In Which Ben Wittes Proves Ben Wittes Is NAKED

/12 Comments/in , /by

160 days ago, Jim Sensenbrenner released a letter to Eric Holder expressing concern about the way DOJ had interpreted Section 215. In it, he did some creative editing to hide that he had had an opportunity to learn about that interpretation before he voted to reauthorize the PATRIOT Act.

160 days ago, I was (I believe) the first person to point out that obfuscation.

In those 160 days, I have also documented the serial lies and obfuscations of people like Keith Alexander, James Clapper, Robert Mueller, Mike Rogers, Valerie Caproni, Dianne Feinstein, Raj De, and Robert Litt. (one, two, three, four, five, six, seven, eight, nine, ten, eleven, twelve, thirteen, fourteen, fifteen, sixteen, seventeen, eighteen, nineteen, twenty, twenty-one, twenty-two, twenty-three, twenty-four, twenty-five, twenty-six, twenty-seven, twenty-eight, twenty-nine, thirty, thirty-one, thirty-two, thirty-three; trust me, this is just a quick survey). The most recent of these lies came last week when Raj De and Robert Litt claimed Congress had been fully informed about the authorities they were voting on, a claim which the Executive Branch’s own record proves to be false.

In spite of the clear imbalance between the lies NSA critics have told and those NSA apologists have told, Ben Wittes has made it a bit of a hobby to use Sensenbrenner’s single (egregious) lie to try to discredit NSA critics (without, of course, pointing out the serial, at times even more egregious, lies NSA apologists were telling). Of late, Wittes has harangued that, because he told a lie 160 days ago, Sensenbrenner is operating in bad faith when he criticizes NSA’s programs now. (See also this post.)

I have never questioned the good faith of Senators Patrick Leahy, Ron Wyden, or Rand Paul. They are legislators with a perspective. That’s how Congress works.

Rep. James Sensenbrenner is a different matter.

Since the bulk metadata program broke, the former chairman of the House Judiciary Committee has been on a campaign of denunciation of both agency activity under the Patriot Act—the law he helped write. And he has been denouncing the administration for having misled him about how Section 215 is being used too. He has done so with a breathtaking dishonesty that puts him in a different category from those members who have a policy dispute with the administration. [my emphasis]

Mind you, Wittes did not examine the content of Sensenbrenner’s more recent claims. Had he done so, he might have realized that the record supports Sensenbrenner’s complaints, even if the messenger for those complaints might be less than perfect.

It ignored restrictions painstakingly crafted by lawmakers and assumed a plenary authority never imagined by Congress. Worse, the NSA has cloaked its operations behind such a thick cloud of secrecy that, even if our trust was restored, Congress and the American people would lack the ability to verify it.

Note, we’re still learning the full extent of how the Executive Branch blew off limits placed on the PATRIOT authorities.

Wittes might even have noted Sensenbrenner’s apparent commitment to do his own job better.

“I hope that we have learned our lesson and that oversight will be a lot more vigorous,” Sensenbrenner said.

Even ignoring Wittes’ remarkable double standard, in which he suggests Sensenbrenner’s one lie should disqualify him from speaking on this topic forever while Clapper and Alexander’s seeming addiction to lies apparently shouldn’t even be mentioned in polite company, a highly regarded expert recently laid out new evidence for why Sensenbrenner has good reason to be angry, regardless of his role in passing PATRIOT in 2001 or 2006 or 2010 or even 2011.

The expert?

Ben Wittes.

Read more

Lavabit and The Definition of US Government Hubris

/8 Comments/in , , , , , , , , , , , , , , /by

Graphic by Darth

Graphic by Darth

Well, you know, if you do not WANT the United States Government sniffing in your and your family’s underwear, it is YOUR fault. Silly American citizens with your outdated stupid piece of paper you call the Constitution.

Really, get out if you are a citizen, or an American communication provider, that actually respects American citizen’s rights. These trivialities the American ethos was founded on are “no longer operative” in the minds of the surveillance officers who claim to live to protect us.

Do not even think about trying to protect your private communications with something so anti-American as privacy enabling encryption like Lavabit which only weakly, at best, even deigned to supply.

Any encryption that is capable of protecting an American citizen’s private communication (or even participating in the TOR network) is essentially inherently criminal and cause for potentially being designated a “selector“, if not target, of any number of searches, whether domestically controlled by the one sided ex-parte FISA Court, or hidden under Executive Order 12333, or done under foreign collection status and deemed “incidental”. Lavabit’s Ladar Levinson knows.

Which brings us to where we are today. Let Josh Gerstein set the stage:

A former e-mail provider for National Security Agency leaker Edward Snowden, Lavabit LLC, filed a legal brief Thursday detailing the firm’s offers to provide information about what appear to have been Snowden’s communications as part of a last-ditch offer that prosecutors rejected as inadequate.

The disagreement detailed in a brief filed Thursday with the U.S. Court of Appeals for the Fourth Circuit resulted in Lavabit turning over its encryption keys to the federal government and then shutting down the firm’s secure e-mail service altogether after viewing it as unacceptably tainted by the FBI’s possession of the keys.

I have a different take on the key language from Lavabit’s argument in their appellate brief though, here is mine:

First, the government is bereft of any statutory authority to command the production of Lavabit’s private keys. The Pen Register Statute requires only that a company provide the government with technical assistance in the installation of a pen- trap device; providing encryption keys does not aid in the device’s installation at all, but rather in its use. Moreover, providing private keys is not “unobtrusive,” as the statute requires, and results in interference with Lavabit’s services, which the statute forbids. Nor does the Stored Communications Act authorize the government to seize a company’s private keys. It permits seizure of the contents of an electronic communication (which private keys are not), or information pertaining to a subscriber (which private keys are also, by definition, not). And at any rate it does not authorize the government to impose undue burdens on the innocent target business, which the government’s course of conduct here surely did.

Second, the Fourth Amendment independently prohibited what the government did here. The Fourth Amendment requires a warrant to be founded on probable cause that a search will uncover fruits, instrumentalities, or evidence of a crime. But Lavabit’s private keys are none of those things: they are lawful to possess and use, they were known only to Lavabit and never used by the company to commit a crime, and they do not prove that any crime occurred. In addition, the government’s proposal to examine the correspondence of all of Lavabit’s customers as it searched for information about its target was both beyond the scope of the probable cause it demonstrated and inconsistent with the Fourth Amendment’s particularity requirement, and it completely undermines Lavabit’s lawful business model. General rummaging through all of an innocent business’ communications with all of its customers is at the very core of what the Fourth Amendment prohibits.

The legal niceties of Lavabit’s arguments are thus:

The Pen Register Statute does not come close. An anodyne mandate to provide information needed merely for the “unobtrusive installation” of a device will not do. If there is any doubt, this Court should construe the statute in light of the serious constitutional concerns discussed below, to give effect to the “principle of constitutional avoidance” that requires this Court to avoid constructions of statutes that raise colorable constitutional difficulties. Norfolk S. Ry. Co. v. City of Alexandria, 608 F.3d 150, 156–57 (4th Cir. 2010).

And, later in the pleading:

By those lights, this is a very easy case. Lavabit’s private keys are not connected with criminal activity in the slightest—the government has never accused Lavabit of being a co-conspirator, for example. The target of the government’s investigation never had access to those private keys. Nor did anyone, in fact, other than Lavabit. Given that Lavabit is not suspected or accused of any crime, it is quite impossible for information known only to Lavabit to be evidence that a crime has occurred. The government will not introduce Lavabit’s private keys in its case against its target, and it will not use Lavabit’s private keys to impeach its target at trial. Lavabit’s private keys are not the fruit of any crime, and no one has ever used them to commit any crime. Under those circumstances, absent any connection between the private keys and a crime, the “conclusion[] necessary to the issuance of the warrant” was totally absent. Zurcher, 436 U.S., at 557 n.6 (quoting, with approval, Comment, 28 U. Chi. L. Rev. 664, 687 (1961)).

What this boils down to is, essentially, the government thinks the keys to Lavabit’s encryption for their customers belong not just to Lavabit, and their respective customers, but to the United States government itself.

Your private information cannot be private in the face of the United States Government. Not just Edward Snowden, but anybody, and everybody, is theirs if they want it. That is the definition of bullshit.

[Okay, big thanks to Darth, who generously agreed to let us use the killer Strangelovian graphic above. Please follow Darth on Twitter]

The Phone Dragnet Did Not (and May Still Not) Meet the PATRIOT Act’s Minimization Requirements

/3 Comments/in , /by

While a number of the changes to Section 215 passed just before the government started relying on it to create a database of all phone-based relationships in the United States watered down the law, one provision made the law stricter.

The 2006 Reauthorization required the Attorney General to establish minimization procedures for the data collected under the program.

(g) Minimization Procedures and Use of Information- Section 501 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861) is further amended by adding at the end the following new subsections:

(g) Minimization Procedures-

(1) IN GENERAL- Not later than 180 days after the date of the enactment of the USA PATRIOT Improvement and Reauthorization Act of 2005, the Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this title.

(2) DEFINED- In this section, the term `minimization procedures’ means–

(A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 101(e)(1), shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance; and

(C) notwithstanding subparagraphs (A) and (B), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes.

(h) Use of Information- Information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title concerning any United States person may be used and disclosed by Federal officers and employees without the consent of the United States person only in accordance with the minimization procedures adopted pursuant to subsection (g). No otherwise privileged information acquired from tangible things received by the Federal Bureau of Investigation in accordance with the provisions of this title shall lose its privileged character. No information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title may be used or disclosed by Federal officers or employees except for lawful purposes.’.

But from the very start, the FISA Court and the Administration set out to ignore this requirement. After all, well before anyone did any analysis about the foreign intelligence value of the phone dragnet data, the FBI disseminated all of it, by having the telecoms hand it over directly to the NSA. And phone numbers are US person identifiers (best demonstrated by NSA’s use of phone numbers as identifiers to conduct searches in other contexts).

Thus, before any Agency even touched the data, the phone dragnet scheme violated this provision by disseminating non-publicly available information about US person identifiers on every single American without their consent.

According to FISC’s original Section 215 phone dragnet order, the NSA only had to abide by the existing SID-18 minimization procedures.

[D]issemination of U.S. person information shall follow the standard NSA minimization procedures found in the Attorney General-approved guidelines (U.S. Signals Intelligence Directive 18). [link added]

And the FBI only applied the minimization procedures it used to fulfill the statute after the NSA had already run queries on it.

With respect to any information the FBI receives as a result of this Order (information that is passed or “tipped” to it by NSA), the FBI shall follow as minimization procedures the procedures set forth in The Attorney General’s Guidelines for FBI National Security Investigations and Foreign Intelligence Collection (October 31, 2003). [link added]

Even after this initial order, the Attorney General did not comply with the mandate to come up with minimization procedures specific to Section 215. Instead, then Attorney General Alberto Gonzales just adopted four sections of the National Security Investigations Guidelines.

In analysis included in a 2008 review of the FBI’s use of Section 215, DOJ Inspector General Glenn Fine deemed this measure to fall short of the statute’s requirements.

These interim minimization procedures use general hortatory language stating that all activities conducted in relation to national security investigations must be “carried out in conformity with the Constitution.” However, we believe this broad standard does not provide the specific guidance for minimization procedures that the Reauthorization Act appears to contemplate.

[snip]

[T]he Reauthorization Act required the Department to adopt “specific procedures” reasonably designed to “minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” We believe that the interim procedures do not adequately address this requirement, and we recommend that the Department continue its efforts to construct specific minimization procedures relating to Section 215 orders, rather than rely on general language in the Attorney General’s NSI Guidelines.

As I’ll show in a follow-up post, presumably in response to Fine’s report, Attorney General Michael Mukasey adopted new, arguably even more general guidelines to fulfill this requirement, the AG Guidelines for Domestic FBI Operations. (I strongly suspect the August 20, 2008 FISC opinion the government won’t release authorizes the language that would appear in those Guidelines).

But the implications of this have more immediate significance.

After all, the only known American who got busted based on a Section 215 tip, Basaaly Moalin, argues for a new trial tomorrow. And he was tipped based on dissemination that took place in 2007 — that is, before DOJ even tried to address these problematic minimization procedures. He was tipped based on dissemination that — under the letter of the PATRIOT Act — should never have happened.

Update: With regards to Moalin’s case, this seems pertinent.

As of early December 2007, the [Director of National Intelligence] working group [trying to harmonize defintions] had not defined “U.S. person identifying information.

This means that, at the time he was identified in the dragnet, the entire intelligence community was still fighting over whether phone numbers constituted US person identifying information entitled to additional protection.

Update: In an address to the EU Parliament, Jim Sensenbrenner accuses NSA of ignoring civil liberty protections in the PATRIOT Act.

“I firmly believe the Patriot Act saved lives by strengthening the ability of intelligence agencies to track and stop potential terrorists, but in the past few years, the National Security Agency has weakened, misconstrued and ignored the civil liberty protections we drafted into the law,” he said, adding that the NSA “ignored restrictions painstakingly crafted by lawmakers and assumed a plenary authority we never imagined.”

The Opportunity Cost of the Global Dragnet

/16 Comments/in , , /by

Back in 2006-7, I wrote a series of posts in which I considered the opportunity cost of the Iraq War at a time when our hegemonic position was already clearly in decline. In the years leading up to the Iraq War, I believe Dick Cheney assessed the current energy regime on which our global power was based, and chose to reinvest in that already-crumbling basis of power: oil, reserve currency, global policeman by invading Iraq. What could have happened if we invested the trillion dollars we spent on losing a war in Iraq and instead invested in alternative energy? (An earlier, lost to history version of the post also considered fostering new leadership to deal with climate change.)

As the elites slowly realize we failed on a similarly catastrophic scale in our 5-year bailout of banks, we might expand the earlier question and ask what could have happened if we had invested those trillions, too, rather than propping up the banks that cement our global financial hegemony.

The debate over international privacy rights still ignores domestic privacy rights

It’s from that perspective that I read with interest the debate between David Cole, Orin Kerr, Kenneth Roth, and Ben Wittes over whether we ought to extend the privacy protections Americans enjoy to the rest of the world (or, at least, to citizens of allied countries). (See Cole, Kerr, Cole, Kerr, Roth, Wittes)

As a threshold matter, I think all are missing a key point. I believe the dragnet surveillance we conduct overseas right now clearly violates the Constitution. The NSA is knowingly collecting vast amounts of US person data (that it refuses to count even the domestically acquired dragnet collection hints at how much it’s collecting). And once they collect that vast, uncounted quantity of US person data, the NSA and FBI do not even require RAS before accessing the content of Americans’ communications.

In short, because the government didn’t make the same adjustments for increasingly globalized technology internationally they made in 2008 for domestic collection (the FISA Amendments Act permitted foreign collection domestically, but didn’t deal with the increasing amounts of domestic collection internationally it was doing), the NSA has basically eliminated all privacy protections for any of the significant amounts of US person communications that transit outside of the country.

So their debate should not just consider whether we ought to extend privacy protections to the French in France, but whether Americans retain their constitutional protections as their communications transit France.

The squandered opportunity of American Internet hegemony

But I also think the terms of debate International law (Cole and Roth) versus domestic sovereignty (Kerr) miss an equally important point. What obligations and best practices should the US have adopted as the world’s Internet hegemon?

Kerr sums up the International/domestic split this way:

I suspect that our differences reflect our priors, which in turn are based on two different conceptions of government. I tend to see governments as having legitimacy because of the consent of the governed, which triggers rights and obligations to and from its citizens and those in its territorial borders. As I understand David, he has more of a global view of government, by which governments are accountable to all humans worldwide. I suspect that difference leads us to talk past each other a bit. Consider David’s question: “Would we be satisfied to give the French authority to pick up all of our communications simply on a showing that we were not French and not living in France?” Under my conception of government, the question doesn’t make sense. Because we don’t have any rights vis-a-vis the French government, we can’t “give the French authority” to do anything or have any valid claim to satisfy.

While I’m sympathetic to both perspectives, to a point, I actually think they miss something. The US is not just any country. It has been, for the last 20 years, the world’s sole hegemon. And being the hegemon — as opposed to the coercive world empire, which is a much more expensive proposition — requires a similar kind of consent as that of your garden variety nation-state.

This is the point laid out in Henry Farrell and Martha Finnemore’s brilliant essay on American hypocrisy.

Of course, the United States is far from the only hypocrite in international politics. But the United States’ hypocrisy matters more than that of other countries. That’s because most of the world today lives within an order that the United States built, one that is both underwritten by U.S. power and legitimated by liberal ideas. Read more

Is the Government Hiding FISC’s “Erroneous” 215 Opinion Until After Basaaly Moalin’s Hearing for a New Trial?

/4 Comments/in , /by

As I mentioned in this post, the government is due to turn over the remaining documents in the ACLU FOIA for Section 215 documents on November 18. Among the documents it may release is a February 24, 2006 FISC opinion. This may be the only comprehensive opinion written to authorize the Section 215 dragnet … and if it’s not, no comprehensive opinion authorized the opinion until August 29, 2013.

In short, that release will answer a lot of questions about what former Assistant Attorney General David Kris suggests may have been an erroneous decision authorizing the entire phone dragnet. We’ll learn more November 18.

But that won’t help Basaaly Moalin, who on Wednesday, November 13, will argue he should have a new trial in light of disclosures that the government only started wiretapping him after being tipped by the Section 215 dragnet. If the Judge in his case, Jeffrey Miller, decides he doesn’t merit a new trial, then he will be sentenced on November 18. And then, later that same day, the government will release what could be evidence that the very foundations of the Section 215 dragnet that caught Moalin are “erroneous.”

That seems to be the way things have gone for Moalin since June 18, when the government pushback on the Snowden leaks first led Moalin to learn his entire prosecution rested on the Section 215 dragnet, and since August 28, when Moalin first started pushing for a delay in sentencing so he could push for a new trial.

Back in July, the ACLU demanded the government turn over all responsive documents by August 12. That would have brought the release of all documents a month before Moalin’s then-scheduled sentencing. Instead, the government asked to have until September 15, the day before the date scheduled for his sentencing. That request would have been almost two weeks after the 60 day extension James Clapper asked for on July 5, 2013.

On August 16, Judge Pauley set up this production schedule.

The Government will review the Foreign Intelligence Surveillance Court (FISC) Opinions at issue and release any segreable information not exempt under FOIA by September 10, 2013. The Government will review a second tranche of documents and release any segreable information not exempt under FOIA by October 10, 2013. The Government will review the remaining documents at issue, excluding the FISC orders in the final row of the Government’s Vaughn index, and release any segreable information not exempt under FOIA by 10/31/2013. The parties will submit a status report to the Court by 11/8/2013.

The October 10 and 31 dates got pushed back because of the shut-down (which, of course, was not DOJ’s fault).

But the results has been to limit the argument Moalin should be able to make. In the Motion for a new trial (submitted on September 5), for example, Moalin’s team relies on the October 3, 2011 John Bates opinion (released on August 21) rather than the slew of documents showing systemic problems with the very program that tipped Moalin admitted in 2009 (released September 10). The government even taunts them about it in their Response.

Defendants’ reliance on an October 3, 2011 FISC Opinion is misplaced. The opinion documented the FISC’s judicial review of the Government’s Certifications of Collection and Interception pursuant to Section 702 of FISA and is hence irrelevant here were Section 702 is not at issue.

Of course. But the only reason the defendants weren’t able to make the very same argument — that the NSA had almost no meaningful controls over the querying they were doing of the Section 215 dragnet — and make it with collection closer to the time when the dragnet tipped Moalin is because ODNI sat on the Section 215 disclosures until after Moalin submitted his motion.

Of particular concern is the delay in revealing details of contact chaining (and that at the time Moalin was tipped, it was possible to chain a fourth hop in). The defense clearly focused on the government’s admission that Moalin had been indirectly in contact with Aden Ayro. That’s a point the government almost entirely ignored in their response. Add in that the government is still largely hiding how it uses the phone dragnet to find burner phones (and the evidence the government used Moalin’s calls with Ayro to find the warlords new phone after he had ditched an old one), and the defense was only given delayed access to some of the details that might best undermine the case that such indirect contacts might constitute probable cause for a FISA warrant.

The defense integrated some of the revelations about the 2009 disclosures in their reply, submitted October 10. That left unavailable the documents released on October 28, some of which showed the government in violation of FISA Amendment’s Act’s requirement to provide all significant FISC opinions on the topic at hand to the Intelligence and Judiciary Committees. Those documents would also present additional challenges to the legitimacy of the two reauthorizations of the dragnet since 2006.

Now, maybe this is just coincidental, that the one person who might challenge his conviction through the use of Section 215 would be prevented from using documents that might show the program itself is “erroneous.”

But as people like Dianne Feinstein squawk that the program is “legal,” they’d be well advised to consider the remarkable way that Moalin was deprived of the documents that might allow a challenge to the law as erroneous from the very start.

Drone Strikes on the NYT’s Claim to Have Improved

/6 Comments/in , , /by

NYT Public Editor Margaret Sullivan attempts to tell the story of why the NYT held the illegal wiretap story before the 2004 election. Amid comments from the main players, she effectively admits that the NYT only published in 2005 because James Risen’s A State of War was about to come out.

Michael V. Hayden, who was the director of the N.S.A. and later the director of the Central Intelligence Agency, told me in an interview that he argued strenuously against publication, right up until the moment when The Times decided to go ahead. His rationale: “That this effort was designed to intercept threatening communication” and to prevent another terrorist attack.

In the end, The Times published the story with a couple of guns held to its head: First, the knowledge that the information in the article was also contained in a book by Mr. Risen, “State of War,” whose publication date was bearing down like a freight train. Second, at the end, the word of a possible injunction against publishing, Mr. Risen said, provided a final push: “It was like a lightning bolt.” (Mr. Hayden said that would not have happened: “Prior restraint was never in the cards.”)

Like a game of chicken played on a high wire, it remains “the most stressful and traumatic time of my life,” Mr. Risen recalls. Although The Times later said that further reporting strengthened the story enough to justify publishing it, few doubt that Mr. Risen’s book was what took an essentially dead story and revived it in late 2005. “Jim’s book was the driving force,” Mr. Lichtblau said.

Sullivan doesn’t mention another part of the story: that shortly after the NYT accused Risen of violating their ethics policy because he did not tell the NYT his book covered topics he had reported on for the paper — not just the illegal wiretap program, but also MERLIN, the attempt to stall the Iranian nuclear program by dealing them faulty blueprints. He had apparently told them he was writing a book on George Tenet.

When that news broke in early 2006, I concluded that Risen probably used the threat of scooping the NYT, and a nondisclosure agreement, to actually get the illegal wiretap program into the paper.

Let’s assume for a moment I’m correct in understanding the NYT spokesperson to be suggesting that Risen violated those ethical guidelines by publishing this book. Here’s the scenario such an accusation seems to spell out. (Speculation alert.) Risen attempted to publish both the NSA wiretap story and the Iran nuclear bomb story in 2004. NYT editors refused both stories. Then, in 2005 Risen takes book leave (and I should say that the NYT’s book leave policy is one of the best benefits it offers its writers), misleading his editors about the content of the book. Once he returns, his editors hear rumors that the book actually features the NSA wiretap story. Only in the face of imminent publication of the book do they reconsider publishing the wiretap story. Read more

Three Theories Why the Section 215 Phone Dragnet May Have Been “Erroneous” from the Start

/6 Comments/in , /by

Update, 1/6/14: I just reviewed this post and realize it’s based on the misunderstanding that the February 24 OLC opinion is from last year, not 2006. That said, the analysis of the underlying tensions that probably led to the use of Section 215 for the phone dragnet are, I think, still valid. 

According to ACLU lawyer Alex Abdo, the government may provide more documents in response to their FOIA asking for documents relating to Section 215 on November 18. Among those documents is a February 24, 2006 FISA Court opinion, which the government says it is processing for release.

That release — assuming the government releases the opinion in any legible form — should solve a riddle that has been puzzling me for several weeks: whether the FISA Court wrote any opinion authorizing the phone dragnet collection before its May 24, 2006 order at all.

The release may also provide some insight on why former Assistant Attorney General David Kris concedes the initial authorization for the program may have been “erroneous.”

More broadly, it is important to consider the context in which the FISA Court initially approved the bulk collection. Unverified media reports (discussed above) state that bulk telephony metadata collection was occurring before May 2006; even if that is not the case, perhaps such collection could have occurred at that time based on voluntary cooperation from the telecommunications providers. If so, the practical question before the FISC in 2006 was not whether the collection should occur, but whether it should occur under judicial standards and supervision, or unilaterally under the authority of the Executive Branch.

[snip]

The briefings and other historical evidence raise the question whether Congress’s repeated reauthorization of the tangible things provision effectively incorporates the FISC’s interpretation of the law, at least as to the authorized scope of collection, such that even if it had been erroneous when first issued, it is now—by definition—correct. [my emphasis]

That “erroneous” language comes not from me, but from David Kris, one of the best lawyers on these issues in the entire country.

And the date of the opinion — February 24, 2006, 6 days before the Senate would vote to reauthorize the PATRIOT Act having received no apparent notice the Administration planned to use it to authorize a dragnet of every American’s phone records — suggests several possible reasons why the original approval is erroneous.

Possibility one: There is no opinion

The first possibility, of course, is that my earlier guess was correct: that the FISC court never considered the new application of bulk collection, and simply authorized the new collection based on the 2004 Colleen Kollar-Kotelly opinion authorizing the Internet dragnet. In this possible scenario, that February 2006 opinion deals with some other use of Section 215 (though I doubt it, because in that case DOJ would withhold it, as they are doing with two other Section 215 opinions dated August 20, 2008 and November 23, 2010).

So one possibility is the FISA Court simply never considered whether the phone dragnet really fit the definition of relevant, and just took the application for the first May 24, 2006 opinion with no questions. This, it seems to me, would be erroneous on the part of FISC.

Possibility two: FISC approved the dragnet based on old PATRIOT knowing new “relevant to” PATRIOT was coming

Another possibility is that the FISA Court rushed through approval of the phone dragnet knowing that the reauthorization that would be imminently approved would slightly different language on the “relevance” standard (though that new language was in most ways more permissive). Thus, the government would already have an approval for the dragnet in hand at the time when they applied to use it in May, and would just address the “relevance” language in their application, which we know they did.

In this case, the opinion would seem to be erroneous because of the way it deliberately sidestepped known and very active actions of Congress pertaining to the law in question.

Possibility three: FISC approved the dragnet based on new PATRIOT language even before it passed

Another possibility is that FISC approved the phone dragnet before the new PATRIOT language became law. That seems nonsensical, but we do know that DOJ’s Office of Intelligence Policy Review briefed FISC on something pertaining to Section 215 in February 2006.

After passage of the Reauthorization Act on March 9, 2006, combination orders became unnecessary for subscriber information and [one line redacted]. Section 128 of the Reauthorization Act amended the FISA statute to authorize subscriber information to be provided in response to a pen register/trap and trace order. Therefore, combination orders for subscriber information were no longer necessary. In addition, OIPR determined that substantive amendments to the statute undermined the legal basis for which OIPR had received authorization [half line redacted] from the FISA Court. Therefore, OIPR decided not to request [several words redacted] pursuant to Section 215 until it re-briefed the issue for the FISA Court. 24

24 OIPR first briefed the issue to the FISA Court in February 2006, prior to the Reauthorization Act. [two lines redacted] [my emphasis]

Still, this passage seems to reflect an understanding, at the time DOJ briefed FISC and at the time that the FISC opinion was written that the law was changing in significant ways (some of which made it easier for the government to get IDs along with the Internet metadata it was collecting using a Pen Register).

This would seem to be erroneous for timing reasons, in that the judge issued an opinion based on a law that had not yet been signed into law, effectively anticipating Congress.

The looming threat of Hepting v. AT&T and Mark Klein’s testimony

Which brings me to why. The 2009 Draft NSA IG Report describes some of what went on in this period.

After the New York Times article was published in December 2005, Mr. Potenza stated that one of the PSP providers expressed concern about providing telephone metadata to NSA under Presidential Authority without being compelled. Although OLC’s May 2004 opinion states that NSA collection of telephony metadata as business records under the Authorization was legally supportable, the provider preferred to be compelled to do so by a court order.

As with the PR/TT Order, DOJ and NSA collaboratively designed the application, prepared declarations, and responded to questions from court advisors. Their previous experience in drafting the PRTT Order made this process more efficient.

The FISC signed the first Business Records Order on 24 May 2006. The order essentially gave NSA the same authority to collect bulk telephony metadata from business records that it had under the PSP. And, unlike the PRTT, there was no break in collection at transition.

But the IG Report doesn’t explain why the telecom(s) started getting squeamish after the NYT scoop.

It doesn’t mention, for example, that on January 17, 2006, the ACLU sued the NSA in Detroit. A week after that suit was filed, Attorney General Alberto Gonzales wrote the telecoms a letter giving them cover for their cooperation.

On 24 January 2006, the Attorney General sent letters to COMPANIES A, B, and C, certifying under 18 U.S.C. 2511 (2)( a)(ii)(B) that “no warrant or court order was or is required by law for the assistance, that all statutory requirements have been met, and that the assistance has been and is required.”

Note, this wiretap language pertains largely to the collection of content (that is, the telecoms had far more reason to worry about sharing content). Except that two issues made the collection of metadata particularly sensitive: the data mining of it, and the way it was used to decide who to wiretap.

More troubling still to the telecoms, probably, came when EFF filed a lawsuit, Hepting, on January 31 naming AT&T as defendant, largely based on an LAT story of AT&T giving access to the its stored call records.

But I’m far more interested in the threat that Mark Klein, the AT&T technician who would ultimately reveal the direct taps on AT&T switches at Folsom Street, posed. Read more

Was Adel Daoud Targeted Off of a Back Door Search of Traditional FISA Collection?

/9 Comments/in /by

Daoud Adel is a 20-year old US citizen from suburban Chicago who was charged last year in an FBI sting in which he allegedly tried to set off a car bomb outside a night club. Last year, during the debate on FISA Amendments Act reauthorization, Dianne Feinstein named his case directly, suggesting he had been busted using the legislation before the Senate. His legal team first demanded the FAA material she suggested existed back in May. And in September, they requested discovery for materials relating to FAA.

The government, however, strongly suggests none of the communications used to charge him were collected under FAA. It even suggests he misunderstands the meaning of DiFi’s comment.

Any discovery based on the FAA is unwarranted here because the FAA is simply not at issue in this case. As the Government explained in a previous filing, it “does not intend to use any such evidence obtained or derived from FAA-authorized surveillance in the course of this prosecution.” (DE 49, at 2).

[snip]

The defendant’s claim that the Government should disclose “the nature of the FAA surveillance in this case even, for instance[,] Defendant’s communications themselves were not intercepted” is perplexing. (DE 52, at 15 n.11). If Daoud’s communications were not intercepted, or his facilities not targeted, he would not be aggrieved and have no basis to challenge the collection. The Government sees no legal relevance to his broad discovery request.

Moreover, the defendant has also made multiple claims, in this motion and others, based on his interpretation of a single public remark. While the Government appreciates the defendant’s position in litigating FISA-related matters, it offers that the defendant may misunderstand this public remark, which is not a revelation that has any legal implication.

[snip]

As the Government has explained, this case singularly involves “traditional” FISA surveillance. [my emphasis]

Soapbox Orator’s comments in response to one of my posts on back door searches led me to examine the government’s response closely and I now suspect Daoud may have been identified using a back door search on traditional FISA collection.

Much of this debate centers on comments DiFi made on December 27, 2012, which seemed to suggest the 8 cases she named involved FAA.  But those comments were in response to comments Ron Wyden had just made. In that speech Wyden described (among other problems with FAA) back door searches.

The fact is, once the government has this pile of communications, which contains an unknown but potentially very large number of Americans’ phone calls and e-mails, there are surprisingly few rules about what can be done with it.

For example, there is nothing in the law that prevents government officials from going to that pile of communications and deliberately searching for the phone calls or e-mails of a specific American, even if they do not have any actual evidence that the American is involved in some kind of wrongdoing, some kind of nefarious activity.

Read more

The Leahy-Sensenbrenner Language on Back Door Searches Improves But Doesn’t Eliminate the Back Door

/8 Comments/in , /by

As the top Intelligence Community lawyers have made clear, the IC maintains it can search US person data incidentally collected under Section 702 without any suspicion, as well as for the purposes of making algorithms, cracking encryption, and to protect property.

The Leahy-Sensenbrenner bill tries to rein in this problem. And its fix is far better than what we’ve got now. But it almost certainly won’t fix the underlying problem.

Here’s what the law would do to the “Limitations” section of Section 702. The underlined language is new.

(b) Limitations

(1) IN GENERAL.—An acquisition

(A) may not intentionally target any person known at the time of acquisition to be located in the United States;

(B) may not intentionally target a person reasonably believed to be located outside the United States if a significant purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States;

(C) may not intentionally target a United States person reasonably believed to be located outside the United States;

(D) may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States; and

(E) shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.

(2) CLARIFICATION ON PROHIBITION ON SEARCHING OF COLLECTIONS OF COMMUNICATIONS OF UNITED STATES PERSONS.—

(A) IN GENERAL.—Except as provided in subparagraph (B), no officer or employee of the United States may conduct a search of a collection of communications acquired under this section in an effort to find communications of a particular United States person (other than a corporation).

Read more

The Intelligence Community’s Wide Open, Unprotected Back Door to All Your Content

/2 Comments/in , , /by

PCLOB has posted the transcript from the first part of its hearing on Monday. So I want to return to the issue I raised here: both Director of National Intelligence General Counsel Robert Litt and NSA General Counsel Raj De admit that there are almost no limits on Intelligence Community searches of incidentally collection US person data (we know that FBI, NSA, and CIA have this authority, and I suspect National Counterterrorism Center does as well).

This discussion starts when PCLOB Chair David Medine asks whether the IC would consider getting a warrant before searching on incidentally collected data.

MR. MEDINE: And so turning to the protections for U.S. persons, as I understand it under the 702 program when you may target a non-U.S. person overseas you may capture communications where a U.S. person in the United States is on the other end of the communication. Would you be open to a warrant requirement for searching that data when your focus is on the U.S. person on the theory that they would be entitled to Fourth Amendment rights for the search of information about that U.S. person?

MR. DE: Do you want me to take this?

MR. LITT: Thanks, Raj. Raj is always easy, he raises his hands for all the easy ones.

MR. DE: I can speak for NSA but this obviously has implications beyond just NSA as well.

MR. LITT: I think that’s really an unusual and extraordinary step to take with respect to information that has been lawfully required.

I mean I started out as a prosecutor. There were all sorts of circumstances in which information is lawfully acquired that relates to persons who are not the subject of investigations. You can be overheard on a Title III wiretap, you can overheard on a Title I FISA wiretap. Somebody’s computer can be seized and there may be information about you on it.

The general rule and premise has been that information that’s lawfully acquired can be used by the government in the proper exercise of authorities.

Now we do have rules that limit our ability to collect, retain and disseminate information about U.S. persons. Those rules, as know, are fairly detailed. But generally speaking, we can’t do that except for foreign intelligence purposes, or when there’s evidence of a crime, or so on and so forth. But what we can’t do under Section 702 is go out and affirmatively use the collection authority for the purpose of getting information about U.S. persons. Once we have that information I don’t think it makes sense to say, you know, a year later if something comes up we need to go back and get a warrant to search that information. [my emphasis]

Litt compares finding incidental information on a laptop, presumably seized using a warrant, with searching for incidental information on a digital collection that includes very few limits on specificity. Remember, NSA can and has claimed a targeted “facility” may mean all the Internet traffic from a particular country or at least a region of a country. This is petabytes of data obtained with a directive, not gigabytes obtained with a specific warrant.

Read more