Both These Things Cannot Be True

Last Friday, NSA’s Compliance Director John DeLong assured journalists the violations NSA reported in 2012 were “miniscule.” (I noted that the report showed some of the most sensitive violations primarily get found through audits and therefore their discovery depends in part on how many people are auditing.)

Today, as part of a story describing that NSA still doesn’t know what Edward Snowden took from NSA, MSNBC quotes a source saying NSA has stinky audit capabilities.

Another said that the NSA has a poor audit capability, which is frustrating efforts to complete a damage assessment.

(We’ve long known this about NSA’s financial auditing function, and there have long been signs they couldn’t audit data either, but apparently MSNBC’s sources agree.)

For the past several months, various Intelligence officials have assured Congress and the public that NSA keeps US person data very carefully guarded, so only authorized people can access it.

Today, MSNBC reports NSA had (has?) poor data compartmentalization.

NSA had poor data compartmentalization, said the sources, allowing Snowden, who was a system administrator, to roam freely across wide areas.

Again, there have long been signs that non-analysts had untracked access to very sensitive data. Multiple sources agree — and possibly not just non-analysts.

While I’m really sympathetic for the people who are reportedly “overwhelmed” trying to figure out what Snowden took, we’re seeing precisely the same thing we saw with Bradley Manning: that it takes a giant black eye for intelligence agencies to even admit to gaping holes in their security and oversight.

And in NSA’s case, it proves most of their reassurances to be false.

If NSA Commits Database Query Violations, But Nobody Audits Them, Do They Really Happen?

Barton Gellman, at the beginning of the worthwhile video above, addresses something I addressed here: the only way the government can claim they haven’t “abused” the rules governing NSA activities is by treating all abuse done in the name of the mission as a mistake.

The President, like a lot of people who work for him, has a very narrow definition of two key words in that passage. One is “abuse” and the other is “inappropriately.” As the government depicts it — and this is language it’s using that it does not, frankly, explain.

Abuse — the only kind of abuse that exists would be if, say, an NSA employee were to stalk his ex-wife or spy on movie stars or something of that nature. If they are performing the mission that the NSA wants them to perform, and nevertheless overstep their legal authority, make unauthorized interceptions or searches or retentions or sharing of secret information, that is not abuse, that’s a mistake.

That’s how they get to pretend the 9% to 20% of violations in which a person does not follow the rules seemingly intentionally (these are distinct from human error and training violations) do not constitute an abuse.

With that in mind, I wanted to look more closely at what the audit report says about how errors are found, as shown primarily in this figure:

[Figure: screenshot of the audit report’s breakdown of how violations were found]

That looks pretty good on the face, with 64% of all violations found via automated alert, plus a few more — data flow analysis and traffic scanning — that involve technological review.

But this detail on the roamer problem (in which valid foreign targets continue to be targeted when they travel to the US) explains why that’s not all that impressive.

The Importance of Being Earnest

Q Why was the United States given a heads-up by the British government on this detention?

MR. EARNEST: Again, that heads-up was provided by the British government, so you can direct that question to them.

Q Right. But was this heads-up given before he was detained or before it went public that he was detained?

MR. EARNEST: Probably wouldn’t be a heads-up if they would have told us about it after they detained him.

Q So it’s fair to say they told you they were going to do this when they saw that he was on a manifest?

MR. EARNEST: I think that is an accurate interpretation of what a heads-up is.

Q Is this gentleman on some sort of watch list for the United States? Can you look that up?

MR. EARNEST: You’d have to check with the TSA because they maintain the watch list. And I don’t know if they’d tell you or not, but you can ask them.

Q If he’s on a watch list for the U.K., would it be safe to assume then that he’s been put on a watch list in the United States?

MR. EARNEST: The level of coordination between counterterrorism and law enforcement officials in the U.K. and counterterrorism and law enforcement officials in the United States is very good. But in terms of who is on different watch lists and how our actions and their actions are coordinated is not something I’m in a position to talk about from here.

Q Did the United States government — when given the heads-up, did the United States government express any hesitancy about the U.K. doing it — about the U.K. government doing this?

MR. EARNEST: Well, again, this is the British government making a decision based on British law, on British soil, about a British law enforcement action.

Q Did the United States, when given the heads-up, just said okay?

MR. EARNEST: They gave us a heads-up, and this is something that they did not do at our direction and it’s not something that we were involved with. This is a decision that they made on their own.

Q Did the United States discourage the action?

White House Deputy Spokesperson Josh Earnest wants you to know that the decision to detain Glenn Greenwald’s partner David Miranda was made by the British on their own.

Q Josh, you’ve talked about the Mubarak detention as being a Egyptian legal matter. You’ve talked about Morsi’s politically motivated detention. And then with regard to Mr. Greenwald’s partner, you called it a “mere law enforcement action.” Given that the White House has never been shy about criticizing detention policies overseas, do you have any concerns at all about the U.K.’s law enforcement actions in this case?

MR. EARNEST: Well, what I can say is I don’t have a specific reaction other than to observe to you that this is a decision that was made by the British government and not one that was made at the request or with the involvement of the United States government.

But he’s not going to tell you anything about the secret conversations the US has with the British.

MR. EARNEST: To be honest with you, Steve, I don’t have a way to characterize for you any of the conversations between the British government and the U.S. government on this matter other than to say that this is a decision that they made on their own and not at the request of the United States. But in terms of the kinds of classified, confidential conversations that are ongoing between the U.S. and our allies in Britain, I’m not able to characterize that for you.

Q But there are consultations on this matter taking place?

MR. EARNEST: I’m telling you I’m not able to provide any insight into those conversations at all.

Ah well, perhaps this “US security official,” rather bizarrely given anonymity to pass on this British thuggish comment, offers better insight into those conversations.

One U.S. security official told Reuters that one of the main purposes of the British government’s detention and questioning of Miranda was to send a message to recipients of Snowden’s materials, including the Guardian, that the British government was serious about trying to shut down the leaks.

Josh Earnest may not want to admit to the close collaboration here, but American security officials sure seem privy to the message being sent.

 

Have There Been Significant Phone Dragnet Violations Since 2009?

As I laid out in more obscure fashion here, there are slight — but interesting — differences between how the 2009 Congressional notice, the 2011 Congressional notice, and the 2013 White Paper on the PATRIOT Act dragnet(s) describe the compliance problems. I’ve laid out all three below.

I’ll have more to say about the differences in a follow-up. But for the moment, note that the White Paper released 11 days ago doesn’t date the compliance issues.

Since the telephony metadata collection program under Section 215 was initiated, there have been a number of significant compliance and implementation issues that were discovered as a result of DOJ and ODNI reviews and internal NSA oversight.

The 2009 one doesn’t either — though it does reveal that the government was only just briefing the FISC that September on its compliance fixes when Silvestre Reyes first asked for this notice (they stalled almost 3 months in responding to him), at least suggesting the recentness of the discovery. The 2011 notice limits the compliance issues to 2009, though.

In 2009, a number of technical compliance problems and human implementation errors in these two bulk collection programs were discovered

Note, too, the different descriptions of the FISC response. Both the 2009 and 2011 notices assure Congress that the FISC, along with the Executive, found no evidence of bad-faith or intentional violations.

However, neither the Department, NSA nor the FISA Court has found any intentional or bad-faith violations.

The 2011 notice also reveals that the FISC imposed restrictions on the program — restrictions that surely were in place in March 2009, when Dianne Feinstein and Kit Bond tried to start the PATRIOT Reauthorization program and may still have been in place in September 2009 (there were notices to Congress about the program on February 25, April 10, May 7, June 29, September 3, and September 10, 2009, and briefing materials sent to FISC on the program on September 1, September 18, and sometime in October).

Nice of DOJ to tell Congress that two years after the fact.

The White Paper, however, describes the FISC response — at times — quite differently. It makes no claim about whether FISC found intentional violations. And it reveals the FISC has, on occasion, “been critical” of both the compliance problems and the government’s court filings.

The FISC has on occasion been critical of the Executive Branch’s compliance problems as well as the Government’s court filings. However, the NSA and DOJ have corrected the problems identified to the Court, and the Court has continued to authorize the program with appropriate remedial measures.

Not only is there no claim that the FISC found no bad-faith problems, but it now reveals that “on occasion” the FISC has been critical — critical about both the problems and the government’s claims about the problems.

There are several possible explanations for the difference in language.

Perhaps, for example, the government revealed FISC’s critical stance because it knew the FISC would read this White Paper, along with the rest of us, whereas the Congressional notifications would originally have never been seen by the FISC. Thus, the Administration would have reason to be far more frank about the FISC’s response than it was in the past.

But in conjunction with the silence about the date of these compliance problems, I do wonder whether FISC has grown more critical since 2011. After all, if there have been violations since this apparently extended effort in 2009 to fix compliance issues, wouldn’t it make the Court crankier?

One more thing to keep in mind.

20 Questions: Mike Rogers’ Vaunted Section 215 Briefings

Comment — Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?

A — To the FBI’s knowledge, those authorities have not been abused.

That exchange is, according to DOJ’s Congressional Affairs Office, the level of detail offered up at a May 13, 2011 briefing of the House Republican Caucus regarding the PATRIOT Act provisions the House would vote to reauthorize less than two weeks later.

The questioner — who is not identified — may have been talking about comments Russ Feingold made way back on October 1, 2009, as part of the previous reauthorization of the PATRIOT Act (remember, by this point, Feingold was no longer in the Senate). Here are the things Feingold said about Section 215 in that Senate Judiciary Committee markup.

I remain concerned that critical information about the implementation of the Patriot Act remains classified. Information that I believe would have a significant impact on the debate… There is also information about the use of Section 215 orders that I believe Congress and the American People deserve to know. It is unfortunate that we cannot discuss this information today.

Mr Chairman, I am also a member of the Intelligence Committee. I recall during the debate in 2005 that proponents of Section 215 argued that these authorities had never been misused. They cannot make that statement now. They have been misused. I cannot elaborate here. But I recommend that my colleagues seek more information in a classified setting.

I want to specifically disagree with Senator Kyle’s [sic] statement that just the fact that there haven’t been abuses of the other provisions which are Sunsetted. That is not my view of Section 215. I believe section 215 has been misused as well.

Given the context, it is unclear whether Feingold referred to use of Section 215 for things they shouldn’t have, use of it to authorize bulk collection generally, or to the compliance issues identified in 2009 on which the Administration had recently briefed the Intelligence Committee. But his suggestion that the Senate Judiciary Committee was getting less detailed briefings than the Senate Intelligence Committee at that point is consistent with DOJ’s 2009 notice to Congress on the dragnet, which said, “The [compliance] incidents, and the Court’s responses, were also reported to the Intelligence Committees in great detail,” with no mention of similarly detailed briefings to SJC (the 2011 letter indicates that by that point SJC was getting detailed briefings as well). This, in turn, suggests he was referring to dragnet-related violations.

Regardless of what Feingold meant, though, he tied misuse very closely to the secret use of Section 215 to conduct dragnet collection of all Americans’ phone records. Feingold’s other public statements about Section 215 focus even more closely on the secret dragnet application of it.

In other words, this appears to have been a question attempting to get at the secret application of the PATRIOT Act that Feingold, along with Ron Wyden and people like Jerry Nadler, had been warning about. This appears to have been an attempt to learn about a topic that — in 2009, at least — DOJ had “agree[d] that it is important that all Members of Congress have access to information about this program” (DOJ didn’t include such blather in its 2011 notice).

Exactly 100 days before the briefing at which this question was asked, DOJ had sent House Intelligence Chair Mike Rogers (who appears to have convened this briefing) a letter noting, “In 2009, a number of technical compliance problems and human implementation errors in these two bulk collection programs were discovered as a result of Department of Justice (DOJ) reviews and internal NSA oversight.”

Yet in response to a query clearly designed to elicit both the existence of the dragnet program and details on problems associated with it, FBI Director Robert Mueller and then-General Counsel Valerie Caproni (and/or whatever staffers were with them) said, to the Bureau’s knowledge, there had been no abuses. Perhaps, then, as now, they’re relying on the claim that none of these compliance issues were willful — the letter said they weren’t intentional or bad-faith — to avoid telling members of Congress about problems with the program.

Remember, this is one of the (and may have been the only) briefings that Mike Rogers now claims provided adequate substitute for letting House members know about the letter describing the dragnet and the compliance problems associated with it. Rogers’ House Intelligence spokesperson, Susan Phalen, has claimed those briefings “not only covered all of the material in the letter but also provided much more detail.” (As far as I’ve been able to tell from the FOIA production to the ACLU, there was no similar briefing for the Democratic caucus, though FOIA production tends to be incomplete; one Democratic Congressman, Hansen Clarke, attended the Republican briefing.)

And DOJ’s own records of the briefing make it clear that when someone tried, however inartfully, to learn about the program, Mueller and Caproni obfuscated about the compliance issues and possibly the existence of the dragnet itself.

This is a concrete example of what both Justin Amash and Ron Wyden have described as a game of 20 questions briefers play in these briefings. The questioner raised one of the few public hints about the dragnet program to ask the FBI about it, and the FBI responded in a manner very similar to the way James Clapper did in March, when he lied to the SSCI.

Now, we don’t know what remains behind the redactions in the briefing, but there is one other piece of evidence that this briefing, at least, didn’t even touch on the dragnet. If you look at all 5 closed briefings turned over in production to ACLU, two — a February 28, 2011 briefing for SJC and a March 17, 2011 briefing for the House Intelligence Committee — were deemed classified “per OGA letter dated 4/26/2012.” The acronym, short for “Other Government Agency,” is usually used to refer to CIA, but in this context, where we now know NSA played a central role but revealing that role last year would have disclosed significant new details about the secret application of Section 215, it may well refer to NSA. Those briefings also redacted the identities of some briefers which, again, may be classified to hide the NSA’s role in this program.

If all this speculation is correct, then it means there was no mention of the NSA in the briefing for the Republican caucus. If there was no mention of NSA, then they really couldn’t have explained the program (both the 2009 and 2011 notices make extensive reference to the NSA).

In any case, what remains unredacted is quite clear. Someone at that briefing — the briefing that Mike Rogers’ staffer claims offered more information than had been provided in the DOJ letter — tried to learn about problems with the secret program. And they got stonewalled in response.

Was the person who asked this question and got an incomplete answer one of the 65 people who would go on to reauthorize the PATRIOT Act having had no way of learning about the program and its compliance problems?

Mike Rogers’ Excuses for Withholding Dragnet Notice Get Stupider

Congratulations to the WaPo which is catching up to what I first reported here, that Mike Rogers didn’t tell House Members about a notice of the PATRIOT Act dragnet programs before the vote. (Note: WaPo makes an error when it claims Congress got the previous notice in 2009; Silvestre Reyes and Dianne Feinstein sat on that letter for 2 months after they got it.)

Sadly for Mike Rogers, his excuses are getting stupider.

Admittedly, his past excuses were pretty stupid. In that version, the House Intelligence Committee suggested that having four briefings (for Republicans! only?!) in the last several months made up for not providing notice back in 2011.

The House Intelligence Committee makes it a top priority to inform Members about the intelligence issues on which Members must vote.  This process is always conducted consistent with the Committee’s legal obligation to carefully protect the sensitive intelligence sources and methods our intelligence agencies use to do their important work.  Prior to voting on the PATRIOT Act reauthorization and the FAA reauthorization, Chairman Rogers hosted classified briefings to which all Members were invited to have their questions about these authorities answered.  Additionally, over the past two months, Chairman Rogers has hosted four classified briefings, with officials from the NSA and other agencies, on the Section 215 and Section 702 programs and has invited all Republican Members to attend and receive additional classified briefings on the use of these tools from Committee staff.  The Committee has provided many opportunities for Members to have their questions answered by both the HPSCI and the NSA. And Chairman Rogers has encouraged members to attend those classified briefings to better understand how the authorities are used to protect the country.

But in this version, House Intelligence Committee spokesperson Susan Phalen claims providing notice of the need to be informed is a side issue.

A spokeswoman for the House committee, Susan Phalen, declined to say whether the panel had voted to withhold the letter or if the decision was made by Chairman Mike Rogers (R-Mich.).

“Because the letter by itself did not fully explain the programs, the Committee offered classified briefings, open to all Members of Congress, that not only covered all of the material in the letter but also provided much more detail in an interactive format with briefers available to fully answer any Members’ questions,” Phalen wrote in an e-mail. “The discussion of the letter not being distributed is a side issue intended to give the false impression that Congress was denied information. That is not the case.” [my emphasis]

Remember, what (according to the White Paper) Rogers did not do was write a letter telling Members of Congress there was an issue they might want to learn about. Dianne Feinstein sent a letter, dated February 8, 2011, telling colleagues they could come read the letter from the Administration, dated February 2, 2011. According to the White Paper, Mike Rogers sent no such letter — not to tell Congressmen there was a letter, not to tell them what the briefings they held instead were about. So the briefings were pointless, because without notice of them, no one would attend.

That’s not a “side issue.” That goes to the central issue of whether 65 of the yes votes for the PATRIOT Act had had adequate notice of what they were voting for.

At this point, the House Intelligence Committee is not even trying to deny that. The only question remaining is whether Rogers provided no notice on his own, with the consent of the committee, or at the behest of the Administration that gave them the letter in the first place.

Lack of Due Diligence: The NSA’s “the Analyst Didn’t Give a Fuck” Violation

The NSA claims there have been no willful violations of the law relating to the NSA databases. For example, NSA’s Director of Compliance John DeLong just said “NSA has a zero tolerance policy for willful misconduct. None of the incidents were willful.” House Intelligence Chair Mike Rogers just said the documents show “no intentional or willful violations.”

Which is why I want to look more closely at the user error categories included in the May 3, 2012 audit.

The report doesn’t actually break down the root cause of errors across all violations. But it does for 3 different, overlapping incident types (the 195 FISA authority incidents, the 115 database query ones, and the 772 S2 Directorate violations).

It says the root cause for FISA authority incidents breaks down this way:

  • 60 resource (31% of all FISA authority violations)
  • 39 lack of due diligence (20% of all FISA authority violations)
  • 21 human error (11% of all FISA authority violations)
  • 3 training (1.5% of all FISA authority violations)
  • 67 system limitations (34% of all FISA authority violations, mostly on the roamer problem)
  • 4 system engineering (2% of all FISA authority violations)
  • 1 system disruption (.5% of all FISA authority violations)

It says the root cause of all database query incidents breaks down this way:

  • 85 human error (74% of all database query incidents)
  • 13 lack of due diligence (11% of all database query incidents)
  • 9 training (8% of all database query incidents)
  • 7 resources (6% of all database query incidents)
  • 1 system disruption (~1% of all database query incidents)

And it breaks down the errors in its worst performing (in terms of violations) Deputy Directorate organization, S2, this way:

  • 71 human error (9% of all S2 violations)
  • 80 resources (10% of all S2 violations)
  • 68 lack of due diligence (9% of all S2 violations)
  • 2 resources
  • 9 training (1% of all S2 violations)
  • 541 system limitations (70% of all S2 violations)
  • 1 system engineering

What I’m interested in are the three main types of operator error: human error, resources, and lack of due diligence.

Human error is, from the descriptions, an honest mistake. It includes broad syntax errors, typographical errors, Boolean operator errors, misapplied query technique, incorrect option, unfamiliarity with tool, selector mistypes, incorrect realm, or improper queries. Let’s assume, improbably, that none of the violations listed as human error were anything but honest mistakes. These honest mistakes account for anywhere from 9% to 74% of the violations broken out by root cause.

Then there are resource violations. Those are described as “inaccurate or insufficient research information and/or workload issues.” So partly, resource violations stem from someone having too much analysis to do. But given that “inaccurate or insufficient research information” always appears first, it seems that resource violations arise when an analyst targets someone based on a faulty understanding about this person. Given how prominent this problem is for FISA violations, I suspect it includes, in part, target location. It may also pertain to targets erroneously believed to have a tie to terror or Chinese military or Iranian nukes. These appear to be mistakes based on the analyst not having enough or accurate information before she starts the collection. These may or may not be honest mistakes. The description of them as resource errors suggests they may in part be people taking research short cuts. Resource problems account for anywhere from 6% to 31% of the violations broken out by root cause.

But then there’s a third category: lack of due diligence. The report defines lack of due diligence as “a failure to follow standard operating procedures.” But some failure to follow standard operating procedure is accounted for in other categories, like training, the misapplied query techniques, and the apparent inadequate research violations. This category appears to be something different than the “honest mistake” errors categorized under human error. In fact, by the very exclusion of these violations from the “human error” category, NSA seems to be admitting these violations aren’t errors. These violations of standard operating procedures, it seems, are intentional. Not errors. Willful violations.

At the very least, this category seems to count the violations on behalf of analysts who just don’t give a fuck what the rules are, they’re going to ignore the rules.

This category, what I consider the “Analyst didn’t give a fuck” category, accounts for 9% to 20% of all the violations broken out by root cause.

In aggregate, these violations may not amount to all that many given the thousands of queries run every year — they make up just 68 of the violations in S2, for example. Those 68 due diligence violations make up almost 8% of the violations in the quarter, not counting due diligence violations that may have happened in other Directorates.

John DeLong, who is in charge of compliance at NSA, says the Agency has zero tolerance for willful misconduct. But the NSA appears to have a good deal more tolerance for a lack of due diligence.

Verizon: Get Exposed for Spying, Win $1 Billion!

Congratulations to Verizon!

Just a few months after being exposed for providing all its American customer records to the government, it just won part of a $10 billion contract to provide cloud storage for the Department of Interior that may be worth as much as $1 billion.

The U.S. Department of the Interior has selected Verizon to participate in a $10 billion, 10-year contract to provide cloud and hosting services. This is potentially one of Verizon’s largest federal cloud contracts to date.

Verizon is one of 10 companies that will compete to offer cloud-based storage, secure file transfer, virtual machine, and database, Web, and development and test environment hosting services. The company is also one of four selected to offer SAP application hosting services.

Each of the 10 agreements awarded under the Foundation Cloud Hosting Services contract has a potential maximum value of $1 billion.

Don’t worry. I’m sure the spying had nothing to do with Verizon winning this huge contract.

But I’m sure it will make Verizon much less interested in pushing the government to roll back the spying.

21% of the Database Query Errors in NSA Report Involved the Phone Internet Dragnet Database

[Figure: screenshot from the audit report showing the databases involved in query errors]

Update: as Mindrayge notes, Marina appears in NSA slides as Internet, not phone metadata (and that’s how Ambinder refers to it here). There are some oddities, then, but I am changing this post accordingly.

As I noted in this post, the May 3, 2012 audit of NSA’s violations falsely suggests “roamer” problems were the cause of an increase in incidents, rather than database query errors, transit collection, and detask problems.

Database query errors are basically when an analyst collects too much data because she doesn’t exclude data that should be excluded, she ran a query believing it was appropriate because she had too little information on it, or she ignored standard operating procedures.

In addition to telling us how many database query problems there were, the report tells us which NSA databases they involved. As the figure above notes, 24 of those errors involved the MARINA database. There were actually 115 total query errors — 4 involved multiple databases — which means 21% of the database query errors involve MARINA.

As Marc Ambinder and others have reported, MARINA is the name of the Section 215 phone records dragnet database.

The telephone metadata is stored in a database called MARINA, which keeps these records for at least five years.

In other words, a fifth of the database query errors in the first quarter of 2012 were on the US phone Internet record dragnet database — the one the government has been claiming is so carefully guarded.

[If Mainway is just Internet metadata, then we don’t know the number of queries.]

Not only that, but we have a rough idea of how common query errors on this database are. The government has told us that queries were made on fewer than 300 identifiers in 2012. While it’s not a one-to-one comparison (some identifiers would have been run more than once), that means perhaps as many as 8% of the queries on the dragnet database involved some kind of error, including errors like not following procedures. And that’s assuming analysts didn’t keep making errors with the database at the same rate they did in the first quarter: if they kept up the same error pace, the error rate might be closer to 32%.

But don’t worry, the government tells us, our phone record data are safe, even with a potential error rate of 32% accessing that data.

Update: LAT’s Ken Dilanian, who listened to a conference call NSA just had, just tweeted this:

NSA’s DeLong will not say how often NSA makes privacy errors when it queries US phone records database. But less than 30%, he says.

I asked is the rate between 8 and 30%, and he said 30% isn’t right. So, you may be on to something.

Less than 30%?!?!? That suggests it is probably far higher than even I imagined. Even if it was 8% it would be unacceptably high. But if it’s at the higher end of the possible range, it is unbelievably high.

Update: Ron Wyden and Mark Udall have issued a statement on this. Among other statements, they emphasize that Americans need to know about the phone and Internet dragnet violations.

Americans should know that this confirmation is just the tip of a larger iceberg.

[snip]

In particular, we believe the public deserves to know more about the violations of the secret court orders that have authorized the bulk collection of Americans’ phone and email records under the USA PATRIOT Act.

Given the potential numbers of phone dragnet violations, I should say so.

Update: Fixed “a fifth” for “a quarter.” Now I’m making NSA type simple math errors!

All Three Branches Conduct Vaunted NSA Oversight!

Today, we learned this is what the vaunted Congressional oversight of NSA spying looks like.

Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.), who did not receive a copy of the 2012 audit [showing thousands of violations] until The Post asked her staff about it, said in a statement late Thursday that the committee “can and should do more to independently verify that NSA’s operations are appropriate, and its reports of compliance incidents are accurate.”

We learned this is what the vaunted FISA Court oversight of NSA spying looks like.

The chief judge of the Foreign Intelligence Surveillance Court said the court lacks the tools to independently verify how often the government’s surveillance breaks the court’s rules that aim to protect Americans’ privacy. Without taking drastic steps, it also cannot check the veracity of the government’s assertions that the violations its staff members report are unintentional mistakes.

“The FISC is forced to rely upon the accuracy of the information that is provided to the Court,” its chief, U.S. District Judge Reggie Walton, said in a written statement to The Washington Post. “The FISC does not have the capacity to investigate issues of noncompliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders.”

We learned this is what the vaunted internal NSA oversight of NSA spying looks like.

The NSA uses the term “incidental” when it sweeps up the records of an American while targeting a foreigner or a U.S. person who is believed to be involved in terrorism. Official guidelines for NSA personnel say that kind of incident, pervasive under current practices, “does not constitute a . . . violation” and “does not have to be reported” to the NSA inspector general for inclusion in quarterly reports to Congress. Once added to its databases, absent other restrictions, the communications of Americans may be searched freely.

In one required tutorial, NSA collectors and analysts are taught to fill out oversight forms without giving “extraneous information” to “our FAA overseers.” FAA is a reference to the FISA Amendments Act of 2008, which granted broad new authorities to the NSA in exchange for regular audits from the Justice Department and the office of the Director of National Intelligence and periodic reports to Congress and the surveillance court.

Using real-world examples, the “Target Analyst Rationale Instructions” explain how NSA employees should strip out details and substitute generic descriptions of the evidence and analysis behind their targeting choices.

Vaunted. For well over 2 months. This is what they’ve been hailing.