to be analogues to those earlier scandals (and yes, they violated the law and limits of the programs in question).

Even the LAT conducts a soft fact check of Alexander’s claim that the President’s Review Group and PCLOB found a model of oversight.

Outside reviews, including one released in December by a presidential task force, he said, found that “lo and behold, NSA is doing everything we asked them to do, and if they screw up, they self-report.”
The task force reported it found “no evidence of illegality or other abuse of authority for the purpose of targeting domestic political activity.” But it also noted “serious and persistent instances of noncompliance” with privacy and other rules. Even if unintentional, those violations “raise serious concerns” about the NSA’s “capacity to manage its authorities in an effective and lawful manner,” the report said.

I’d go further, too, and point out that this self-reporting only came with the greater involvement of DOJ’s National Security Division, after years of NSA not reporting these violations. Even months into one of those incidents, the NSA was failing to report its violations to the FISC without NSD involvement.

But perhaps the most egregious example of Alexander’s bubble comes in his assessment of the Snowden leaks themselves.

The ease with which Snowden removed top-secret documents also embarrassed an agency that is supposed to be the first line of defense against cyberattacks.
In July, Alexander offered to resign, but the White House turned him down, he said. He didn’t think holding other senior officials accountable would be right because a massive theft of documents by a systems administrator could not have been foreseen, he added.

Are you kidding me? First, how is it that the NSA couldn’t anticipate the large scale exfiltration of documents via removable media in the 3 years after Chelsea Manning did so? And why didn’t NSA comply with requirements to implement software to prevent just that, the kind of software Alexander insists his agency should have on our private communications? But note what else doesn’t get mentioned, as Alexander rides off into the sunset of generous defense contractor sinecures? Not only didn’t Alexander hold his subordinates responsible, but he didn’t hold Booz responsible, the company under whose lucrative eyeballs Snowden did this work.

As of Friday, the Bubble General is gone into retirement. While I fully expect soon-to-be Admiral Mike Rogers to be just as aggressive in hiding the scope of his programs and doing what he can because he can, I do hope he is not this detached from the reality in which he works.

Why Does NSA Get a Pass on the Boston Marathon Attack?

/7 Comments/in /by

In addition to a motion claiming the FBI asked Tamerlan Tsarnaev to become an informant during their investigation of him in 2011, Dzhokhar Tsarnaev’s lawyers submitted a motion requesting notice of whether the government intends to submit as evidence or has in its possession surveillance information that would be helpful to Dzhokhar’s defense.

This motion is not going anywhere.

The government would generally be obliged to turn this over only if they planned to use it (or evidence derived from it, in the still very attenuated way they define such things) in trial. And as the defense notes in the motion, any surveillance that might exist would most likely be of Dzhokhar’s family, especially his brother, not him. Moreover, the defense points to Amnesty v. Clapper to invoke the government’s admission that it collects data not just in FISA-authorized programs, but also in EO 12333 ones.

And, although we do not reach the question, the Government contends that it can conduct FISA-exempt human and technical surveillance programs that are governed by Executive Order 12333. See Exec. Order No. 12333,

Yet there is no established obligation to notice such evidence, as there is for FISA.

All that said, to justify their demand, the defense notes the government’s non-response to three past attempts to get such information. And they note two passages from the recently released House Homeland Security Committee report on the bombing to justify their renewed claim.

This threat assessment included a check of “U.S. government databases and other information to look for such things as derogatory telephone communications, possible use of online sites associated with the promotion of radical activity, associations with other persons of interest, travel history and plans, and education history.” Id. at 12. The report also states that, according to FBI officials in Moscow, “electronic communication” between Tamerlan and a jihadist named William Plotnikov “may have been collected.”

If any “derogatory” telephone communications had been discovered, presumably the assessment into Tamerlan wouldn’t have been closed after less than 4 months, as the report makes clear it was (the Russian notice was March 4, 2011; the FBI set an alert on Tamerlan on March 22, 2011; the FBI closed the assessment on June 24, 2011). Ditto if Tamerlan had significant online activity “associated with the promotion of radical activity” (he would have, after his return from Russia). So for the moment assume nothing significant came of these searches, which are attributed to the FBI. Nevertheless, these comments at least nod to databases that may be, or may be derived from, NSA databases.

The possible intercept between Tamerlan and Plotnikov may have dated to a year after the FBI’s assessment, although this NBC report, which seems to have been based on an unredacted report, suggests it predated the warnings. In any case, it’s almost certainly a Russian intercept, not an NSA one: the paragraph reporting it (see the partly redacted paragraph on page 15) is one of just a few in this report classified FGI, indicating it derives from foreign government intelligence. If the FBI (and later, CIA) did learn that Tamerlan had come up in incriminating intercepts with Plotnikov in 2011, that’s something the NSA presumably could have replicated (and would be solidly within NSA’s interpretation of permissible taps under reverse targeting restrictions as laid out in the most recent PCLOB hearing, even assuming such tasking were done under FAA).

Dzhokhar’s defense doesn’t deal with what I consider a far more intriguing mention, undoubtedly because it remains heavily redacted (see page 32-34). This one deals with the second Russian alert later that fall — it is another FGI paragraph and footnote — this time to the CIA. It reveals that in providing a warning reported to be largely the same as one sent 6 or 7 months earlier, the CIA version of the Russian warning used the wrong year of birth and transliterated his name differently. There was some other difference in this alert as well (this would be described in the sentence at 33-34, which the following sentence on the name and date inaccuracy add to). And while much of this heavily redacted discussion involves the mechanics of data sharing, what is clear is CIA added Tamerlan (with the wrong birth date and transliteration) to two more databases than FBI had, TIDES (a kind of centralized database) and TSDB (a centralized terrorist screening database) based on some reason to be suspicious. Just as significantly, according to NBC (which also spoke to a “US intelligence official,” though it doesn’t attribute this specific claim at all), CIA also passed on this information to several other agencies. “On Oct. 19, 2011, the CIA shared information on Tsarnaev with the National Counterterrorism Center (NCTC), DHS, the State Department and the FBI.”

Take a step back here and consider this claim. First, NBC’s source (or the unredacted report) would have you believe a legal alien in the US got added to the TSDB for alleged ties with extremists in Russia without NSA also getting notice of it. It would also have you believe that any further checks done into Tamerlan at this time never stumbled over the grisly Waltham murder committed just weeks earlier, or Tamerlan’s odd behavior afterwards. Tamerlan was getting added to databases, but no one made a Request for Information about the underlying claims involving people who could be legally targeted in Russia to the NSA, at least as far as the public story goes.

And note what doesn’t appear in the House report, but which does appear in Dzhokhar’s indictment?

Inspire magazine is an English language online publication of al-Qaeda in the Arabian Peninsula. Volume One of Inspire magazine, which is dated summer 2010, contains detailed instructions for constructing IEDs using pressure cookers, explosive powder from fireworks, shrapnel, adhesive, and other materials. IEDs constructed in this manner are designed to shred flesh, shatter bone, and cause extreme pain and suffering, as well as death.

[snip]

At a time unknown to the Grand Jury, but before on or about April IS, 2013, DZHOKHAR A. TSARNAEV downloaded to his computer a copy of Volume One of Inspire magazine, which includes instructions on how to build IEDs using pressure cookers or sections of pipe, explosive powder from fireworks, and shrapnel, among other things.

There are codes within Inspire that could and presumably are targeted under NSA’s upstream collection, meaning if such downloads in any way crossed key international switches, they might have been identified and tracked, along with metadata identifying Dzhokhar’s computer.

And yet, in spite of all these potential bread crumbs the NSA might have had, no one has thought to ask NSA whether they did. The HHSC didn’t ask NSA for information, And the joint IG report on the attacks did not include NSA’s IG.

Don’t get me wrong. I’m actually sympathetic to the idea that even the most diligent effort cannot prevent every attack. I’m not endorsing doing any more domestic collection than NSA already does — though what it does, it does precisely to identify people like Tamerlan, people who have conversations with known extremists overseas. According to both NSA and FBI’s rules, neither would have needed even Reasonable Articulable Suspicion into Tamerlan — though they clearly had that — to do a back door search on, say, Plotnikov’s communications. I’m also not saying this would make a lick of difference in Dzhokhar’s trial (though the allegation is that his computer, not Tamerlan’s, is the one with Inspire on it).

But if we’re going to do drawn out assessments every time we miss a terrorist attack, shouldn’t we also be assessing the actions or inactions of the people who run massive dragnets ostensibly because they’ll identify people like Tamerlan? If we’re going to have this dragnet — and if NSA is going to justify it by pointing to terrorism — shouldn’t we be assessing its role in actually preventing terrorism?

Ron Wyden, Refusing to Play Prosecutor, Says We Need to Ban Dragnet Collection of Purchase Records

/18 Comments/in /by

Meet the Press continues to spew absolute idiocy regarding the Snowden leaks. In an attempt to get Ron Wyden to call Edward Snowden a criminal today, Chuck Todd suggested because Wyden is a Senator he has the authority to decide who gets prosecuted or not.

Todd: Where are you on Snowden? Is he whistleblower? Is he a criminal? And if he’s brought back to the United States, should charges be brought up against him?

Wyden: Chuck, I decided a long time ago if somebody was charged criminally I wasn’t going to be just doing running commentary. But the bottom line is this is a debate that shouldn’t have started that way, it should have started with the House leadership– [interrupting]

Todd: But did he commit a crime? Did he commit a crime?

Wyden: I think that’s something for lawyers–

Todd: You’re in the United States Senate! You have the–you can’t tell me whether he committed a crime?!

Wyden: I’m not a prosecutor, I’m not a prosecutor. And I can tell you years ago in the House I asked the Tobacco executives whether nicotine was addictive, they were under oath, they said no, and the prosecutors said they couldn’t prove intent. Here’s what the bottom line is for me. The American people deserve straight information from the intelligence leadership. If the American people don’t get it, you can bet there’ll be other situations like this.

It must be tedious for Todd that the Fifth and Sixth Amendments might inhibit his ability to sow controversy on a Sunday show, but they nominally exist in this country.

And the rush to force Wyden to convict Snowden led him to ignore what Wyden actually said.

When Todd asked Wyden, the Senator described some other things that needed fixed. In addition to ending the bulk collection of phone records right away, Wyden said,

  • We’ve got to fix this back door search loophole in the Foreign Intelligence Surveillance Act
  • We ought to ban all dragnet surveillance on law abiding Americans–not just phone records, but also medical records, purchases and others

Todd interrupted Wyden as he talked about back door searches to prove he didn’t know what the fuck Wyden was talking about (he believed it entailed getting records without court review in an emergency). Later, having been told that the government was reading the emails of innocent Americans without a warrant and possibly collecting bulk records of their purchases, but proven ignorant about what that means, he asked Wyden if there was anything else that would make us feel insecure about our privacy.

Ron Wyden implied today that the government is collecting bulk records of our purchases (almost certainly in search of our beauty supply and pressure cooker purchases).

But revealing critical details like this is not what Chuck Todd believes Senators are for. Their job is to determine guilt or innocence on the Sunday shows.

Newly-Released Dragnet Order Suggests Spike in 215 Orders May Include Financial Records

/1 Comment/in /by

I Con the Record reissued less classified versions of two Section 215 orders: the March 2, 2009 one that sharply restricted the phone dragnet without much new declassified, and the June 22, 2009 one that dealt, in part, with FBI and CIA access to the data in both the Internet and phone dragnet, showing both those parts unclassified in the same order (previously the government had released two separate versions — phone, Internet — with different things declassified).

The only new document was a November 23, 2010 order, modeled closely on a December 12, 2008 one. The earlier one had judged that the Stored Communication Act’s limits on collection did not preclude the use of Section 215 to collect phone records. This one judged that the Right to Financial Privacy Act did not preclude the use of Section 215 to collect financial records. Both opinions basically find that because those laws permit the use of National Security Letters to obtain such records without judicial review, clearly it’s okay to obtain the same records with judicial review under Section 215.

Of course, we know that in the phone context — and so presumably also in the financial records context — the use of Section 215 also entailed bulk, potentially comprehensive collection. While some bulk collection occurred under NSLs, especially for phone records (we know that because that’s the only category of NSL that doesn’t get accounted individually in public records), and while we assume bulk collection occurred under Bush’s illegal program via other means, moving a new kind of record under Section 215 may represent the institutionalization of bulk collections of another type of document.

Aside from revealing that this order pertained to financial records, we don’t know much about the underlying order. The order says the records were provided to the FBI (though WSJ and NYT reported CIA used Section 215 to get money order records). It uses “financial records” in scare quotes, so it is possible it is something beyond just bank records. And the fact that it was stamped by John Bates (then the presiding judge) suggests it may have been regarded as rather significant.

All that said, this opinion doesn’t necessarily mark November 2010 as the date the government started using Section 215 to collect (presumably bulk) financial records. After all, the government collected phone records for over 2 years before answering the seemingly obvious question of whether doing so violated other laws. I suspect they did so in 2008 in response to questions then DOJ Inspector General Glenn Fine kept raising about Section 215. And it is perhaps instructive that Fine was, in November 2010, working on a new Section 215 review, one that has since been delayed, in part by ODNI and DOJ refusal to declassify a number of documents, for 1,371 days.

Perhaps it’s just a remarkable coinkydink, but Fine resigned 6 days after this FISC ruling was issued.

Two more details about this. First, as I have shown, DOJ appears to have been hiding details about Section 215 from Congress during this period, though the only financial records they would have been obliged to disclose were tax records.

In addition, the number Section 215 orders started going up drastically in 2010, along with the number of orders the FISC modified to require minimization procedures.

Nevertheless, the reports show us two new things.

Screen shot 2013-11-22 at 8.52.29 AM

First, while we knew the number of modifications has gone up significantly in the last three years (we now know that many of the modifications in 2009 had to do with phone dragnet violations), the latest reports ODNI released say this:

The FISC modified the proposed orders submitted with forty-three such applications in 2010 (primarily requiring the Government to submit reports describing implementation of applicable minimization procedures).

The FISC modified the proposed orders submitted with 176 such applications in 2011 (requiring the Government to submit reports describing implementation of applicable minimization procedures).

I’ve suggested that 176 modified applications may suggest the government has as many as 44 bulk collection programs, which would be renewed every three months  (or, alternately, a whole lot more specific bulk collection orders).

That is, this rise in what are almost certainly bulk collection orders came around the same time as FISC “Bates-stamped” the collection of financial records with Section 215.

Finally, consider one more thing. Last year, 26 Senators raised concerns about credit card records; last week’s RuppRoge House Intelligence Committee dragnet fix doesn’t prohibit the bulk collection of credit card records (their list, I now realize, is based off the list of sensitive records currently written into Section 215). Credit card records are covered under FRPA.

So while it would be a wildarsed guess, it would not be unreasonable to guess that some of this spike in bulk collection involved credit card records, approved by this November 2010 opinion.

Any bets we’ll finally get that DOJ IG Report on Section 215, showing that’s what they’ve been doing?

More Clarity and Lack Thereof in the Obama Dragnet Reform

/1 Comment/in /by

A Senior Administration Official has clarified two remaining questions I had about the President’s plan to reform the dragnet.

First and very importantly, the conference call left unclear (and most subsequent reporting often didn’t directly address) whether Obama’s plan would apply just to counterterrorism purposes (as the current phone dragnet does) or more broadly (as the House Intelligence Committee RuppRoge proposal does). But SAO is clear: Obama’s plan focuses on specific terrorist groups.

The existing program only allows for queries of numbers associated with specified terrorist groups. Our operational focus is to make sure we preserve that counterterrorism authority in any new legislation. We will continue consulting with Congress on these issues.

This, then, is another way in which the President’s plan is significantly better than the RuppRoge plan — that it sets out to only cover CT, whereas RuppRoge sets out to cover foreign intelligence purposes broadly. Though that “consult with Congress” bit seems to allow the possibility that the White House will move towards broader use for the query system.

I also wondered — particularly given Verizon’s quick statement arguing it should not have to perform analysis for the government — who would do the data integrity analysis required to narrow the query results to those genuinely in contact with a selector, rather than ordering from the same pizza joint. Here, SAO was less clear, in part, punting the issue to Congress and “stakeholders” like Verizon.

Under the President’s proposal, the government would seek court orders compelling the companies to provide technical assistance to ensure the information can be queried, to run the queries, and to give the records back to the government in a usable format and on a timely basis. As additional questions arise with respect to the proposal, we look forward to working through them with Congress and relevant stakeholders to craft legislation that embodies the key attributes of this new approach. [my emphasis]

As a reminder, here’s Verizon General Counsel Randal Milch’s full statement:

This week Congressmen Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) released the “End Bulk Collection Act of 2014”, which would end bulk collection of data related to electronic communications. The White House also announced that it is proposing an approach to end bulk collection. We applaud these proposals to end Section 215 bulk collection, but feel that it is critical to get the details of this important effort right. So at this early point in the process, we propose this basic principle that should guide the effort: the reformed collection process should not require companies to store data for longer than, or in formats that differ from, what they already do for business purposes. If Verizon receives a valid request for business records, we will respond in a timely way, but companies should not be required to create, analyze or retain records for reasons other than business purposes. [my emphasis]

Verizon — probably the most important provider for this to work (because AT&T already gives the government what it wants and because it’s got the most upside growth) — doesn’t want to be forced to change the format in which they keep their data, and it doesn’t want to do analysis. But this response seems to say it wants to receive sound query results from Verizon, which would require that analysis first.

RuppRoge, as you’ll recall, offers NSA assistance (presumably including Booz NSA contractors working onsite at Verizon) to providers to do this work. As written, the White House proposal does not.

While this is an obscure issue (I may be the only one writing on it!), it has a direct impact on how many completely Americans get sucked into the NSA and subjected to the full range of its analytical tools. And it seems to be a key point of disagreement between the White House and perhaps the most important telecom provider.