FISA Archives - Page 96 of 179

Leahy-Sensenbrenner Would Shut the Section 702 Cybersecurity Loophole

November 7, 2013/4 Comments/in Cybersecurity, FISA /by emptywheel

I’m going to have a few posts on the Leahy-Sensenbrenner bill, which is the most likely way we’ll be able to rein in NSA spying. In addition to several sections stopping bulk collection, it has a section on collection of US person data under FISA Amendments Act (I’ll return to the back-door loophole later).

But I’m particularly interested in what it does with upstream collection. It basically adds a paragraph to section d of Section 702 that limits upstream collection to two uses: international terrorism or WMD proliferation.

(C) limit the acquisition of the contents of any communication to those communications—

(i) to which any party is a target of the acquisition; or

(ii) that contain an account identifier of a target of an acquisition, only if such communications are acquired to protect against international terrorism or the international proliferation of weapons of mass destruction.;

And adds a definition for “account identifier” limiting it to identifiers of people.

(1) ACCOUNT IDENTIFIER.—The term ‘account identifier’ means a telephone or instrument number, other subscriber number, email address, or username used to uniquely identify an account.

I believe the effect of this is to prevent NSA from using Section 702 to conduct cyberdefense in the US.

As I have noted, there are reasons to believe that NSA uses Section 702 for just 3 kinds of targets:

International terrorism
WMD proliferation
Cybersecurity

There are many reasons to believe one primary use of Section 702 for cybersecurity involves upstream collection targeted on actual pieces of code (that is, the identifier for a cyberattack, rather than the identifier of a user). As an example, the slide above, which I discuss in more detail here, explains that one of the biggest Section 702 successes involves preventing an attacker from exfiltrating 150 Gigs of data from a defense contractor. The success involved both PRISM and STORMBREW, the latter of which is upstream collection in the US.

In other words, the government has been conducting upstream collection within the US to search for malicious code (I’m not sure how they determine whether the code originated in a foreign country though given that they refuse to count domestic communications collected via upstream collection, I doubt they care).

So what these two sections of Leahy-Sensenbrenner would do is 1) limit the use of upstream collection to terrorists and proliferators, thereby prohibiting its use for cybersecurity, and 2) define “account identifier” to exclude something like malicious code.

There’s one more interesting aspect of this fix. Unlike many other sections of the bill, it doesn’t go into effect right away.

EFFECTIVE DATE.—The amendments made by subsections (a) and (b) shall take effect on the date that is 180 days after the date of the enactment of this Act.

The bill gives the Executive 6 months to find an alternative to this use of Section 702 — presumably, to pass a cybersecurity bill explicitly labeled as such.

Keith Alexander and others have long talked about the need to scan domestic traffic to protect against cyberattacks. But it appears — especially given the 6 month effective date on these changes — they’re already doing that, all in the name of foreign intelligence.

Senate Intelligence Swiss Cheese on OLC Memos

November 7, 2013/5 Comments/in Drones, FISA, Torture /by emptywheel

Great news!

After a member of the President’s party had to hold up that President’s nominee to head the CIA just to get Office of Legal Counsel memos authorizing the killing of an American citizen with no due process, the Senate Intelligence Committee has moved to force the Administration to turn over OLC memos in the future.

Terrible news!

The language is full of ginormous loopholes that would allow the Executive Branch to avoid sharing all the memos they’re already withholding.

Here’s what it says.

(1) REQUIREMENT TO PROVIDE LIST OF OPINIONS TO CONGRESS.—Except as provided in subsections (b) and (c), not later than 180 days after the date of the enactment of this Act and annually thereafter, the Attorney General, in coordination with the Director of National Intelligence, shall provide to the congressional intelligence committees a listing of every opinion of the Office of Legal Counsel of the Department of Justice that has been provided to an element of the intelligence community.

(2) CONTENT.—Each listing submitted under paragraph (1) shall include—

(A) as much detail as possible about the subject of each opinion;

(B) the date the opinion was issued;

(C) a listing of each recipient agency;

(D) whether the opinion has been made available to Congress or a specific committee of Congress, including the identity of each such committee; and

(E) for any opinion that has not been made available to Congress or a specific committee of Congress, the basis for such withholding.

(b) EXCEPTION FOR COVERT ACTION.—If the President determines that it is essential to limit access to a covert action finding under section 503(c)(2) of the National Security Act of 1947 (50 U.S.C. 3093(c)(2)), the

President may limit access to information concerning such finding that is subject to disclosure under subsection (a) to those members of Congress who have been granted access to the relevant finding under such section 503(c)(2).

(c) EXCEPTION FOR INFORMATION SUBJECT TO EXECUTIVE PRIVILEGE.—If the President determines that a particular listing subject to disclosure under subsection (a) is subject to an executive privilege that protects against such disclosure, the Attorney General shall not be required to disclose such opinion or listing if the Attorney General notifies the congressional intelligence committees, in writing, of the legal justification for such assertion of executive privilege prior to the date by which the opinion or listing is required to be disclosed.

Basically, this language requires the Attorney General to give the Intelligence Committees — not the public, not all of Congress, not even the Judiciary Committees — an annotated list — not the actual opinions! — of all the OLC memos written for an element of the Intelligence Community (which would presumably exclude the White House) in a given year.

There are two exceptions to this rule.

DOJ doesn’t have to include memos on covert operations — like torture, illegal domestic wiretapping, or drone killing — that have only been briefed to a subset of the committee, such as the Gang of Four. This would allow the White House to continue to hide all the OLC memos about which there have been contentious fights in the past, including the roughly seven OLC memos on targeted killing they’re still (as far as we know) sitting on.

And DOJ doesn’t have to include memos “subject to” executive privilege (it’s not clear he has to formally invoke executive privilege, mind you). If the limitation on this language wouldn’t already have done so, this would allow the White House to hide memos like the torture memos addressed to the White House rather than CIA or DOD.

Seriously, the annotated list mandated for the Intelligence Committees ought to be the standard mandated for the public, with provision to hide secret stuff. Which is close to the standard earlier Presidents had abided by.

So what this basically does is enshrine the status quo, in which the President doesn’t have to tell the American people what his lawyers say the law is.

Did CIA Take Its Phone Dragnet Business to AT&T When FISC Enforced the Rules?

November 7, 2013/2 Comments/in FISA, PATRIOT /by emptywheel

One important takeaway from Charlie Savage’s report that the CIA pays AT&T $10 million for phone records to hunt (the story goes, though I don’t buy it) terrorists is that CIA can replicate part of what the NSA’s phone dragnet does by working with just one company.

The C.I.A. supplies phone numbers of overseas terrorism suspects, and AT&T searches its database and provides records of calls that may help identify foreign associates, the officials said. The company has a huge archive of data on phone calls, both foreign and domestic, that were handled by its network equipment, not just those of its own customers.

[snip]

Most of the call logs provided by AT&T involve foreign-to-foreign calls, but when the company produces records of international calls with one end in the United States, it does not disclose the identity of the Americans and “masks” several digits of their phone numbers, the officials said.

Still, the agency can refer such masked numbers to the F.B.I., which can issue an administrative subpoena requiring AT&T to provide the uncensored data.

Granted, this program primarily gets foreign and only with minimization foreign to US call records (the Section 215 dragnet gets foreign to US and US to US, but we know from some of the 2009 violations that it also collects foreign to foreign under other programs). AT&T’s switches may not carry enough of the domestic traffic to provide US to US calls. But it does seem to accomplish what the I Con say is the primary purpose of the phone dragnet: to identify if Americans are talking to terrorists overseas and if so, who they are.

Interestingly, the story suggests that CIA has its own program because it is more efficient — precisely the reason NSA says it needs its own database.

The C.I.A. program appears to duplicate work performed by the N.S.A. But a senior American intelligence official, while declining to address whether the AT&T alliance exists, suggested that it would be rational for the C.I.A. to have its own program to check calling patterns linked to overseas terrorism suspects.

With on-the-ground operatives abroad seeking to disrupt terrorist activities in “time-sensitive threat situations,” the official said, the C.I.A. requires “a certain speed, agility and tactical responsiveness that differs” from that of other agencies. “That need to act without delay is often best met when C.I.A. has developed its own capabilities to lawfully acquire necessary foreign intelligence information,” the official said. [my emphasis]

If AT&T is so efficient at this function, then why can’t the NSA just rely on it?

Though it’s not clear whether AT&T offers more speed to CIA because CIA can get it directly, without having to go through oversight mechanisms the NSA must comply with, or because AT&T is just quicker than the NSA.

The few details about the history of the program may provide a hint.

The history of the C.I.A. program remains murky. It began sometime before 2010, and was stopped at some point but then was resumed, according to the officials.

“Sometime before 2010” may well be 2009, when Judge Walton stopped the practice by which both FBI and CIA were accessing phone dragnet results directly. That is, what we may be seeing is CIA replicating its own program, without FISA oversight, in response to losing more direct access under a program inadequately overseen (before 2009) by FISC.

Finally, let’s go back to the claim that CIA uses this solely to find terrorists. In his no comment comment in the story, CIA spokesperson Dean Boyd reminds that CIA also serves a counterintelligence function. So at a minimum, I’d be they’re using this to find potential spies in the US, in addition to terrorists.

But CIA’s mission is far broader than terrorism. And the phone dragnet program is limited — if however expansively — to use with counterterrorism targets. So one other reason CIA may do this (and probably FBI and NSA, in their own forms) is to target other kinds of targets.

Note, too, that by having AT&T do this analysis rather than NSA, CIA may also be able to conduct kinds of analysis on the call records that NSA can’t do with the phone dragnet (though the 2009 files make it clear it can with its non Section 215 collection).

At the very least, this story presents new challenges to I Con claims that it can’t accomplish its objectives without holding a database of every phone based relationship in the US.

But it also reminds us that the spooks will find other ways of getting the information they want, many of which have even less oversight than the phone dragnet.

Charles McCullough Too Busy Investigating Leakers to Investigate the Dragnet

November 6, 2013/5 Comments/in FISA, Leak Investigations /by emptywheel

As I noted back in September, Patrick Leahy and a bunch of other Senators asked the Intelligence Community Inspector General Charles McCullough to investigate the dragnet.

In particular, we urge you to review for calendar years 2010 through 2013:

the use and implementation of Section 215 and Section 702 authorities, including the manner in which information – and in particular, information about U.S. persons – is collected, retained, analyzed and disseminated;

applicable minimization procedures and other relevant procedures and guidelines, including whether they are consistent across agencies and the extent to which they protect the privacy rights of U.S. persons;

any improper or illegal use of the authorities or information collected pursuant to them; and

an examination of the effectiveness of the authorities as investigative and intelligence tools.

McCullough just answered.

No.

“At present, we are not resourced to conduct the requested review within the requested timeframe,” wrote McCullough, before adding he and other agency inspectors general are weighing now whether they can combine forces on a larger probe.

Leahy had asked McCullough to finish in what was then 15 months, December 2014, which would make it available for the PATRIOT Reauthorization due the next year.

Note, McCullough gave the same answer he and NSA’s IG gave when Ron Wyden asked how many Americans get caught up in the dragnet.

Not enough resources.

Mind you, he apparently has enough resources to do this:

Finally, we began to implement a program to lead IC-wide administrative investigations into unauthorized disclosures of classified information (i.e., “leak”) matters.

[snip]

The Investigations Division reviewed hundreds of closed cases from across the IC. Going forward, the division will engage in gap mitigation for those cases where an agency does not have the authority to investigate (multiple agencies or programs) or where DOJ declined criminal prosecution. The division will conduct administrative investigations with IG Investigators from affected IC elements to maximize efficiencies, expedite investigations, and enhance partnerships.

[snip]

The Investigations Division is reviewing 375 unauthorized disclosure case files.

But not enough resources to review a massive dragnet affecting every American in time to have results before the dragnet gets reauthorized.

Update: And apparently the Senate Intelligence Committee just told ODNI to investigate more leaks and pre-leaks.

Empowering the Director of National Intelligence to improve the government’s process to investigate (and reinvestigate) individuals with security clearances to access classified information;

Lawfare Uses Incomplete Facts about Abdulmutallab Trial to Attack Dirty Wars

November 5, 2013/11 Comments/in Drones, FISA /by emptywheel

I’m going to take a break from noting how Lawfare ignores the public record on NSA spying — both of past failures to inform Congress, and of Intelligence Community lies about having done so — to note how Lawfare ignores the public record on drone killing.

On Sunday, Lawfare posted a long review of Jeremy Scahill’s book Dirty Wars. While it is not entirely negative, it stakes a claim on what the public record shows to argue that Scahill glossed over what a dangerous man Anwar al-Awlaki was. Yet the review itself ignores key details in the public record.

First, full disclosure. I’m friends with Scahill, and he acknowledged me in the book. But given that I’m not quoted, I suspect he acknowledged me because I’ve followed certain aspects of the narrative he covered — especially the evidence in the Umar Farouk Abdulmutallab case and the shoddy OLC case to support Awlaki’s killing — in more detail than most other reporters.

It’s for that reason that I find the review to be so problematic.

After spending two paragraphs praising the on-the-ground reporting Scahill did, Lawfare reviewer Nick Basciano complains,

Scahill simply skips over facts that don’t promote his narrative of Awlaki. One such example comes in Awlaki’s relationship with Umar Farouk Abdulmutallab, the “Christmas Day Bomber” who attempted to detonate almost three ounces of PETN aboard Northwest flight 253 on its descent to Detroit. A publically-available and widely-cited sentencing memorandum for Abdulmutallab describes how Awlaki housed Abdulmutallab in Yemen and took him to AQAP’s primary bomb-maker, Ibrahim Al Asiri. There, they “discussed a plan for martyrdom mission” and Awlaki himself gave the bombing plot “final approval and instructed Defendant Abdulmutallab on it.” Awlaki’s “last instructions,” the memorandum continues, “were to wait until the airplane was over the United States and then to take the plane down.” Without dealing with this evidence from the Abdulmutallab trial, Scahill admits that Awlaki was only “in touch” with Abdulmutallab, insisting that “no conclusive evidence [was] presented, at least not publicly, that Awlaki had played an operational role in any attacks.” Why such a relevant piece of evidence isn’t included in Scahill’s retelling of the Abdulmuttallab plot is unclear, but it isn’t the only instance of turning a blind eye to evidence linking Awlaki’s directly to terrorism.

~~The trial, of course, took place several weeks after the final event of Scahill’s narrative, the killing of Abdulrahman al-Awlaki~~ [Correction: The trial took place on October 11 and 12, 2009, before Abdulrahman’s death. But as I note, the narrative presented there differs in key ways from the one Basciano adopts]. The sentencing took place several months later. That doesn’t mean Scahill couldn’t have included the evidence from “the trial.” But it was not part of the narrative arc Scahill told in the book.

Moreover, Basciano’s description ignores the reporting Scahill did do on Awlaki’s role in Abdulmutallab’s attempted attack, reporting based on talking to people who knew of Abdulmutallab’s movements in Yemen.

A local trial leader from Shabwah, Mullah Zabara, later told me he had seen the young Nigerian at the farm of Fahd al-Quso, the alleged USS Cole bombing conspirator. “He was watering trees,” Zabara told me. “When I saw [Abdulmutallab], I asked Fahd, ‘Who is he?'” Quso told Zabara the young man was from a different part of Yemen, which Zabara knew was a lie. “When I saw him on TV, then Fahd told me the truth.”

Awlaki’s role in the “underwear plot” was unclear. Awlaki later claimed that Abdulmutallab was one of his “students.” Tribal sources in Shabwah told me that al Qaeda operatives reached out to Awlaki to give religious counseling to Abdulmutallab, but that Awlaki was not involved in the plot. While praising the plot, Awlaki said he had not been involved with its conception of planning. (318)

After having complimented Scahill’s efforts to speak to people on the ground, Basciano did not mention that he had done so, too, in regards to the Abdulmutallab attack.

Moreover, if Scahill had used the material released in relation to the trial, the evidence would be much muddier than Basciano lays out. Read more →

DiFi’s “Surveillance” Dictionary Makes Her Beloved Phone Dragnet Illegal

November 4, 2013/6 Comments/in FISA, PATRIOT /by emptywheel

Ut oh.

Dianne Feinstein’s been writing op-eds again.

This one mostly rehashes the old arguments.

There’s the claim that stopping a guy less dangerous than Peter King once was is worth creating a database of all the phone-based relationships in the United States.

In fact, since its inception, this program has played a role in stopping roughly a dozen terror incidents in the United States. And it continues to contribute to our safety.

There’s the claim her deceitful legislation would make things better. (See here, here, here, here, and here for some details of why it will make things worse.)

On Oct. 31, the Senate Intelligence Committee took the first step to restore that confidence and bridge the gap between preventing terrorism and protecting civil liberties by passing the bipartisan Foreign Intelligence Surveillance Act Improvements Act.

And there’s the claim that “drip, drip, drip” and a higher standard of honesty that government officials has the ability to erode the mighty US military’s credibility.

This drip, drip, drip of disclosures – often without proper context and frequently just plain wrong – has eroded the confidence of the American people in the dedicated men and women of our intelligence community and the strong legal and constitutional protections already in place to prevent improper behavior.

But those arguments have all gotten stale by now.

What’s truly amusing is DiFi’s attempt to rebut the well-deserved mockery for her claim that creating a database of every phone-based relationship in the US to catch just two people with terrorist ties does not constitute surveillance.

This is not a surveillance program.

Merriam-Webster’s dictionary defines “surveillance” as “the act of carefully watching someone or something especially in order to prevent or detect a crime.”

In the case of the call-records program, neither individuals nor their phone conversations are being listened to. No one is being monitored. And no one is being watched under the call-record program.

Nevermind that Merriam-Webster provides this, as an example:

government surveillance of suspected terrorists

What’s so funny about DiFi’s op-ed is her desperate reliance on Merriam-Webster to defuse mockery.

Because — as I’ve noted — if the Administration had to rely on Merriam-Webster for their own definitional claims, it would destroy their claims that “substantially all” phone records in the United States are “relevant” — that is, “having significant and demonstrable bearing on the matter at hand” — to the hunt for terrorists.

To create this dragnet, after all, the Administration has had to blow up the meaning of “relevant” beyond all meaning. And they had to dig up an old British tome for this particular, all-important definition?

So I looked up how the American Merriam-Webster online dictionary defines “relevant.” Here are the first two definitions:

a : having significant and demonstrable bearing on the matter at hand

b : affording evidence tending to prove or disprove the matter at issue or under discussion <relevant testimony>

“Having significant and demonstrable bearing on the matter and hand.” Not, “possibly maybe having a teeny fraction bearing on the matter and hand.” But a “significant and demonstrable bearing” on a terrorist investigation, in context.

The same dictionary that DiFi clings to to justify her “surveillance” claim also shows why her beloved dragnet is illegal, a stretch of the word “relevant” so absurd that only old Englishmen would buy it.

So which is it DiFi? Your “not-surveillance” claim, or your dragnet?

Raj De and the Back-Door Loophole

November 4, 2013/8 Comments/in FISA /by emptywheel

As I already noted, NSA General Counsel lied in today’s PCLOB hearing when he said the use of Section 215 to conduct a phone dragnet had the indicia of legitimacy because Congress twice reauthorized the PATRIOT after the executive had given it full information.

We know that the 2010 freshman class — with the exception of the 7 members who served on the Judiciary or Intelligence Committees — did not have opportunity to learn the most important details about the phone dragnet before reauthorizing PATRIOT in 2011. And it appears DOJ withheld from the Judiciary and Intelligence the original phone dragnet opinion — and they clearly withheld significant FISC materials on it — until August 2010, after PATRIOT had been reauthorized the first time. I trust Ben Wittes, who wants to prevent Jim Sensenbrenner from commenting on NSA’s secrecy because he’s dishonest about his own role, applies a similar standard to Raj De.

But I was even more interested in the way De answered Center for Democracy and Technology’s Jim Dempsey’s question about the back-door loophole in which NSA searches on incidentally collected US person data (starting at 2:09:00). Dempsey asked whether NSA needed something like the Reasonably Articulable Suspicion before it searched incidental US person data. De treated the question as nonsensical, given that when you collect on a particular phone number in the criminal context you don’t need to ignore what you find.

In other words, the NSA has a lower standard for access this content than they do for accessing the metadata of our phone calls.

Curiously, though, De tried to tout the minimization of both 702 and EO 12333 collection to present this as reasonable.

By minimization, Dempsey asked, you mean you keep it.

De insisted that no, there’s minimization at each step of the process.

I get how he was trying to use this blatant dodge. I get that the NSA assumes they can take everything so long as they’re careful about how they sent it around.

But make no mistake. NSA searches on the data before it gets minimized.

Here’s how this year’s Semiannual Compliance Review, submitted by the Attorney General and Director of National Intelligence, describes this practice.

NSA’s querying of unminimized Section 702-acquired communications using United States person identifiers (page 7)

Here’s how John Bates referred to the practice, based on a submission the NSA had made itself (though before De was writing the documents), in his October 3, 2011 opinion.

The government has broadened Section 3(b)(5) to allow NSA to query the vast majority of its Section 702 collection using United States-Person identifiers, subject to approval pursuant to internal NSA procedures and oversight by the Department of Justice. Like all other NSA queries of the Section 702 collection, queries using United States-person identifiers would be limited to those reasonably likely to yield foreign intelligence information. (page 22-23)

Bates justifies this practice by pointing to another agency’s (almost certainly FBI) use of the practice, which he describes as,

an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information.

The NSA has restrictions about circumstances in which they can share this data (which arguably will be expanded under Dianne Feinstein’s FakeFISAFix). But they allow the NSA to share this data if it is “foreign intelligence,” evidence of a crime, and evidence of a threat to life-which-to-NSA-means-property.

They can sweep up entire countries worth of Internet traffic. They can sweep up entire mailboxes overseas. And then go in, without a warrant, and “discover” evidence of crime.

DOJ Did Not Fulfill Legally Required Disclosure on Section 215 to Congress Until After PATRIOT Reauthorization

November 4, 2013/6 Comments/in FISA, PATRIOT /by emptywheel

In the Guardian’s superb summary of the importance of the NSA leaks, Zoe Lofgren challenges the claims that Congress has received all the documents NSA claims it has gotten.

I do serve on the Judiciary Committee and various statements have been made that the Judiciary Committee members were told about all of this and those statements are untrue, not the facts, we have not been provided the documents that the Agency said that we were.

In a Privacy and Civil Liberties Oversight Board today, NSA General Counsel Raj De and ODNI General Counsel Robert Litt both repeated such claims (these are from my notes on twitter; I’ll check my transcription later). De said that Section 215 “had all indicia of official legitimacy” which in part came because it was “twice reauthorized by Congress with full information from exec.” And Litt said they are “by statute required to provide copies [of FISC documents] to both houses. They got materials relating to this [Section 215] program.”

Obviously, we know De is wrong, and he must know it, because a sufficiently large block of Congressmen never had the opportunity to read the Executive’s official notice to make the difference in the 2011 reauthorization. His statement is a clear lie.

But I’m just as interested in Litt’s claim (which would rely on notice to the Judiciary and Intelligence Committees).

This most recent I Con dump provides some evidence that illuminates Lofgen’s implicit dispute of Litt’s claims. Remember this paragraph, which is one of the most specific claims about what notice the Administration gave to Congress about using Section 215 to authorize the phone dragnet.

Moreover, in early 2007, the Department of Justice began providing all significant FISC pleadings and orders related to this [Section 215] program to the Senate and House Intelligence and Judiciary committees. By December 2008, all four committees had received the initial application and primary order authorizing the telephony metadata collection. Thereafter, all pleadings and orders reflecting significant legal developments regarding the program were produced to all four committees.

As I noted in this post, the specific language (in bold) regarding the first, May 2006, authorization of the phone dragnet at least suggested, in this context, there wasn’t an opinion at all, as did a lot more evidence. But recent reporting strongly suggests there was (see this post where I argue this is likely the phone dragnet opinion).

Government lawyers have told the ACLU that they are withholding at least two significant FISC opinions — one from 2008 and one from 2010 — relating to the Patriot Act’s Section 215, or “business records” provision.

This would seem to indicate that Congress was not provided the original 2006 opinion (as distinct from the application and primary order) “by December 2008.”

With that mind, consider this document released by the I Con, an August 16, 2010 memo from Office of Legislative Affairs Assistant Attorney General Ronald Weich to the Chairs of the Judiciary and Intelligence Committees.

Pursuant to section 1871 of United States Code Title 50, we are providing the Committees with copies of the remaining decisions, orders, or opinions issued by the Foreign Intelligence Surveillance Court, and pleadings, applications, or memoranda of law associated therewith, that contain significant constructions or interpretations of any provision of FISA during the five-year period ending July 10, 2008. See 50 U.S.C. § 1871(c)(2). We have provided similar materials for the same time period.

Now remember, while ODNI made a big show of releasing these documents, they released them as part of the ACLU’s FOIA for documents on Section 215 and all the documents released pertain to Section 215. I Con describes the memo as referring to “several documents to the Congressional Intelligence and Judiciary Committees relating to NSA collection of bulk telephony metadata under Section 501 of the FISA, as amended by Section 215 of the USA PATRIOT Act,” confirming they pertain to Section 215.

The Patriot Act was reauthorized in February 2010.

At a minimum, this suggests the White Paper provided in August may have been highly misleading. When it said “Thereafter, all pleadings and orders reflecting significant legal developments regarding the program were produced to all four committees,” it did not mean that by December 2008, the four oversight committees had all the significant opinions in hand. Even assuming the Weich brief was correct, which Lofgren’s comment suggests it might not be, they didn’t get around to handing over opinions pertaining to Section 215 going back to July 10, 2003 until August 2010. That period — July 10, 2003 to July 10, 2008 — would cover both the July 2004 Colleen Kollar-Kotelly opinion authorizing using the Pen Register/Trap and Trace to collect Internet metadata, and the May 2006 opinion authorizing the phone dragnet. While we don’t know that the Kollar-Kotelly opinion was withheld until 2010, the language of the White Paper (which suggests the opinion itself was not provided) strongly suggests the May 2006 one was.

The law requiring such disclosure, 50 U.S.C. § 1871(c)(2), was part of the FISA Amendments Act, so had been in place for a full year by the time the PATRIOT Act reauthorization got started, yet DOJ didn’t get around to complying with it until 2 years after the law passed. And the law specifically requires disclosure of both the PR/T&T and the Section 215 authorities.

The possibility that DOJ did not turn over the original phone dragnet opinion is utterly damning given David Kris’ suggestion that the initial approval of the phone dragnet — the 2006 opinion — may have been erroneous.

More broadly, it is important to consider the context in which the FISA Court initially approved the bulk collection. Unverified media reports (discussed above) state that bulk telephony metadata collection was occurring before May 2006; even if that is not the case, perhaps such collection could have occurred at that time based on voluntary cooperation from the telecommunications providers. If so, the practical question before the FISC in 2006 was not whether the collection should occur, but whether it should occur under judicial standards and supervision, or unilaterally under the authority of the Executive Branch.

[snip]

The briefings and other historical evidence raise the question whether Congress’s repeated reauthorization of the tangible things provision effectively incorporates the FISC’s interpretation of the law, at least as to the authorized scope of collection, such that even if it had been erroneous when first issued, it is now—by definition—correct.

David Kris at least entertains the possibility that the original May 2006 opinion was “erroneous,” but points to Congress’ reauthorization of the PATRIOT Act to claim it had incorporated FISC’s interpretation of the law.

But now we know that DOJ did not provide all of FISC’s significant opinions pertaining to Section 215 to the key oversight committees until August 16, 2010, over two years after they were obligated to do so — and the plain language of the White Paper strongly suggests that DOJ did not provide the key May 2006 opinion to the oversight committees.

This doesn’t yet prove that DOJ withheld the May 2006 opinion that Kris suggests might be “erroneous” until after Congress reauthorized the PATRIOT Act. But it strongly suggests that is the case.

Update: PATRIOT Act Reauthorization line moved per Anonster’s suggestion.

Update: Added the language I Con used to describe the documents handed over in August 2010.

Anonymous Aide Pushback Strengthens Case that DiFi Bill Supports Backdoor Searches

November 2, 2013/12 Comments/in FISA /by emptywheel

Ellen Nakashima wrote a truly remarkable article on the DiFi Fake FISA Fix, in which she quotes the following critics of the bill:

Sen. Ron Wyden (D-Ore.)

Elizabeth Goitein, co-director of the Brennan Center for Justice’s Liberty and National Security Program

Julian Sanchez, a research fellow at the CATO Institute

And quotes the following defenders of the bill and/or surveillance:

Committee Chairman Dianne Feinstein (D-Calif.)

Committee staff, including a committee aide, who was not permitted to speak on the record

Several former senior Justice Department officials, who were not permitted by their current employers to speak on the record

DiFi’s sole on the record comment, by the way, was stating that she would do “everything I can” to preserve the phone dragnet.

And in this article in which surveillance defenders hide behind anonymity, SSCI aides make the following case about the backdoor search “protections” in DiFi’s Fake FISA Fix (concerns about which I raised here).

Wyden and privacy advocates are also concerned that the bill would place in statute authority for NSA to search without a warrant for Americans’ e-mail and phone call content collected under a separate FISA surveillance program intended to target foreigners overseas. That is what Wyden has called a “back-door search loophole.”

Aides note the bill restricts the queries to those meant to obtain foreign intelligence information. They say that there have been only a “small number” of queries each year. Such searches are useful, for instance, if a tip arises that a terrorist group is plotting to kill or kidnap an American, officials have said. [my emphasis]

Take a look at the language pertaining to this issue in the past. Last year’s FAA conference report from the very same Committee described the issue as, “querying information collected under Section 702 to find communications of a particular United States person.” And when Ron Wyden and Mark Udall busted Keith Alexander for making false claims, they suggested the issue was about “allow[ing] the NSA to deliberately search for the records of particular Americans.” And when John Bates approved the NSA and CIA’s use of the practice in 2011, he described it as “query[ing] the vast majority of its Section 702 collection using United States-Person identifiers.” That’s almost precisely the way the Administration referred to it in its Compliance Report this year: “querying of unminimized Section 702-acquired communications using United States person identifiers” (see page 7).

That is, in every reference to this practice I can think of, nothing suggests the practice is limited to searching for US person identifiers in the content of communications. Indeed, the report from this very same committee last year made it clear the practice pertained to searching for the communications written by Americans, not those written about them. And the easiest way to find communications written by Americans is to search on US person identifiers in the metadata of communications.

But the bill specifically excludes searching for US person identifiers in the metadata of communications from its protections. That is, in addition to not prohibiting the searching of US person identifiers to protect life, body, and probably property, and for law enforcement purposes, the bill specifically leaves unrestricted looking up someone’s email or phone number to pull up all their communications from the collection of Section 702-acquired data.

And in their discussion of what the bill protects, these anonymous aide bill defenders describe its use to find people talking about Americans — the kidnapped American whose abductors refer to him by his IP address or phone number in their email. They appear to refer to searching for US person identifiers in the content of communications (which is all the bill protects anyway), not in its metadata. Communications about Americans, not by them. Which is not how all the previous descriptions of this practice describe it.

But the dead giveaway, the tell that this is a big scam to provide the appearance of limits while at the same time enshrining and possibly expanding the warrantless searching of “incidentally” collected US person content, is where the aides say this:

“There have only been a ‘small number’ of queries each year.”

Hahahaha! Have you missed the number of times NSA has said it would be impossible for them to count the number of Americans whose data has been searched in such a way?! NSA has spent well over a year making that claim, and DiFi has shielded that claim every step of the way.

So when DiFi’s anonymous aides make the claim that the queries protected by the law have only been used a few times a year — indeed, when they make the claim they can be and have been counted at all — they make it crystal clear the protections in the law do not pertain to the vast majority of the searches on US person data that has been collected “incidentally” under Section 702 which — the NSA assures us — cannot be counted.

What DiFi and her aides — by their own anonymous and perhaps inadvertent admission — plan to protect is a tiny fraction of the searches on US person data collected under Section 702, the countable fraction of the practice that NSA can’t or won’t count without incurring resource problems.

OK. Thanks anonymous DiFi aides. I wasn’t sure we had cause to worry. But now you’ve made it crystal clear what is going on.

Drowning in Haystacks

November 2, 2013/17 Comments/in FISA /by emptywheel

The NYT and Guardian have similar stories out today describing the sheer breadth of NSA’s spying. The Guardian describes how NSA gleefully embraced change because it presented more opportunities for SIGINT collection.

n one of the leaked ‘State of the Enterprise’ documents from 2007, an NSA staff member says: “The constant change in the world provides fertile ground for discovering new targets, technologies and networks that enable production of Sigint.”

The official happily embraces this: “It’s becoming a cliché that a permanent state of change is the new standard. It is the world we live in – navigating through continuous whitewater.”

It’s an environment in which the NSA thrives, the official says. And adds: “Lucky for us.”

And both present the plight of someone analyzing Lashkar-e-Taiba who couldn’t read the intelligence because it was all Farsi and Arabic.

One N.S.A. officer on the Lashkar-e-Taiba beat let slip that some of his eavesdropping turned out to be largely pointless, perhaps because of the agency’s chronic shortage of skilled linguists. He “ran some queries” to read intercepted communications of certain Lashkar-e-Taiba members, he wrote in the wiki, but added: “Most of it is in Arabic or Farsi, so I can’t make much of it.”

Both, too, present how detailed our intelligence from Afghanistan has been — though the NYT noted, it doesn’t seem to have brought us success.

We are collecting enormous amounts of data, but it’s not clear what good it’s doing us.

Meanwhile, remember this. The intelligence community keeps missing Congress’ mandated deadlines to install insider detection software — including in the Hawaii location from which Snowden took his files. Given Snowden’s success, it’s safe to assume paid assets of foreign governments have gotten some of it as well. The reason we’re not protecting all this intelligence is because we don’t have the bandwidth to run the software.

Collecting all this data — particularly if we can’t even analyze much of it — has costs. One cost is in the tradeoff we’ve made in keeping it secure.

Our haystacks our drowning us.