How FISA Dockets (Appear To) Work and Why Snowden Likely Got Few or No PayPal Documents

/12 Comments/in , , /by

Because Bill Binney made an observation about the high docket number of the phone dragnet order released this year, Sibel Edmonds has decided that Glenn Greenwald is hiding a bunch of Edward Snowden documents to protect Pierre Omidyar showing PayPal cooperated with NSA.

Here’s what Binney said, according to him.

Unfortunately, Sibel attributes some of her words to me. I do not know that PAYPAL is involved – only that financial data is being used by NSA. And, based on the “BR” number 13/80 on the Verizon court order to give records to NSA, I estimated that this program involved 78 companies. These would include: telecom’s, internet service providers, banks/finance/credit cards, travel, plus others. So, there’s a lot of business data being collected by NSA and the FBI. In the future, if I am to be quoted, I will have to I will have to insist on a pre-publication review. [my emphasis]

Now, like Peter Kofod, I don’t doubt that PayPal gives a ton of data to the national security state (more on what probably happens below).

But Binney’s comment appears to be based on a misunderstanding of how the FISA docket numbering works (though not one that changes his observation that “there’s a lot of business data being collected by NSA and the FBI”): that each docket pertains to a different company.

Given the filings we’ve seen from voluminous years — particularly 2009 — it is clear that DOJ uses one docket for all providers on a particular order. For example, 3 of the 4 docket numbers used for the phone dragnet in 2009 were 08-13, 09-06, and 09-13. For the entire 3 month period the primary order covers, all the orders and correspondence related to that primary order bears the original docket number. Even in the case where Judge Walton cut off and then resumed production (see 09-13 above) from just one provider got handled in that docketing system. The now public FISC docket appears to continue this practice, with BR 13-109 and BR 13-158 including all the correspondence on a particular order (in addition, there are the Misc dockets for lawsuits, and the 2007 docket tied to Protect America Act for the Yahoo challenge).

And over the years, the list of providers included on the dockets appears to have gotten much longer. Here’s the redacted list of providers from the original 2006 order:

Screen shot 2013-12-13 at 7.51.09 PM

Here’s the redacted list of providers from the most recent order:

Screen shot 2013-12-13 at 7.54.25 PM

 

The additional providers are probably smaller providers, as well as VOIP providers.

So just 4 and on rare occasions 5 of the Section 215 (“BR”) docket numbers in any given year (and, for the life of the program, just 4 of the PR/TT docket numbers) covered all the providers.

But that may, in fact, mean far more companies are getting Section 215 orders, even bulk orders. As I laid out in this post, the numbers of Section 215 orders have gone up in the last several years (Julian Sanchez has speculated that previously some of this collection was done via National Security Letter, which is a pretty good bet).

Section 215 orders

And as they’ve gone up, the FISA Court has been modifying far more orders — it modified 86% of the orders in 2011. It has been modifying orders to add minimization procedures (it modified 176 orders in 2011 to add minimization requirements). Given that you only need to have significant minimization procedures if you’re getting a lot of innocent people’s data, and given that these orders would also be on a 90-day cycle, that may mean there were 44 bulk collection programs in 2011.

But, as Binney said, that’s going to include a lot of different kinds of companies. We know they’ve used Section 215 to collect precursor chemical purchase records. They likely cover credit cards records, other financial records, gun purchases, health and medical records, and other computer records. There have even been questions about using Section 215 to collect URL search terms.

PayPal is one possible or even likely recipient of these, but only one out of a bunch. Read more

Will DOJ’s 1,265-Day Old Section 215 Review Be Squelched By Past Classifications?

/8 Comments/in , /by

DOJ’s Inspector General Michael Horowitz released his annual list of challenges today (which includes a focus on prison problems). In his section on national security and civil liberties he spends 4 paragraphs calling for more information sharing before he turns to civil liberties. In that section, he once again promises the report on the use of Section 215 his office has been working on for 1,265 days.

But he adds something new. He suggests this report may be limited by whether or not DOJ and ODNI declassify sections of the past reports.

The OIG’s ongoing reviews also include our third review of the Department’s requests for business records under Section 215 of the Foreign Intelligence Surveillance Act (FISA), as well as our first review of the Department’s use of pen register and trap-and-trace devices under FISA.  Although the full versions of our prior reports on NSLs and Section 215 all remain classified, we have released unclassified versions of these reports, and we have requested that the Department and the Office of the Director of National Intelligence (ODNI) conduct declassification reviews of the full classified versions.  The results of any declassification review may also affect how much information we will be able to publish regarding our pending reviews when they are complete.

As I have noted in the past, the 2008 report includes two appendices on then-secret uses of Section 215, one of which almost certainly pertains to the phone dragnet. In addition, it includes a sharply critical section on DOJ’s failure to institute new minimization procedures specific to Section 215 (which would dramatically affect its use for the phone dragnet).

Now Horowitz is saying that, unless DOJ and ODNI declassify these past reports, he won’t be able to present in unclassified form all the findings in his current report (which covers the period through 2009, and therefore the violations discovered in that year).

Horowitz suggests something similar is going on with DOJ IG’s work on content collection as well. Both a report he did last year on the FISA Amendments Act (which may suggest the FBI has not always abided by its targeting and minimization procedures) and Glenn Fine’s DOJ-specific review on the illegal wiretap program remain classified.

The OIG has also conducted oversight of other programs designed to acquire national security and foreign intelligence information, including the FBI’s use of Section 702 of the FISA Amendments Act (FAA), which authorizes the targeting of non-U.S. persons reasonably believed to be located outside the United States to acquire foreign intelligence information.  The OIG’s 2012 review culminated in a classified report released to the Department and to Congress that assessed, among other things, the number of disseminated FBI intelligence reports containing a reference to a U.S. person identity and the FBI’s compliance with the targeting and minimization procedures required under the FAA.  Especially in light of the fact that Congress reauthorized the FAA for another 5 years last session, we believe the findings and recommendations in our report will be of continuing benefit to the Department as it seeks to ensure the responsible use of this foreign intelligence tool.  This report also was included in our request to the Department and ODNI for a declassification review, as was the full, classified version of our 2009 report on the President’s Surveillance Program, which described certain intelligence-gathering activities that took place prior to the enactment of the FAA. [my emphasis]

Elsewhere, Horowitz alludes to the Snowden leaks. Clearly, much of what appears in the 2009 and 2012 reports has been covered in leaks and releases to Congress. And yet, it seems, someone is stalling the declassification of DOJ IG’s work.

What has DOJ’s IG found that Eric Holder and James Clapper are trying to hide?

Did DOJ Prosecute Basaaly Moalin Just to Have a Section 215 “Success”?

/3 Comments/in , /by

At yesterday’s Senate Judiciary Committee hearing on the dragnet, the government’s numbers supporting the value of the dragnet got even worse. At one point, Pat Leahy asserted that the phone dragnet had only been useful in one case (in the last hearing, there had been a debate over whether it had been critical in one or two cases).

Leahy (after 1:09:40): We’ve already established that Section 215 was uniquely valuable in just one terrorism case, not the 54 that have been talked about before.

In a follow up some minutes later, Keith Alexander laid out numbers that explain how the Administration had presented that 1 case as 12 in previous claims.

Alexander (at 1:21:30): As you correctly stated, there was one unique case under 215 where the metadata helped. There were 7 others where it contributed. And 4 where it didn’t find anything of value, and we were able to tell the FBI that.

That is, to publicly claim that the phone dragnet has been useful in 12 cases, the Administration included 7 cases where — as with the Najibullah Zazi case — it proved to be a tool that provided non-critical information available by other means, and 4 cases where it was useful only because it didn’t show any results.

To fluff their numbers, the Administration has been counting cases where the phone dragnet didn’t show results as showing results of no results.

With sketchy numbers like that, it’s high time for a closer examination of the details — and the timing — of the Basaaly Moalin prosecution, the only case (Alexander now agrees) where the phone dragnet has been critical.

As a reminder, Moalin was first identified via the dragnet — probably on a second hop away from Somali warlord Aden Ayro — in October 2007.  They used that and probably whatever tip they used to investigate him in 2003 to get a FISA warrant by December 20, 2007. Only 2 months later, February 26, 2008, was al-Shabaab listed as a foreign terrorist organization. Ayro was killed on May 1, 2008, though the government kept the tap on Moalin through December 2008, during which period they collected evidence of Moalin donating money (maybe 3 times as much as he gave to al-Shabaab-related people) to a range of people who had nothing to do with al-Shabaab. A CIPA stipulation presented at the trial revealed that during this period after the inculpatory conversations, Moalin’s tribe and Shabaab split and Moalin’s collections supported other entities in Somalia.

1. Money collected for the Ayr sub-clan was given to individuals including Abukar Suyare (Abukar Mohamed) and Fare Yare, who were associated with the Ilays charity.

2. Money collected by the men in Guracewl on behalf of the Ayr sub-clan was given to a group that was not as-Shabaab. [sic]

3. There was a dispute between al-Shabaab, the Ayr clan and Ilays over the administration pf [sic] of Galgaduud regions.

4. Members of the Ilays charity and the Ayr sub-clan, including Abukar Suryare, were opposed to the al-Shabaab and were Ayrow’s enemies.

On April 8, 2009, FBI would search the hawala used to send money based entirely on Moalin’s case. Yet on April 23, 2009, according to a document referenced but not provided to Moalin’s defense, the FBI concluded that Moalin not only no longer expressed support for al-Shabaab, but that he had only ever supported it because of tribal loyalties, not support for terrorism.

The San Diego FIG assesses that Moalin, who belongs to the Hawiye tribe/Habr Gedir clan/Ayr subclan, is the most significant al-Shabaab fundraiser in the San Diego Area of Operations (AOR). Although Moalin has previously expressed support for al-Shabaab, he is likely more attentive to Ayr subclan issues and is not ideologically driven to support al-Shabaab. The San Deigo FIG assesses that Moalin likely supported now deceased senior al-Shabaab leader Aden Hashi Ayrow due to Ayrow’s tribal affiliation with the Hawiye tribe/Habr Gedir clan/Ayr subclan rather than his position in al-Shabaab. Moalin has also worked diligently to support Ayr issues to promote his own status with Habr Gedir elders. The San Diego FIG assesses, based on reporting that Moalin has provided direction regarding financial accounts to be used when transferring funds overseas that he also serves as a controller for the US-based al-Shabaab fundraising network.

The intercepts on which the prosecution was based support this. They show that Moalin’s conversations with Ayro and others focused on fighting the (American-backed) Ethiopian invaders of his region, not anything outside of Somalia.

Read more

In Naming Its Man of the Year, Time Proves It Doesn’t Even READ the News

/15 Comments/in , /by

I’m probably fairly lonely among my crowd to be satisfied that Time picked Pope Francis over Edward Snowden to be Person of the Year. Not only do I prefer that the focus remain on the reporting on NSA than revert back to caricatures like Time creates of Snowden as a “Dark Prophet” reading Dostoevsky. The Pope’s criticism of — above all — inequality may have as much or more impact on people around the globe as Snowden’s criticism of the surveillance state.

Would that both the Catholic Church and the United States live up to the idealist claims they purport to espouse.

But reading the profile Time did of Snowden, I can’t help but suspect they picked the Pope out of either fear or ignorance about what Snowden actually revealed. Consider this paragraph, which introduces a section on the lies NSA has told.

The NSA, for its part, has always prided itself on being different from the intelligence services of authoritarian regimes, and it has long collected far less information on Americans than it could. The programs Snowden revealed in U.S. ­surveillance agencies, at least since the 1970s, are subject to a strict, regularly audited system of checks and balances and a complex set of rules that restrict the circumstances under which the data gathered on Americans can be reviewed. As a general rule, a court order is still expected to review the content of American phone calls and e-mail ­messages. Unclassified talking points sent home with NSA employees for Thanksgiving put it this way: “The NSA performs its mission the right way—­lawful, compliant and in a way that protects civil liberties and privacy.” Indeed, none of the Snowden disclosures published to date have revealed any ongoing programs that clearly violate current law, at least in a way that any court has so far identified. Parts of all three branches of government had been briefed and had given their approval.

It’s full of bullshit. There’s the claim that NSA collects far less on Americans than it could. Does that account for the fact that, in the Internet dragnet and upstream collection programs, it collected far more than it was authorized to? Those same programs prove that surveillance can go on for (in the case of the Internet dragnet) 5 years before anyone realizes it has been violating the law — not exactly the definition of a regularly audited system. And, with its claim that “all three branches of government have been briefed,” Time must have missed Dianne Feinstein’s admission that the stunning sweep of the programs conducted under EO 12333 (which also collect US person data) don’t get close scrutiny from her committee (and none from the FISA Court).

But this claim most pisses me off:

As a general rule, a court order is still expected to review the content of American phone calls and e-mail ­messages.

Journalistic outlet Time must have missed where NSA’s General Counsel Raj De, in a public hearing, testified that NSA doesn’t even need Reasonable Articulable Suspicion — much less a court order — to read the content of Americans’ data collected incidentally under the FISA Amendment Act’s broad sweep, to say nothing of the even greater collection of data swept up under 12333. To support this demonstrably false claim, Time then points to the similarly false talking points the NSA sent home at Thanksgiving. It points to the NSA’s talking points just two paragraphs before Time lays out how often NSA has lied, both describing the government as actively misleading…

At the time Snowden went public, the American people had not just been kept in the dark; they had actively been misled about the actions of their government.

And then describing the specific lies of Keith Alexander and James Clapper.

The NSA lies, and lies often. But Time points to the NSA’s own lies to support its bad reporting.

At the same time, Time dances around the many things the US does that make us less secure. For example, it gives credence to the nonsense claim that Snowden singlehandedly prevented us from pressuring China into stopping hacking of us.

While in Hong Kong, Snowden gave an interview and documents to the South China Morning Post describing NSA spying on Chinese universities, a disclosure that frustrated American attempts to embarrass China into reducing its industrial-espionage efforts against U.S. firms.

This repeats the anachronistic claims and silence about US cyberwar that Kurt Eichenwald made in Newsweek.

And Time says Bullrun — a program that involves inserting vulnerabilities into code — “decodes encrypted messages to defeat network security,” which also minimizes the dangerous implications of NSA’s hacking.

If Time had actually read the news, rather than wax romantic about Russian literature, it might report that NSA in fact does collect vast amounts of and can the read incidentally collected content of most Americans. It might describe the several times NSA has been found to be violating the law, for years at a time. It might explain that many of these programs, because they operate solely under the President’s authority, might never get court review without Snowden’s leaks. And Time might bother to tell readers that, in some ways at least, the NSA makes us less safe because it prioritizes offensive cyberattacks (and not just on China) over keeping American networks safe.

As I said, I could have been happy about either a Pope Francis or an Edward Snowden selection. But as it is, Time might better call their scheme “Caricature of the Year,” because at least in their Snowden profile, they’re not actually presenting the news.

Three-Hopping the Corporate Store, in Theory

/6 Comments/in , /by

Stanford University has been running a project to better understand what phone metadata can show about users, MetaPhone, in which Android users can make their metadata available for analysis.

They just published a piece that suggests we could be underestimating the intrusiveness of the government’s phone dragnet program. That’s because most assumptions about degrees of separation consider only human contacts, and not certain hub phone numbers that quickly unite us.

A common approach for calculating these figures has been to simply assume an average number of call relationships per phone line (“degree”), then multiply out the number of hops. If a single phone number has average degree d, and the NSA can make h hops, then a single query gives expected access to about dh complete sets of phone records.34


We turned to our crowdsourced MetaPhone dataset for an empirical measurement. Given our small, scattershot, and time-limited sample of phone activity, we expected our graph to be largely disconnected. After all, just one pair from our hundreds of participants had held a call.

Surprisingly, our call graph was connected. Over 90% of participants were related in a single graph component. And within that component, participants were closely linked: on average, over 10% of participants were just 2 hops away, and over 65% of participants were 4 or fewer hops away!

In spite of the fact that just 2 of its participants had called each other, the fact that so many people had called TMobile’s voicemail number connected 17% of participants at two hops.

Already 17.5% of participants are linked. That makes intuitive sense—many Americans use T-Mobile for mobile phone service, and many call into voicemail. Now think through the magnitude of the privacy impact: T-Mobile has over 45 million subscribers in the United States. That’s potentially tens of millions of Americans connected by just two phone hops, solely because of how their carrier happens to configure voicemail.

And from this, the piece concludes that NSA could get access to a huge number of numbers with just one seed.

But our measurements are highly suggestive that many previous estimates of the NSA’s three-hop authority were conservative. Under current FISA Court orders, the NSA may be able to analyze the phone records of a sizable proportion of the United States population with just one seed number.

This analysis doesn’t account for one thing: NSA uses Data Integrity Analysts who take out high volume numbers — numbers like the TMobile voice mail number.

Here’s how the 2009 End-to-End review of the phone dragnet described their role.

As part of their Court-authorized function of ensuring BR FISA metadata is properly formatted for analysis, Data Integrity Analysts seek to identify numbers in the BR FISA metadata that are not associated with specific users, e.g., “high volume identifiers.” Read more

Phone and Internet Associations Are Both Terror Group Membership and a Chance Encounter in a Dance Hall

/5 Comments/in , /by
Screen shot 2013-11-25 at 12.59.34 PM

The sole discussion of First Amendment considerations in this undated training (it’s probably between early 2008 and 2011) is one page with a list of protected activities.

As I noted last week, from the start of the dragnet programs, neither the Court nor the government appear to have considered the implications dragnet analysis had for Freedom of Association.

Several of the training documents released last week — notably this August 29, 2008 NSA Memo — suggest the NSA reconsidered the associational implications of the dragnet in 2008. Nevertheless, in a document that appears to reflect an August 20, 2008 effort to protect associations, the NSA continued to use at least some associations as evidence of terrorist affiliation.

The rules on dragnet queries changed on August 20, 2008

As I noted some weeks ago, the government has withheld at least 3 FISC opinions pertaining to Section 215; one of the withheld opinions is dated August 20, 2008. This memo, written 9 days later, lays out the legal standard for contact-chaining for both the phone and Internet dragnet programs as described in two 2008 dockets.

Specifically, the memo elaborates on the legal standard applicable to the contact-chaining activities in which SID offices engage pursuant to Business Records Order 08-08 (as well as subsequent Orders for the production of telephony records)1 as well as to the contact chaining activities in which SID analysts engage pursuant to the Pen Register and Trap and Trace Order 08-110 (as well as subsequent Pen/Trap Orders ).

The documents must be the most recent, given the way the memo applies this standard to orders going forward. And it replaces an earlier memo, written just months after the start of the phone dragnet.

OGC memorandum dated October 13, 2006, same subject, is canceled. This memorandum updates the prior memorandum to reflect changes in the Foreign Intelligence Surveillance Court (FISC) authorizations specifically authorizing access to the data acquired under the Orders for analysis related to [redacted — probably describes terrorism subjects] The substantive guidance concerning the application of the “reasonable articulable suspicion” standard with respect to the authorizations remains unchanged.

All of which strongly suggests this memo served to incorporate whatever changes the August 2008 opinion made into NSA practice.

The change in the rules pertain to the treatment of association

The structure of the memo — along with the footnote’s explanation that the standards for Reasonable Articulable Suspicion  (cited above) have not changed — suggest that what did change pertains to Association.

After an introductory section, the memo has this structure:

A. Summary of the [RAS] Standard

B. Association with [redacted — probably terrorist targets]

C. First Amendment Considerations

D. Summary

In other words, the memo seems to assess the impact of an August 20, 2008 FISC opinion commenting on the degree to which First Amendment protected activity may serve as proof of a tie (an association) to a terrorist organization.

Regardless of what the FISC said, association is the same thing as membership

Before I lay out the logic dismissing any associational concerns presented by using phone contacts to assume a tie to terrorism, let me get to the punch line. After explaining that simply lobbying a member of Congress to “cut off funding for U.S. troops in Iraq” does not prove an association with terrorism (though some other NSA documents suggest it may have been regarded as such at one time), the memo explains that in some circumstances direct contact can do so.

But, as we have already made clear, we do not read the Order to preclude under all circumstances the conclusion that a number is associated with [redacted — probably terrorist groups] solely on the basis of its communications [redacted] and, more specifically, based on its contacts with numbers about which NSA has the appropriate level of suspicion. Our conclusion is supported by First Amendment law, as we discuss below.

In a footnote on that same page, the memo makes a breathtaking conflation of “member” and “associated with” a terrorist group.

We note also that the very object of the overall effort supported by these Orders is to determine whether or not particular individuals are members of or are associated with the terrorist organizations named in the Orders. Thus, under these Orders, simply by being a member of a named group one becomes subject to government scrutiny. [my emphasis]

That is, NSA sets out to argue that, regardless of whatever that FISC opinion states, association with a terrorist group (provided that they engage in direct contact) amounts to membership in it.

And here’s how that analysis ends up. Read more

Was DOJ Hiding a Section 215 Gun Registry from Congress?

/14 Comments/in , /by

Among other documents, ODNI released  on Monday all the Attorney General Reports on Section 215 use from 2005 to 2011 (2006200720082009201020112012).

This is the classified version of a report that also gets released in unclassified form as part of a larger report to Congress on FISA numbers (20052006200720082009201020112012; ODNI did not release the report covering 2012 because it lay outside the scope of ACLU’s FOIA). And the paragraph of each of these reports that lays out the following information remains redacted in all of them.

(3) the number of such orders either granted, modified, or denied for the production of each of the following:

(A) Library circulation records, library patron lists, book sales records, or book customer lists.

(B) Firearms sales records.

(C) Tax return records.

(D) Educational records.

(E) Medical records containing information that would identify a person.

Nevertheless, the reports show us two new things.

Screen shot 2013-11-22 at 8.52.29 AM

First, while we knew the number of modifications has gone up significantly in the last three years (we now know that many of the modifications in 2009 had to do with phone dragnet violations), the latest reports ODNI released say this:

The FISC modified the proposed orders submitted with forty-three such applications in 2010 (primarily requiring the Government to submit reports describing implementation of applicable minimization procedures).

The FISC modified the proposed orders submitted with 176 such applications in 2011 (requiring the Government to submit reports describing implementation of applicable minimization procedures).

Julian Sanchez had speculated that’s what was going on in a post (I can’t find the link right now) noting that NSL use had halved while Section 215 use had gone up. Remember, too, the government has not released a 2010 opinion on Section 215 that may explain why the FISC got much more involved in policing the government’s minimization.

Still, it is almost certain that the need to double check government minimization stems from bulk collections. If those bulk collections were also on a 90-day renewal cycle, then we might be looking at 44 bulk collection programs in 2011.

One more thing. As was reflected in the ACLU Vaughn Index, it appears DOJ never provided these reports to Congress starting with the report covering 2008. It did do so for the report covering 2011, but the report isn’t dated, so it’s not clear it was done in April 2012, when it should have been provided to Congress. Furthermore, that production was cc’ed to John Bates, which the tardy August 16, 2010 production of FISC opinions also was, which makes me wonder whether Bates had to force the Executive to fulfill the requirements in the PATRIOT Reauthorization (both these reports and the pre-2008 “significant constructions of law” requirement stems from the 2006 reauthorization). [4/19/14 correction: The “significant constructions of law” stems from the FISA Amendments Act]

Now, maybe DOJ was just being lazy in not fulfilling the clear legal requirement. But given that it seems to have had no problem fulfilling the requirement for unclassified numbers during the same period, I wonder whether DOJ just didn’t want to reveal that it was collecting on one or more of the specified categories, such as firearms sales records (though I’ve long wondered whether DOJ was also collecting DNA records).

Read more

By “Application” the Administration Didn’t Mean “Memorandum of Law”

/1 Comment/in , /by

This is a very minor point.

But, perhaps to rebut my observation that the government withheld significant constructions of law from the oversight committees until after the PATRIOT Act was reauthorized in 2010, ODNI released these this July 22, 2009 document, approving the unsealing of the original application for the phone dragnet so it could be shared with the Judiciary and Intelligence Committees as mandated by the FISA Amendments Act over a year earlier.

That makes it clear the oversight committees did have the application, at least, before they started discussions to reauthorize PATRIOT.

But it also shows several other things.

It shows how misleading the White Paper was when it implied the oversight committees had everything by December 2008.

Moreover, in early 2007, the Department of Justice began providing all significant FISC pleadings and orders related to this program to the Senate and House Intelligence and Judiciary committees. By December 2008, all four committees had received the initial application and primary order authorizing the telephony metadata collection. Thereafter, all pleadings and orders reflecting significant legal developments regarding the program were produced to all four committees. [my emphasis]

It seems that reference to “application” in the White Paper referred only to the formal application, absent the underlying legal memorandum revealing just how radical this request was, which the Executive Branch withheld for another 7 months (even as the program was showing serial violations).

It also shows that the government took over a year after FAA required this sharing before it actually shared the document.

And it shows that, while we don’t know what the government withheld for over another year, the government was still withholding substantive information from Congress until after PATRIOT was reauthorized in February 2010.

Unlike some of the documents released by the government, the original Colleen Kollar-Kotelly opinion doesn’t reveal when it got released to Congress. I wonder when the Executive decided to share that?

Update: I may have spoken too soon. FISC unsealed this, but I don’t see the submission recorded on the Vaughn indices. Will update soon.

Update: Here’s what the ACLU Vaughn Index (there are differences with the EFF Vaughn Index, but not on this point) shows as far as Congressional submissions of pre-FAA material.

  • October 3, 2008, 31 pages of post FAA matters, all apparently on Section 215
  • October 3, 2008, 31 pages of post FAA matters, all apparently on Section 215 (may be duplicate entry — see entries 13 and 82)
  • December 1, 2008, at least 1084 pages of pre FAA matters, 378 of which pertain to Section 215
  • August 16, 2010, 236 pages of Section 215 matter plus more on other topics, pre FAA matters
  • February 4, 2011, 39 pages, all apparently on Section 215, unclear whether this is pre or post FAA materials

In other words, if the Vaughn Index is accurate, FISC unsealed this opinion on July 22, 2009, but the Executive Branch didn’t provide it to the oversight committees until August 16, 2010.

Wrong Agency, Wrong Minimization: Two More Ways the Original Phone Dragnet Application Violated the Law

/12 Comments/in , /by

In addition to everything else several of us have been pointing out in the original Internet metadata opinion and the phone metadata application, there are two more problems with the phone dragnet.

They’re using the wrong agency and the wrong minimization procedures.

Section 215 reads, in part:

[T]he Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things [my emphasis]

Here’s who signed the application that kicked off the phone dragnet program:

Screen shot 2013-11-19 at 3.02.54 PM

 

This is probably the lesser of these two problems. After all, the law permits the FBI Director to delegate this, and delegating the application to your boss is probably perfectly fine. Though it is a bit of a conflict if the boss in question was, in part, trying to legalize a program that had operated under his purview when he worked at the White House.

The problem becomes bigger still given that there’s no explanation of how it is that an NSA declaration serves as backup for an application to obtain data for the NSA, the use of which is limited to FBI. At least in what we get (which, remember, is what got produced to Congress, not what got submitted to the Court), there’s no discussion of that process.

The other problem is a bit more complicated. As I described last week, the 2006 Reauthorization of the PATRIOT Act included a new requirement that the Attorney General develop minimization procedures for Section 215.

(1) IN GENERAL- Not later than 180 days after the date of the enactment of the USA PATRIOT Improvement and Reauthorization Act of 2005, the Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this title.

(2) DEFINED- In this section, the term `minimization procedures’ means–

(A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 101(e)(1), shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance;

This post describes how DOJ basically blew off that requirement and — at least according to former DOJ Inspector General Glenn Fine — instead used existing procedures that didn’t meet the terms of the law.

Given that this application passed just 2 months after the Reauthorization, this dragnet application was probably one of the earliest Section 215 applications submitted after the Reauthorization so there might have been a discussion about this new requirement anyway. But in this case, the new requirement should have posed an additional problem. The data went not to FBI, but immediately to NSA, an enormous database of non-publicly available of information pertaining to US persons, handed off without a hint of minimization first.

Here’s how the application dealt with minimization procedures.

NSA will apply the existing (Attorney General approved) guidelines in United States Signals Intelligence Directive 18 (1993) … to minimize the information reported concerning U.S. persons.

USSID 18 is supposed to be less restrictive than FBI minimization procedures (though FBI data gets shared freely with other agencies).

There’s not only no discussion in this application of how USSID 18 meets the terms of the law, but there’s no discussion of what it means that NSA basically got unminimized data for which FBI is, by law, the proper recipient, which should be the most voluminous minimization violation ever.

And yet … the application doesn’t even acknowledge this problem at all.

Freedom of Association: From Six Degrees of Kevin Bacon to Three Degrees of Terry Stop

/4 Comments/in , /by

One thing the July 24, 2004 Colleen Kollar-Kotelly opinion and the May 23, 2006 phone dragnet application reveal is that the government and the court barely considered the First Amendment Freedom of Association implications of the dragnets.

The Kollar-Kotelly opinion reveals the judge sent a letter asking the government about “First Amendment issues.” (3) Way back on 57, she begins to consider First Amendment issues, but situates the in the querying of data, not the creation of a dragnet showing all relationships in the US.

In this case, the initial acquisition of information is not directed at facilities used by particular individuals of investigative interest, but meta data concerning the communications of such individuals’ [redacted]. Here, the legislative purpose is best effectuated at the querying state, since it will be at a point that an analyst queries the archived data that information concerning particular individuals will first be compiled and reviewed. Accordingly, the Court orders that NSA apply the following modification of its proposed criterion for querying the archived data: [redacted] will qualify as a seed [redacted] only if NSA concludes, based on the factual and practical considerations of everyday life on which reasonable and prudent persons act, there are facts giving rise to a reasonable articulable suspicion that a particularly known [redacted] is associated with [redacted] provided, however, that an [redacted] believed to be used by a U.S. person shall not be regarded as associated with [redacted] solely on the basis of activities that are protected by the First Amendment to the Constitution. For example, an e-mail account used by a U.S. person could not be a seed account if the only information thought to support the belief that the account is associated with [redacted] is that, in sermons or in postings on a web site, the U.S. person espoused jihadist rhetoric that fell short of “advocacy … directed to inciting or producing imminent lawless action and … likely to incite or produce such action.” Brandnberg v. Ohio

By focusing on queries rather than collection, Kollar-Kotelly completely sidesteps the grave implications for forming databases of all the relationships in the US.

Then, 10 pages later, Kollar-Kotelly examines the First Amendment issues directly. She cites Reporters Committee for Freedom of the Press v. AT&T to lay out that in criminal investigations the government can get reporters’ toll records. Predictably, she says that since this application is “in furtherance of the compelling national interest of identifying and tracking [redacted terrorist reference], it makes it an easier case. Then, finally, she cites Paton v. La Prade to distinguish this from an much less intrusive practice, mail covers.

The court in Paton v. La Prade held that a mail cover on a dissident political organization violated the First Amendment because it was authorized under a regulation that was overbroad in its use of the undefined term “national security.” In contrast, this pen register/trap and trace surveillance does not target a political group and is authorized pursuant to statute on the grounds of relevance to an investigation to protect against “international terrorism,” a term defined at 50 U.S.C. § 1801(c). This definition has been upheld against a claim of First Amendment overbreadth. [citations omitted]

Of course, a mail cover is not automated and only affects the targeted party. This practice, by contrast, affects the targeted party (the selector) and anyone three hops out from him. Thus, even if those people are, in fact, a dissident organization (perhaps a conservative mosque), they in effect become criminalized by the association to someone only suspected — using the Terry Stop standard (the same used with stop-and-frisk) — of ties (but not even necessarily organizational ties) to terrorism.

Here’s how it looks in translation, in the 2006 application:

It bears emphasis that, given the types of analysis the NSA will perform, no information about a telephone number will ever be accessed or presented in an intelligible form to any person unless either (i) that telephone number has been in direct contact with a reasonably suspected terrorist-associated number or is linked to such a number through one or two intermediaries. (21)

So: queries require only a Terry Stop standard, and from that, mapping out everyone who is three degrees of association — whose very association with the person should be protected by the First Amendment — is fair game too.

Imagine if Ray Kelly had the authority to conduct an intrusive investigation into every single New Yorker who was three degrees of separation away from someone who had ever been stop-and-frisked. That’s what we’re talking about, only it happens in automated, secret fashion.