Congress Currently Has Access to the Phone Dragnet Query Results

When Bernie Sanders asked the NSA whether it spied on Members of Congress, Keith Alexander responded, in part,

Among those protections is the condition that NSA can query the metadata only based on phone numbers reasonably suspected to be associated with specific foreign terrorist groups. For that reason, NSA cannot lawfully search to determine if any records NSA has received under the program have included metadata of the phone calls of any member of Congress, other American elected officials, or any other American without that predicate.

Alexander’s response was dated January 10, 2014, one week after the current dragnet order was signed.

It’s an interesting response, because one of the changes made to the dragnet access rules with the January 3 order was to provide Congress access to the data for oversight reasons. Paragraph 3D reads, in part,

Notwithstanding the above requirements, NSA may share the results from intelligence analysis queries of the BR metadata, including United States person information, with Legislative Branch personnel to facilitate lawful oversight functions.

This doesn’t actually mean Sanders (and Darrell Issa, Jerrold Nadler, and Jim Sensenbrenner, who sent a letter on just this issue yesterday) can just query up the database to find out if their records are in there. The legislature can only get query results — it can’t perform queries. And as of last week, all query identifiers have to be approved by the FISC.

Still, they might legitimately ask to see what is in the corporate store, the database including some or all past query results, which may include hundreds of millions of Americans’ call records. And Nadler and Sensenbrenner — as members of the Judiciary Committee — can legitimately claim to play an oversight role over the dragnet.

So why don’t they just ask to shop the corporate store, complete with all the US person data, as permitted by this dragnet order? While they’re at it, why not check to see if the 6 McClatchy journalists whose FOIA NSA just rejected have been dumped into the corporate store? (No, I don’t think giving Congress this access is wise, but since they have it, why not use it?)

Incidentally, this access for legislative personnel is not unprecedented. Starting on February 25, 2010 and lasting through 3 orders (so until October 29, 2010, though someone should check my work on this point) the dragnet orders included even broader language.

Notwithstanding the above requirements, NSA may share certain information, as appropriate, derived from the BR metadata, including U.S. person identifying information, with Executive Branch and Legislative Branch personnel in order to enable them to fulfill their lawful oversight functions…

Of course at that point, most of Congress had no real understanding of what the dragnet is.

Now that they do, Nadler and Sensenbrenner should use the clear provision of the dragnet order as an opportunity to develop a better understanding of what happens to query results and how broadly they implicate average Americans’ privacy.

Update: Added short explanation of corporate store.

Is Hemisphere Creating Problems for the Phone Dragnet?

You are all probably bored with my repeated posts about why the claim that NSA only collects 30% of US data is probably only narrowly true.

So I won’t discuss how absurd it would be to argue that the terrorist dragnet drawing on the records of at least 3 phone companies was less comprehensive than Hemisphere, the similar AT&T-specific database it makes available to hunt drug crime.

I just want to raise a methodological issue.

In her declaration submitted in support of the suits challenging the Section 215 dragnet, Theresa Shea emphasized something implicit in the Business Records order: the telecoms are only turning over records they already have.

[P]ursuant to the FISC’s orders, telecommunications service providers turn over to the NSA business records that the companies already generate and maintain for their own pre-existing business purposes (such as billing and fraud prevention).

Presumably, AT&T provides precisely this same data to the NSA for its master phone dragnet. That is, to the extent that AT&T compiles this data in particular form, that may well be the form it hands on to NSA.

And that’s interesting for several reasons.

Hemisphere includes not just AT&T call records. It includes “CDRs for any telephone carrier that uses an AT&T switch to process a telephone call.” It gets 4 billion call records a day, including international ones and cell ones. As Scott Shane explained,

AT&T operates what are called switches, through which telephone calls travel all around the country. And what AT&T does in this program is it collects all the—what are called the CDRs, the call data records, the so-called metadata from the calls that we’ve heard about in the NSA context. This is the phone number—phone numbers involved in a call, its time, its duration, and in this case it’s also the location. Some are cellphone calls; some are land line calls. Anything that travels through an AT&T switch, even if it’s not made by an AT&T customer—for example, if you’re using your T-Mobile cellphone but your call travels through an AT&T switch somewhere in the country, it will be picked up by this project and dumped into this database.

Which supports the report from last summer that the government can get T-Mobile calls off AT&T’s records. These are the pre-existing records that NSA can come get and they include T-Mobile calls.

There’s another interesting part of that. As I noted, the first two phone dragnet orders provided for compensation to the providers, even though the statute doesn’t envision that. That would bring you to November 2006; Hemisphere started in 2007, with funding from ONDCP, the White House Drug Czar. Remember, too, that FBI had the equivalent of Hemisphere onsite until late 2007-2008. That is, one thing Hemisphere does is pay for one provider to store what serves as a good baseline dragnet that can then be handed over to the NSA. That’s significant especially given Geoffrey Stone’s claims that the dragnet is not comprehensive because of the cost involved: there should be no cost, but somehow it’s driving decisions.

In any case, as luck would have it, Hemisphere got exposed at the same time as the dragnet.

Hemisphere operates with different legal problems than the NSA phone dragnet. At least with the phone dragnet, after all, AT&T has been compelled to turn over records; with Hemisphere they’re effectively retaining them voluntarily to turn surveillance into a profit center (though they do get compelled on an order-by-order basis). Moreover, AT&T’s far more exposed by the publication on Hemisphere than it is on the NSA dragnet (or perhaps, than even Verizon is under the phone dragnet). The exposure of Hemisphere might make AT&T more hesitant to “voluntarily” retain this data.

Finally, as the amicus challenge EFF and ACLU submitted in a criminal case in Northern California notes, Hemisphere includes precisely the data the NSA is struggling with: cell location data.

Hemisphere goes even further than the NSA’s mass call-tracking program, as the CDRs stored in the Hemisphere database contain location information about callers (see Hemisphere Slide Deck at 3, 13), thus implicating the specific concerns raised by five Justices in Jones. See 132 S. Ct. at 955 (Sotomayor, J., concurring) (“wealth of detail about [a person’s] familial, political, professional, religious, and sexual associations” revealed through “trips to the psychiatrist, the plastic surgeon, the abortion clinic,” etc.) (internal quotation marks, citation omitted); id. at 964 (Alito, J., concurring).

The FISC has created all sorts of problems for NSA to store cell location data, most explicitly with Claire Eagan’s order in July specifically prohibiting it.

But here AT&T is, creating the opportunity for the perfect challenge to use Jones to challenge location in a dragnet specifically.

Which is all a way of saying that the tensions with the phone dragnet may not be entirely unrelated to the fact that Hemisphere also got challenged.

Omaha! Omaha! The Alert that Won’t Alert

The FISA Court just released the January 3, 2014 phone dragnet order, DOJ’s motion to amend it to meet Obama’s new dragnet terms, and the approval for that.

But those changes are of the least interest in these documents. I’ll explain the loophole to the changes tomorrow.

For now, consider that the NSA reportedly can’t get its automated chaining program to work. In the motion to amend, footnote 12 — which modifies part of some entirely redacted paragraphs describing its new automated alert approved back in 2012 — reads:

The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes. Accordingly, this amendment to the Primary Order authorizes the use of this automated query process for development and testing purposes only. No query results from such testing shall be made available for analytic purposes. Use of this automated query process for analytical purposes requires further order of this Court.

PCLOB describes this automated alert this way.

In 2012, the FISA court approved a new and automated method of performing queries, one that is associated with a new infrastructure implemented by the NSA to process its calling records.68 The essence of this new process is that, instead of waiting for individual analysts to perform manual queries of particular selection terms that have been RAS approved, the NSA’s database periodically performs queries on all RAS-approved seed terms, up to three hops away from the approved seeds. The database places the results of these queries together in a repository called the “corporate store.”

It has been 15 months since FISC approved this alert, but NSA still can’t get it working.

I suspect this is the root of the stories claiming NSA can only access 30% of US phone records.

And I think it probably does have to do with cell data and what they get from other programs — just not in the way the reports said it did.

I’ll explain that in a follow-up.

PCLOB Chair David Medine on the 30% Claims

As Ken Dilanian pointed out in his story on the claim that NSA only collects 30% of phone records, in his testimony before the House Judiciary Committee, David Medine suggested “virtually all telephone records of every American” are collected — and he suggests these records are collected under Section 215.

Yet his references are more ambiguous than that. He admits that only some telecoms receive Section 215 orders.

The FISC order authorizes the NSA to collect nearly all call detail records generated by certain telephone companies in the United States, and specifies detailed rules for the use and retention of these records.

But then he makes 3 further references to some form of comprehensive collection.

And while eliminating a U.S. nexus to foreign plots can help the intelligence community focus its limited investigatory resources in time-sensitive situations by channeling efforts where they are needed most, our report questions whether the American public should accept the government’s routine collection of all of its telephone records because it helps in cases where there is no threat to the United States.

[snip]

Moreover, when the government collects all of a person’s telephone records, storing them for five years in a government database that is subject to high-speed digital searching and analysis, the privacy implications go far beyond what can be revealed by the metadata of a single telephone call.

[snip]

But while those rules offer many valuable safeguards designed to curb the intrusiveness of the program, in the Board’s view they cannot fully ameliorate the implications for privacy, speech, and association that follow from the government’s ongoing collection of virtually all telephone records of every American. [my emphasis]

With that in mind, I wanted to consider Medine’s answer to Richard Blumenthal’s questions about the 30% claims.

He starts by suggesting that if the claim were true it would not change PCLOB’s analysis.

Blumenthal: Would the apparent revelation that perhaps only a proportion of this telephone data was collected change in any way the conclusions of your report?

Medine: I don’t think we can address in public session the pros and cons of that conclusion but we’d be happy to meet with the committee in private session. But even if the reports are true it still means that hundreds of millions of telephone records are being collected and so, at least it’s my view, that it would not change the recommendations of the board.

The implication from this passage is that PCLOB did not know the collection was partial when they made their recommendations.

Medine’s dodges are more interesting in response to Blumenthal’s suggestion the Government has made false representations to Courts about obtaining all records (though note my comments on the ambiguity of that language here).

Blumenthal: Would it undercut the accuracy of the representations made by the United States Government to the Courts to justify this program?

Medine: Again, I don’t want to comment on that because some of this matter still remains classified and I think there’s more to be said on that but I don’t think it can be said in public session.

It seems that Medine suggests the Government’s claims are more complex than they might appear (though I may be reading into his answer my observation that the claims actually are ambiguous about how the government obtains its complete haystack).

Finally, Medine dodges again wholesale.

Blumenthal: Well, let me put it differently, wouldn’t you agree with me that the United States government has misled the Courts, whether purposefully or inadvertently in justifying this program on the basis that all telephone records are collected?

Medine: Again, I’m not prepared to confirm any of the reports that have been made and so I don’t want to draw any conclusions about representations that were made in court proceedings.

This answer may support the 30% claims more than earlier ones: it suggests Medine might be able to confirm such a claim.

Nevertheless, if the government has misrepresented the program, then so has Medine.

The one explanation that would address all this ambiguity, of course, is if the few providers that do receive orders provide the call records their backbones treat, not just the call records their own customers generate.

NSA’s Single Section 215 Success Would Probably Be Impossible If NSA’s Latest Claims Were True

It looks increasingly like the sole Section 215 success the FBI has had would be impossible under the claims about limits to dragnet collection NSA leaked last week.

Last week, four journalists reported that the NSA doesn’t collect cell phone data in its phone dragnet program (they presumably meant, but did not specify, just the Section 215-authorized phone dragnet, which is just a small part of the phone dragnet). (WSJ, WaPo, LAT, NYT) As a result — these reporters claimed — as more and more Americans rely on cell phones, the NSA’s phone dragnet has come to cover just 20 to 30% of the phone data in the US.

As I noted, the claim was particularly curious given that all the major examples in which the NSA has used the phone dragnet involved cell phone users.

Still, even in those cases, it was possible that NSA got the phone records via interim hops. That is, if a land line user whose calls were picked up in the dragnet called two cell phones, those numbers would be identified, though their calls to other cell users would not (again, this is if these recent claims are correct).

All that said, the sole case where the dragnet found someone with ties to terrorism they otherwise would not have identified, San Diego taxi driver Basaaly Moalin, increasingly looks to have been impossible under the terms now claimed by NSA leakers.

That’s because Moalin and his known US-based interlocutor through whom the government says he communicated with Somali warlord Aden Ayro, hawala operator Mohamed Ahmed, both used cell phones, both from T-Mobile, according to Moalin’s attorney Joshua Dratel. The government has said it identified Moalin on at least the second hop. If that interim hop was Ahmed, Ahmed’s calls to Moalin would not have been collected, if the NSA’s current claims are true.

Assuming Ahmed was that interim hop, then, the dragnet could not have identified Moalin, at least not under the limits currently claimed by the NSA and the public claims made about the investigation into Moalin.

There are several possible explanations for why the phone dragnet did find him.

First, it’s possible the claims are entirely false, and that the NSA includes T-Mobile in its Section 215 collection. I think that’s unlikely; for a variety of reasons I believe just 3 providers — AT&T, Verizon, and Sprint — get Secondary Orders under the phone dragnet.

It’s possible that an earlier WSJ story (cited by several of these reporters) correctly described how T-Mobile data gets included in the dragnet: via the backbone provider of the networks T-Mobile uses (which, if claims Verizon doesn’t provide cell data are true, would mean AT&T provided it).

The National Security Agency’s controversial data program, which seeks to stockpile records on all calls made in the U.S., doesn’t collect information directly from T-Mobile USA and Verizon Wireless, in part because of their foreign ownership ties, people familiar with the matter said.

The blind spot for U.S. intelligence is relatively small, according to a U.S. official. Officials believe they can still capture information, or metadata, on 99% of U.S. phone traffic because nearly all calls eventually travel over networks owned by U.S. companies that work with the NSA.

[snip]

When a T-Mobile or Verizon Wireless call is made, it often must travel over one of these networks, requiring the carrier to pay the cable owner. The information related to that transaction—such as the phone numbers involved and length of call—is recorded and can then be passed to the NSA through its existing relationships. Additionally, T-Mobile relies on other wireless companies to fill holes in its infrastructure. That shared equipment could allow the government to collect the data.

If that’s the case, however, it means the only way the current claims about the Section 215 dragnet are true is if this collection happens offshore, counting as EO 12333 collection. Which would further mean that even with 20% coverage from domestic production, the NSA still gets most calls in the US.

Finally, it’s possible the dragnet identified Moalin via data collected entirely overseas. Which would mean the claims he was identified under Section 215 — made repeatedly to Congress (though not, curiously, in declarations in the lawsuits against the dragnet) — would be false. It would also mean his prosecution was based on the foreign collection of US person data under no more than an Executive Order.

Here’s the remarkable thing about those two last possibilities. At least as late as March 2009, the NSA could not distinguish the data source for its dragnet query results. A query result from October 2007, when Moalin was first identified, might not distinguish between EO 12333 and Section 215 in the results — though at least according to FISC orders, the Section 215 data may not have gotten mixed in with the EO 12333 data yet. (By 2011, results came back tagged with XML tags to identify not only what authority the data was collected under, but which SIGAD collection point it had been collected from, though some data points get collected under more than one authority and collection point.) That means, unless NSA knows for a fact how it collected T-Mobile data back in 2007, it may not know how it found Moalin. And if it found Moalin off an EO 12333 search, NSA would not have needed even Reasonable Articulable Suspicion to search for connections. It is possible that if NSA initiated the search on any Somali but Aden Ayro (Ayro had ties with Al Qaeda beyond just his al-Shabaab membership and therefore would meet RAS guidelines), they would not have had Reasonable Articulable Suspicion that the identifier had ties to Al Qaeda.

In any case, as I laid out, there are a number of ready explanations for how the dragnet identified Moalin even though he and one likely intermediary were using phones purportedly not collected under the dragnet. But those explanations either mean the recent claims about the extent of the dragnet collection are false, or there are many more questions about how Moalin got targeted.

On the Day Ron Wyden Asked Whether NSA Complied with US v. Jones, It Collected 4 Billion Cell Location Records

As part of my new focus on leaked claims that the NSA can’t collect cell call data because of problems stripping out cell location data, I want to look at the two exchanges Ron Wyden and James Clapper have had about cell location data.

First, at the Global Threats Hearing 2 years ago just after the US v. Jones decision ruled GPS tracking a search (watching Ron Wyden discomfit Clapper at Threat Hearings used to be my exclusive beat, you know), they had this exchange.

Wyden: Director Clapper, as you know the Supreme Court ruled last week that it was unconstitutional for federal agents to attach a GPS tracking device to an individual’s car and monitor their movements 24/7 without a warrant. Because the Chair was being very gracious, I want to do this briefly. Can you tell me as of now what you believe this means for the intelligence community, number 1, and 2, would you be willing to commit this morning to giving me an unclassified response with respect to what you believe the law authorizes. This goes to the point that you and I have talked, Sir, about in the past, the question of secret law, I strongly feel that the laws and their interpretations must be public. And then of course the important work that all of you’re doing we very often have to keep that classified in order to protect secrets and the well-being of your capable staff. So just two parts, 1, what you think the law means as of now, and will you commit to giving me an unclassified answer on the point of what you believe the law actually authorizes.

Clapper: Sir, the judgment rendered was, as you stated, was in a law enforcement context. We are now examining, and the lawyers are, what are the potential implications for intelligence, you know, foreign or domestic. So, that reading is of great interest to us. And I’m sure we can share it with you. [looks around for confirmation] One more point I need to make, though. In all of this, we will–we have and will continue to abide by the Fourth Amendment. [my emphasis]

We now have proof (as if Wyden’s hints weren’t enough of a tell, given his track record) that NSA was collecting cell location at the time of Wyden’s question. While the exchange took place after (according to NSA’s public claims) NSA’s domestic experiments with cell data under Section 215 ended, it suggests the actual NSA collection took place outside of Section 215.

As it happens, NSA’s own slide shows that on the day Wyden asked the question — January 31, 2012 — it collected around 4 billion cell location records (it was a slow day that day — NSA had been collecting closer to 5 billion records a day in 2012). That collection presumably would have been conducted under EO 12333.

Given that we know NSA collected around 4 billion cell location records that day, I’m particularly struck by Clapper’s emphasis on two things: First his suggestion that the legal analysis might be different for an intelligence use than for a law enforcement use. Given his claim the IC abided by the Fourth Amendment, I assume he imagines they have a Special Need to suck up all this cell location data that makes such searches “reasonable.”

Also note his reference to “foreign or domestic.” I’m guessing the IC was also busy arguing that, in spite of the US person cell locations they were ingesting, because they were doing so in a foreign location, it didn’t violate the Fourth Amendment.

With all that in mind, consider Wyden’s question to Keith Alexander on September 26, just before Alexander admitted to the past Section 215 experiments as some kind of limited hangout.

Section 215 FISC Orders Specifically Included Mobile Phone IDs Starting in 2008

I’ve been obsessing on when and whether telecoms turn over cell phone data under Section 215 and EO 12333 for the last several days. So I want to point out a change in the FISC orders for the Section 215 phone dragnet starting in 2008.

Here’s how the April 3, 2008 Section 215 FISC order describes the metadata to be turned over to NSA:

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, communications device identifier, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

Here’s how the August 19, 2008 order and (I believe) all subsequent orders describe the metadata to be turned over to the NSA.

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) numbers, International Mobile Station Equipment Identity (IMEI) etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

In both cases, these paragraphs end with a footnote that starts, “The Court understands that the,” followed by redacted language that would probably be very instructive in explaining where and how the telecoms got their data.

The IMSI is a subscriber’s account number — basically the number tied to the SIM card. The IMEI is a phone handset’s ID number. Drone targeting may track both numbers.

Amid claims the NSA doesn’t collect cell phone data, I find it notable that NSA started asking for cell phone identifiers back in 2008. (I find it equally notable that they started asking for IMSI and IMEI on the second docket after NSA put a copy of the Section 215 data onto the same server as the EO 12333 data). That was also the year that Tempora — under which GCHQ accessed huge amounts of Internet and phone data off Transatlantic cables, including from Verizon — was first piloted.

I don’t think that proves definitively that NSA was collecting cell phone data (though the WSJ reported last June that it was collecting cell data directly from AT&T and Sprint, with T-Mobile and Verizon data coming from another source). Depending on where providers got the data (on a daily basis, remember) to provide to NSA, they would have the IMSI and IMEI data on phones in contact with their land lines.

But the NSA has been collecting data about cell phones at least since 2008.

Which raises real questions about claims they don’t know how to integrate cell phone data into their database.

Update: To answer Dr. Pitchfork’s question, 4 national journalists reported on Friday that the NSA only “gets” 20 to 30% of US phone data because they don’t get cell data. Even ignoring details like the explicit mention of cell data in the 215 orders, their story doesn’t make any sense. I think the real problem may arise from a recent FISC order and Verizon’s split from Vodafone.

Is There a 702 Certificate for Transnational Crime Organizations?

Update, 9/8/15: We’ve subsequently learned, in 2015, that the third certificate in 2011 was a vaguely defined “foreign government” one, which has been used very broadly (and lied about by the government on multiple occasions). NSA was contemplating a cyber certificate in 2012, but Bates’ 2011 decision may have made the terms of that difficult.

I joked yesterday that James Clapper did no more than cut and paste to accomplish President Obama’s order of providing a list of acceptable bulk collection. But I’d like to note something about the list of permissible uses of bulk collection.

  1. Espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;
  2. Threats to the United States and its interests from terrorism;
  3. Threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;
  4. Cybersecurity threats;
  5. Threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and
  6. Transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named above.

For months, I have been noting hints that the use of Section 702 — which is one of several kinds of domestic bulk collection — is limited by the number of certifications approved by FISC, which might be limited by FISC’s assessment of whether such certifications establish a certain level of “special need.”

In 2011, it seems clear from John Bates’ opinion on the government’s Section 702 applications, there were 3 certifications.

[Screenshot]

If there are just 3 certifications, then it seems clear they cover counterterrorism, counterproliferation, and cybersecurity (which is consistent with both ODNI’s public descriptions of Section 702 and the Presidential Review Group’s limits on it), 3 of 6 of the permitted uses of bulk collection.

Furthermore, there’s some history (you’ll have to take my word for this for now, but the evidence derives in part from reports on the use of National Security Letters) of lumping in Counterintelligence and Cybersecurity, because the most useful CI application of bulk collection would target technical exploits used for spying. So if that happens with 702 collection, then 4 of the 6 permissible applications would be covered by existing known certifications.

Threats against Armed Forces would, for the most part, be overseas, suggesting the bulk collection on it would be too. (Though it appears Bush’s illegal program used the excuse of force protection to spy on Iraqi-related targets, potentially even in the US, until the hospital confrontation stopped it.)

Which leaves just transnational crime threats — against which President Obama rolled out a parallel sanctions regime to terrorism in 2011 (though there had long been a regime against drug traffickers) — as the sole bulk collection that might apply in the US that doesn’t have certifications we know about.

Given that at least drug cartels have a far more viable — and deadly — operation in the United States than al Qaeda, I can’t think of any reason why the Administration wouldn’t have applied for a certification targeting TCOs, too (one of Treasury’s designated TCO targets — Russian and East European mobs — would have some overlap with the cyber function, and one — Yakuza — just doesn’t seem like a big threat to the US at all).

And last year’s Semiannual Compliance Assessment may support the argument that there are more than 3 certificates. In its description of the review process for 702 compliance, the report lays out review dates by certifications. Here’s the NSA review schedule:

[Screenshot: NSA review schedule]

This seems to show 4 lines of certifications, one each in August and December, but two in October. Perhaps they re-review one of the certifications (counterterrorism, most likely). But if not, it would seem to suggest there’s now a 4th certification.

Here’s the FBI review schedule (which apparently requires a lot more manual review).

[Screenshot: FBI review schedule]

Given that this requires manual review, I wouldn’t be surprised if they repeated the counterterrorism certifications review (and we don’t know whether all the NSA certifications would be used by FBI). But the redactions would at least allow for the possibility that there is a 4th certification, in addition to the 3 we know about.

Perhaps Obama rolled out TCOs as a 4th certification as he rolled out his new Treasury initiative on it (which would be after the applications laid out by Bates).

Of course, we don’t know. But I think two things are safe to say. First, the use of 702 is tied to certifications by topic. Second, the public statement about permissible use of bulk collection would seem to envision the possibility of a 4th certification covering TCOs, and with it, drug cartels.

Least Surprising Appeal Ever: Back Door Search Edition

In thoroughly unsurprising news, DOJ has informed the 7th Circuit it will appeal Judge Sharon Coleman’s decision giving attorneys for Adel Daoud an opportunity to review the FISA materials used to identify him.

While we don’t know what exotic mix of FISA claims the Executive used to identify Daoud and decide to sic a series of undercover operatives on him, we do know Dianne Feinstein raised his case during the FISA Amendments Act debate in 2012; the context suggests NSA may have found Daoud using a back door search.

While DOJ will say they’re objecting to Coleman’s decision because no defense attorney has ever reviewed a FISA warrant before so why start now, the other underlying message they send with this appeal is that they lack confidence that their counterterrorism tools would stand up to adversarial review.

The next time someone says this is all legal, you might remind them that DOJ refuses to test that claim in the traditional venue for doing so, an Article III setting.

Ed Felten on the 30% Collection Claim and Technical Debt

Ed Felten has his own take on last week’s claims that the NSA was only collecting 30% of phone data.

He suggests my observation–which he calls an argument–that the dragnet combines data from multiple sources is unlikely because it would pose a great risk to NSA’s credibility.

Theory A: Not under this program: One theory is that the NSA is actually getting a lot of domestic phone call data from another source, so this is another one of the “not under this program” evasions. This would mean the NSA is getting domestic phone call data via some method other than a Section 215 court order. For example, Marcy Wheeler argues that the data is coming from a foreign partner agency.

The argument against this theory is that it assumes the NSA is still willing to deceive the public and policymakers with the “not under this program” maneuver. The price to the agency’s credibility of getting caught in such a trick at this late date would seem to be fairly high.

Of course, on the specific issue of geolocation (which the reports claim is part of the problem) the Administration has always engaged in this game (and was doing so as recently as October), assuring us they don’t collect geolocation under this program.

More importantly, I think Felten misrepresents who might be misinformed. The issue, I believe, is not exclusively about misinformation (though there’s some of that); it’s about classification.

My observation is that the NSA collects a great deal of cell data under EO 12333 authorities — an observation backed by (among other sources) Snowden-released documents.

The question, then, is how much the NSA and ODNI are willing to talk about EO 12333 activities. And the answer to that has consistently been “unwilling.” As recently as October, James Clapper outright refused to answer an Amy Klobuchar question pertaining to EO 12333 authorities. When I asked former senior DNI official Jill Rhodes about EO 12333 collection last Friday — referring exclusively to information ODNI had declassified — she would not address that question either. We should assume that Intel Community sources will not discuss issues pertaining to EO 12333, publicly at least, all the more so when they involve GCHQ. I believe the Intelligence Committees have more information, but even there, Dianne Feinstein is quite clear that they have less oversight on EO 12333 activities than they do on FISA ones.

In addition, it’s worth noting that the only way Administration figures can have told the truth in all statements (both in their explicit claims to the Courts and Congress that they need the entire haystack and in their anonymous claims that they only get 30% of phone data under Section 215) is if the haystack incorporates data from other sources as well. Which the public record shows to be the case.

All that said, I do think Felten’s explanation is part of what’s going on. He suggests the NSA may just have never properly solved some of the underlying problems they claim to be facing today.

Why might straightforward technical issues be holding up the program? One reason is that the program might be mired in technical debt.

For those not familiar with the concept, technical debt is a concept from software engineering. If your project has an engineering problem to address, the “right” response is to understand the underlying cause and address it in a careful (yet cost-aware) fashion. Alternatively, you can slap on a quick and dirty “band-aid” solution that makes the problem go away in the short run but leaves the system more fragile and bug-prone. If you opt for the band-aid approach, you are taking on technical debt. Until you pay back the principal by addressing the underlying engineering problem, you will have to keep paying interest on the debt by devoting engineering effort to coping with extra crashes and bugs.

Although prudent managers take on technical debt at times, there is also a trap—as with financial debt—in which the burden of interest payments makes it more difficult to dig yourself out of debt, and your engineering staff spends all their time “putting out fires” rather than improving the product. Worst case, you can’t keep up with interest payments and can only pay the bills (i.e. keep the system alive) by taking on further debt. Then you slide into technical insolvency, where the system never really works right.

Government systems seem to be at higher risk of technical debt or insolvency, for reasons that would require another post to unpack.

This is why I said that some of the absurd claims peddled to the journalists have some grain of truth, such as the claim that crises in 2009 and 2013 prevented the NSA from fixing this problem. The claim is absurd if you believe the issue was seen as important in 2001 when NSA set up the dragnet or between 2006 and 2008 when NSA operated happily under FISC oversight or in 2011 to 2012 when the NSA was, in fact, working on precisely the issues the leaked reports say underlie the difficulties.

But it’s not absurd if the issue has been a problem primarily during those crisis periods when NSA didn’t manage the issue.

And given that we know Verizon was having problems in 2009 pertaining to the mix of foreign and domestic records, I think it’s safe to say that NSA kluged together solutions during the last crisis.

All that said, I suspect it is a technical debt created by legal debt, in part. While I think the issue here arises from legal arbitrage (the interest in doing whatever is most flexible under the law), I do think that may create technical issues (that should be a cinch to solve).