As WaPo Was Letting Pincus Transcribe, They Were Fighting Administration on Gellman Story

/11 Comments/in , /by

On Friday, the President promised us more transparency on NSA issues.

Meanwhile, the WaPo was preparing this story on NSA issues from Barton Gellman.

Along the way, the Administration gave Gellman a 90-minute interview of unspecified date (it may have been Saturday, the day after Obama’s promise to be more transparent) with NSA’s Director of Compliance John DeLong only to, after the fact, ask for quote approval.

The Obama administration referred all questions for this article to John DeLong, the NSA’s director of compliance, who answered questions freely in a 90-minute interview. DeLong and members of the NSA communications staff said he could be quoted “by name and title” on some of his answers after an unspecified internal review. The Post said it would not permit the editing of quotes. Two days later, White House and NSA spokesmen said that none of DeLong’s comments could be quoted on the record and sent instead a prepared statement in his name. The Post declines to accept the substitute language as quotations from DeLong.

On August 12, the government refused to answer specific questions about compliance issues, even though Gellman had a report on them in hand.

The NSA communications office, in coordination with the White House and Director of National Intelligence, declined to answer questions about the number of violations of the rules, regulations and court-imposed standards for protecting the privacy of Americans, including whether the trends are up or down. Spokesmen provided the following prepared statement.

Then, on August 14, it offered this statement in response to specific questions about the FISA Court finding NSA to have violated the Fourth Amendment in October 2011.

In July 2012, Director of National Intelligence [James R.] Clapper declassified certain statements about the government’s implementation of Section 702 in order to inform the public and congressional debate relating to reauthorization of the FISA Amendments Act (FAA). Those statements acknowledged that the Foreign Intelligence Surveillance Court (FISC) had determined that “some collection carried out pursuant to the Section 702 minimization procedures used by the government was unreasonable under the Fourth Amendment.”

The FISC’s finding was with respect to a very specific and highly technical aspect of the National Security Agency’s 702 collection. Once the issue was identified and fully understood, it was reported immediately to the FISC and Congress. In consultation with the FISC, the Department of Justice, NSA, and the Office of the Director of National Intelligence worked to address the concerns identified by the FISC by strengthening the NSA minimization procedures, thereby enhancing privacy protections for U.S. persons. The FISC has continued to approve the collection as consistent with the statute and reasonable under the Fourth Amendment.

I’m so old I remember when President Obama promised us more transparency.

But even as the WaPo was having these ridiculous conversations with the IC about data that Gellman had in hand, Walter Pincus was writing this story.

It’s time for the intelligence community to have its side of the debate over the National Security Agency’s collection programs explained.

[snip]

Such transparency is useless if the news media do not pass it on to the public. Few, if any, major news outlets carried any of the details from the Justice and NSA papers.

[snip]

Intelligence officials say that if the U.S. media do not provide what the government claims are the facts underlying what critics and supporters say, the public cannot understand the issue.

[snip]

There are two more issues intelligence officials want noted.

That is, even while IC officials were whining to Pincus that no one was spewing their propaganda, they were playing games with Gellman to try to influence his piece while not admitting he had a handful of documents on violations that proved them wrong.

Though none of that explains what this is, from Gellman’s story.

a senior NSA official said in an interview, speaking with White House permission on the condition of anonymity.

I’m going to guess that’s DeLong. But still: why give the government their shot at rebuttal if they refuse to let their officials be accountable for their comments?

More Notice Problems in the 215 Dragnet White Paper

/4 Comments/in , /by

According to the 2009 Draft NSA IG Report, the telecoms asked for some kind of order for the telecom dragnet collection in 2005, just after the NYT revealed the illegal wiretap program.

After the New York Times article was published in December 2005, Mr. Potenza stated that one of the PSP providers expressed concern about providing telephone metadata to NSA under Presidential Authority without being compelled. Although OLC’s May 2004 opinion states that NSA collection of telephony metadata as business records under the Authorization was legally supportable, the provider preferred to be compelled to do so by a court order.

At least for the beginning of 2006, the government responded to these concerns with a letter from Alberto Gonzales.

On 24 January 2006, the Attorney General sent letters to COMPANIES A, B, and C, [AT&T, Verizon, and MCI] certifying under 18 U.S.C. 2511 (2)(a)(ii)(B) that “no warrant or court order was or is required by law for the assistance, that all statutory requirements have been met, and that the assistance has been and is required.

The court first signed an order authorizing the collection of phone metadata on May 24, 2006 — 76 days after Congress had passed the reauthorization of the PATRIOT Act with the new “relevant to” language.

The FISC signed the first Business Records Order on 24 May 2006. The order essentially gave NSA the same authority to collect bulk telephony metadata from business records that it had under the PSP. And, unlike the PRTT, there was no break in collection at transition.

But according to the March 2008 DOJ IG Report on Section 215 use, DOJ’s Office of Intelligence Policy and Review was briefing changes to at least some of the use of the use of Section 215 that would be implemented by the reauthorization before PATRIOT was reauthorized.

OIPR determined that substantive amendments to the statute undermined the legal basis for which OIPR had received authorization [redacted] from the FISA Court. Therefore, OIPR decided not to request [redacted] pursuant to Section 215 until it re-briefed the issue for the FISA Court.24

24 OIPR first briefed the issue to the FISA Court in February 2006, prior to the Reauthorization Act.

The import of the new “relevant to” may well have been the substantive change in question; so this February briefing may have been the start of stripping “relevant to” of all meaning.

Ron Wyden seems to want the government to admit this first court authorization just approved dragnet collection already going on.

When he and 25 other Senators sent James Clapper some questions about Section 215, they asked how long the NSA was conducting dragnet collection under the PATRIOT Act (which remember also includes the PW/TT statute used for the Internet dragnet).

How long has the the NSA used PATRIOT Act authorities to engage in bulk collection of Americans’ records? Was this collection under way when the law was reauthorized in 2006?

And Wyden called out Clapper when he refused to answer.

In addition, the intelligence community’s response fails to indicate when the PATRIOT Act was first used for bulk collection, or whether this collection was underway when the law was renewed in 2006.

Was the government using National Security Letters to collect this information between the NYT scoop and the FISC authorization, I wonder?

In any case, we know the government was collecting phone metadata going back years, we know the government was discussing changes instituted by PATRIOT reauthorization in February 2006, and we know the FISC approved using Section 215 for a phone dragnet in May 2006.

In an interview published yesterday, Ron Wyden (who had already been on the Senate Intelligence Committee for several years in 2006) revealed when he first learned about the phone dragnet.

You went from supporting the Patriot Act in 2001 to pushing relentlessly for its de-authorization. What was the tipping point?
My concerns obviously deepened when I first learned that the Patriot Act was being used to justify the bulk collection of Americans’ records, which was in late 2006 or early 2007.

In other words, the government didn’t get around to briefing all of the Intelligence Committee about this collection until months after it started, and possibly up to a year after they first briefed related issues to the FISC.

Here’s how the White Paper turns that unforgivable delay into a boast.

Moreover, in early 2007, the Department of Justice began providing all significant FISC pleadings and orders related to this program to the Senate and House Intelligence and Judiciary committees. By December 2008, all four committees had received the initial application and primary order authorizing the telephony metadata collection. Thereafter, all pleadings and orders reflecting significant legal developments regarding the program were produced to all four committees.

Translation: The Executive Branch stalled for an impermissibly long period of time after this dragnet started before briefing even the Intelligence Committee. And while we might blame the Bush Administration, remember that Keith Alexander was already running the dragnet by this period.

So not only didn’t the government tell Congress it was using PATRIOT to conduct dragnet collection of Internet metadata when it reauthorized it in 2006, but it didn’t even tell all members of SSCI until well after the phone dragnet moved under PATRIOT as well.

When the FISA Court becomes the Exotic Surveillance Shop

/27 Comments/in , /by

I’m still updating yesterday’s post collecting everything we might know about the government’s demand to Lavabit that led Ladar Levison to shut it down.

I’d like to consider the implications of Levison’s hint that the order or warrant he got came not solely from the FBI — as a National Security Letter would — but from the FISA Court.

LADAR LEVISON: I think it’s important to note that, you know, it’s possible to receive one of these orders and have it signed off on by a court. You know, we have the FISA court, which is effectively a secret court, sometimes called a kangaroo court because there’s no opposition, and they can effectively issue what we used to consider to be an NSL. And it has the same restrictions that your last speaker, your last guest, just talked about.

(The restrictions in question pertain to the gag and risk of prison that came with the National Security Letter Nicholas Merrill received.)

Several of us on Twitter today brainstormed what kind of FISA order this might involve: possibilities include using a physical FISA search to get keys from Lavabit’s users, using the Internet dragnet precedents to use FISA’s Pen Register/Trap and Trace provision to get the keys, treating the keys as “tangible things” under Section 215 and demanding them that way, or possibly just a traditional electronic surveillance warrant. They also might have issued a protection order requiring Lavabit to archive things that users otherwise might be able to delete, as they have in a prior case.

But the implication is that all happens under the FISA Court and not (as, for example, the government’s demand for Twitter information on WikiLeaks associates did in that investigation) the Eastern District of VA court.

And that, to me, seems as problematic as the gag and the apparently exotic request.

Consider: presumably the target of this order is Edward Snowden and alleged accomplices of his, though hints about the order suggest the government demanded information on all of Lavabit’s users to get to the information on Snowden. Snowden has already been charged in a criminal complaint (which has been released, but is still not docketed). Snowden has been charged with several crimes, not just probable cause that he’s an agent of a foreign power (and while many in government have been trying to claim he’s a defector to Russia since those charges, at the time he was charged there was no hint of his being a foreign agent).

In other words, this is now and seems to have always been a criminal investigation, not a foreign intelligence investigation (and it didn’t start out as an old-style Espionage investigation, which would have been the appropriate application with Snowden to get into a foreign intelligence court).

So why is it in the “Foreign Intelligence Surveillance Act” court (if in fact it is)? Why isn’t it in a Title III Court, with a nice hefty gag attached to it that would serve the same purpose as the legal gag tied to FISA orders?

Hell, why is it gagged anyway, since it had been publicly reported that Snowden was a Lavabit customer, and since the government itself has leaked that it is investigating and has charged Snowden?

The obvious answer is likely because the FISA Court is where the exotic precedents live — wacky interpretations of Pen Register/Trap and Trace statutes to allow bulk collection of stuff that might loosely be called Internet metadata or of the word “relevant” to mean “whatever the government wants it to mean.”

And that, it seems to me, presents a troubling new interpretation for the “significant purpose” language in FISA, which was passed after 9/11 to allow the government to use information collected under the guise of foreign intelligence for criminal prosecution purposes. The idea, then, was that the court is supposed to serve primarily as a foreign intelligence shop with the criminal use being incidental.

But the very vague outlines of the Lavabit demands appears to suggest the government has reversed that, using the FISA Court for investigative purposes that might easily be accomplished under Title III, except that the government is relying on exotic precedents that only exist in the secret FISA Court.

With so much secret about this order, we can’t be sure, but it appears the government is using the FISA Court for this exotic theory when the appropriate venue should be a traditional Article III court.

You know? Courts that might find such exotic theories outrageous and might disclose the outlines of it to Snowden if he were ever put on trial.

“There are two more issues intelligence officials want noted”

/21 Comments/in , /by

Walter Pincus fancies his work to be about “reading documents” and finding the bits that everyone else has missed.

The way I’ve always done it is reading documents. I mean there is a huge amount of public material that’s put every day out in the public record and people don’t read it. The key to the column whether it’s good or not is documents. I just – I try to base every column on something I read; a transcript, a report, a hearing, whatever.

Somehow, that approach to journalism has resulted in this, basically an entire piece listing the things Intelligence Community bigwigs wish people had noticed in the White Paper released last Friday.

There are two more issues intelligence officials want noted.

For the most part, however, Pincus’ piece either reiterates the same tired bullet points the IC keeps repeating.

The NSA document notes that of 54 terrorist events discussed publicly, 13 had a U.S. connection, and in 12 of them, the phone metadata played a role.

[snip]

Intelligence officials later pieced together — and have remembered ever since — that 9/11 hijacker Khalid Almihdhar resided in California in early 2000 and that while some of his conversations with an al-Qaeda safe house in Yemen were picked up, the NSA did not have that U.S. phone number or any indication that he was located in San Diego.

[snip]

Another point they note is that over the length of these NSA programs, and similar ones that date to the late 1960s, there have been layers of oversight by the NSA, the Justice and Defense departments, Congress and the judiciary.

Or, in what is really only Pincus’ close focus on the released documents, uses thin evidence from the White Paper to “support” whiny complaints from the IC.

What also angers many former senior intelligence officials is the complaint by members of Congress and particularly some on the intelligence oversight committees that they were never told about the extent of the phone metadata program.

As the Justice paper notes, the Senate and House Intelligence and Judiciary committees “by December 2008 . . . had received the initial application and primary order authorizing the telephone metadata collection. Thereafter, all pleadings and orders reflecting significant legal developments regarding the program were produced to all four committees.”

What Pincus fails to mention is that the White Paper actually proves the critics to be correct. Not only does it prove the Administration waited 5 months — from Silvestre Reyes’ September 30, 2009 request to their December 14, 2009 response to Reyes’ request to the February 24, 2010 letter to members making them aware of that notice, effectively stalling through the entire period of debate over this issue — before actually informing Congress about the dragnet. It also suggests — as has been all-but confirmed since — that Mike Rogers simply decided not to pass on the notice at all the following year. The White Paper proves critics’ point, but Pincus hides that fact.

And all those details about 2009 and 2011 distract from the question of why the Bush Administration didn’t even try to give notice to Congress in 2006, when it had already briefed the FISA Court it planned to use the “relevant” language Congress intended to use to constrain Section 215’s use to blow up it up beyond recognition. Why is it adequate to provide the judiciary committees notice (note, even here the Administration’s claims fall short, as I’ll show in a follow-up) only 3 years after the fact?

Remember, too, that Pincus is a JD. At least in theory, he is trained to do the kind of analysis that Jeffrey Rosen and Orin Kerr have done, pointing out the legal flaws in this logic. Or maybe he might just want to point out how hard the Administration had to look for a definition of “relevant” that didn’t totally undermine their argument.

All of which is to show that Pincus has himself failed to do what he claims is his schtick. A close reading of the White Paper actually introduces more problems, not fewer, for the Administration’s dragnet programs.

Which makes these two parroted claims all the more painful to read.

Such transparency is useless if the news media do not pass it on to the public. Few, if any, major news outlets carried any of the details from the Justice and NSA papers.

[snip]

Intelligence officials say that if the U.S. media do not provide what the government claims are the facts underlying what critics and supporters say, the public cannot understand the issue.

Here Pincus is in a major news outlet passing on not what the White Paper actually shows, not the actual facts presented there, but reinterpreting it with the mostly anonymous guidance of the IC, spinning it to put in better light.

I guess Walter Pincus should read Walter Pincus.

Alexander Joel: Dragnet with a Human Face

/11 Comments/in , /by

For some reason, James Clapper’s office decided it would be a good idea to tell the rest of the world that it has a Civil Liberties Protection Officer, Alexander Joel. Today, he introduces himself in a piece in McClatchy.

Before you read it, consider that, back in 2006 when he was appointed, he said he was cool with Dick Cheney’s illegal wiretap program.

When the NSA wiretapping program began, Mr. Joel wasn’t working for the intelligence office, but he says he has reviewed it and finds no problems. The classified nature of the agency’s surveillance work makes it difficult to discuss, but he suggests that fears about what the government might be doing are overblown.

“Although you might have concerns about what might potentially be going on, those potentials are not actually being realized and if you could see what was going on, you would be reassured just like everyone else,” he says.

As for his essay, most of it is the same blathering boilerplate about Section 215 not collecting content and Section 702 not permitting “targeting” of US persons (without acknowledging that it does permit collecting of their content).

But there are two amusing details. First, in one paragraph he goes from actually mentioning the Constitution (which is welcome and novel!) to suggesting that a national security contractor like Edward Snowden would have been protected as a whistleblower.

Some people question whether people who work for the government can be trusted. In my experience, intelligence professionals � [sic] and those overseeing them – are profoundly committed to the oath they take to support and defend the Constitution. People inside government have questions and concerns just like everyone else. It’s my job to raise civil liberties and privacy issues about intelligence activities, and I do. If intelligence personnel have legal or civil liberties concerns, they can raise them in secure ways, including by contacting my office, offices of inspector general, or the congressional oversight committees. Under law, they are protected from reprisal if they do.

More interesting still, is Joel’s discussion of the two oversight Boards he claims have an active role in these programs.

Oversight boards are also involved. The President’s Intelligence Oversight Board reviews reports of potential violations. The Privacy and Civil Liberties Oversight Board, an independent federal agency, is currently conducting an in-depth review of these two programs, and has full access to classified information about them and to the personnel involved. My office works with both boards to ensure that they are receiving the information they need to perform their oversight functions.

Back in 2010 and 2011 — a time when Joel was in the office — ODNI at first stalled and then provided really confused information about whether there even was a functional Intelligence Oversight Board. And with the ascension of Chuck Hagel, who was a big part of the board, to be Defense Secretary, it is dysfunctional (unless Obama has snuck another person onto without telling anyone).

And PCLOB only recently became functional for the first time in Obama’s presidency, partly due to his delays, partly due to the Senate’s. And their recent public hearing on the NSA programs was underwhelming.

Joel has just bragged about how closely he worked with these Boards. He knows they’ve been of spotty functionality.

But this is the dragnet with a human face. The truth doesn’t matter so much as making people feel better.

Update, 8/15: On the subject of IOB and its parent board, the President’s Intelligence Advisory Board, Josh Gerstein has this:

The President’s Intelligence Advisory Board stood 14 members strong through 2012, but the White House website was recently updated to show the panel’s roster shrinking to just four people.

In the past four years, the high-powered group has waded into the implications of WikiLeaks for intelligence sharing, and urged retooling of America’s spy agencies as the United States withdraws from big wars abroad.

[snip]

Chuck Hagel was nominated in January as defense secretary and sworn in the following month. Venture capitalist and former lobbyist Tom Wheeler joined the board in 2011, but was tapped by Obama in May 2013 to head the Federal Communications Commission.

And Hagel’s co-chairman and fellow former senator, David Boren, said he asked to leave the panel early this year “because of the demands of my work as president of the University of Oklahoma. My request to the president was made shortly after the first of the year,” Boren said in a statement responding to a query from POLITICO.

Also exiting the board in recent months, according to the White House website: former Securities and Exchange Commission member Roel Campos, international lawyer and philanthropist Rita Hauser, stealth technology pioneer and former Undersecretary of Defense Paul Kaminski, Stimson Center CEO Ellen Laipson, and retired Air Force Gen. Lester Lyles. [my emphasis]

So yesterday, Alexander Joel pointed to IOB as one of the key oversight mechanisms over the dragnet. Today, we learn that every single member of the Board has been appointed away or asked to resign.

Update: Gerstein says on Twitter he thinks IOB is fully operational.

Actually, I think IOB more or less fully staffed & chaired by Meltzer. I think WH understands they need that up for lgl reasons

Administration’s OWN White Paper Backs Claim Mike Rogers Did Not Share Dragnet Notice

/9 Comments/in , /by

I already made this point when I was the first person to point out that the House Intelligence Committee apparently did not share the 2011 notice provided by DOJ with members outside of the House Intelligence Committee.

But no one besides me appears to have noticed it. Here’s what the Section 215 dragnet White Paper says happened to the 2009 notice provided to Silvestre Reyes and Dianne Feinstein.

In December 2009, DOJ worked with the Intelligence Community to provide a classified briefing paper to the House and Senate Intelligence Committees that could be made available to all Members of Congress regarding the telephony metadata collection program. A letter accompanying the briefing paper sent to the House Intelligence Committee specifically stated that “it is important that all Members of Congress have access to information about this program” and that “making this document available to all members of Congress is an effective way to inform the legislative debate about reauthorization of Section 215.” See Letter from Assistant Attorney General Ronald Weich to the Honorable Silvestre Reyes, Chairman, House Permanent Select Committee on Intelligence (Dec. 14, 2009). Both Intelligence Committees made this document available to all Members of Congress prior to the February 2010 reauthorization of Section 215. See Letter from Sen. Diane Feinstein and Sen. Christopher S. Bond to Colleagues (Feb. 23, 2010); Letter from Rep. Silvestre Reyes to Colleagues (Feb. 24, 2010); [my emphasis]

Here’s what it says happened to the 2011 notice provided to Mike Rogers and Dianne Feinstein.

An updated version of the briefing paper, also recently released in redacted form to the public, was provided to the Senate and House Intelligence Committees again in February 2011 in connection with the reauthorization that occurred later that year. See Letter from Assistant Attorney General Ronald Weich to the Honorable Dianne Feinstein and the Honorable Saxby Chambliss, Chairman and Vice Chairman, Senate Select Committee on Intelligence (Feb. 2, 2011); Letter from Assistant Attorney General Ronald Weich to the Honorable Mike Rogers and the Honorable C.A. Dutch Ruppersberger, Chairman and Ranking Minority Member, House Permanent Select Committee on Intelligence (Feb. 2, 2011). The Senate Intelligence Committee made this updated paper available to all Senators later that month. See Letter from Sen. Diane Feinstein and Sen. Saxby Chambliss to Colleagues (Feb. 8, 2011). [my emphasis]

See that word “both” when describing what the intelligence committees did in 2009? See the description of the “Senate Intelligence Committee” followed by a period in describing what the intelligence committees did in 2011, with no mention of “both” or the House Intelligence Committee whatsoever?

The White Paper is as clear as any document spewing disingenuous claims can be (there are several even in these two passages). In 2009, both intelligence committees sent a letter to their respective colleagues letting them know the notice was available. In 2011, just the Senate Intelligence Committee did.

That means at 65 of the people who voted to reauthorize the PATRIOT Act in 2011 had no way of knowing they were reauthorizing the ongoing creation of a database of the phone-based relationships of every American. At least in theory, those 65 members were more than enough to make a difference in the vote.

The Known Details on the Lavabit Demand

/12 Comments/in , , /by

Ladar Levison’s interview with Amy Goodman yesterday was his most extensive statement about the demand he got that led him to shut down his company. I want to pull the important tidbits from that interview and this one, with Forbes’ Kashmir Hill, to collect what we know about the demand so far.

Levison told DN the entire service was insecure:

I felt that in the end I had to pick between the lesser of two evils and that shutting down the service, if it was no longer secure, was the better option. It was, in effect, the lesser of the two evils.

He told Hill that he shut down to protect all his users.

“This is about protecting all of our users, not just one in particular. It’s not my place to decide whether an investigation is just, but the government has the legal authority to force you to do things you’re uncomfortable with,” said Levison in a phone call on Friday.

The demand affected his paid users and involved him being forced to have access to the private information the system was designed to ensure he didn’t have.

And at least for our paid users, not for our free accounts—I think that’s an important distinction—we offered secure storage, where incoming emails were stored in such a way that they could only be accessed with the user’s password, so that, you know, even myself couldn’t retrieve those emails.

[snip]

in our case it was encrypted in secure storage, because, as a third party, you know, I didn’t want to be put in a situation where I had to turn over private information. I just didn’t have it. I didn’t have access to it. And that was sort of—may have been the situation that I was facing.

Levison told Hill he has complied with legal requests where the requested information was not encrypted (suggesting it involved his free users).

“I’m not trying to protect people from law enforcement,” he said. “If information is unencrypted and law enforcement has a court order, I hand it over.”

Snowden was a registered user of Lavabit, apparently under his own name.

Ladar, you were the service provider for Edward Snowden?

LADAR LEVISON: I believe that’s correct. Obviously, I didn’t know him personally, but it’s been widely reported, and there was an email account bearing his name on my system, as I’ve been made well aware of recently.

The government has prevented Levison from sharing some of the demand with his lawyer. And Levison thinks that’s because the government would be ashamed of the nature of the demand.

I mean, there’s information that I can’t even share with my lawyer, let alone with the American public. So if we’re talking about secrecy, you know, it’s really been taken to the extreme. And I think it’s really being used by the current administration to cover up tactics that they may be ashamed of.

He told Hill, too, the method they were demanding is what bothered him.

In this case, it is the government’s method that bothers him. “The methods being used to conduct those investigations should not be secret,” he said.

Update: In an interview w/MoJo, he suggests the demand pertains to bulk collection on an entire user base of people.

While Levison of Lavabit could not discuss the specifics of his case, he suggested that the government was trying to compel him to give access to vast quantities of user data. He explained that he was not opposed to fulfilling law enforcement requests that were “specific in nature” and “approved by a judge after showing probable cause,” and noted that he had responded to some two dozen subpoenas during his decade in business. “What I’m against, at least on a philosophical level,” he added, “is the bulk collection of information, or the violation of the privacy of an entire user base just to conduct the investigation into a handful of individuals.”

And suggested if they could intercept communications between the servers and the user, they could decrypt the communications.

if someone could intercept the communication between the Lavabit’s Dallas-based servers and a user, they could get the user’s password and then use that to decrypt their data.

What distinguishes this from previous subpoenas is what is so secret.

AARON MATÉ: And, Ladar, during this time, you’ve complied with other government subpoenas. Is that correct?

LADAR LEVISON: Yeah, we’ve probably had at least two dozen subpoenas over the last 10 years, from local sheriffs’ offices all the way up to federal courts. And obviously I can’t speak to any particular one, but we’ve always complied with them. I think it’s important to note that, you know, I’ve always complied with the law. It’s just in this particular case I felt that complying with the law—

JESSE BINNALL: And we do have to be careful at this point.

LADAR LEVISON: Yeah, I—

Levison questions whether it is possible to run cloud service in this country without being forced to spy on your customers.

I still hope that it’s possible to run a private service, private cloud data service, here in the United States without necessarily being forced to conduct surveillance on your users by the American government.

Levison suggests both his and Silent Circle’s unannounced shut-down served to avoid government efforts to capture data beforehand.

Mike Janke, Silent Circle’s CEO and co-founder, said, quote, “There was no 12-hour heads up. If we announced it, it would have given authorities time to file a national security letter. We decided to destroy it before we were asked to turn (information) over. We had to do scorched earth.” Ladar, your response?

LADAR LEVISON: I can certainly understand his position. If the government had learned that I was shutting my service down—can I say that?

JESSE BINNALL: Well, I think it’s best to kind of avoid that topic, unfortunately. But I think it is fair to say that Silent Circle was probably in a very different situation than Lavabit was, and which is probably why they took the steps that they did, which I think were admirable.

LADAR LEVISON: Yeah. But I will say that I don’t think I had a choice but to shut it down without notice. I felt that was my only option. And I’ll have to leave it to your listeners to understand why.

Everything is being monitored.

LADAR LEVISON: I think you should assume any communication that is electronic is being monitored.

This echoes something Levison told Forbes’ Kashmir Hill:

“I’m taking a break from email,” said Levison. “If you knew what I know about email, you might not use it either.”

Levison also told Hill his location in Texas made it harder to respond to a demand in VA.

“As a Dallas company, we weren’t really equipped to respond to this inquiry. The government knew that,” said Levison, who drew parallels with the prosecutorial bullying of Aaron Swartz. “The same kinds of things have happened to me. The government tried to bully me, and [my lawyer] has been instrumental in protecting me, but it’s amazing the lengths they’ve gone to to accomplish their goals.”

His statement shuttering the company mentioned an appeal to the Fourth Circuit, which includes VA, and the complaint against Edward Snowden was issued in EDVA.

Update: I hadn’t watched the continuation of the DN interview, where Nicholas Merrill, who challenged a National Security Letter back in 2004, came on. But as CDT’s Joseph Lorenzo Hall notes on Twitter, Levison strongly suggests his order came from the FISA Court.

LADAR LEVISON: I think it’s important to note that, you know, it’s possible to receive one of these orders and have it signed off on by a court. You know, we have the FISA court, which is effectively a secret court, sometimes called a kangaroo court because there’s no opposition, and they can effectively issue what we used to consider to be an NSL. And it has the same restrictions that your last speaker, your last guest, just talked about.

Hall also has an interesting piece on Lavabit and CALEA II that addresses issues I’ve been thinking about, in which he includes this discussion.

What did the government demand and under what authority prompted Lavabit’s shutdown? We don’t know, and that’s part of the problem. The Wiretap Act, which authorizes the government to intercept communications content prospectively in criminal investigations, indicates that a provider of wire or electronic communication service (such as Lavabit) can be compelled to furnish law enforcement with “all information, facilities and technical assistance necessary to accomplish the interception unobtrusively… .” 18 USC 2518(4). The Foreign Intelligence Surveillance Act (FISA), which regulates surveillance in intelligence investigations, likewise requires any person specified in a surveillance order to provide the same assistance (50 USC 1805(2)(B)) and so does the FISA Amendments Act with respect to directives for surveillance targeting people and entities reasonably believed to be abroad (50 USC 1881a(h)(1)). The “assistance” the government demands may include the disclosure of the password information necessary to decrypt the communications it seeks, if the service provider has that information, but modern encryption services can be designed so that the service provider does not hold the keys or passwords. Was the “assistance” that the government demanded of Lavabit a change in the very architecture of its secure email service? Was the “assistance” the installation of the government’s own malware to accomplish the same thing? Lavabit has not answered these questions outright, but it did make it clear that its concern extended to the privacy of the communications of all of its users, not just those of one user under one court order.

The Two OLC Still-Secret Memos Behind the Cross-Border Keyword Searches?

/1 Comment/in , , /by

Last week, Charlie Savage explained what this paragraph from the NSA’s targeting document means.

In addition, in those cases where NSA seeks to acquire communications about the target that are not to or from the target, SNA will either employ an Internet Protocol filter to ensure that the person from whom it seeks to obtain foreign intelligence information is located overseas, or it will target Internet links that terminate in a foreign country. In either event, NSA will direct surveillance at a party to the communication reasonably believed to be outside the United States.

Savage explained that it refers to the way the US snoops through almost all cross-border traffic for certain keywords.

To conduct the surveillance, the N.S.A. is temporarily copying and then sifting through the contents of what is apparently most e-mails and other text-based communications that cross the border. The senior intelligence official, who, like other former and current government officials, spoke on condition of anonymity because of the sensitivity of the topic, said the N.S.A. makes a “clone of selected communication links” to gather the communications, but declined to specify details, like the volume of the data that passes through them.

[snip]

The official said that a computer searches the data for the identifying keywords or other “selectors” and stores those that match so that human analysts could later examine them. The remaining communications, the official said, are deleted; the entire process takes “a small number of seconds,” and the system has no ability to perform “retrospective searching.”

The official said the keyword and other terms were “very precise” to minimize the number of innocent American communications that were flagged by the program. At the same time, the official acknowledged that there had been times when changes by telecommunications providers or in the technology had led to inadvertent overcollection. The N.S.A. monitors for these problems, fixes them and reports such incidents to its overseers in the government, the official said.

In his post on Savage’s story (which I think misreads what Savage describes), Ben Wittes focused closely on the last paragraphs of the story.

But that leaves a big oddity with respect to the story. The end of Savage’s story reads as follows:

There has been no public disclosure of any ruling by the Foreign Intelligence Surveillance Court explaining its legal analysis of the 2008 FISA law and the Fourth Amendment as allowing “about the target” searches of Americans’ cross-border communications. But in 2009, the Justice Department’s Office of Legal Counsel signed off on a similar process for searching federal employees’ communications without a warrant to make sure none contain malicious computer code.

That opinion, by Steven G. Bradbury, who led the office in the Bush administration, may echo the still-secret legal analysis. He wrote that because that system, called EINSTEIN 2.0, scanned communications traffic “only for particular malicious computer code” and there was no authorization to acquire the content for unrelated purposes, it “imposes, at worst, a minimal burden upon legitimate privacy rights.”

The Bradbury opinion was echoed by a later Obama-era opinion by David Barron, and Bradbury later wrote an article about the issue. But here’s the thing: If my read is right and the rule Savage cites permits only acquisition of communications “about” potential targets only from folks reasonably believed themselves to be overseas, these opinions are of questionable relevance. Indeed, if my reading is correct, why is there a Fourth Amendment issue here at all? The Fourth Amendment, after all, does not generally have extraterritorial application. This may be a reason to suspect that the issue is more complicated than I’m suggesting here. It may also merely suggest that someone cited to Savage a memo that is of questionable relevance to the issue at hand.

In his letter to John Brennan in January asking for a slew of things, Ron Wyden mentioned two opinions that may be the still-secret legal analysis mentioned by Savage.

Third, over two years ago, Senator Feingold and I wrote to the Attorney General regarding two classified opinions from the Justice Department’s Office of Legal Counsel, including an opinion that interprets common commercial service agreements. We asked the Attorney General to declassify both of these opinions, and to revoke the opinion pertaining to commercial service agreements. Last summer, I repeated the request, and noted that the opinion regarding commercial service agreements has direct relevance to ongoing congressional debates regarding cybersecurity legislation. The Justice Department still has not responded to these letters.

The opinions would have to pre-date January 14, 2011, because Feingold and Wyden requested the opinions before that date.

The reason I think the service agreements one may be relevant is because the opinions Ben cites focus on whether government users have given consent for EINSTEIN surveillance; in his article on it Bradbury focuses on whether the government could accomplish something similar with critical infrastructure networks.

Remember, we do know of one OLC memo — dated January 8, 2010 — that pertains to the government obtaining international communications willingly from service providers. We learned about it in the context of the Exigent Letters IG Report, which first led observers to believe it pertained to phone records.

But we’ve subsequently learned this is the passage of ECPA the OLC interpreted creatively in secret.

(f) Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978, and procedures in this chapter or chapter 121 and the Foreign Intelligence Surveillance Act of 1978 shall be the exclusive means by which electronic surveillance, as defined in section 101 of such Act, and the interception of domestic wire, oral, and electronic communications may be conducted.

Savage’s reference to the Bradbury opinion suggests all this happens at the packet stage, which may be one (arguably indefensible) way around the electronic communications dodge.

The FBI had not relied on the opinion as of 2010, when we first learned about it. But we also know that since then, the government stopped collecting Internet metadata using a Pen Regsiter/Trap and Trace order.

We know that Feingold and Wyden, with Dick Durbin, asked for a copy of the opinion themselves shortly after the IG Report revealed it. It’s possible that the former two asked for it to be declassified.

This is, frankly, all a wildarsed guess. But Wyden certainly thinks there are two problematic OLC memos out there pertaining to cybersecurity. And Savage seems to think this process parallels the means the government is using for cybersecurity. So it may be these are the opinions.

The Clapper Review: How to Fire 90% of SysAdmins?

/23 Comments/in , , , /by

Yesterday, I noted it took just 72 hours from Obama to turn an “independent” “outside” review of the government’s SIGINT programs into the James Clapper Review of James Clapper’s SIGINT Programs.

But many other commenters have focused on the changed description of the review’s mandate. In his speech on Friday, Obama said the review would study, “how we can maintain the trust of the people, how we can make sure that there absolutely is no abuse in terms of how these surveillance technologies are used, ask how surveillance impacts our foreign policy.”

On Monday, his instruction to James Clapper said the review would, “whether, in light of advancements in communications technologies, the United States employs its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while appropriately accounting for other policy considerations, such as the risk of unauthorized disclosure and our need to maintain the public trust.”

Both addressed public trust. But Monday’s statement replaced a focus on “absolutely no abuse” with “risk of unauthorized disclosure.”

Now, I’m not certain, but I’m guessing we all totally misunderstood (by design) Obama’s promises on Friday.

The day before the President made those promises, after all, Keith Alexander made a different set of promises.

“What we’re in the process of doing – not fast enough – is reducing our system administrators by about 90 percent,” he said.

The remarks came as the agency is facing scrutiny after Snowden, who had been one of about 1,000 system administrators who help run the agency’s networks, leaked classified details about surveillance programs to the press.

Before the change, “what we’ve done is we’ve put people in the loop of transferring data, securing networks and doing things that machines are probably better at doing,” Alexander said.

We already know that NSA’s plan to minimize the risk of unauthorized disclosure involves firing 900 SysAdmins (Bruce Schneier provides some necessary skepticism about the move). They probably believe that automating everything (including, presumably, the audit-free massaging of the metadata dragnet data before analysts get to it) will ensure there “absolutely is no abuse.”

And by turning the review intended to placate the civil libertarians into the review that will come up with the brilliant idea of putting HAL in charge of spying, the fired SysAdmins might just blame the civil libertarians.

So this review we all thought might improve privacy? Seems, instead, designed to find ways to fire more people faster.

Domestic Terrorists and the Dragnet Database

/1 Comment/in , /by

This is the first reference to actual alleged terrorists in the Administration’s White Paper on the Section 215 metadata dragnet (there’s one earlier reference to counterterrorism).

This telephony metadata is important to the Government because, by analyzing it, the Government can determine whether known or suspected terrorist operatives have been in contact with other persons who may be engaged in terrorist activities, including persons and activities within the United States.

It’s a remarkable reference, in that it (and the prior mention of counterterrorism) doesn’t limit the terrorism in question to international terrorism (that which transcends national boundaries). And that’s not the only place in the White Paper where the government neglects such a modifier: by my rough count, about half the references to terrorism include no indication in the sentence that the discussion is limited exclusively to international terrorism.

But there should be such a limitation. The Section 215 statute (which is broader in scope than the 215 metadata dragnet) makes quite clear that its use, when concerning a US person, is limited to international terrorism or clandestine activities.

Subject to paragraph (3), the Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution. [my emphasis]

And the Primary Order for the program notes it can only be used “to protect against international terrorism.”

So legally, at least, the dragnet can only be used for foreign terrorism. Which is why I find it so disturbing the legal argument laid out here doesn’t make that distinction very carefully (and indeed, distinguish what makes the tracking of foreign terrorists legal whereas similar tracking of domestic ones would not be).

Let me be clear: I’m not alleging the government has extended the use of either Section 215 or the metadata dragnet to investigating domestic terrorists. In other statements — and indeed, usually in statements that address intelligence programs addressed to Al Qaeda and other terrorists — the Administration the distinction quite clear.

By comparison, look at the way Jack Goldsmith defined the targets of Bush’s illegal wiretap program in his May 6, 2004 OLC memo. Remember, while this passage pertains just to content collection, Bush’s illegal program did include precisely the same dragnet function (Goldsmith’s discussion of both Internet and phone metadata dragnets in the memo remains redacted, but we know he discussed at least the Internet metadata dragnet).

the authority to intercept the content of international communications “for which, based on the factual and practical considerations of everyday life on which reasonable and prudent persons act, there are reasonable grounds to believe … [that] a party to such communication is a group engaged in international terrorism, or activities in preparation therefor, or any agent of such a group,” as long as that group is al Qaeda, an affiliate of al Qaeda or another international terrorist group that the President has determined both (a) is in armed conflict with the United States and (b) poses a threat of hostile actions within the United States;

By comparison, here’s how one of the passages from the White Paper describes the limits on the database to foreign terrorism.

The Government cannot conduct substantive queries of the bulk records for any purpose other than counterterrorism. Under the FISC orders authorizing the collection, authorized queries may only begin with an “identifier,” such as a telephone number, that is associated with one of the foreign terrorist organizations that was previously identified to and approved by the Court.

Thus, even where the White Paper is specific, it doesn’t lay out what makes foreign terror metadata somehow legally distinct from domestic terror metadata, aside from the approval of the court.

By being downright sloppy about the distinction in the White Paper, the government actually lays out the case that they could use a metadata dragnet to pursue domestic terrorists, as in this section which emphasizes suspects in the US are the target because they might be planning to attack the “homeland.”

The most analytically significant terrorist-related communications are those with one end in the United States or those that are purely domestic, because those communications are particularly likely to identify suspects in the United States—whose activities may include planning attacks against the homeland.

Or in this section, which argues that discovering and tracking terrorists fulfills the requirements of a Special Needs collection.

On the other side of the scale, the interest of the Government—and the broader public—in discovering and tracking terrorist operatives and thwarting terrorist attacks is a national security concern of overwhelming importance.

[snip]

Thus, even if the appropriate standard for the telephony metadata collection program were not relevance, but rather a Fourth Amendment reasonableness analysis, the Government’s interest is compelling and immediate, the intrusion on privacy interests is limited, and the collection is a reasonably effective means of detecting and monitoring terrorist operatives and thereby obtaining information important to FBI investigations.

So while the White Paper’s description of the actual query process makes it clear that the dragnet can be used only to hunt people with ties to foreign terrorists, in a number of places the government makes a legal argument that it would be permitted to hunt domestic terrorists using such a dragnet as well.

Using the government’s logic, mind you, there should be no distinction. The government argues that if the government interest is compelling and immediate — as it would be with Timothy McVeigh every bit as much as it was with Anwar al-Awlaki — then it has the authority to conduct such surveillance.

But when you imagine this dragnet being used in the name of pursuing domestic terrorists, it quickly becomes clear why it would be — and is, even when limited to foreign terrorists — so problematic.

If you searched two or three hops from Timothy McVeigh, you’d be inventing probable cause to investigate a whole slew of potentially loathsome but perfectly legal right wing activists. If you searched two or three hops from Scott Roeder (George Tiller’s assassin), you’d be inventing probable cause to investigate much of the anti-choice movement. If you searched two or three hops from the Occupy Cleveland activists convicted of plotting to blow up a bridge, you’d be inventing probable cause to investigate much Occupy generally.

In all of these cases, accessing that metadata (and putting it into the corporate store, which is accessible for counterterrorism investigations, again not modified to limit it to international context) would provide key insights into Constitutionally protected political groups. But that’s almost certainly the case for certain extremist mosques around the country as it is.

And while you’re not supposed to investigate these groups solely on the basis of First Amendment protected activities, the association with a presumed terrorist seems to provide the additional rationale the FBI would need to open at least a preliminary investigation. Plus, as the White Paper argued, by claiming a good faith investigation into terrorism, the government can dismiss any and all First Amendment concerns (note, in context this reference to terrorism makes clear that it pertains to foreign terrorism).

Rather, the collection is in furtherance of the compelling national interest in identifying and tracking terrorist operatives and ultimately in thwarting terrorist attacks, particularly against the United States. It therefore satisfies any “good faith” requirement for purposes of the First Amendment. See Reporters Comm., 593 F.2d at 1052 (“[T]he Government’s good faith inspection of defendant telephone companies’ toll call records does not infringe on plaintiffs’ First Amendment rights, because that Amendment guarantees no freedom from such investigation.”)

The First Amendment protected association demonstrated by the database would, in effect, provide the rationale to claim this wasn’t an investigation solely on the basis of First Amendment protected political speech.

Going back to the Goldsmith opinion — and the 2006 White Paper limited to the intercept part of the illegal program, both include this language about the wiretap Keith precedent.

Keith made clear that one of the significant concerns driving the Court’s conclusion in the domestic security context was the inevitable connection between perceived threats to domestic security and political dissent. As the Court explained: “Fourth Amendment protections become the more necessary when the targets of official surveillance may be those suspected of unorthodoxy in their political beliefs. The danger to political dissent is acute where the Government attempts to act under so vague a concept as the power to protect ‘domestic security.’” Keith, 407 U.S. at 314; see also id. at 320 (“Security surveillances are especially sensitive because of the inherent vagueness of the domestic security concept, the necessarily broad and continuing nature of intelligence gathering, and the temptation to utilize such surveillances to oversee political dissent.”). Surveillance of domestic groups raises a First Amendment concern that generally is not present when the subjects of the surveillance are foreign powers or their agents.

I realize the government doesn’t consider creating a database of every phone-based relationship in the US surveillance. I realize Keith pertained to wiretapping, not metadata.

But you would expect some kind of language like this in the metadata White Paper anyway, because mapping relationships in the way the government does so clearly infringes on political dissent, whether that dissent happens in mosques or anti-choice churches.

It’s not there. Nor is any other language that would distinguish the targeting of international terrorists from targeting domestic ones.

They’re not using the dragnet to map the relationships of domestic terrorists and their legally protected associates. But legally, they’ve already laid out the case to do so.