Does Acting National Security Division Head John Carlin Know about FISA Sections 703 and 704?

/3 Comments/in , /by

There were several curious exchanges in today’s hearing for Acting National Security Division AAG John Carlin to become the official AAG.

I’ll start with this exchange. (After 1:01, my transcription)

Udall: I want to talk about Executive Order 12333, with which you’re familiar. I understand that the collection, retention, or dissemination of information about US persons is prohibited under Executive Order 12333 except under certain procedures approved by the Attorney General. But this doesn’t mean that US person information isn’t mistakenly collected or obtained and then disseminated outside these procedures, so take this example. Let’s say the NSA’s conducting what it believes to be foreign to foreign collection under EO 12333 but discovers in the course of this collection that it also incidentally collected a vast trove of US person information. That US person collection should now have FISA protections. What role does the NSD have in overseeing any collection, retention, or dissemination of US person information that might occur under that executive order?

Carlin: Senator, so, generally the intelligence activities that NSA would conduct under its authorities pursuant to EO 12333 would be done pursuant to a series of guidelines that were approved by the Attorney General and then ultimately implemented through additional policies and procedures by NSA. But the collection activities that occur pursuant to 12333, if there was incidental collection, would be handled through a different set of oversight mechanisms than the Departments–by the Office of Compliance, the Inspector General there, the General Counsel there, and the Inspector General and General Counsel’s office for the Intelligence Community writ large, as well as reporting to these committees as appropriate.

Udall: So you don’t see a role for NSD in ensuring that that data is protected under FISA?

Carlin: Under FISA, no, under FISA we would have a direct role, so if it was under, if it was collection that was pursuant to the FISA statutes, so collection targeted at US persons, for example, or collection targeted at certain non-US persons overseas that was collected domestically such as pursuant to the 702 collection program. That would fall within the scope of the National Security Division. That’s information that — and oversight that we conduct through our oversight section in conjunction with the agencies. We would have the responsibility in terms of informing, of working with them to inform the court if there were any compliance incidents and making sure those compliance incidents were addressed.

Udall: My time’s obviously expired, but I think you don’t understand where I’m coming from here. One is to make sure the DOJ and you in your capacity have the most accurate information so you can represent United States of America and our citizens in the best possible way, and secondly that you have an additional role to play in providing additional oversight. Those are all tied to having information that’s factual, that’s based on what happened, and I’m going to continue to look for ways possible to make sure that’s what does happen, whether it’s under the auspices of the IC or the DOJ. You all have a responsibility to protect the Bill of Rights.

Udall asks Carlin about a “vast trove” of US person data collected under the guise of EO 12333, and asks whether NSD would have a role in protecting it under FISA.

Carlin responds by saying NSD wouldn’t have any role; only NSA and ODNI have oversight over EO 12333 compliance with the Attorney General approved guidelines.

At first, I thought Udall didn’t get Carlin’s point — that this data would get no FISA protection. (Earlier in the hearing, Dianne Feinstein had even pointed out EO 12333 collection gets less oversight, and suggested maybe NSD should play a role in EO 12333 compliance.)

But upon review, Udall may have been suggesting something else (I have a question in with his office seeking clarity on this point).

By all appearances, this was content, not metadata (under SPCMA, metadata collection is considered fair game).

US person content cannot be collected overseas — not intentionally at least — outside the purview of FISA sections 703 and 704.

And while admittedly I have yet to meet a lawyer who has been able to explain precisely how those statutes work, and while the White House has given particularly crazy answers on this point, it seemed that Carlin couldn’t even conceive of a way that US person content collected overseas would be protected under FISA.

He may simply be reflecting NSA policy that if they collect US person content overseas under EO 12333, they call it incidental and therefore never have to consider the FISA implications. And that may well be what the letter of the law provides (in which case I’m sure NSA never ever exploits that loophole, nosirree bob).

But he seemed completely unfamiliar with the concept that, under FISA Amendments Act, US persons do get FISA protection overseas.

Really?

Update: According to Udall’s spokesperson, he wasn’t specifically thinking of 703 and 704, but asking whether this data “should” fall under FISA and therefore under NSD’s oversight.

 

In Sworn Declaration about Dragnet, NSA Changes Its Tune about Scope of “This Program”

/7 Comments/in , /by

I’ve been tracking the sudden effort on the part of NSA to minimize how much of the call data in the US it collects (under “this program,” Section 215).

That effort has, unsurprisingly, carried over to its sworn declarations in lawsuits.

Along with the response in the First Unitarian Church of Los Angeles v. NSA suit the government filed last Friday (this is the EFF-backed suit that challenges the phone dragnet on Freedom of Association as well as other grounds), NSA’s Signals Intelligence Director Theresa Shea submitted a new declaration about the scope of the program.

Ostensibly, Shea’s declaration serves to explain the “new” “changes” Obama announced last month, which the FISA Court approved on February 4. As I have noted, in one case the “change” simply formalized NSA”s existing practice and in the other it’s probably not a big change either.

In addition to her explanation of those “changes,” Shea included this language about the scope of the dragnet.

Although there has been speculation that the NSA, under this program, acquires metadata relating to all telephone calls to, from, or within the United States, that is not the case. The Government has acknowledged that the program is broad in scope and involves the collection and aggregation of a large volume of data from multiple telecommunications service providers, but as the FISC observed in a decision last year, it has never captured information on all (or virtually all) calls made and/or received in the U.S. See In re Application of the FBI for an Order Requiring the Production of Tangible Things from [Redacted], Dkt. No. BR13-109 Amended Mem. Op. at 4 n.5 (F.I.S.C. Aug. 29, 2013) (publicly released, unclassified version) (“The production of all call detail records of all persons in the States has never occurred under under this program.“) And while the Government has also acknowledged that one provider was the recipient of a now-expired April 23, 2013, Secondary Order from the FISC (Exhibit B to my earlier declaration), the identities of the carriers participating in the program (either now, or at any time in the past) otherwise remain classified. [my emphasis]

Shea appears to be presenting as partial a picture of the dragnet as she did in her prior declaration, where she used expansive language that — if you looked closely — actually referred to the entire dragnet, not just the Section 215 part of it.

Here, she’s selectively citing the declassified August 29, 2013 version of Claire Eagan’s July 19, 2013 opinion. The latter date is significant, given that the day the government submitted the application tied to that order, NSA General Counsel Raj De made it clear there were 3 providers in the program (see after 18:00 in the third video). These are understood to be AT&T, Sprint, and Verizon.

Shea selectively focuses on language that describes some limits on the dragnet. She could also note that Eagan’s opinion quoted language suggesting the dragnet (at least in 2011) collected “substantially all” of the phone records from the providers in question, but she doesn’t, perhaps because it would present problems for her “virtually all” claim.

Moreover, Shea’s reference to “production of all call detail records” appears to have a different meaning than she suggests it has when read in context. Here’s what the actual language of the opinion says.

Specifically, the government requested Orders from this Court to obtain certain business records of specified telephone service providers. Those telephone company business records consist of a very large volume of each company’s call detail records or telephony metadata, but expressly exclude the contents of any communication; the name, address, or financial information of any subscriber or customer; or any cell site location information (CSLI). Primary Ord. at 3 n.l.5

5 In the event that the government seeks the production of CSLI as part of the bulk production of call detail records in the future, the government would be required to provide notice and briefing to this Court pursuant to FISC Rule 11. The production of all call detail records of all persons in the United States has never occurred under this program. For example, the government [redacted][my emphasis]

In context, the reference discusses not just whether the records of all the calls from all US telecom providers (AT&T, Sprint, and Verizon, which participated in this program on the date Eagan wrote the opinion, but also T-Mobile and Cricket, plus VOIP providers like Microsoft, owner of Skype, which did not) are turned over, but also whether each provider that does participate (AT&T, Sprint, and Verizon) turns over all the records on each call. The passage makes clear they don’t do the latter; AT&T, Sprint, and Verizon don’t turn over financial data, name, or cell location, for example! And since we know that at the time Eagan wrote this opinion, there were just those 3 providers participating, clearly the records of providers that didn’t use the backbone of those 3 providers or, in the case of Skype, would be inaccessible, would be missed. So not all call detail records from the providers that do provide records, nor records covering all the people in the US. But still a “very large volume” from AT&T, Sprint, and Verizon, the providers that happen to be covered by the suit.

And in this declaration, instead of using the number De used last July, Shea instead refers to “multiple telecommunications service providers,” which could be 50, 4, 3, or 2, or anywhere in between. Particularly given her “either now, or at any time in the past” language, this suggests the number of providers participating may have changed since July.

Which brings me to the two other implicit caveats in her statement.

First, she suggests (ignoring the time ODNI revealed Verizon’s name a second time) that the only thing we can be sure of is that Verizon provided all its domestic data for the 3 months following April 23, 2013.

Actually, we can be fairly sure that at least until January 3, Verizon still participated. That’s because the Primary Order approved on that date still includes a paragraph that — thanks to ODNI’s earlier redaction fail — we know was written to ensure that Verizon didn’t start handing over its foreign call records along with its domestic ones.

Screen Shot 2014-02-25 at 9.33.00 AM

Though curiously, the way in which DOJ implemented the Obama-directed changes — the ones that Shea’s declaration supposedly serves to explain — involved providing substitute language affecting a huge section of the Primary Order, without providing a new Primary Order itself. So we don’t know whether ¶1(B) — what I think of as the Verizon paragraph — still exists, or even whether it still existed on February 4, when Reggie Walton approved the change.

Which is particularly interesting given that Shea’s declaration just happened to be submitted on the date, February 21, when a significant change in Verizon’s structure may have affected how NSA gets its data. (That date was set in December by a joint scheduling change.)

One way or another, Shea’s claim that the dragnet doesn’t collect all or even virtually all phone records is very time delimited, certainly allowing the possibility that the scope of the dragnet has changed since the plaintiffs filed this suit on July 16, 3 days before Eagan explicitly excluded cell location data from the dragnet collection, which is the reason NSA’s leak recipients now give for limits on the scope of the program.

The claim is also — as claims about the Section 215 always are — very program delimited. In her statement claiming limits on how much data the NSA collects, Shea makes 2 references to “this program” and quotes Eagan making a third. She’s not saying the NSA doesn’t collect all the phone data in the US (I don’t think they quite do that either, but I think they collect more US phone data than they collect under this program). She’s saying only that it doesn’t collect “virtually all” the phone data in the US “under this program.”

Given her previously expansive declaration (which implicitly included all the other dragnet collection methods), I take this declaration as a rather interesting indicator of the limits to the claims about limits to the dragnet.

“It’s Tough on My Family:” A Tale of Two Teachers

/9 Comments/in /by

“It’s tough on my family,” James Clapper said in an interview with the Daily Beast of observations he’s a liar. Especially his son, who is a high school teacher (though Clapper didn’t explain why his profession led his son to internalize accusations made against him).

The charges against his integrity bother Clapper. “I would rather not hear that or see that,” he said. “It’s tough on my family, I will tell you that. My son is a high school teacher and he has a tendency, or he is getting over it, to internalize a lot of this.”

And yet this man who thinks it unfair to question a public servant’s integrity after he lies blatantly, who has no idea why Edward Snowden did what he did, why he leaked proof that the NSA was collecting the phone records of most Americans, why Snowden leaked evidence of bulk collection (that includes Americans) overseas, why he leaked details on the NSA’s corruption of encryption.

Which made me think of a different teacher, Zaimah Abdur-Rahim, one of the plaintiff’s in the suit Judge William Martini dismissed last week.

Abdur-Rahim taught at the girls school surveilled by the NYPD — the school, which was accredited by the state of NJ — was actually in her home — and now teaches at another of the schools scoped out by the cops.

Zaimah Abdur-Rahim resides at [address removed]. She is currently a math teacher at Al Hidaayah Academy (“AHA”), a position she has held since 2010. A record of the NYPD’s surveillance of AHA appears in the Newark report, which includes a photograph and de scription of the school . Abdur-Rahim was also the principal of Al Muslimaat Academy (“AMA”), a school for girls grades five through twelve, from 2002 through 2010. Like AHA, a record of the NYPD’s surveillance of AMA appears in the Newark report, including a photograph, the address, and notations stating, among other things, that the school was located in a private house and that the ethnic composition of the school was African American.

Abdur-Rahim has been unfairly targeted and stigmatized by the NYPD’s surveillance of AHA, where she is currently employed, and AMA, where she was last employed, as part of the Department’s program targeting Muslim organizations. She reasonably fears that her future employment prospects are diminished by working at two schools under surveillance by law enforcement. Moreover, the Newark report’s photograph of AMA is also Abdur-Rahim’s home, where she has lived since 1993 with her husband and, at various times, her children and grandchildren. The fact that a photograph of h er home appears on the internet in connection with the NYPD’s surveillance p rogram that the City of New York has since publicly exclaimed is necessary for public safety, has decreased the value of the home and diminished the prospects for sale of the home.

I’m betting that having her home and places of work surveilled by the cops is tough on Abdur-Rahim’s family, far tougher than it is for Clapper’s son to internalize complaints by the citizens he serves about the demonstrable obfuscation by his father.

There is no evidence that the NSA programs defended by Clapper ever specifically targeted Abdur-Rahim, though in this era of information sharing it is conceivable that NYPD identified potential targets (especially mosques) using data obtained indirectly from NSA.

But the entire system Clapper defends — in which communication ties between individuals serve, by themselves, as cause for further investigation — foments a logic that questions the integrity of great many members of the Muslim community. They get swept up in a dragnet (or exposed to infiltrators selected in part by using the dragnet) that targets them not because of what they said publicly in front of television cameras, which is why Clapper’s integrity is under question, but simply because they are 2 or 3 degrees away from someone subjected to a virtual stop-and-frisk.

Imagine how the sons and daughters of the real live teachers targeted by Clapper’s dragnet must internalize the presumption of a lack of integrity or even worse? Imagine how much worse it must be when the suspicion comes not from actual actions taken, lies told, but from ties to a community?

Clapper’s plea for his own reputation here is ill-placed. It actually convinces me we’re relying on the wrong evidence for questioning his integrity.

Because his actions, particularly over the past 4 years, involved questioning the integrity of many people based on far, far less evidence than is now being wielded against him. But when he and his employees at the National Counterterrorism Center question someone’s integrity, in secret, with little recourse for appeal, there may be consequences, like losing the ability to fly, or receiving extra scrutiny when they do try to fly.

And he still doesn’t get the problem with that. He still doesn’t understand why his “so-called” domestic surveillance –and the foreign surveillance that also sucks up Americans — is so much worse than being held to account for lies you tell Congress.

El Chapo

/4 Comments/in , /by

Screen Shot 2014-02-22 at 5.21.44 PMToday, they announced the capture of Chapo Guzmán.

According to Mexico’s el Universal, Sinaloa Cartel boss Chapo Guzmán was captured by authorities at 6:40 AM (it’s unclear whether this is Mexico City or Mazatlán time, which are an hour and two behind ET, respectively; and the local Sinaloa press says the operation started at 3:30 AM).

The AP broke the story at 10:52 AM, sourcing to a US official. At around 11:00 (presumably, Mexico City time), Mexico’s Attorney General Jesús Murillo Karam announced the capture — he attributed the delay to taking time to confirm Guzmán’s identity.

And around that same time, President Enrique Peña Nieto tweeted out congratulations to Mexico’s security services for the capture.

As of right now, I’ve seen no comment from the White House on the capture, even though the DEA were said to be heavily involved.

There have been two pictures circulating relating to the arrest: a KSM-style picture of Guzmán at least partially undressed, and pictures taken in full daylight of him being transferred, fully dressed, to a helicopter by masked men wearing Mexican Navy uniforms.

I lay out these details because I have been wondering for some time why, alone among the world leaders spied on by the NSA, Peña Nieto never complained all that loudly. When Speigel first reported the spying, it suggested the US was trying to determine how seriously Peña Nieto — then still a candidate — meant his campaign promises to change the war on drugs. But according to Dana Priest, subsequent to the start of that spying, upon being presented with the range of our spying in Mexico, the President ended much of that “cooperation.”

The new administration has shifted priorities away from the U.S.-backed strategy of arresting kingpins, which sparked an unprecedented level of violence among the cartels, and toward an emphasis on prevention and keeping Mexico’s streets safe and calm, Mexican authorities said.

Some U.S. officials fear the coming of an unofficial truce with cartel leaders. The Mexicans see it otherwise. “The objective of fighting organized crime is not in conflict with achieving peace,” said Eduardo Medina Mora, Mexico’s ambassador to the United States.

[snip]

U.S. officials got their first inkling that the relationship might change just two weeks after Peña Nieto assumed office Dec. 1. At the U.S. ambassador’s request, the new president sent his top five security officials to an unusual meeting at the U.S. Embassy here. In a crowded conference room, the new attorney general and interior minister sat in silence, not knowing what to expect, next to the new leaders of the army, navy and Mexican intelligence agency.

In front of them at the Dec. 15 meeting were representatives from the U.S. Drug Enforcement Administration (DEA), the CIA, the FBI, the Office of the Director of National Intelligence and other U.S. agencies tasked with helping Mexico destroy the drug cartels that had besieged the country for the past decade.

The Mexicans remained stone-faced as they learned for the first time just how entwined the two countries had become during the battle against narco-traffickers, and how, in the process, the United States had been given near-complete entree to Mexico’s territory and the secrets of its citizens, according to several U.S. officials familiar with the meeting

Four months after that meeting, Peña Nieto involved his government in the information sharing process between the US and Mexico, and he reportedly kicked out Americans working in Mexican fusion centers.

Medina Mora, the Mexican ambassador, said in an interview that his nation considers U.S. help in the drug war “a centerpiece” of Mexico’s counternarcotics strategy. But the Mexican delegation in Washington also informed U.S. authorities that Americans will no longer be allowed to work inside any fusion center, including the one in Monterrey. The DEA agents and retired military contractors there will have to go.

Mind you, it’s clear that this change in strategy didn’t really come about — or if it has, the US has accelerated its own work without the Mexicans — as can be seen by the string of Guzmán associates who’ve been rolled up in recent weeks.

There were further hints of Mexico’s close cooperation when James Clapper, at a recent hearing, refused to elaborate in public session on an answer suggesting that Mexico was cooperating as closely as ever. And this response — in a background briefing in advance of President Obama’s trip to Toluca last week — makes it clear the Americans believe cooperation is still ongoing.

Q I was wondering, since we’re on the topic of messages, and you’ve already outlined the main topics of the summit, what sort of message is the President going to give the Mexican President Peña Nieto with the ongoing violence in Michoacán and whether or not they’re going to talk about new initiatives or somehow renewing the — or expanding the Merida initiative to combat drug traffickers down there. So in other words, what sort of deliverables can we expect from this summit? Thank you.

SENIOR ADMINISTRATION OFFICIAL: Thanks for that question. First of all, we have a very good and effective security relationship with Mexico and we have a for a number of years now, including with this administration. Certainly our shared security interests are going to be a part of the conversation. As President Obama made very clear in his initial meeting with President Peña Nieto, we stand by to help in any way we can and to cooperate as determined by the government of Mexico as it develops its security posture and deals with security concerns and judicial reform in Mexico.

You mentioned the Merida programs; those are continuing. And there’s a process in place between our two governments to develop priorities for cooperation. There’s a greater emphasis on the judicial cooperation now and finding ways to work together in that field. With respect to Michoacán, certainly we’re following closely what is happening there and stand by the government of Mexico as it confronts challenges there and elsewhere. [my emphasis]

And now Chapo is in custody, reportedly as a result of several weeks of cooperation between the DEA and Mexico’s Navy.

We shall see whether this time he stays in custody, and if so, in which country.

The American Bar Association: Since NSA Is Committed to the Rule of Law, It MUST Respect Attorney-Client Privilege

/6 Comments/in /by

It has taken the American Bar Association almost a week to respond to the reports that Mayer Brown’s communications with the government of Indonesia got collected by Australia’s SIGINT service.

In a rather stilted letter, it suggests that if the NSA is an agency that respects the rule of law than surely it must respect Attorney-Client privilege.

While we realize that, under U.S. law, NSA is prohibited from conducting surveillance against American citizens or U.S. based law firms or other organizations without a warrant, it is our understanding that NSA may be authorized, under certain circumstances, to intercept the communications of U.S. citizens and organizations if they are in contact with foreign intelligence targets abroad, subject to specific minimization rules designed to protect their privacy. We were encouraged by recent NSA statements indicating that as a general matter, the agency’s Office of General Counsel typically is consulted when issues of potential attorney – client privilege a rise and that it often recommends that certain steps be taken to protect the privileged information. Having you further clarify the principles and policies in this area would be extremely helpful to the legal community.

The ABA understands the critical role that NSA plays in gathering intelligence information and protecting our national security, and we acknowledge that during the course of these activities, it is inevitable that certain communications between U.S. law firms and their clients may be collected or otherwise obtained by the agency. However, irrespective of the accuracy of the recent press reports, we would like to work with NSA on this issue and urge the agency not to actively seek confidential communications between U.S. law firms and their clients. In addition , if NSA obtains such confidential information inadvertently — or such information is obtained by foreign intelligence services or others and then shared with NSA — we would expect NSA to respect the privilege and take all appropriate steps to ensure that any such privileged information is not further disseminated to other agencies or any other third parties.

We know that NSA, as a federal agency committed to the rule of law, recognizes the attorney – client privilege, and thus the agency should act in a manner consistent with the principles underlying the privilege. Therefore, we respectfully request that you clarify and explain NSA’s current policies and practices that are designed to protect the attorney – client privileged status of information that it collects or receives, and whether these policies and practices were followed with respect to the alleged interception of privileged communications between the U.S. law firm and its overseas client referenced above. [my emphasis]

One example of the stilted form of the letter is the way in which this organization of 400,000 lawyers could so badly overstate the protections NSA Vanee Vines described in the report.

An N.S.A. spokeswoman said the agency’s Office of the General Counsel was consulted when issues of potential attorney-client privilege arose and could recommend steps to protect such information.

“Such steps could include requesting that collection or reporting by a foreign partner be limited, that intelligence reports be written so as to limit the inclusion of privileged material and to exclude U.S. identities, and that dissemination of such reports be limited and subject to appropriate warnings or restrictions on their use,” said Vanee M. Vines, the spokeswoman.

Vines didn’t say NSA’s General Counsel “often recommends” additional minimization for attorney-client communications; she said only that it could.

Which leaves the nation’s lawyers essentially asking, pretty please, would the NSA not do what its own minimization procedures — and the recent history of several lawyers representing alleged terrorists — clearly show it is permitted to do, which is spy on Attorney-Client communications (targeted, of course, at the alleged terrorist).

Anyone surprised that it took allegations that a big corporate firm — and not just defense attorneys — got sucked into the dragnet, before ABA wrote a letter?

Did GCHQ and NSA Lose an Eye Today?

/in /by

As the business press is crowing, Vodaphone and Verizon are officially divorced.

After pulling off the $130 billion sale, Vodafone will drop from the world’s second-biggest phone company to the fourth, measured by market value, behind China Mobile Ltd., AT&T Inc. and Verizon Communications Inc. (VZ), data compiled by Bloomberg showed. Vodafone’s weighting in share indexes such as the FTSE 100 in London will be cut approximately in half.

Shareholders will get a return of about 102 pence ($1.70) per share. That’s about $23.9 billion in cash and about $58.6 billion in Verizon Communications shares.

Vodafone’s shares rose 2.8 percent to 236.10 pence at 2:45 p.m. in London. Verizon slipped 0.3 percent to $47.97 in New York.

“This is a great day for Verizon,” Verizon CEO Lowell McAdam said in a statement. “The new Verizon now has full ownership of the U.S. wireless industry leader in network performance, profitability and cash flow.”

The deal will help Vodafone pay off debt and help fund 7 billion pounds of additional network investments by March 2016, adding high-speed broadband and wireless coverage across its largest markets.

And rejoicing was heard on both sides of the Atlantic!

Curiously, though, I seem to be the only one asking what seems to be an obvious question: how will this high level British-US breakup affect the Five Eyes dragnet?

Particularly given reports that Verizon is (was?) one of 7 Tempora providers, I wonder whether splitting with Vodaphone has permitted Verizon to withdraw from compliance with GCHQ data requests.

Back in 2006, USA Today’s report that the NSA had a database of all of AT&T, Verizon, and BellSouth’s phone records caused one of the telecoms to refuse to turn over data without being legally obligated (and for a number of reasons, it is unlikely AT&T was the provider that demanded an order).

The publication of the Verizon Secondary Order on June 5, 2013 exposed Verizon far more than that 2006 story. And it exposed Verizon uniquely, in a way AT&T and Sprint hadn’t been exposed. ODNI exacerbated that exposure further when it released another document with Verizon’s name unredacted.

If I were Verizon, I would be doing nothing more than the government(s) legally requred me to do. And as of today, Verizon may have one less government with the ability to make such requirements.

Update: On March 4, Verizon’s General Counsel said the Vodaphone/Verizon split will have no effect on Verizon’s obligations to the US.

NSA’s Data Retention Oddities

/1 Comment/in /by

NSA’s defenders are enjoying this one: WSJ says that NSA may temporarily have to expand the phone dragnet (it really means retain more data) because of all the lawsuits to end it.

A number of government lawyers involved in lawsuits over the NSA phone-records program believe federal-court rules on preserving evidence related to lawsuits require the agency to stop routinely destroying older phone records, according to people familiar with the discussions. As a result, the government would expand the database beyond its original intent, at least while the lawsuits are active.

No final decision has been made to preserve the data, officials said, and one official said that even if a decision is made to retain the information, it would be held only for the purpose of litigation and not be subject to searches.

There is actually a precedent for this. In 2009, as NSA was trying to clean up its alert list and other violations, it told the FISA Court it might not be able destroy all the alert notices because of ongoing litigation.

With respect to the alert process, after this compliance matter surfaced, NSA identified and eliminated analyst access to all alerts that were generated from the comparison of non-RAS approved identifiers against the incoming BR FISA material. The only individuals who retain continued access to this class of alerts are the Technical Director for NSA’s Homeland Security Analysis Center (“HSAC”) and two system developers assigned to HSAC. From a technical standpoint, NSA believes it could purge copies of any alerts that were generated from comparisons of the incoming BR FISA information against non-RAS approved identifiers on the alert list. However, the Agency, in consultation with DoJ, would need to determine whether such action would conflict with a data preservation Order the Agency has received in an ongoing litigation matter.

Though I can’t think of any follow-up confirming whether NSA believed this massive violation should or should not be retained in light of ongoing litigation.

As EFF’s Cindy Cohn notes in the WSJ article, if NSA should be retaining data, it should date back to when a judge first issued a preservation order.

Cindy Cohn, legal director at the Electronic Frontier Foundation, which also is suing over the program, said the government should save the phone records, as long as they aren’t still searchable under the program. “If they’re destroying evidence, that would be a crime,” she said.

Ms. Cohn also questioned why the government was only now considering this move, even though the EFF filed a lawsuit over NSA data collection in 2008.

In that case, a judge ordered evidence preserved related to claims brought by AT&Tcustomers. What the government is considering now is far broader.

Though when I saw reference to the litigation in the 2009 filing, I wondered whether it might be either the al-Haramain suit or one of the dragnet suits, potentially including EFF’s suit.

Here’s what confuses me about all this data retention business.

If the NSA is so cautious about retaining evidence in case of a potential crime, then why did it just blast away the 3,000 files of phone dragnet information they found stashed on a random server, which may or may not have been mingled in with STELLAR WIND data it found in 2012? Here’s how PCLOB describes the data and its destruction, which differs in some ways from the way NSA described it to itself internally.

In one incident, NSA technical personnel discovered a technical server with nearly 3,000 files containing call detail records that were more than five years old, but that had not been destroyed in accordance with the applicable retention rules. These files were among those used in connection with a migration of call detail records to a new system. Because a single file may contain more than one call detail record, and because the files were promptly destroyed by agency technical personnel, the NSA could not provide an estimate regarding the volume of calling records that were retained beyond the five-year limit.

According to the NSA, they didn’t know how or why or when the data ended up where it wasn’t supposed to be or even if it had really been retained past the age-off date.

Heck, those 3,000 files potentially mixed up with STELLAR WIND data seem like precisely the kind of thing EFF’s Jewel suit might need to access.

But it’s all gone!

One final detail. Here’s how WSJ says the system currently ages off data.

As the NSA program currently works, the database holds about five years of data, according to officials and some declassified court opinions. About twice a year, any call record more than five years old is purged from the system, officials said.

This is not how witnesses have consistently described the age-off system. It adds up to 6 months on the age-off, in what appears to be non-compliance with the unredacted parts of the phone dragnet orders.

Update: Adding one more thing. WSJ suggests NSA may have to keep the data because it might help some of the plaintiffs get standing. The only way that’s true is if NSA stopped getting Verizon cell data from Verizon starting in 2009.

For most of the plaintiffs, standing should be no problem They’re Verizon Business Service customers. But Larry Klayman is just a cell phone customer. A 5-year age off (ignoring the semi-annual purge detail) would mean they’d be getting rid of data collected in February 2009, just as NSA was working through the violations and before the May 29, 2009 order for Verizon to stop handing over its foreign data (also before Reggie Walton shut down Verizon production for a 3 month period later in 2009). I’m not sure I buy all that, but it is the only way standing might depend on data retention.

Between Two Ends of the WikiLeaks Investigation: Parallel Constructing the FBI’s Secret Authorities

/19 Comments/in , , /by

Two pieces of news on the government’s investigation of WikIleaks came out yesterday.

At the Intercept, Glenn Greenwald reported:

  • In 2010, a “Manhunting Timeline” described efforts to get another country to prosecute what it called the “rogue” website
  • In a targeting scenario dating to July 25, 2011, the US’ Targeting and General Counsel personnel responded to a question about targeting WikiLeaks’ or Pirate Bay’s server by saying they’d have to get back to the questioner
  • In 2012, GCHQ monitored WikiLeaks — including its US readers — to demonstrate the power of its ANTICRISIS GIRL initiative

Screen Shot 2014-02-19 at 9.42.54 AM
Also yesterday, Alexa O’Brien reported (and contextualized with links back to her earlier extensive reporting):

  • The grand jury investigation of WikiLeaks started at least as early as September 23, 2010
  • On January 4, 2011 (21 days after the December 14, 201 administrative subpoena for Twitter records on Appelbaum and others), DOJ requested Jacob Appelbaum’s Gmail records
  • On April 15, 2011, DOJ requested Jacob Appelbaum’s Sonic records

Now, as O’Brien lays out in her post, at various times during the investigation of WikiLeaks, it has been called a Computer Fraud and Abuse investigation, an Espionage investigation, and a terrorism investigation.

Which raises the question why, long after DOJ had deemed the WikiLeaks case a national security case that under either the terrorism or Espionage designation would grant them authority to use tools like National Security Letters, they were still using subpoenas that were getting challenged and noticed to Appelbaum? Why, if they were conducting an investigation that afforded them all the gagged orders they might want, were they issuing subpoenas that ultimately got challenged and exposed?

Before you answer “parallel construction,” lets reconsider something I’ve been mulling since the very first Edward Snowden disclosure: the secret authority DOJ and FBI (and potentially other agencies) used to investigate not just WikiLeaks, but also WikiLeaks’ supporters.

Back in June 2011, EPIC FOIAed DOJ and FBI (but not NSA) for records relating to the government’s investigation of WikiLeaks supporters.

EPIC’s FOIA asked for information designed to expose whether innocent readers and supporters of WikiLeaks had been swept up in the investigation. It asked for:

  1. All records regarding any individuals targeted for surveillance for support for or interest in WikiLeaks;
  2. All records regarding lists of names of individuals who have demonstrated support for or interest in WikiLeaks;
  3. All records of any agency communications with Internet and social media companies including, but not limited to Facebook and Google, regarding lists of individuals who have demonstrated, through advocacy or other means, support for or interest in WikiLeaks; and
  4. All records of any agency communications with financial services companies including, but not limited to Visa, MasterCard, and PayPal, regarding lists of individuals who have demonstrated, through monetary donations or other means, support or interest in WikiLeaks. [my emphasis]

In their motion for summary judgment last February, DOJ said a lot of interesting things about the records-but-not-lists they might or might not have and generally subsumed the entire request under an ongoing investigation FOIA exemption.

Most interesting, however, is in also claiming that some statute prevented them from turning these records over to EPIC, they refused to identify the statute they might have been using to investigate WikiLeaks’ supporters.

All three units at DOJ — as reflected in declarations from FBI’s David Hardy, National Security Division’s Mark Bradley, and Criminal Division’s John Cunningham – claimed the files at issue were protected by statute.

None named the statute in question. All three included some version of this statement, explaining they could only name the statute in their classified declarations.

The FBI has determined that an Exemption 3 statute applies and protects responsive information from the pending investigative files from disclosure. However, to disclose which statute or further discuss its application publicly would undermine interests protected by Exemption 7(A), as well as by the withholding statute. I have further discussed this exemption in my in camera, ex parte declaration, which is being submitted to the Court simultaneously with this declaration

In fact, it appears the only reason that Cunningham submitted a sealed declaration was to explain his Exemption 3 invocation.

And then, as if DOJ didn’t trust the Court to keep sealed declarations secret, it added this plaintive request in the motion itself.

Defendants respectfully request that the Court not identify the Exemption 3 statute(s) at issue, or reveal any of the other information provided in Defendants’ ex parte and in camera submissions.

DOJ refuses to reveal precisely what EPIC seems to be seeking: what kind of secret laws it is using to investigate innocent supporters of WikiLeaks.

Invoking a statutory exemption but refusing to identify the statute was, as far as I’ve been able to learn, unprecedented in FOIA litigation.

The case is still languishing at the DC District.

I suggested at the time that the statute in question was likely Section 215; I suspected at the time they refused to identify Section 215 because they didn’t want to reveal what Edward Snowden revealed for them four months later: that the government uses Section 215 for bulk collection.

While they may well have used Section 215 (particularly to collect records, if they did collect them, from Visa, MasterCard, and PayPal — but note FBI, not NSA, would have wielded the Section 215 orders in that case), they couldn’t have used the NSA phone dragnet to identify supporters unless they got the FISC to approve WikiLeaks as an associate of al Qaeda (update: Or got someone at NSA’s OGC to claim there were reasons to believe WikiLeaks was associated with al Qaeda). They could, however, have used Section 215 to create their own little mini WikiLeaks dragnet.

Read more

AT&T’s “Transparency” Report: Polite Requests Versus Demands

/5 Comments/in /by

Screen Shot 2014-02-18 at 1.40.24 PMI want to make two more points about AT&T’s “Transparency” Report which, as I mentioned earlier, shows how deceitful “transparency” reports can be.

First, compare the number of subpoenas AT&T shows, total, compared to the rough numbers provided for requests to AT&T under Hemisphere for the prior year.

In 2012, 3 cities — Atlanta, Houston, and  Los Angeles — submitted a total of 2,770 requests to Hemisphere. In 2012 to 2013 (see the following slide), 7 HIDTAs plus two parts of the Southwest Border HIDTA submitted 838 requests to Hemisphere. While I suspect other HIDTAs also have access to Hemisphere, those numbers are still just a tiny fraction of the total subpoenas AT&T got the following year — using the larger number, just slightly more than 1% of the 223,659 criminal subpoenas AT&T received in 2013.

Even assuming the number is 3 times that across all DEA requests, that seems like a miniscule number, probably even a miniscule number of the requests submitted in drug investigations.

We are to believe, then, that AT&T keeps up this database just to feed as what might be less than 4% of its total requests?

Which is one reason I suspect Hemisphere is also serving other purposes.

And that, of course actually assumes (I’m in a generous mood) that AT&T receives a subpoena for all its Hemisphere requests, in spite of references in the Hemisphere presentation to emails and despite the past history of AT&T (or another telecom) providing phone records in response to requests on Post-It notes.

Which makes me really wonder, given another little detail in AT&T’s “Transparency” Report, whether AT&T responds to as data requests, rather than formal demands.

Here are the categories for the data requests it gets:

  • National Security Demands
  • Total U.S. Criminal & Civil Litigation Demands
  • Location Demands
  • Emergency Requests
  • International Demands [my emphasis]

Remarkably, AT&T has just 22 International Demands, counting both law enforcement and URL blocking. Verizon, by contrast, got 2,396 law enforcement demands and 1,663 block requests, though some of that may reflect Vodapone exposure and it also implies there were other requests that it funneled through MLAT processing.

I raise this because, in his paper on the dragnet, David Kris repeatedly suggested the NSA gets some bulk metadata via voluntary production of foreign data.

Alternative methods of collection would include non-bulk FISA orders, or what prior NSA Directors in the past have referred to as “vacuum cleaner” surveillance outside the ambit of FISA, under Executive Order 12333 and its subordinate procedures, such as DOD 5240-1.R, and perhaps voluntary production if not otherwise prohibited by law. See NSA End-to-End Review at 15; August 2013 FISC Order at 10 n.10 (“The Court understands that NSA receives certain call detail records pursuant to other authority, in addition to the call detail records produced in response to this Court’s Orders.”); cf. 18 U.S.C. § 2511(2)(f) otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”).(“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”).

If AT&T is voluntarily providing data in response to requests, without insisting on getting a demand, it might explain some of the numbers (not to mention its far greater skew towards subpoenas rather than warrants, as compared to Verizon — though this “demand” “request” language necessarily appears at Verizon, too).

Don’t get me wrong: if AT&T wants to just give out customer information in response to data requests without asking for a demand, I’ll just assume it’s being polite to those in authority. But if it is, those requests should be in its transparency report too.

Would We Have Accepted the Dragnet if NSA Had to Admit It Could Have Prevented 9/11?

/8 Comments/in /by

Screen shot 2014-02-18 at 10.16.30 AMI’m going to return to Glenn Greenwald’s latest showing details of how the NSA treated WikiLeaks and, to a lesser degree, Anonymous (as well as Alexa O’Brien’s update on the investigation into WikiLeaks) later.

If GCHQ does this kind of tracking, how did Five Eyes miss the Tsarnaev brothers?

But for now I want to look at one slide covering GCHQ’s AntiCrisis monitoring approach (see slide 34), which in this case is focused on WikiLeaks. It shows how GCHQ has the ability — and had it in 2012 — to monitor particular websites. It shows GCHQ can monitor the visitors of a particular website, where they’re coming from, what kind of browsers they use. None of that is, in the least surprising. But given those capabilities, it would be shocking if GCHQ weren’t doing similar monitoring of AQAP’s online magazine Inspire, with the added benefit that certain text strings in each Inspire magazine would make it very easy to track copies of it as it was downloaded, even domestically via upstream collection. And for the UK, this isn’t even controversial; even possessing Inspire in the UK can get you imprisoned.

Given that that’s the case, why didn’t GCHQ and NSA find the Tsarnaev brothers who — the FBI has claimed but provided no proof — learned to make a bomb from the Inspire release that GCHQ or NSA hacked? Why isn’t NSA reviewing why it didn’t find the brothers based on cross-referencing likely NSA tracking of Inspire with its FBI reporting on Tamerlan Tsarnaev?

I used to not believe NSA should have found the Tsarneavs. But now that I’ve seen all the nifty tools we’ve learned NSA and, especially, GCHQ have, they really do owe us an explanation for why they didn’t find the Tsarnaev brothers, one of whom was already in an FBI database, and who was allegedly learning to make a pressure cooker bomb from a document that surely gets tracked by the NSA and its partners.

Speaking of NSA failures…

Which brings me back to James Clapper’s interview with Eli Lake.

Clapper said the problems facing the U.S. intelligence community over its collection of phone records could have been avoided. “I probably shouldn’t say this, but I will. Had we been transparent about this from the outset right after 9/11—which is the genesis of the 215 program—and said both to the American people and to their elected representatives, we need to cover this gap, we need to make sure this never happens to us again, so here is what we are going to set up, here is how it’s going to work, and why we have to do it, and here are the safeguards… We wouldn’t have had the problem we had,” Clapper said.

“What did us in here, what worked against us was this shocking revelation,” he said, referring to the first disclosures from Snowden. If the program had been publicly introduced in the wake of the 9/11 attacks, most Americans would probably have supported it. “I don’t think it would be of any greater concern to most Americans than fingerprints

Now, I’ll have to review the latest declarations in Jewel, but I think Clapper’s statement — that the genesis of today’s phone dragnet dates to 9/11 —  goes slightly beyond what has been admitted, because it ties today’s phone dragnet program back to the PSP phone dragnet program. Ron Wyden has tried to make the tie between the illegal program and the current one clear for months. Clapper has now inched closer to doing so.

But I also want to take issue with Clapper’s claim that if NSA had presented a “gap” to Members of Congress and the public after 9/11 we would have loved the dragnet.

Had we known of the errors and territorialism that permitted 9/11, would we have agreed to any of this?

I do so, in part, because the claim there was a “gap” is erroneous and has been proven to be erroneous over and over. Moreover, that myth dates not to the days after 9/11, but to misrepresentations about the content of the 9/11 Commission report 3 years later. Note, too, that (as has happened with Inspector Generals reviews of the Boston Marathon attack) the Commission got almost no visibility into what NSA had against al Qaeda.

More importantly, had NSA gone to the public with claims about gaps it did and didn’t have before 9/11, we would likely have talked not about providing NSA more authority to collect dragnets, but instead, about the responsibility of those who sat on intelligence that might have prevented 9/11.

As Thomas Drake and the other NSA whistleblowers have made clear, the NSA had not shared intelligence reports that might have helped prevent 9/11.

I found the pre- and post-9/11 intelligence from NSA monitoring of some of the hijackers as they planned the attacks of 9/11 had not been shared outside NSA. Read more