Keith Alexander’s Ignorance By Design

One of the most publicized lines from yesterday’s FOIA disclosures comes from Keith Alexander’s declaration to Reggie Walton on how the Section 215 dragnet went so horribly awry. He claims — without explaining the basis for his knowledge — that no one knew how all this worked.

Furthermore, from a technical standpoint, there was no single person who had a complete technical understanding of the BR FISA system architecture. (Alexander 19)

The comment comes amidst a section that discusses not system architecture, but simple legal compliance, in which Alexander describes how,

  • NSA’s lawyers consistently gave incorrect data to FISC over 3 years’ time
  • NSA’s lawyers exempted a whole class of data — that not yet “archived” — from the plain meaning of the law

At the beginning of this particular section, he says his knowledge comes from,

Reviews of NSA records and discussions with relevant NSA personnel (Alexander 16)

But at the beginning of Alexander’s declaration, he states his statements,

are based on my personal knowledge, information provided to me by my subordinates in the course of my official duties, advice of counsel, and conclusions reached in accordance therewith. (Alexander 2)

That is, for the declaration overall, Alexander says he only spoke to “counsel” and other NSA people in “the course of [his] official duties,” and there only with subordinates. Admittedly, all NSA personnel should be his subordinates, but it is curious he doesn’t describe the NSA personnel he spoke with as such.

That’s important, because throughout this section, Alexander’s statements are caveated with “it appears” introductions.

… the inaccurate description of the BR FISA alert list initially appears to have occurred to a mistaken belief …(Alexander 17)

… Therefore, it appears there was never a complete understanding among the key personnel who reviewed the report … (Alexander 18)

… Nevertheless, it appears clear in hindsight from discussions with the relevant personnel as well as reviews of NSA’s internal records that the focus was almost always on whether analysts were contact chaining the Agency’s repository of BR FISA data in compliance … (Alexander 18)

Now perhaps Alexander spoke to the people who actually knew what went on. It turns out they would, in significant part, be lawyers. Counsel.

Though that’s rarely reflected in his descriptions. In perhaps just one sentence, he makes an assertion about what the SIGINT Directorate and the OGC [counsel] “realized,” though note he doesn’t specify a single human subject for that realization.

Or perhaps he spoke only to “relevant personnel” who provided him information in the course of his normal duties.

But one thing is clear: either he doesn’t claim actual knowledge, beyond what actually got documented, about the subject he is addressing (the most important topic in his declaration), or he does, but for some reason he was, in this matter alone, uncomfortable asserting that as a clear fact.

Yet, having spoken to remarkably few people, he somehow feels confident claiming no one knew about the entire architecture (an irrelevant issue to the legal and management problem at hand)?

I would suggest Alexander’s lawyers [counsel!] — the very people who provided false information to the court and false advice to NSA personnel — might have a good deal more certainty about what happened than Alexander. But somehow they managed to avoid making sworn declarations to the court about those subjects.

Update: The list of people who knew about this stuff on Alexander 25-26 is of particular interest. Two OGC lawyers and 3 program managers had access to both what was allowed to analysts and what was reported to the court (though Alexander helpfully notes, “[t]his does not mean that an individual who was on distribution for the reports was actually familiar with the contents of the reports.”)

Alexander also says he had conversations with the people on distribution of the original email drafting language for the court.

Alexander goes on to note there were a lot of people that knew of how the alerts worked but, “[b]ased on information available to me, I conclude it is unlikely that this category of personnel knew how the Agency had described the alert process to the Court.”

 

Imagine the Informants You Can Coerce When You Can Spy on Every Single American

Two years ago, I noted a chilling exchange from a 2002 FISA suit argued by Ted Olson. Laurence Silberman was trying to come up with a scenario in which some criminal information might not have any relevance to terrorism. When he suggested rape, Olson suggested we might use evidence of a rape to get someone to inform for us.

JUDGE SILBERMAN: Try rape. That’s unlikely to have a foreign intelligence component.

SOLICITOR GENERAL OLSON: It’s unlikely, but you could go to that individual and say we’ve got this information and we’re prosecuting and you might be able to help us.

It’s chilling not just because it suggests rapists have gone free in exchange for trumping up terrorist cases for the government, but because it makes clear the kinds of dirt the government sought using — in this case — traditional FISA wiretaps.

Now consider this passage from the government’s 2009 case that it should be able to sustain the Section 215 dragnet.

Specifically, using contact chaining [redacted] NSA may be able to discover previously unknown terrorist operatives, to identify hubs or common contacts between targets of interest who were previously thought to be unconnected, and potentially to discover individuals willing to become U.S. Government assets.

Remember, while the government downplayed this fact, until Barack Obama won the 2008 election, the government permitted analysts to contact chain off of 27,090 identifiers, going deeper than 3 hops in. That very easily encompasses every single American.

The ability to track the relationships of every single American, and they were using it to find informants.

In the 7 years since this program (now allegedly scaled back significantly, but still very very broad) has existed, the dragnet has only helped, however indirectly, to capture 12 terrorists in the US (and by terrorist, they also include people sending money to protect their country against US-backed invasion).

Which means the real utility of this program has been about something else.

The ability to track the relationships of every single American. And they were using it to find informants.

Even while the number of terrorists this program discovered has been minimal, the number of FBI informants has ballooned, to 15,000. And those informants are trumping up increasingly ridiculous plots in the name of fighting terrorism.

The ability to track the relationships of every single American (or now, a huge subset of Americans, focusing largely on Muslims and those with international ties). And they were (and presumably still are) using it to find informants.

Update: Note how in Keith Alexander’s description of the alert list, the standard to be on it is “the identifier is likely to produce information of foreign intelligence value” that are “associated with” one of the BR targets (Alexander 33). This is very similar to the language Olson used to justify getting data that didn’t directly relate to terrorism.

Also note this language (Alexander 34):

In particular, Section 1.7(c) of Executive Order 12333 specifically authorizes NSA to “Collect (including through clandestine means), process, analyze, produce, and disseminate signals intelligence information for foreign intelligence and counterintelligence purposes to support national and departmental missions.” However, when executing its SIGINT mission, NSA is only authorized to collect, retain or disseminate information concerning United States persons in accordance with procedures approved by the Attorney General.

Again, this emphasizes a foreign intelligence and CI purpose for collection that by law is limited to terrorism. Which could mean they think they can collect info to coerce people to turn informant.

The AG guidelines on informants are, not surprisingly, redacted.

How Many People Are Included in Contact Chaining with 27,090 Numbers?

I’ve decided that if I could have a nickel for every time I’ve said “I told the apologists so” as I’ve read these documents, I’d be Warren Buffett. But I don’t get a nickel for predicting the NSA is as bad as it is. So I could use your help to keep doing what I do.

One of the most stunning revelations from ODNI’s conference call with Officials Who Can’t Be Quoted Because They Might Be Lying is that only 11% of the numbers the NSA was comparing daily business record collections against should have been included.

Those numbers are presented in the government’s first response to Reggie Walton’s order for more information.

In short, the system was designed to compare both SIGINT and BR metadata against the identifiers on the alert list but only to permit alerts generated from RAS-approved identifiers to be used to conduct contact chaining [redacted] of the BR metadata. As a result, the majority of telephone identifiers compared against the incoming BR metadata in the rebuilt alert list were not RAS-approved. See id. at 4, 7-8. For example, as of January 15, 2009, the date of NSD’s first notice to the Court regarding this issue, only 1,935 of the 17,835 identifiers on the alert list were RAS-approved. (10-11)

This means that every day, the NSA was comparing names they thought maybe might could be terrorist numbers, as well as numbers they actually had reason to believe actually were, with all the phone records in the US to see if Americans were talking to these people. [Update: And to clarify, the 89% on the list who were “compared” to the daily business record take weren’t contact chained — NSA just checked to see if they should look further.]

As I said, per the Officials Who Can’t Be Quoted Because They Might Be Lying who gave today’s conference call, that’s as bad as it gets.

But it appears to get worse.

You see, as NSA was confessing all this to DOJ’s National Security Division, they were also cleaning up their lists (the January 15 numbers come from a week after NSD first got involved). And it appears that before they started their confessional process (in the days before Obama took over from George Bush), they had far more people on their list. And they were contact-chaining those numbers.

At the meeting on January 9, 2009, NSA and NSA also identified that the reports filed with the Court have incorrectly stated the number of identifiers on the alert list. Each report included the number of telephone identifiers purported on the alert list. See, e.g., NSA 120-Day Report to the FISC (Dec. 11, 2008), docket number BR 08-08 (Ex. B to the Government’s application in docket number BR 08-13), at 11 (“As of November 2, 2008, the last day of the reporting period herein, NSA had included a total of 27,090 telephone identifiers on the alert list . . . .”). In fact, NSA reports that these numbers did not reflect the total number of identifiers on the alert list; they actually represented the total number of identifiers included on the “station table” (NSA’s historical record of RAS determinations) as currently RAS-approved) (i.e., approved for contact chaining [redacted]

This appears to mean the NSA could (they don’t say whether they did) conduct chaining two or three degrees deep on all these potential maybe might could be terrorists.

If those 27,090 talked to 10 people in the US, and those 270,090 people in the US regularly talked to 40 people in the US, and those people talked to 40, then it would potentially incorporate 433 millio–oh wait! That’s more people than live in the US!

That is, there’s a potential that, by contact chaining that many people, this actually represented a comprehensive dragnet of all the networked relationships in the US until the days before Obama became President.

And they lied to Reggie Walton about it as they got their first real legal review of the program.

But honest, all this was really just unintentional.

Update: Later in the filing, the government admits they were doing more than 3 hops until early 2009.

Second, NSA is implementing software changes to its system that will limit to three the number of “hops” permitted from a RAS-approved seed identifier.

This means those 27,090 identifiers that were in use on November 1, 2008 (at which point it became clear Obama would win the election) could have been contact chained far deeper into American contacts. This makes it very likely that that “contact chaining” actually did include everyone in the US.

Shorter NSA: That We Discovered We Had No Fucking Clue How We Use Our Spying Is Proof Oversight Works

James Clapper’s office just released a bunch of documents pertaining to the Section 215 dragnet. It reveals a whole slew of violations which it attributes to this:

The compliance incidents discussed in these documents stemmed in large part from the complexity of the technology employed in connection with the bulk telephony metadata collection program, interaction of that technology with other NSA systems, and a lack of a shared understanding among various NSA components about how certain aspects of the complex architecture supporting the program functioned.  These gaps in understanding led, in turn, to unintentional misrepresentations in the way the collection was described to the FISC.  As discussed in the documents, there was no single cause of the incidents and, in fact, a number of successful oversight, management, and technology processes in place operated as designed and uncovered these matters.

More candidly it admits that no one at NSA understood how everything works. It appears they’re still not sure, as one Senior Official Who Refused to Back His Words admitted,

“I guess they have 300 people doing compliance at NSA.”

“I guess” is how they make us comfortable about their new compliance program.

Ultimately, this resulted in them running daily Section 215 collection on a bunch of numbers that–by their own admission–they did not have reasonable articulable suspicion had some tie to terrorism. When they got caught, that number consisted of roughly 10 out of 11 of the numbers they were searching on.

The rest of this post will be a working thread.

Update: Here is the Wyden/Udall statement. It strongly suggests that the other thing the government lied about — as referenced in John Bates’ October 3, 2011 opinion — was the Internet dragnet.

With the documents declassified and released this afternoon by the Director of National Intelligence, the public now has new information about the size and shape of that iceberg. Additional information about these violations was contained in other recently-released court opinions, though some significant information – particularly about violations pertaining to the bulk email records collection program – remains classified.

 

In addition to providing further information about how bulk phone records collection came under great FISA Court scrutiny due to serious and on-going compliance violations, these documents show that the court actually limited the NSA’s access to its bulk phone records database for much of 2009. The court required the NSA to seek case-by-case approval to access bulk phone records until these compliance violations were addressed. In our judgment, the fact that the FISA Court was able to handle these requests on an individual basis is further evidence that intelligence agencies can get all of the information they genuinely need without engaging in the dragnet surveillance of huge numbers of law-abiding Americans.


The original order required NSA to keep the dragnet on “a secure private network that NSA exclusively will operate.” Yet on the conference call, the Secret-Officials-Whose-Word-Can’t-Be-Trusted admitted that some of the violations involved people wandering into the data without knowing where they were. And an earlier violation made it clear in 2012 they found a chunk of this data that tech people had put on their own server.

The order also requires an interface with security limitations. Again, we know tech personnel access the data outside of this structure.

That order also only approves 7 people to approve queries. That number is now 22.

(9) We need to see a copy of the first couple of reports NSA gave to FISC with its reapplications to see how things got so out of control.

(10) This approval was signed by Malcolm Howard. Among other things he was in the White House during the Nixon-Ford transition period.


The original authorization for 215 was a hash. Reggie Walton got involved in 2008 and cleaned it up (though not convincingly) in this supplemental order. He relies, significantly, on the “any tangible thing” language passed in 2006. (2-3)


Microsoft, Google, as Unimpressed as I Am with I Con’s New Data Release Promise

I showed earlier that the Director of National Intelligence’s promise to release certain information — much of which they’re already obligated to release — wasn’t all that impressive. As part of that, I noted that the DNI wasn’t providing data specific to each provider.

Moreover, the government doesn’t, apparently, plan to release the number Google and Yahoo would like it to release, numbers which likely show how much more enthusiastic the well-lubricated telecoms are about providing this material than the less-well lubricated Internet providers. That is, the government isn’t going to (or hasn’t yet agreed to) provide numbers that show corporations have some leeway on how much of our data they turn over to the government.

It turns out, Microsoft and Google agree with me that the promised new release is none too impressive.

More importantly, they view it as a refusal — after serial delays from the government — to release that provider specific and content type specific information they want to release.

Yesterday, the Government announced that it would begin publishing the total number of national security requests for customer data for the past 12 months and do so going forward once a year.  The Government’s decision represents a good start.  But the public deserves and the Constitution guarantees more than this first step.

The New I Con: “Total Number of Orders and Targets”

The I Con people, in another attempt to feign transparency, have announced they will release “new” numbers.

Consistent with this directive and in the interest of increased transparency, the DNI has determined, with the concurrence of the IC, that going forward the IC will publicly release, on an annual basis, aggregate information concerning compulsory legal process under certain national security authorities.

Specifically, for each of the following categories of national security authorities, the IC will release the total number of orders issued during the prior twelve-month period, and the number of targets affected by these orders:

  • FISA orders based on probable cause ( Titles I and III of FISA, and sections 703 and 704).
  • Section 702 of FISA
  • FISA Business Records (Title V of FISA).
  • FISA Pen Register/Trap and Trace ( Title IV of FISA)
  • National Security Letters issued pursuant to 12 U.S.C. § 3414(a)(5), 15 U.S.C. §§ 1681u(a) and (b), 15 U.S.C. § 1681v, and 18 U.S.C. § 2709.

Only, this is, as I Con transparency always is, less than meets the eye.

To start with, the I Cons already release much of this due to statutory requirements. It releases the number of FISA orders on probable cause (and the number rejected), the number of business records, and the National Security letters, as well as the number of US persons included in those NSLs.

If I understand this correctly, the only thing new they’ll add to this information is the number of people “targeted” under Section 215. In other words, they’ll tell us they’ve used fewer than 300 selectors in the previous year to conduct up-to-three-hop link analysis, which in reality means thousands or even millions might be affected (to say nothing of the hundreds of millions whose communications might be affected by virtue of being collected). But they won’t tell us how many people got included in those two or three hops.

Furthermore, in the absence of knowing what else they’re using Section 215 for, the meaning of these numbers will be hidden — as it already was when the government told us (last year) it had submitted 212 Section 215 applications, without telling us several of those applications collected every American’s phone records.

The same is true of the Pen Register/Trap and Trace provision. The government has told us they’re no longer using it to collect the Internet metadata of all Americans. But what are they using it to do? Are they (in one theory posited since the Snowden leaks started) using it to collect key information from Internet providers? Given the precedents hidden at the FISA Court, we’re best served to assume there is some exotic use like this, meaning any number they show us could represent a privacy threat far bigger than the number might indicate.

Then, finally, there’s Section 702, which will be new information. The October 3, 2011 John Bates opinion tells us the NSA collects 250 million communications a year under Section 702; the August 2013 Compliance Assessment seems to support (though it redacts the numbers) the NSA targeting 63,000 to 73,000 selectors on any given day. In other words, those numbers are big. But that doesn’t tell us, at all, how many US persons get sucked up along with the targeted selectors. That number is one the NSA refuses to even collect, though Ron Wyden has asked them for it. Usually, when the NSA refuses to count something, it is because doing so would demonstrate how politically (and potentially, Constitutionally) untenable it is.

Moreover, the government doesn’t, apparently, plan to release the number Google and Yahoo would like it to release, numbers which likely show how much more enthusiastic the well-lubricated telecoms are about providing this material than the less-well lubricated Internet providers. That is, the government isn’t going to (or hasn’t yet agreed to) provide numbers that show corporations have some leeway on how much of our data they turn over to the government.

So, ultimately, this seems to be about providing two or three new numbers, in addition to what the government is legally obliged to provide, yet without providing any numbers on how many Americans get sucked into this dragnet.

They will provide the “total number of orders and targets.” But they’re not going to provide the information we actually want to know.

NSA’s Inspector General Appears to Be Disappearing 299 Deliberate Violations a Year

Bloomberg is getting a lot of attention for reporting the results of a still-classified (and unleaked) NSA Inspector General audit showing that NSA averages one rule violation a year.

Some National Security Agency analysts deliberately ignored restrictions on their authority to spy on Americans multiple times in the past decade, contradicting Obama administration officials’ and lawmakers’ statements that no willful violations occurred.

[snip]

The incidents, chronicled in a new report by the NSA’s inspector general, provide more evidence that U.S. agencies sometimes have violated legal and administrative restrictions on domestic spying, and may add to the pressure to bolster laws that govern intelligence activities.

The inspector general documented an average of one case per year over 10 years of intentionally inappropriate actions by people with access to the NSA’s vast electronic surveillance systems, according to an official familiar with the findings. The incidents were minor, the official said, speaking on the condition of anonymity to discuss classified intelligence. [my emphasis]

Now, perhaps the IG is using the rule laid out by Barton Gellman saying that intentionally inappropriate action that serves “the mission” isn’t an intentionally inappropriate action.

If they are performing the mission that the NSA wants them to perform, and nevertheless overstep their legal authority, make unauthorized interceptions or searches or retentions or sharing of secret information, that is not abuse, that’s a mistake.

But this seems to be another example of NSA’s funny math.

Because the NSA’s own internal count of such violations suggests there would be closer to 300 such violations a year (counting just those deemed a lack of due diligence). The 772 violations for the S2 Directorate in the first quarter of 2011 represented 89% of all NSA’s violations that quarter; if their 68 due diligence violations represented 89% of all due diligence violations (S2’s rate for due diligence violations is lower than the two other categories broken out), you’d expect 76 each quarter, or just over 300 a year.

So whereas the NSA is telling itself that there are 300 examples a year where someone doesn’t follow rules — not because they don’t know them (those are training violations) or because they make a data entry error (those are human error), but something else — it is telling Congress there is just one example a year.

Poof! Magic math.

Update: If Kimberly Dozier got it too, it’s an official leak.

They apparently don’t fire people who use all these spy tools to spy on their exes.

Two U.S. officials said one analyst was disciplined in years past for using NSA resources to track a former spouse. The officials spoke on condition of anonymity because they were not authorized to speak publicly.

Keith Alexander’s Dinner Theater

A bunch of people have been discussing Stanford Professor Jennifer Granick’s account of a dinner she had with NSA Director and CyberCommander Keith Alexander. The main storyline describes how, three weeks ago, Lying Keith promised Granick that seeing the Primary Order for the Section 215 dragnet would make her more comfortable with the program.

It didn’t work out how Lying Keith might have liked.

I had a chance to read the Primary Order the next day, and rather than reassure, it raised substantial concerns.  First, it did not set forth any legal basis for the phone record collection, which Christopher Sprigman and I have argued is illegal.  Second, it confirmed that the FISA court does not monitor compliance with its limitations on the collection program, a problem that, according to a former FISA court judge, is endemic to NSA surveillance programs.

If that weren’t already enough, seeing the FISA Court order released earlier this week, with its revelation that — at least until 2009 — the safeguards on the dragnet program never functioned at all, really ruined Alexander’s efforts to make her feel better.

I remembered our conversation about the Primary Order yesterday while reading the newly declassified FISA court opinion that tangentially raised the phone records surveillance program.  According to the court in 2011, NSA was flagrantly disregarding the dictates of the Primary Order anyway:

[T]he Court concluded that its authorization of NSA’s bulk acquisition of telephone call detail records … in the so-called “big business records” matter “ha[d] been premised on a flawed depiction of how the NSA uses [the acquired] metadata” and that “[t]his misperception by the FISC existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government’s submissions and despite a government-devised and Court-mandated oversight regime.” … Contrary to the government’s repeated assurances, NSA had been routinely running queries of the metadata using querying terms that did not meet the required standard for querying.  The Court concluded that this requirement has been “so frequently and systemically violated that it can fairly be said that this critical element of the overall … regime has never functioned effectively.” (Footnote 14)

How does a good man sit across you from the dinner table and assure you the government is properly constrained, when in reality it lies and disregards even the most anemic purported safeguards?

Granick is far more polite than I am — because my conclusion here would be “a good man doesn’t spin you like this.”

But there’s one further bit of spin she doesn’t mention explicitly. Alexander — as he has done repeatedly since Snowden’s documents started leaking — pretended this was all about terrorism.

I have no doubt that Gen. Alexander loves this country as much as I do, or that his primary motivation is to protect our nation from terrorist attacks. “Never again,” he said over dinner.

[snip]

The General seemed convinced that if only I knew what he knew, I would agree with him. He urged me to visit Pakistan, so that I would better understand the dangers America faces.  I responded that one of my longest-standing friends has relatives there and visits regularly, maybe she would take me.  I did not miss his point, and he did not miss mine.

I’m not saying this isn’t, partly, about terrorism. But if that’s all he’s doing, Alexander can roll up his CyberCommand, all the programs targeting Iran, and more generalized cyberdefense: the things that, until these leaks, were considered more urgent issues. Once again, Alexander wants to use terror terror terror to justify a dragnet that (for the content side) targets far more broadly than just terror.

I asked Granick about this, and she said Alexander said “surprisingly little” about cybersecurity — perhaps just a comment about applying the rules of armed conflict to cyberwar.

As with his audience at BlackHat, Alexander here was talking to someone that Stanford considers an expert on cybercrime and cybersecurity. All differences of opinion about the phone dragnet aside, he should have spent his dinner with Granick discussing ways to accomplish the objectives of cybersecurity most effectively.

[A]s we go into cyber and look at–for cyber in the future, we’ve got to have this debate with our country. How are we going to protect the nation in cyberspace?

… Alexander claimed when speaking to a group that stood to get rich off of cybersecurity.

And yet, once again, when presented an opportunity to have that debate with one of the experts he needs to win over, Alexander cowered from the debate.

NSA Has a Database Problem

Back in 2009 when the government released what we now know is a FISA Court of Review decision ordering Yahoo to cooperate in PRISM, I questioned a passage of the decision that relied on the government’s claim that it doesn’t keep a database of incidentally collected conversations involving US persons.

In this post, I just want to point to a passage that deserves more scrutiny:

The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26)

To translate, if the government collects information from a US citizen (here or abroad), a legal permanent US resident, a predominantly US organization, or a US corporation in the course of collecting information on someone it is specifically targeting, it claims it does not keep that in a database (I’ll come back and parse this in a second). In other words, if the government has a tap on your local falafel joint because suspected terrorists live off their falafels, and you happen to call in a take out order, it does not have that in a database.

There are reasons to doubt this claim.

In the rest of the post, I showed how a response from Michaels Mukasey and McConnell to Russ Feingold’s efforts to protect US person incidental collection during the FISA Amendments Act had made it clear having access to this incidentally collected data was part of the point, meaning the government’s reassurances to the FISCR must have been delicate dodges in one way or another. (Feingold’s Amendments would have prevented 3 years of Fourth Amendment violative collection, by the way.)

Did the court ask only about a database consisting entirely of incidentally collected information? Did they ask whether the government keeps incidentally collected information in its existing databases (that is, it doesn’t have a database devoted solely to incidental data, but neither does it pull the incidental data out of its existing database)? Or, as bmaz reminds me below but that I originally omitted, is the government having one or more contractors maintain such a database? Or is the government, rather, using an expansive definition of targeting, suggesting that anyone who buys falafels from the same place that suspected terrorist does then, in turn, becomes targeted?

McConnell and Mukasey’s objections to Feingold’s amendments make sense only in a situation in which all this information gets dumped into a database that is exposed to data mining. So it’s hard to resolve their objections with this claim–as described by the FISA Appeals Court.

Which is part of the reason I’m so intrigued by this passage of John Bates’ October 3, 2011 decision ruling some of NSA’s collection and retention practices violated the Fourth Amendment. In a footnote amending a passage explaining why the retention of entirely US person communications with the permissive minimization procedures the government had proposed is a problem, Bates points back to that earlier comment.

The Court of Review plainly limited its holding regarding incidental collection to the facts before it. See In re Directives at 30 (“On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.” (emphasis added)). The dispute in In re Directives involved the acquisition by NSA of discrete to/from communications from an Internet Service Provider, not NSA’s upstream collection of Internet transactions. Accordingly, the Court of Review had occasion to consider NSA’s acquisition of MCTs (or even “about” communications, for that matter). Furthermore, the Court of Review noted that “[t]he government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary.” Id. Here, however, the government proposes measures that will allow NSA to retain non-target United States person information in its databases for at least five years.

Ultimately, Bates’ approval for the government to query on US person identifiers on existing incidentally collected Section 702 material (see pages 22-23) shows that he hasn’t really thought through what happens to US person incidental collection; he actually has a shocking (arguably mis-)understanding of how permissive the existing minimization rules are, and therefore how invasive his authorization for searching on incidentally collected information will actually be.

But his complaint with the proposed minimization procedures shows what he believes they should be.

The measures proposed by the government for MCTs, however, largely dispense with the requirement of prompt disposition upon initial review by an analyst. Rather than attempting to identify and segregate information “not relevant to the authorized purpose of the acquisition” or to destroy such information promptly following acquisition, NSA’s proposed handling of MCTs tends to maximize the retention of such information, including information of or concerning United States persons with no direct connection to any target.

As Bates tells it, so long as he’s paying close attention to an issue, the government should ideally destroy any US person data it collects that is not relevant to the authorized purpose of the acquisition. (His suggestion to segregate it actually endorses Russ Feingold’s fix from 2008.)

But the minimization rules clearly allow the government to keep such data (after this opinion, they made an exception only for the multiple communication transactions in question, but not even for the other search identifiers involving entirely domestic communication so long as that’s the only communication in the packet).

All the government has to do, for the vast majority of the data it collects, is say it might have a foreign intelligence or crime or encryption or technical data or threat to property purpose, and it keeps it for 5 years.

In a database.

Back when the FISCR used this language, it allowed the government the dodge that, so long as it didn’t have a database dedicated solely to incidentally collected US person communications, it was all good. But the language Bates used should make all the US person information sitting in databases for 5 year periods (which Bates seems not to understand) problematic.

Not least, the phone dragnet database, which — after all — includes the records of 310 million people even while only 12 people’s data has proved useful in thwarting terrorist plots.

Update: Fixed the last sentence to describe what the Section 215 dragnet has yielded so far.

How NSA Bypassed the Fourth Amendment for 3 Years

On October 3, 2011, the FISA Court deemed some of the NSA’s collections to violate the Fourth Amendment. Since Ron Wyden first declassified vague outlines of that ruling a year ago, we’ve been trying to sort through precisely what practice that decision curtailed.

A new WSJ story not only expands on previous descriptions of the practice.

The systems operate like this: The NSA asks telecom companies to send it various streams of Internet traffic it believes most likely to contain foreign intelligence. This is the first cut of the data.

These requests don’t ask for all Internet traffic. Rather, they focus on certain areas of interest, according to a person familiar with the legal process. “It’s still a large amount of data, but not everything in the world,” this person says.

The second cut is done by NSA. It briefly copies the traffic and decides which communications to keep based on what it calls “strong selectors”—say, an email address, or a large block of computer addresses that correspond to an organization it is interested in. In making these decisions, the NSA can look at content of communications as well as information about who is sending the data.

But it reveals the illegal program continued for 3 years, during which the telecoms and NSA simply policed (or did not police) themselves.

For example, a recent Snowden document showed that the surveillance court ruled that the NSA had set up an unconstitutional collection effort. Officials say it was an unintentional mistake made in 2008 when it set filters on programs like these that monitor Internet traffic; NSA uncovered the inappropriate filtering in 2011 and reported it.

[snip]

Paul Kouroupas, a former executive at Global Crossing Ltd. and other telecom companies responsible for security and government affairs, says the checks and balances in the NSA programs depend on telecommunications companies and the government policing the system themselves. “There’s technically and physically nothing preventing a much broader surveillance,” he says.

The entire WSJ article (and an accompanying explainer) is actually quite polite to the NSA, suggesting that minimization protects Americans better than the plain letter of the procedures does, remaining silent about NSA’s refusal to count how many Americans get sucked up in this, and focusing on terrorism more than the other applications of this. That’s not meant as a criticism; they got the story out, after all!

Most of all, though, it doesn’t question the claim that NSA set the filters too broadly in 2008 unintentionally.

Remember, those filters got set in the wake of the FISA Amendments Act. The telecoms doing the initial pass had just gotten immunity. While I think it possible that one of the telecoms got cold feet and that led to the FISA Court’s discovery of a practice that had been going on 3 years, I’m highly skeptical that the timing of the immunity and the overly broad filters was randomly coincidental.

I think we’re getting closer and closer to the iceberg Ron Wyden and Mark Udall warned us about.