How NSA Spies on First Amendment Protected Speech: The EO 12333 Loophole

/3 Comments/in /by

As important as the fact that NSA was illegally watch-listing 3,000 US Persons is what they did once they got caught doing so.

They kept watch-listing them.

As I noted, NSA’s solution to the problem that it had put 3,000 US Persons on its contact-chaining and alert list without doing the First Amendment review required by Section 215 was simply to move them off the list available for use with Section 215 data.

NSA remedied this compliance incident by re-designating all such telephone identifiers as non RAS-approved for use as seed identifiers in early February 2009.

The NSA continued its alert list function after the problems with it were discovered; it just restricted its use to data collected under EO 12333. Which appears to mean these 3,000 US persons would continue to have their communications that came up in EO 12333 collections (which would be collected outside of the country) watch-listed. That wouldn’t give the NSA as much data about their conversations, granted, but they chose to do that rather than affirm that they weren’t watch-listing these people solely because of First Amendment protected activities.

That suggests the NSA could — and may have, in at least some of these cases — spy on Americans’ because of their speech or religion or politics, so long as they did so only using collections for which the First Amendment protections do not attach.

Now, we don’t know whether and how many of those 3,000 people were targeted for their First Amendment activities. But seeing NSA’s behavior here does raise questions about the US person described in this story about the NSA’s efforts to discredit ideological foes of the US.

One of 6 “radicalizers” NSA sought discrediting information on in 2012 is a US person (though living overseas). The NSA used contact chaining to measure the targets’ (limited, in the case of the English speakers) ties to extremists. And then it collected things like their online porn habits.

But the thing is, it appears that the impetus for this porn-sniffing pertained only to the NSA’s very expansive disagreement with the 6 “radicalizers” ideology.

It was about their speech, including the speech of the US person.

It appears the NSA believes its mandate includes spying on Americans for their protected speech, just so long as it does so using their EO 12333 authorities.

Share this entry

Project Minaret 2.0: Now, with 58% More Illegal Targeting!

/6 Comments/in , /by

Screen shot 2014-01-06 at 1.03.11 PM

For weeks, I have been trying to figure out why the NSA, in a training program it created in August 2009, likened one of its “present abuses” to Project Minaret. What “unauthorized targeting of suspected terrorists in the US” had they been doing, I wondered, that was like “watch-listing U.S. people for evidence of foreign influence.”

Until, in a fit of only marginally related geekdom, I re-read the following passage in Keith Alexander’s declaration accompanying the End-to-End review submitted to the FISA Court on August 19, 2009 (that is, around the same time as the training program).

Between 24 May 2006 and 2 February 2009, NSA Homeland Mission Coordinators (HMCs) or their predecessors concluded that approximately 3,000 domestic telephone identifiers reported to Intelligence Community agencies satisfied the RAS standard and could be used as seed identifiers. However, at the time these domestic telephone identifiers were designated as RAS-approved, NSA’s OGC had not reviewed and approved their use as “seeds” as required by the Court’s Orders. NSA remedied this compliance incident by re-designating all such telephone identifiers as non RAS-approved for use as seed identifiers in early February 2009. NSA verified that although some of the 3,000 domestic identifiers generated alerts as a result of the Telephony Activity Detection Process discussed above, none of those alerts resulted in reports to Intelligence Community agencies. 7

7 The alerts generated by the Telephony Activity Detection Process did not then and does not now, feed the NSA counterterrorism target knowledge database described in Part I.A.3 below. [my emphasis]

As I’ll explain below, this passage means 3,000 US persons were watch-listed without the NSA confirming that they hadn’t been watch-listed because of their speech, religion, or political activity.

Here’s the explanation.

Read more

Share this entry

What Michael Flynn’s DIA Imputes to Facts We Know

/16 Comments/in , , /by

Before I point to reasons why we should exercise some caution before we believe a DIA report claiming that Edward Snowden’s entire leak was orchestrated by the Russians, let me lay out the following.

First. until such time as we see evidence that the reported documents somehow inordinately benefit Russia (and/or see evidence that our cooperation with Russia isn’t increasing during the period of Snowden’s asylum there), I’m not much interested in the question. I’m still so busy — both between Snowden document reports and documents declassified in response to FOIAs in a false show of transparency — reading about programs Americans should have known, that I don’t have time or interest in this manufactured sideshow.

Second, I don’t know what Snowden’s relationship with Russia is (and suspect 99% of the people commenting don’t either). The claims Mike Rogers, in particular, made on Sunday are full of Clown Show logic problems, some of which Snowden debunked in a limited rebuttal in an interview with Jane Mayer. Some accusers and defenders are conflating what happened while Snowden was working at NSA and what happened after Snowden got stuck in Moscow. All that said, while we have no evidence of cooperation now, I fully expect Vlaidimir Putin tried all he could to get as much out of Snowden as he could.

I don’t know.

What I do know is that DIA under General Michael Flynn’s leadership seems to be developing a pattern of leaking sensational intelligence conclusions based on apparently bad logic at politically opportune moments.

The accusations against Snowden are from a DIA report that DIA’s Director, Michael Flynn, organized.

The Defense Department report was conducted by the Defense Intelligence Agency in coordination with other intelligence agencies across the government, according to two sources familiar with its findings. A spokesperson for the DIA said Lt. Gen. Michael Flynn, the agency’s director, organized a task force “to assess the potential impact to the Department of Defense from the compromise of this information.” But the spokesman did not say what, if any, conclusions the task force had reached about actual damage caused by documents Snowden took, regardless of whether they’ve been disclosed or not.

Admittedly, the conclusions of it got leaked with apparent White House permission. But it got leaked in the worst manner of Obama Administration asymmetric leaking, which have a history of being rather partial and politically self-serving.

Moreover, the entire orchestrated leak feels a lot like the “leak” last year — during heightened tensions between North and South Korea — of DIA’s conclusion that North Korea had the capability of launching a nuclear weapon on a ballistic missile. Republican Congressman Doug Lamborn, protected by Speech and Debate, revealed a detail that “accidentally” wasn’t redacted in a larger declassified finding. The “leak” fed a lot of fearmongering even as the Obama Administration was trying to temper responses.

A week after the initial leak, James Clapper and Flynn happened to testify before the Senate Armed Services Committee (the entire clip is worthwhile, but the particularly important parts start after 4:00). And in response to some Ted Cruz questions about North Korea, both Clapper and Flynn made it clear that the reason DIA had come to different conclusions than the rest of the Intelligence Community was because of the assumptions it had made. This inflammatory finding arose because of “a difference in how we judge assumptions,” Flynn explained. Clapper (who had spent a week trying to batten down the alarmism) said the debate arose from the “facts we know versus what we impute to those facts.”

That is, DIA had imputed conclusions to facts other agencies hadn’t.

According to its Director, DIA has a difference in how it judges assumptions from other intelligence agencies. And in this case, those who have read the DIA report appear to be repeating allegations remarkably divorced from any evidence, relying on wacky theories rather than real evidence.

Michael Flynn seems to be making a habit of this kind of analysis.

Share this entry

Third Party Booz(e)

/11 Comments/in /by

In Volokh Conspiracy’s new digs at the WaPo, former DHS Assistant Secretary Stewart Baker pushes back on Georgetown Professor Randy Barnett’s call to end the Third Party doctrine in truly remarkable terms.

Randy’s solution to that problem is to overrule a line of Supreme Court cases (Smith v. Maryland) holding that no one has a reasonable expectation of privacy in information they’ve disclosed to a third party. With Smith v. Maryland set aside, the government would need a search warrant to see the metadata.

Overruling Supreme Court precedent is a law professor’s prerogative, but the rest of us don’t have to go along. And in fact the Smith v. Maryland doctrine makes sense, especially compared to Randy’s solution. We all learned no later than the third grade that secrets shared with another are not really secrets. They can be revealed at times and in ways we never expected. It hurts, but it’s a fact of life.

Randy’s solution is a fiction; he wants the courts to deny the facts of life and pretend that we still control information we willingly gave away. [my emphasis]

“We all learned no later than the third grade,” this Snowden critic says, “that secrets shared with another are not really secrets.”

Such secrets “can be revealed at times and in ways we never expected,” Baker warns.

“The facts of life,” prove that we do not “still control information we willingly gave away.”

Baker argues that the Third Party doctrine arises not as a matter of law, but as a matter of fact, the facts of life, that no entity that shares information with another entity can claim that information is secret.

The NSA, of course, willingly gives away information all the time. Huge chunks of that data go to Booz Allen Hamilton, the contractor Snowden worked for. Equally large chunks go to GCHQ. Chunks of that data go to Lockheed and SAIC and a slew of other contractors.

According to Stewart Baker’s facts of life, the NSA has no business expecting this data to remain secret. None. Believing such data is secret defies common third grade logic and the facts of life.

Now that a big defender of the NSA has made the case that the NSA, too, is subject to the Third Party doctrine, perhaps we can move forward on giving the Third Grade treatment to all of their secret programs so we can debate them like adults?

Share this entry

Apparently, US Officials Can’t Get Verizon on the Line

/4 Comments/in /by

The WaPo has a story quoting anonymous US officials warning that it will be impossible to meet President Obama’s direction to find a solution for the phone dragnet by March 28. (Note, this is a circumstance where WaPo really ought to provide a bit more description of who these anonymous sources are, particularly given the likelihood that 1) certain Congressional sources can be expected to sabotage any plan and 2) certain contractors can be expected to try to profit off any changes.)

But I couldn’t get beyond this line without laughing:

No meeting has been scheduled between government officials and the phone companies to discuss the issue, and no decision has been made about approaching the companies to further discuss the possibility of them holding the records.

In a story claiming there are real obstacles to making this move, WaPo reports that no one has talked to Verizon and the other telecoms, nor have they even decided whether to talk to them about holding the records.

That is, one excuse cited by these anonymous and potentially self-interested people is that they have not yet gotten Verizon on the line.

As if establishing communication with a telecom that is supplying “substantially all” of their metadata on a daily basis would be prohibitively difficult.

At least that’s the story they’re telling, behind the veil of anonymity.

Share this entry

FISA Warranted Targets and the Phone Dragnet

/3 Comments/in , /by

The identifiers (such as phone numbers) of people or facilities for which a FISA judge has approved a warrant can be used as identifiers in the phone dragnet without further review by NSA.

From a legal standpoint, this makes a lot of sense. The standard to be a phone dragnet identifier is just Reasonable Articulable Suspicion of some tie to terrorism — basically a digital stop-and-frisk. The standard for a warrant is probable cause that the target is an agent of a foreign government — and in the terrorism context, that US persons are preparing for terrorism. So of course RAS already exists for FISC targets.

So starting with the second order and continuing since, FISC’s primary orders include language approving the use of such targets as identifiers (see ¶E starting on page 8-9).

But there are several interesting details that come out of that.

Finding the Americans talking with people tapped under traditional FISA

First, consider what it says about FISC taps. The NSA is already getting all the content from that targeted phone number (along with any metadata that comes with that collection). But NSA may, in addition, find cause to run dragnet queries on the same number.

In its End-to-End report submission to Reggie Walton to justify the phone dragnet, NSA claimed it needed to do so to identify all parties in a conversation.

Collections pursuant to Title I of FISA, for example, do not provide NSA with information sufficient to perform multi-tiered contact chaining [redacted]Id. at 8. NSA’s signals intelligence (SIGINT) collection, because it focuses strictly on the foreign end of communications, provides only limited information to identify possible terrorist connections emanating from within the United States. Id. For telephone calls, signaling information includes the number being called (which is necessary to complete the call) and often does not include the number from which the call is made. Id. at 8-9. Calls originating inside the United States and collected overseas, therefore, often do not identify the caller’s telephone number. Id. Without this information, NSA analysts cannot identify U.S. telephone numbers or, more generally, even determine that calls originated inside the United States.

This is the same historically suspect Khalid al-Midhar claim, one they repeat later in the passage.

The language at the end of that passage emphasizing the importance of determining which calls come from the US alludes to the indexing function NSA Signals Intelligence Division Director Theresa Shea discussed before — a quick way for the NSA to decide which conversations to read (and especially, if the conversations are not in English, translate).

Section 215 bulk telephony metadata complements other counterterrorist-related collection sources by serving as a significant enabler for NSA intelligence analysis. It assists the NSA in applying limited linguistic resources available to the counterterrorism mission against links that have the highest probability of connection to terrorist targets. Put another way, while Section 215 does not contain content, analysis of the Section 215 metadata can help the NSA prioritize for content analysis communications of non-U.S. persons which it acquires under other authorities. Such persons are of heightened interest if they are in a communication network with persons located in the U.S. Thus, Section 215 metadata can provide the means for steering and applying content analysis so that the U.S. Government gains the best possible understanding of terrorist target actions and intentions. [my emphasis]

Though, as I have noted before, contrary to what Shea says, this by definition serves to access content of both non-US and US persons: NSA is admitting that the selection criteria prioritizes calls from the US. And in the case of a FISC warrant it could easily be entirely US person content.

In other words, the use of the dragnet in conjunction with content warrants makes it more likely that US person content will be read.

Excluding bulk targets

Now, my analysis about the legal logic of all this starts to break down once the FISC approves bulk orders. In those programs — Protect America Act and FISA Amendments Act — analysts choose targets with no judicial oversight and the standard (because targets are assumed to be foreign) doesn’t require probable cause. But the FISC recognized this. Starting with BR 07-16, the first order approved (on October 18, 2007) after the PAA  until the extant PAA orders expired, the primary orders included language excluding PAA targets. Starting with 08-08, the first order approved (on October 18, 2007) after FAA until the present, the primary orders included language excluding FAA targets.

Of course, this raises a rather important question about what happened between the enactment of PAA on August 5, 2007 and the new order on October 18, 2007, or what happened between enactment of FAA on July 10, 2008 and the new order on August 19, 2008. Read more

Share this entry

Scorecard: Snowden-Related Publication of Verizon’s Name — 1. ODNI Publication of Verizon’s Name — 1.

/6 Comments/in , /by

Would you lookee here?

Sometime between the time I published this post — showing ODNI did not redact anything in this passage of the January 20, 2011 phone dragnet primary order
Screen shot 2014-01-20 at 3.20.11 AM

 

… And this afternoon, ODNI swapped out the document such that that passage now looks like this:

Screen shot 2014-01-21 at 3.26.21 PM

I guess maybe James Clapper’s office figured it would be hard to spew their defector propaganda if they themselves had published some of the same material.

We all know how Clapper strives to cover up his own crimes.

Except they did publish it.

Meaning ODNI has caused Verizon’s name to be published in conjunction with the phone dragnet as many times as Edward Snowden has. I wait with bated breath for the ill-considered “Traitor!!!” cries to be directed against Clapper.

Update: To be clear, as I noted on this post, I didn’t find this particular redaction error (I’ve got some more … interesting ones). Michael alerted me to it on Twitter. I just decided to point out that ODNI had tried to cover this up.

Share this entry

Once Again, Pew Misunderstands the Dragnet

/4 Comments/in /by

Screen shot 2014-01-21 at 11.03.56 AMBack in July, I pointed out that Pew’s analysis of a poll on the dragnet had falsely suggested 70% of participants were misinformed on the dragnet when in fact the polling outfit was.

A big chunk of Pew’s readers seem to have a more accurate understanding of the program than Pew’s pollsters.

Consider two of its three headline findings: that 70% use data for purposes other than terrorism and that 63% believe the government is collecting more than metadata.

The first question was asked like this:

Do you think this government data collection effort is only being used to investigate terrorism, or do you think the government uses this data for purposes other than terrorism investigations?

The second question was phrased like this:

Just your impression, does this government program only collect data such as phone numbers and e-mail addresses, or is it also collecting what’s actually being said in the calls and e-mails?

The thing is, both of these questions are true: The government collects content under Section 702, including the incidentally collected content of Americans (which they can go back and search on later). And the 702 program collects information for counter-proliferation, cybersecurity, and other foreign intelligence purposes (the metadata program is reportedly limited to terrorism … if you believe all of Iran is a terrorist organization).

That said, only some of the “other purposes” Pew readers cited — such as gathering information for other crimes, and for national security — match the ones the government admits to. They also name political targeting and general control.

While their report on recent polling is more subtle, they again appear to misunderstand the dragnet. Their headline stat is that approval of surveillance continues to go down. Even there, they suggest — still!! — that all this surveillance only targets terrorism and not (in a practice that is potentially far more intrusive to your average non-Muslim American) cybersecurity as well. (Update: The specific question was “Overall, do you approve or disapprove of the government’s collection of telephone and internet data as part of anti-terrorism efforts?”)

Then they seem befuddled that most respondents who followed Obama’s Friday speech closely don’t think the “reforms” he rolled out will have much affect, one way or another.

NSA Changes Have Little Impact

Obama’s proposed changes to the NSA’s data collection program did not register widely with the public. Just 49% say they heard about the proposed changes, with little difference across partisan groups.

Among those that did hear about the proposals, large majorities of Republicans (86%) and independents (78%) say these changes will not make much difference when it comes to protecting people’s privacy. Among Democrats who have heard of the changes, 56% say they won’t make much difference.

There is little concern that the changes to the NSA’s surveillance activities will hurt the government’s ability to fight terrorism. Overall, 79% of those who have heard about the proposals say they won’t make much difference in the government’s ability to fight terrorism; this view is shared by 85% of independents, 77% of Democrats and 75% of Republicans.

Admittedly, this is mostly just a read of the impact of Obama’s speech, without an assessment of the content of it. Yet it (especially the headline) seems to imagine that Obama rolled out substantive changes, especially affecting Americans. As I have noted, some of the changes he did make do no more than reinstitute current practice, without providing any new enforcement mechanism. But ultimately it is a far read that Obama preserved the dragnet.

So it is actually welcome that most non-partisan Democrats who watched closely understand that.

Share this entry

And Now the Counterproliferation Excuse to Expand the Dragnet

/1 Comment/in /by

The other day I noted how Obama’s speech set up terrorism, in the context of war, to justify the structure of the dragnet, then slipped cybersecurity into that framework without distinguishing what should be significantly different frameworks. Steven Aftergood reports that, in a new Defense Science Board report, DOD is attempting to do the same with counterproliferation. They recommend, in part, expanding the dragnet to the CP function.

The advances in persistent surveillance, automated tracking, rapid analyses of large and multi-source data sets, and open source analyses to support conventional warfighting and counterterrorism have not yet been exploited by the nuclear monitoring community…. New intelligence, surveillance, and reconnaissance (ISR) technologies, demonstrated in recent conflicts, offer significant promise for monitoring undesirable nuclear activity throughout the free world.”

The National Security Agency, among others, has pointed the way, the reportsuggested. A newly integrated global awareness system for counterproliferation should “build on lessons and experiences of successful national security capabilities, such as… NSA’s counterterrorism capabilities….”

“The ‘big data’ technologies for extracting meaning from vast quantities of data that are being developed commercially in the information technology (IT) industry, and for other purposes in DoD and the IC, need to be extended and applied to nuclear monitoring.”

Don’t get me wrong. I’m not suggesting counterproliferation is not a totally legitimate intelligence objective.

But I find their claims that the threat of non-state actions is brand new, now, in 2014.

In short, for the first time since the early decades of the nuclear era, the nation needs to be  equally concerned about both “vertical” proliferation (the increase in capabilities of existing  nuclear states) and “horizontal” proliferation (an increase in the number of states and non‐ state actors possessing or attempting to possess nuclear weapons).

After all, the threat of non-state proliferation had been identified before 9/11, and it served as the rationale for a lot of what we have done since then. Has DSB been asleep for the last 15 years?

Moreover, counterproliferation has been built into the dragnet from the start, and was explicitly carved out in the 2008 FISA Amendments Act. It’s fairly safe to presume that counterproliferation has always been one of the certifications under which FAA operates. It’s already part of the dragnet.

Finally, some of the novel kinds of proliferation that are likely of greatest concern — Pakistan and Saudi Arabia and friends — already should fall under the aegis of counterterrorism spying anyway.

Is there a reason DSB is calling to expand a dragnet for CP purposes when the dragnet supposedly already includes it?

Share this entry

The Privacy Problems (?) of Outsourcing the Dragnet

/8 Comments/in , /by

Both Ed Felten

I am reminded of the scene in Austin Powers where Dr. Evil, in exchange for not destroying the world, demands the staggering sum of “… one MILLION dollars.” In the year 2014, billions of records is not a particularly large database, and searching through billions of records is not an onerous requirement. The metadata for a billion calls would fit on one of those souvenir thumb drives they give away at conferences; or if you want more secure, backed up storage, Amazon will rent you what you need for $3 a month. Searching through a billion records looking for a particular phone number seems to take a few minutes on my everyday laptop, but that is only because I didn’t bother to build a simple index, which would have made the search much faster. This is not rocket science.

And Tim Edgar have started thinking about how to solve the dragnet problem.

One helpful technique, private information retrieval, allows a client to query a server without the server learning what the query is.  This would allow the NSA to query large databases without revealing their subjects of interest to the database holder, and without collecting the entire database.  Recent advances should allow such private searches across multiple, very large databases, a key requirement for the program.  The use of these cryptographic techniques would make the need for a separate consortium that holds the data unnecessary.  I discussed this in more detail in my testimonybefore the Senate Select Committee on Intelligence last fall.  Seny Kamara of Microsoft Researchpoints out these techniques were first outlined over fifteen years ago, while the state of the art is outlined in “Useable, Secure, Private Search” from IEEE Security and Privacy.

But I want to consider something both point to that President Obama said in his speech which both Felten and Edgar consider.

Relying solely on the records of multiple providers, for example, could require companies to alter their procedures in ways that raise new privacy concerns.

I’m admittedly obsessed by this, but one processing step the NSA currently uses on dragnet data seems to pose particularly significant privacy concerns: the data integrity role, in which high volume numbers — pizza joints, voice mail access numbers, and telemarketers, for example — are “defeated” before anyone starts querying the database.

This training module from 2011 (and therefore before some apparent additions to the data integrity role, as I’ll lay out in a future post) describes three general technical roles, the first of which would be partly eliminated if the telecoms kept the data.

  • Ensuring production meets the terms of the order and destroying that which exceeds it (5)
  • Ensuring the contact-chaining process works as promised to FISC (much of this description is redacted) (7)
  • Ensuring that all BR and PR/TT queries are tagged as such, as well as several other redacted tasks (this tagging feature was added after the 2009 problems) (9)

The first and third are described as “rarely coming into contact with human intelligible” metadata (the first function would likely see more intelligible data on intake of completed queries from the telecoms). But — assuming a parallel structure across these three descriptions — the redacted description on page 8 suggests that the middle function — what elsewhere is called the data integrity function — has “direct and continual access and interaction” with human intelligible metadata.

And indeed, the 2009 End-to-End Review and later primary orders describe the data integrity analysts querying the database with non-RAS approved identifiers to determine whether they’re high volume identifiers that should be taken out of the dragnet.

Those analysts are not just accessing data in raw form. They’re making analytic judgments about it, as this description from the E-2-E report explains.

As part of their Court-authorized function of ensuring BR FISA metadata is properly formatted for analysis, Data Integrity Analysts seek to identify numbers in the BR FISA metadata that are not associated with specific users, e.g., “high volume identifiers.” [Entire sentence redacted] NSA determined during the end-to-end review that the Data Integrity Analysts’ practice of populating non-user specific numbers in NSA databases had not been described to the Court.

(TS//SI//NT) For example, NSA maintains a database, [redacted] which is widely used by analysts and designed to hold identifiers, to include the types of non-user specific numbers referenced above, that, based on an analytic judgment, should not be tasked to the SIGINT system. Read more

Share this entry