Dianne Feinstein Opens the Tech Back Door to the Dragnet Database Even Wider

/2 Comments/in , /by

I’ve been writing for months about the great big loophole providing access to the phone dragnet database.

Basically, the NSA needs someone to massage the dragnet data before analysts do queries on it, to take out high frequency call numbers (telemarketers and pizza joints), and probably to take out certain protected numbers, like those of Members of Congress. (Note, that the NSA has to do this demonstrates not only that all their haystack claims are false, but also leaves the possibility they’ll remove numbers that actually do have intelligence value.)

The problem of course, is that this means there is routine access to the database of all phone-based relationships in the United States that does not undergo normal oversight. We know this is a problem because we know NSA has found big chunks of this data in places where it doesn’t belong, as it discovered on February 16, 2012 when it found over 3,000 call records that had been stashed and kept longer than the 5 years permitted by the FISA Court.

As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.

The bill the Intelligence Committee passed out of committee yesterday not only codifies this practice, but exempts this practice from the explicit limits placed on other uses of this database.

Here’s how it describes this access.

(D) LIMITED ACCESS TO DATA.—Access to information retained in accordance with the procedures described in subparagraph (C) shall be prohibited, except for access—

[snip]

(iii) as may be necessary for technical assurance, data management or compliance purposes, or for the purpose of narrowing the results of queries, in which case no information produced pursuant to the order may be accessed, used, or disclosed for any other purpose, unless the information is responsive to a query authorized under paragraph (3).

Note, I’ve never seen this access described in a way that would include “narrowing the results of queries” before. I’m actually very curious why a tech would need to directly access the database, presumably after a query has already been run, to narrow it. Isn’t that contrary to the entire haystack theory?

In any case, the rest of the bill relevant to the phone dragnet effectively exempts this access from almost all of the oversight it codifies.

The requirement for a written record of the Reasonable Articulable Suspicion and identity of the person making the query does not apply (see 2 A and B). Since no record is made, the FISA Court doesn’t review these queries (6A) and these queries don’t get included in the public reporting (b)(3)(C)(i). I don’t see where the bill requires any record-keeping of this access.

The requirement that the data be kept secure specifically doesn’t apply.

SECURITY PROCEDURES FOR ACQUIRED DATA.—Information acquired pursuant to such an order (other than information properly returned in response to a query under subparagraph (D)(iii)) shall be retained by the Government in accordance with security procedures approved by the court in a manner designed to ensure that only authorized personnel will have access to the information in the manner prescribed by this section and the court’s order. [my emphasis]

And the requirement that personnel accessing the database for these purposes (4) be limited and specially trained doesn’t apply.

A court order issued pursuant to an application made under subsection (a), and subject to the requirements of this subsection, shall impose strict, reasonable limits, consistent with operational needs, on the number of Government personnel authorized to make a determination or perform a query pursuant to paragraph (1)(D)(i).

The only limit that appears to apply to the queries from this data management access of the database is the 5 year destruction.

Now, I think the FISA Court made tentative bids to limit some of the activities in 2009. But this language seems to undermine some of the controls the Court has placed on this access (including audits).

In short, in a purported bid to raise confidence about the NSA creating a database of every phone-based relationship in the United States, the Intelligence Committee has actually codified a loosening of access to the database outside the central purpose of it. It permits a range of people to access the database for vaguely defined purposes, it permits them to move that data onto less secure areas of the network, and it doesn’t appear to require record-keeping of the practice.

But what could go wrong with permitting tech personnel — people like Edward Snowden — access to data with less oversight than that imposed on analysts?

Update: Added the language from the 2012 violation to show how clueless the NSA was about finding this data just lying around and its inability to determine where it came from.

Feinstein’s Fake Fix May Expand Use of the Phone Dragnet

/7 Comments/in , /by

Dianne Feinstein and 10 other Senate Intelligence Committee members approved a bill yesterday that purports to improve the dragnet but actually does almost nothing besides writing down the rules the FISA Court already imposed on the practice.

I’ll have far more on DiFi’s Fake Fix later, but for now, I want to point to language that could dramatically expand use of the phone dragnet database, at least as they’ve portrayed its use.

Here’s how, in June, DiFi described the terms on which NSA could access the dragnet database.

It can only look at that data after a showing that there is a reasonable, articulable that a specific individual is involved in terrorism, actually related to al Qaeda or Iran. At that point, the database can be searched. [my emphasis]

Here are the terms on which her Fake Fix permits access to the database.

there was a reasonable articulable suspicion that the selector was associated with international terrorism or activities in preparation therefor. [my emphasis]

The bill passed yesterday does not require any tie to al Qaeda (or Iran!). An association with al Qaeda (and Iran!) is one possible standard for accessing the database. But it also permits use of the data if someone is “associated with activities in preparation” for international terrorism.

Does that include selling drugs to make money to engage in “terrorism”? Does that include taking pictures of landmark buildings? Does that include accessing a computer in a funny way?

All of those things might be deemed “activities in preparation” for terrorism. And this bill, as written, appears to permit the government to access the database of all the phone-based relationships in the US based not on any known association with al Qaeda (and Iran!), but instead activities that might indicate preparation for terrorism but might also indicate mild nefarious activity or even tourism crossing international borders.

Why Swim Upstream Overseas?

/12 Comments/in , /by

Screen shot 2013-10-30 at 1.23.18 PMIn 2011, when John Bates declared the existing upstream collection illegal, he didn’t stop the practice. Instead, he imposed new minimization procedures on part of the collection (just that part that included transactions including communications that were completely unrelated to the search terms used). He required that collection be segregated. And he wrung assurances from NSA they wouldn’t do things — like search on data collected via upstream collection — that they could do with data collected under PRISM.

In short, it was actually a pretty permissive ruling, allowing the NSA to continue to collecting upstream data, at least for the terms and purposes they had claimed they were using it for.

So why go to the trouble of stealing data from Google and Yahoo links overseas instead of through PRISM — a question The Switch asks here — and upstream collection here?

Obviously, one of the problem is encryption. The graphic above makes it very clear NSA/GCHQ are trying to avoid Google’s default and Yahoo’s available SSL protection. Which mean they can’t do the same kind of upstream collection on encrypted content.

Now it’s clear from the aftermath of the 2011 ruling — in the way Google and Yahoo had to invest a lot to keep responding to new orders — that PRISM collection in the US is tied in some way to that upstream collection. Julian Sanchez suggests Google and Yahoo may now be unwilling to do keyword (actually key-selector, since some of these would be code) searches. And that may be the case (though it’s hard to see how they could refuse an order requiring that, given that the telecoms were responding to similar orders).

There are a few other possibilities, though.

First, remember that NSA wanted to continue its collection practice as it existed, with no changes. It considered appealing Bates’ decision. And it resisted his demands they clean up existing illegally collected data.

So it may be they simply continued doing what they were doing by stealing this data overseas. But that would only make sense if MUSCULAR dates to 2012, when Bates imposed new restrictions.

It’s also possible some of the restrictions he imposed wouldn’t allow NSA to accomplish what it wanted to. Two possibilities are his requirement that NSA segregate this collection. Another is his refusal to let NSA search “incidentally” collected data.

A third possibility is that other FISC restrictions — such as limits on how many contact chains one could do on Internet metadata (WaPo makes it clear this collection includes metadata) — provided reason to evade FISC as well.

Finally, I wonder whether the types of targets they’re pursuing have anything to do with this. For a variety of reasons, I’ve come to suspect NSA only uses Section 702 for three kinds of targets.

  • Terrorists
  • Arms proliferators
  • Hackers and other cyber-attackers

According to the plain letter of Section 702 there shouldn’t be this limitation; Section 702 should be available for any foreign intelligence purpose. But it’s possible that some of the FISC rulings — perhaps even the 2007-8 one pertaining to Yahoo (which the government is in the process of declassifying as we speak) — rely on a special needs exception to the Fourth Amendment tied to these three types of threats (with the assumption being that other foreign intelligence targets don’t infiltrate the US like these do).

Which would make this passage one of the most revealing of the WaPo piece.

One weekly report on MUSCULAR says the British operators of the site allow the NSA to contribute 100,000 “selectors,” or search terms. That is more than twice the number in use in the PRISM program, but even 100,000 cannot easily account for the millions of records that are said to be sent back to Fort Meade each day.

Given that NSA is using twice as many selectors, it is likely the NSA is searching on content outside whatever parameters that FISC sets for it, perhaps on completely unrelated topics altogether. This may well be foreign intelligence, but it may not be content the FISC has deemed worthy of this kind of intrusive search.

That’s just a wildarsedguess. But I do think it possible FISC has already told the NSA — whether it be in the 2011 opinion, opinions tied to the Internet dragnet problems (which themselves may have imposed limits on just this kind of behavior), or on the original PAA/FAA opinions themselves — that this collection violated the Fourth Amendment.

In which case the prediction Russ Feingold made back in 2007 — “So in other words, if they don’t like what we [or the FISA Court] come up with, they can just go back to Article II” — would prove, as so many Feingold comments have, prescient.

How Does NSA (and Its Partners) Catch More Terrorists in Europe with Less Metadata?

/12 Comments/in , /by

In follow-up to yesterday’s I Con, Le Monde reports that France’s spy agency, DGSE and the US, established a data sharing arrangement in 2011-2012 via which France provides call data to the US. It notes that part of the data the US gets comes from the French (apparently, Le Monde has better mastery of the conjunction than American National Security journalists) and that French citizens, as well as other targets, are included.

I suspect this is where the global dragnet may proceed: where we learn, country by country, that the US has side deals with partners, in addition to massive collections done largely (in Europe, anyway) by GCHQ, that allows it access to a lot of metadata.

But there’s something missing.

The US can, so long as it gets away with it, collect as much metadata as it can from France and other foreign countries. In the US, it has to work through the courts (well, that’s the law, one the Bush Administration flouted for 5 years).

And yet, the US collects far more metadata in the US than it does in France. In the last month of 2012, the US (and its partners, including GCHQ and DGSE) collected 70.3 million pieces of metadata in France, or roughly 1.07 piece of metadata on every French person. According to the Guardian, Boundless Informant shows the NSA (and its partners) collected 2.89 billion pieces of data in the month ending March 2013, or roughly 9.32 pieces of metadata on every American. And all that’s apparently before you consider the billions or trillions of pieces of metadata collected in the phone dragnet (which of course collects on “substantially all” the 310 million Americans (though in France, investigators can access phone metadata more readily).

That is, legally, the NSA (and its partners, including GCHQ) are not bound by legal limits on what they collect. But it collects more on Americans than it does on the French.

And yet … NSA finds more terrorists in Europe than in America.

More terrorists, less metadata.

I am sure this is a matter of comparing oranges to orange bouncey balls. Different times of the year, different numbers of terrorists in the country, different complementary tools and investigative skills. That is, there are nuances in all this data that neither the Snowden document recipients nor the NSA are going to be able to explain anytime soon. But they both seem to agree Boundless Informant does provide some picture of how much data the NSA (and its partners) collect where. And that does seem to show that NSA collects relatively more in the US than it does in Europe.

If that’s the case, then why is having a complete haystack of metadata here in the US pursuant to the Section 215 dragnet necessary? Doesn’t the European case show you can find even more terrorists without it?

John Bates Intervened in the Phone Dragnet Problems

/7 Comments/in , /by

Yesterday, I Con the Record released more records in response to the ACLU FOIA for records on the Section 215 program (though once again, they didn’t mention the FOIA).

Three of the documents provide more data points for a notable progression I laid out in this post, in which Reggie Walton appears to have shut down some collection from one telecom on July 9, 2009, reapproved it (including retroactively) on September 3, 2009, just in time for the Intelligence Community to claim Section 215 collection was central to the Najibullah Zazi investigation.

First, a July 2, 2009 notice to Walton provided the End-to-End review “for the Court’s information.” It had been completed on June 25 and provided to the Intelligence and Judiciary Committees on June 30. It was also included in the formal DOJ filing to Walton on August 19, which left the impression that DOJ had held it for two months before sharing it with the court. But this notice makes it clear Walton received a copy with only a slight delay (and the day before they delivered the first weekly report he had demanded). It also makes it clear he had gotten it, and probably read it, before whatever action he took on July 9. What may be the problematic collection (see page 15-16) apparently got reported to FISC before May 29 (no mention of a formal notice is included, though it seems to be addressed in the May 29 order). But there are other violations (such as the sharing described on page 17 that may involve Homeland Security) that appear to have been newly disclosed with this report.

In a second document — a September 10 notice to just the Senate Intelligence Committee (?!) that Judge Walton had reauthorized the bulk collection program on September 3 — reveals that on August 4, FISC Chief Judge John Bates had written Eric Holder a letter raising concerns. The notice portrays a September 1 demonstration for Walton, Bates, and Judge Thomas Hogan (who I believe was the only other FISC judge from the DC Circuit at the time) apparently at NSA as a response to Bates’ concerns. But the description of the demonstration also notes that,

The information was presented in the context of a current operation that concerns a potential threat to the U.S. homeland.

Remember, this was before (by 2 days) the Zazi investigation started. So this must reference something else, though it certainly didn’t sound all that urgent.

In any case, while it is unclear who got Bates involved (after all, it could have been the Administration, complaining that some of its production had been cut off), it is noteworthy he was involved, which provides a little more background to the frustration he expressed in his October 3, 2011 opinion accusing the government of signifiant misrepresentations on 3 occasions.

Finally, on October 21, in what must have been part of the PATRIOT Act reauthorization push, National Counterterrorism Center’s Michael Leiter and the NSA’s Assistant Deputy Director for Counterterrorism addressed the House Intelligence Committee. Along with their case for the program and a heavily glossed description of the problems with it (which they indicate had already been noticed in some form to the Committee), they described how tips from the dragnet “have contributed directly to the following specific cases,” plural. It includes an entirely unredacted description of the dragnet’s role in the Zazi investigation (without, for example, disclosing FBI already knew of Adis Medunjanin through travel documents to Pakistan where he and Zazi trained with terrorists). And it includes a shorter description of what must be at least one other case, which is entirely redacted. It’s possible, after all, that that second “success” (which is so credible we can’t know about it) is the ongoing threat referred to in the September 10 notice, which NSA used to scare FISC into reauthorizing the dragnet.

One more detail about the notice to HPSCI. It fails to mention that, less than 3 weeks after he reauthorized the dragnet, Walton learned — from DOJ, not NSA — of further information sharing violations. In other words, the HPSCI witnesses falsely portrayed the problems as fixed, when there were pending violations still being discussed between NSA and FISC.

There’s nothing enormous in these revelations, but they do add to the understanding of how grave FISC took these violations to be, and how partial was Congressional briefing on them.  Read more

Obama Throws Top Spying Partner, Verizon, at ObamaCare

/5 Comments/in , /by

For the record, I hope the Administration finds a way to fix the ObamaCare website. While ObamaCare is a mix of good (Medicaid expansion, Medicare tweaks, MLR, some weakly enforceable limits on insurers) and bad (cost, corporate incentives, Caddy tax, insurance over care), if it fails it will set back efforts to improve health coverage in this country.

But I do take some of the warnings about how difficult it will be to fix the site seriously.

All that said, I’m not sure this is the “best and brightest” group of consultants Obama should have chosen to “surge” the website fix.

An informed source in the telecommunications industry said Verizon’s Enterprise Solutions division has been asked by the Department of Health and Human Services to improve the performance of the HealthCare.gov site, which is a key component of the Affordable Care Act. The source spoke on condition of anonymity because the announcement had not been made official.

HHS office said Sunday the department would reach outside its government contractors to civilian companies that might be able to solve HealthCare.gov’s problems more quickly.

“Our team is bringing in some of the best and brightest from both inside and outside government to scrub in with the team and help improve HealthCare.gov,” an HHS blog post said on Sunday.

HHS did not respond to a request for confirmation about Verizon. The company also declined to comment.

It makes sense for HHS to seek Verizon’s help, said Aneesh Chopra, the Obama administration’s former chief technology officer and now a senior fellow at the Center for American Progress. “There is an existing ‘best and brightest’ available to call in,” Chopra said. “Verizon is one of those already under contract.”

Even assuming Verizon is among the most competent entities in doing this kind of fix, there are the optics.

Verizon is, after all, the entity that charges millions of Americans inflated rates even as it turns over data on all their phone based relationships on a daily basis. In addition, along with AT&T and Sprint, Verizon helps the government copy and scan up to 75% of US Internet content in search of secret selectors.

Verizon is, then, one of the worst examples of the dangerous marriage between big corporate and big government. Which perhaps makes it an appropriate entity to be tied to ObamaCare, but not one that will help ObamaCare’s credibility.

On the 12th Day of Christmas, the NSA Gave to Me … 12 “Terrorism Supporters”

/4 Comments/in , , /by

Dianne Feinstein is writing op-eds again. Of course, I’m not actually recommending you read her defense of the phone dragnet program — though I do recommend this rebuttal of her claims from ACLU’s Mike German.

In other words, the problem was not that the government lacked the right tools to do its job (it had ample authority to trace Mihdhar’s calls). The problem was that the government apparently failed to use them.

But I do want to look at how DiFi dances around the debunked claims about all the plots the dragnet have stopped.

Since its inception, this program has played a role in stopping roughly a dozen terror plots and identifying terrorism supporters in the U.S.

Her claim is grammatically false, of course. Of the 2 known of these 12 cases where Section 215 was useful, with just one — when it was used to identify an unknown phone of one already identified accomplice of Najibullah Zazi — was a plot actually stopped. In the other, all Section 215 did was identify a supporter of terrorism, Basaaly Moalin. And even there, the FBI itself believed Moalin sent money to al-Shabaab not so much to support terrorism, but to support expelling (US backed) Ethiopian invaders of Somalia.

So while she could say that on 12 occasions Section 215 has helped stop a plot or identified terrorism supporters, what she has said is — surprise surprise! — a lie.

But I am rather amused at how close DiFi gets to arguing a dragnet of every Americans’ phone based relationships is worthwhile because it has found 12 guys who support, but do not engage in, terrorism.

Docket Inflation at the FISA Court?

/2 Comments/in , /by

Screen shot 2013-10-18 at 3.17.36 PMAs I noted in my last post, I’m a bit alarmed by the docket numbers we’re seeing out of the FISC court. The order released today appears to be the 158th docket for the year.

Compare that to the docket numbers from 2009, as revealed in the orders Reggie Walton issued while trying to clean up NSA’s act. His November 5, 2009 order appears to be just the 15th docket for the year, as compared to Mary McLaughlin’s October order being the 158th.

We’re running at 10 times the pace we were 4 years ago.

The thing is, while the comparison does make this year seem especially bad, it actually seems to be part of a longer trend. Here’s the numbers of NSLs and Section 215 orders the FISC has issued since 2005.

Screen shot 2013-10-18 at 4.17.42 PM

 

 

Before we knew how extensive the phone dragnet was, these numbers suggested some of the NSL production got moved into the secret interpretations of Section 215 after 2010 (which is about the same time Ron Wyden and Mark Udall got especially shrill about it).

While that may or may not explain the big jump between 2009 — when the Walton numbers are perfectly consistent — and 2011, it’s not the phone dragnet driving the numbers. That has only been responsible for something like 6 dockets in any given year, and more often just 4 (for example, even in 2009, the multiple iterations were just additional entries to the docket tied to that quarter’s order).

I thought, too, the Boston Marathon attack might explain higher numbers for this year. But we might even come in slightly lower than we did last year.

Which is another way of noting how deceitful these numbers are. Any single NSL could include more than one American. We know at least some of the Section 215 orders include every American.

So how many records might these entail of each one could represent every American?

Mary McLaughlin Repeats Claire Eagan’s Error

/3 Comments/in /by

FISC just released the opinion accompanying the most recent Section 215 phone dragnet order.

(Note: does it concern anyone besides me that FISC is now up to 158 dockets for Business Records production this year??)

In it, Judge Mary McLaughlin repeats the very same error Claire Eagan made.

Although the definition of relevance set forth in Judge Egan’s decision is broad, the Court is persuaded that that definition is supported by the statutory analysis set out in the August 29 Opinion. That analysis is reinforced by Congress’ s re-enactment of Section 215 after receiving information about the government’s and the FISA Court’s interpretation of the statute.

As I’ve noted over and over and over, the public record shows that the notice on Section 215 did not actually meet the terms of Eagan’s opinion.

Eagan says,

The ratification presumption applies here where each Member was presented with an opportunity to learn about a highly-sensitive classified program important to national security in preparation for upcoming legislative action. [my emphasis]

Not only did the vast majority of Members have to go out of their way to learn about this program, 19% in fact had no way of learning everything they needed to know about it. Therefore, the ratification presumption fails, and that legal basis crumbles.

Each member was not presented with such an opportunity — certainly not one identified as such.

Now, perhaps FISC’s clerks are incompetent and haven’t even scanned the Google alerts on the issues before them (McLaughlin did finally address US v. Jones, so maybe it’s just a very slow Google alert?).

But this points to the problem with FISC’s lack of an adversary. Because anyone coming before the court would presumably help out FISC’s clerks by pointing them to the many many many reports of how inadequate this notice really was.

Instead, they keep repeating the same mistake over and over — and proving the claims about being a rubber stamp.

12 Years Later, DOJ Is Still Struggling Through Dragnet Discovery Issues

/5 Comments/in , , /by

As I noted earlier, Charlie Savage describes how, after Don Verrilli made false representations to the Supreme Court about whether defendants get an opportunity to challenge FISA Amendments Act derived evidence, it set off a discussion in DOJ about their discovery obligations.

Mr. Verrilli sought an explanation from national security lawyers about why they had not flagged the issue when vetting his Supreme Court briefs and helping him practice for the arguments, according to officials.

The national security lawyers explained that it was a misunderstanding, the officials said. Because the rules on wiretapping warrants in foreign intelligence cases are different from the rules in ordinary criminal investigations, they said, the division has long used a narrow understanding of what “derived from” means in terms of when it must disclose specifics to defendants.

In national security cases involving orders issued under the Foreign Intelligence Surveillance Act of 1978, or FISA, prosecutors alert defendants only that some evidence derives from a FISA wiretap, but not details like whether there had just been one order or a chain of several. Only judges see those details.

After the 2008 law, that generic approach meant that prosecutors did not disclose when some traditional FISA wiretap orders had been obtained using information gathered through the warrantless wiretapping program. Division officials believed it would have to disclose the use of that program only if it introduced a recorded phone call or intercepted e-mail gathered directly from the program — and for five years, they avoided doing so.

For Mr. Verrilli, that raised a more fundamental question: was there any persuasive legal basis for failing to clearly notify defendants that they faced evidence linked to the 2008 warrantless surveillance law, thereby preventing them from knowing that they had an opportunity to argue that it derived from an unconstitutional search? [my emphasis]

It’s not entirely true that only judges learn if there are a series of orders leading up to a traditional FISA that incriminates a person. For example, we know it took 11 dockets and multiple orders to establish probable cause to wiretap Basaaly Moalin, the one person allegedly caught using Section 215. We also know there was a 2-month delay between the time they identified his calls with (probably) Somali warlord Aden Ayrow and the time they started wiretapping him under traditional FISA. Even before that point, Ayrow would have been — and almost certainly was — a legal FISA Amendments Act target. Meaning it’d be very easy for the government to watch Moalin’s side of their conversations in those two months to develop probable cause — or even to go back and read historical conversations (note, Ken Wainstein may have signed some of the declarations in question, which would make a lot of sense if they took place during the transition between Attorneys General earlier in 2007).

But Moalin’s attorneys didn’t — and still haven’t — learned whether that’s what happened. (Note, I’m overdue to lay out the filings in the case since I last covered it; consider it pending.)

Read more