Obama’s New Phone Dragnet Pre-Review Policy Supports Dragnet-as-Index Understanding

/2 Comments/in , /by

As I noted, yesterday the FISA Court released the motion and approval reflecting the changes to accessing the dragnet reflecting Obama’s promises from last month.

Effective immediately, we will only pursue phone calls that are two steps removed from a number associated with a terrorist organization instead of three. And I have directed the Attorney General to work with the Foreign Intelligence Surveillance Court so that during this transition period, the database can be queried only after a judicial finding, or in a true emergency.

These promises have been taken to limit all queries to two hops (which was NSA”s practice in any case) and, except in an emergency, to require FISC to approve the Reasonable Articulable Suspicion determination an identifier before it is used to query the database.

That’s not exactly how the modification implements the change. Rather, it lays out 3 ways to access the database:

  • With prior FISC review, by motion, of the RAS determination
  • With an assertion of emergency from the Acting Director of NSA or DIRNSA, in which case FISC reviews it after the fact
  • Using an identifier for which FISC has already found probable cause under traditional FISA

Access under the terms of the last bullet, which has actually been part of dragnet orders since the second order, is accomplished in the supplement with this language:

For any selection term that is subject to ongoing Court-authorized electronic surveillance, pursuant to 50 U.S.C. § 1805, based on this Court’s finding of probable cause to believe that the selection term is being used or is about to be used by [redacted–describes a tie to a foreign terrorist organization], including those used by U.S. persons, the government may use such selection terms as “seeds” during any period of ongoing Court-authorized electronic surveillance without first seeking authorization from this Court as described herein. Except in the case of emergency, NSA will first notify the Department of Justice, National Security Division of its proposed use as a seed any selection term subject to Court-authorized electronic surveillance.

Now, with one minor caveat, I actually have no problem with this. As I said in this post, it makes sense that NSA should have access to the metadata of calls it already has access to content of. And this third access still complies with the language of Obama’s promise: rather than a judicial finding regarding RAS, such queries would have been justified by a judicial finding regarding probable cause, a much higher standard.

I’m mostly interested in this detail for what it might suggest about the way the NSA is currently using the dragnet. I have repeatedly focused on Theresa Shea’s description of how NSA uses the dragnet to prioritize which content they read.

Section 215 bulk telephony metadata complements other counterterrorist-related collection sources by serving as a significant enabler for NSA intelligence analysis. It assists the NSA in applying limited linguistic resources available to the counterterrorism mission against links that have the highest probability of connection to terrorist targets. Put another way, while Section 215 does not contain content, analysis of the Section 215 metadata can help the NSA prioritize for content analysis communications of non-U.S. persons which it acquires under other authorities. Such persons are of heightened interest if they are in a communication network with persons located in the U.S. Thus, Section 215 metadata can provide the means for steering and applying content analysis so that the U.S. Government gains the best possible understanding of terrorist target actions and intentions.

If this is primarily how the dragnet is currently being used — to tell NSA which call content that it has collected it should listen to or translate first — then it would explain why the FISC didn’t complain about having to approve a bunch of new query identifiers: because it wouldn’t really have to do much pre-approval beyond the traditional FISC warrant review it has already done.

And given that NSA ran queries on 288 identifiers in 2012, a year when FISC approved 1,788 FISA warrants (though some were for physical searches), it is feasible that many or even most of the dragnet queries were tied to FISC warrant targets.

If that’s right, it suggests the dragnet no longer serves primarily as the alert function it has been sold as, but instead serves an indexing function (which is, after all, what James Clapper said months ago).

So here’s my one caveat to my assertion that I have no problem with this.

In making this modification, DOJ actually changed the way they refer to what FISC-approved targets automatically qualify as RAS-approved. In the order itself, it describes it this way:

Selection terms that are currently the subject of electronic surveillance authorized by the Foreign Intelligence Surveillance Court (FISC) based on the FISC’s finding of probable cause to believe that they are used by [redacted description of tie to terrorism] including those used by U.S. persons, may be deemed approved for querying for the period of FISC-authorized electronic surveillance without review and approval by a designated approving official. The preceding sentence shall not apply to selection terms under surveillance pursuant to any certification of the Director of National Intelligence and the Attorney General pursuant to Section 702 of FISA, as added by the FISA Amendments Act of 2008, or pursuant to an Order of the FISC issued under Section 703 or Section 704 of FISA, as added by the FISA Amendments Act of 2008.

I think this works out to be a distinction without a difference, or even an improvement. The language of the order says targets of FISA orders — except those targeted under Section 702 (bulk collection targeted at foreigners outside the US), Sections 703 and 704 (US person target outside the US) — are pre-approved as dragnet identifiers. The language of the modification says targets only of traditional FISA orders (authorizing electronic surveillance of either US persons or foreign individuals in the US) are pre-approved for dragnet identifiers. If anything, the modification language is more narrow, as it would also exclude those against whom FISC has approved physical search warrants from automatic RAS approval. If this reading is correct, it would seem to support my supposition that the dragnet is increasingly serving primarily as an index to already-collected content.

But given the way they’ve expanded the intent of traditional FISA in the past, I do wonder whether something else is going on.

All that said, I mostly intend with this post to point to yet more evidence suggesting that the dragnet increasingly serves as an index rather than the early warning system it gets billed as.

Section 215 FISC Orders Specifically Included Mobile Phone IDs Starting in 2008

/2 Comments/in , /by

I’ve been obsessing on when and whether telecoms turn over cell phone data under Section 215 and EO 12333 for the last several days. So I want to point out a change in the FISC orders for the Section 215 phone dragnet starting in 2008.

Here’s how the April 3, 2008 Section 215 FISC order describes the metadata to be turned over to NSA:

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, communications device identifier, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

Here’s how the August 19, 2008 order and (I believe) all subsequent orders describe the metadata to be turned over to the NSA.

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) numbers, International Mobile Station Equipment Identity (IMEI) etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

In both cases, these paragraphs end with a footnote that starts, “The Court understands that the,” followed by redacted language that would probably be very instructive in explaining where and how the telecoms got their data.

The IMSI is a subscriber’s account number — basically the number tied to the SIM card. The IMEI is a phone handset’s ID number. Drone targeting may track both numbers.

Amid claims the NSA doesn’t collect cell phone data, I find it notable that NSA started asking for cell phone identifiers back in 2008. (I find it equally notable that they started asking for IMSI and IMEI on the second docket after NSA put a copy of  the Section 215 data onto the same server as the EO 12333 data). That was also the year that Tempora — under which GCHQ   accessed huge amounts of Internet and phone data off Transatlantic cables, including from Verizon — was first piloted.

I don’t think that proves definitively that NSA was collecting cell phone data (though the WSJ reported last June that it was collecting cell data directly from AT&T and Sprint, with T-Mobile and Verizon data coming from another source). Depending on where providers got the data (on a daily basis, remember) to provide to NSA, they would have the IMSI and IMEI data on phones in contact with their land lines.

But the NSA has been collecting data about cell phones at least since 2008.

Which raises real questions about claims they don’t know how to integrate cell phone data into their database.

Update: To answer Dr. Pitchfork’s question, 4 national journalists reported on Friday that the NSA only “gets” 20 to 30% of US phone data because they don’t get cell data. Even ignoring details like the explicit mention of cell data in the 215 orders, their story doesn’t make any sense. I think the real problem may arise from a recent FISC order and Verizon’s split from Vodaphone.

DOD Complains about “Speculative” Risk of Bulk Collection

/14 Comments/in , /by

Maybe I have a sick sense of humor.

But I laughed at the irony of this NYT story about how Edward Snowden used a web-crawler to scrape data from the NSA’s servers.

In paragraphs 28 and 29 (of 29), Defense Intelligence Agency head Michael Flynn admits what he has avoided admitting in public hearings: he has no fucking clue what Snowden took.

The head of the Defense Intelligence Agency, Lt. Gen. Michael T. Flynn, told lawmakers last week that Mr. Snowden’s disclosures could tip off adversaries to American military tactics and operations, and force the Pentagon to spend vast sums to safeguard against that. But he admitted a great deal of uncertainty about what Mr. Snowden possessed.

“Everything that he touched, we assume that he took,” said General Flynn, including details of how the military tracks terrorists, of enemies’ vulnerabilities and of American defenses against improvised explosive devices. He added, “We assume the worst case.”

DOD doesn’t actually know what Snowden took. They know he had access to a bunch of files on military operations.

But that leaves open the question of how Mr. Snowden chose the search terms to obtain his trove of documents, and why, according to James R. Clapper Jr., the director of national intelligence, they yielded a disproportionately large number of documents detailing American military movements, preparations and abilities around the world.

But DOD doesn’t know whether he just touched them, or took them with him. It doesn’t know whether he deleted any he took before turning them over to journalists.

For his part, Snowden says DOD’s claims he deliberately took military information are unfounded.

In his statement, Mr. Snowden denied any deliberate effort to gain access to any military information. “They rely on a baseless premise, which is that I was after military information,” Mr. Snowden said.

Snowden suggests any military information he got, he got incidentally. DOD will just have to trust him.

Nevertheless, DOD will assume the worst because that’s the only way to protect DOD equities — and indeed, the lives of our military service members (that is, if Flynn’s claims are true; given his track record I don’t necessarily believe they are).

The necessity of protecting people and secret plans because of a potential risk is actually not funny at all. Indeed, it points to the problem inherent with bulk collection conducted in secret: Those potentially targeted by it have to assume the worst to protect themselves.

Mind you, if Sam Alito were a fair and balanced kind of guy, he’d tell DOD to suck it up. The risk of this bulk collection inflicting harm on military operations is speculative.

Respondents’ claim of future injury is too speculative to establish the well-established requirement that certain injury must be “certainly impending.”

But I think Alito is wrong. I definitely don’t fault DOD for adjusting to potential risks given the lack of certainty over which of their most sensitive secrets bulk collection has compromised.

If it is a problem that Snowden touched or maybe even incidentally collected data that could cause DOD great harm — if it is understandable that DOD would assume and prepare for the worst — then NSA needs to shut down its own indiscriminate scraping of data from all over the world. Because it is imposing the same kinds of risk and costs and worries to private individuals all over the world.

Update: Eli Lake got sources who received DIA’s briefing on their Snowden report to distinguish between what DIA knows and what they’re just assuming.

NSA’s Latest Claim: It Only Gets 30% of “Substantially All” the Hay in the Haystack

/10 Comments/in , /by

SIGINT and 215In December 2007, the FBI began intercepting MOALIN’s cell phone.

FBI search warrant affidavit seeking (among other things) additional cell phones, October 29, 2010

Yesterday, Siobhan Gorman reported that NSA’s “phone-data program” collects 20% or less of the phone data in the US. She explains that the program doesn’t collect cell phone data, and so has covered a decreasing percentage of US calls over the last several years.

The National Security Agency’s phone-data program, which has been at the center of controversy over the NSA’s surveillance operations, collects information from about 20% or less of all U.S. calls—much less than previously described by lawmakers.

The program had been described as collecting records on virtually every phone call placed in the U.S., but in fact, it doesn’t cover records for most cellphones, the fastest-growing sector in telephony and an area where the agency has struggled to keep pace, according to several people familiar with the program.

Ellen Nakashima’s report places the percentage between 20 and 30%, echoing Gorman’s claim about limits on cell data.

The actual percentage of records gathered is somewhere between 20 and 30 percent and reflects Americans’ increasing turn away from the use of land lines to cellphones. Officials also have faced technical challenges in preparing the NSA database to handle large amounts of new records without taking in data such as cell tower locations that are not authorized for collection.

[snip]

The bulk collection began largely as a land-line program, focusing on carriers such as AT&T and Verizon Business Network Services. At least two large wireless companies are not covered — Verizon Wireless and T-Mobile U.S., which was first reported by the Wall Street Journal.

Industry officials have speculated that partial foreign ownership has made the NSA reluctant to issue orders to those carriers. But U.S. officials said that was not a reason.

“They’re doing business in the United States; they’re required to comply with U.S. law,” said one senior U.S. official. “A court order is a court order.”

Rather, the official said, the drop in collection stems from several factors.

Apart from the decline in land-line use, the agency has struggled to prepare its database to handle vast amounts of cellphone data, current and former officials say. For instance, cellphone records may contain geolocation data, which the NSA is not permitted to receive.

These reports offer a more credible explanation than Geoffrey Stone’s multiple claims to this effect about why the program misses data. So they may be true.

But I think they instead point to the legal range of authorities NSA uses to collect phone records, not to what records they actually have in their possession.

These reports are commenting (though without specifying, or even seeming to be aware they need to specify) on what the government claims it collects under Section 215. These reports are not commenting on what NSA collects under all authorities.

In this post I will show why I believe these reports to be credible only in a very narrow sense. In a follow-up post I will point to the legal issues that underlie the Administration’s conflicting claims about what it collects.

Read more

The Lapses in Dragnet Notice to Congress

/7 Comments/in , /by

I’m at a great conference on national security and civil liberties. Unfortunately, speakers have repeatedly claimed that NSA fully informs Congress on its programs.

Even setting aside Dianne Feinstein’s admission that the intelligence committees exercise less oversight over programs conducted under EO 12333, there are a number of public documents that show the Executive failing to fully inform Congress:

April 27, 2005: Alberto Gonzales and Robert Mueller brief SSCI on PATRIOT Authorities in advance of reauthorization. They make no mention of the use of PR/TT to gather Internet metadata, much less the violations of Colleen Kollar-Kotelly limits on the kind of data collected during the first period of its use.

October 21, 2009: A Michael Leiter and NSA Associate Deputy Director briefing to the House Intelligence Committee pointed to the September 3, 2009 phone dragnet reauthorization as proof that NSA had regained FISC’s confidence, without mentioning further violations on September 21 and 23 — violations that NSA did not inform FISC about.

August 16, 2010: DOJ did not provide the Intelligence and Judiciary Committees with some of the pre-July 10, 2008 FISC rulings providing significant constructions of FISA pertaining to — at a minimum — Section 215 until after the first PATRIOT Reauthorization.

February 2, 2011: House Intelligence Chair Mike Rogers did not invite members of Congress to read the 2011 notice about the phone and Internet dragnets. Approximately 86 freshmen members — 65 of whom voted to reauthorize the PATRIOT Act, a sufficient number to tip the vote — had no opportunity to read that notice.

May 13, 2011: In a briefing by Robert Mueller and Valerie Caproni designed to substitute for the Executive’s notice to Congressmen about the phone and Internet dragnets, the following exchange took place.

Comment — Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?

A — To the FBI’s knowledge, those authorities have not been abused.

While the balance of the briefing remains redacted, this seems to suggest the FBI did not brief House Republicans about the dragnet violations.

September 1, 2011: NSA did not provide notice to the House Judiciary Committee about its testing of geolocation data under Section 215 until after the reauthorization of PATRIOT Act, in spite of the fact that it had been conducting such tests throughout the 2010 and 2011 debates on the PATRIOT Act.

When Judge Reggie Walton Disappeared the FBI Director: The Tell that FISC Wasn’t Following the Law

/4 Comments/in , /by

SEN. MIKULSKI: General Clapper, there are 36 different legal opinions.

DIR. CLAPPER: I realize that.

SEN. MIKULSKI: Thirty-six say the program’s constitutional. Judge Leon said it’s not.

Thirty-six “legal opinions” have deemed the dragnet legal and constitutional, its defenders say defensively, over and over again.

But that’s not right — not by a long shot, as ACLU’s Brett Max Kaufman pointed out in a post yesterday. In its report, PCLOB confirmed what I first guessed 4 months ago: the FISA Court never got around to writing an opinion considering the legality or constitutionality of the dragnet until August 29, 2013.

FISC judges, on 33 occasions before then, signed off on the dragnet without bothering to give it comprehensive legal review.

Sure, after the program had been reauthorized 11 times, Reggie Walton considered the more narrow question of whether the program violates the Stored Communications Act (I suspect, but cannot yet prove, that the government presented that question because of concerns raised by DOJ IG Glenn Fine). But until Claire Eagan’s “strange” opinion in August, no judge considered in systematic fashion whether the dragnet was legal or constitutional.

And the thing is, I think FISC judge — now Presiding Judge — Reggie Walton realized around about 2009 what they had done. I think he realized the program didn’t fit the statute.

Consider a key problem with the dragnet — another one I discussed before PCLOB (though I was not the first or only one to do so). The wrong agency is using it.

Section 215 does not authorize the NSA to acquire anything at all. Instead, it permits the FBI to obtain records for use in its own investigations. If our surveillance programs are to be governed by law, this clear congressional determination about which federal agency should obtain these records must be followed.

Section 215 expressly allows only the FBI to acquire records and other tangible things that are relevant to its foreign intelligence and counterterrorism investigations. Its text makes unmistakably clear the connection between this limitation and the overall design of the statute. Applications to the FISA court must be made by the director of the FBI or a subordinate. The records sought must be relevant to an authorized FBI investigation. Records produced in response to an order are to be “made available to,” “obtained” by, and “received by” the FBI. The Attorney General is directed to adopt minimization procedures governing the FBI’s retention and dissemination of the records it obtains pursuant to an order. Before granting a Section 215 application, the FISA court must find that the application enumerates the minimization procedures that the FBI will follow in handling the records it obtains. [my emphasis, footnotes removed]

The Executive convinced the FISA Court, over and over and over, to approve collection for NSA’s use using a law authorizing collection only by FBI.

Which is why I wanted to point out something else Walton cleaned up in 2009, along with watchlists of 3,000 Americans who had not received First Amendment Review. Judge Reggie Walton disappeared the FBI Director.

>>>Poof!<<<

Gone.

The structure of all the dragnet orders released so far (save Eagan’s opinion) follow a similar general structure:

  • An (unnumbered, unlettered) preamble paragraph describing that the FBI Director made a request
  • 3-4 paragraphs measuring the request against the statute, followed by some “wherefore” language
  • A number of paragraphs describing the order, consisting of the description of the phone records required, followed by 2 minimization paragraphs, the first pertaining to FBI and,
  • The second paragraph introducing minimization procedures for NSA, followed by a larger number of lettered paragraphs describing the treatment of the records and queries (this section got quite long during the 2009 period when Walton was trying to clean up the dragnet and remains longer to this day because of the DOJ oversight Walton required)

Here’s how the first three paragraphs looked in the first order and (best as I can tell) the next 11 orders, including Walton’s first order in December 2008:

An application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (the Act), Title 50, United States Code (U.S.C.), § 1861, as amended, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, the Court finds that:

1. The Director of the FBI is authorized to make an application for an order requiring the production of any tangible thing for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the First Amendment to the Constitution of the United States. [50 U.S.C. § 1861 (c)(1)]

2. The tangible things to be produced are all call-detail records or “telephone metadata” created by [the telecoms]. Telephone metadata includes …

[snip]

3. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12,333 to protect against international terrorism, … [my emphasis]

Here’s how the next order and all (released) following orders start [save the bracketed language, which is unique to this order]:

An verified application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (FISA), as amended, 50 U.S.C. § 1861, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, [as well as the government’s filings in Docket Number BR 08-13 (the prior renewal of the above-captioned matter),] the Court finds that:

1. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12333 to protect against international terrorism, …

That is, Walton took out the paragraph — which he indicated in his opinion 3 months earlier derived from the statutory language at 50 U.S.C. § 1861 (c)(1) — pertaining to the FBI Director. The paragraph always fudged the issue anyway, as it doesn’t discuss the FBI Director’s authority to obtain this for the NSA. Nevertheless, Walton seems to have found that discussion unnecessary or unhelpful.

Walton’s March 5, 2009 order and all others since have just 3 statutory paragraphs, which basically say:

  1. The tangible things are relevant to authorized FBI investigations conducted under EO 12333 — Walton cites 50 USC 1861 (c)(1) here
  2. The tangible things could be obtained by a subpoena duces tecum (50 USC 1861 (c)(2)(D)
  3. The application includes an enumeration of minimization procedures — Walton doesn’t cite statute in this May 5, 2009 order, but later orders would cite 50 USC 1861 (c)(1) again

Here’s what 50 USC 1861 (c)(1), in its entirety, says:

(1) Upon an application made pursuant to this section, if the judge finds that the application meets the requirements of subsections (a) and (b), the judge shall enter an ex parte order as requested, or as modified, approving the release of tangible things. Such order shall direct that minimization procedures adopted pursuant to subsection (g) be followed.

And here are two key parts of subsections (a) and (b) — in addition to “relevant” language that has always been included in the dragnet orders.

(a) Application for order; conduct of investigation generally

(1) Subject to paragraph (3), the Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things

[snip]

(2) shall include—

[snip]

(B) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.

FBI … FBI … FBI.

The language incorporated in 50 USC 1861 (c)(1) that has always been cited as the standard judges must follow emphasizes the FBI repeatedly (PCLOB laid out that fact at length in their analysis of the program). And even Reggie Walton once admitted that fact.

And then, following his lead, FISC stopped mentioning that in its statutory analysis altogether.

Eagan didn’t even consider that language in her “strange” opinion, not even when citing the passages (here, pertaining to minimization) of Section 215 that directly mention the FBI.

Section 215 of the USA PATRIOT Act created a statutory framework, the various parts of which are designed to ensure not only that the government has access to the information it needs for authorized investigations, but also that there are protections and prohibitions in place to safeguard U.S. person information. It requires the government to demonstrate, among other things, that there is “an investigation to obtain foreign intelligence information … to [in this case] protect against international terrorism,” 50 U.S.C. § 1861(a)(1); that investigations of U.S. persons are “not conducted solely upon the basis of activities protected by the first amendment to the Constitution,” id.; that the investigation is “conducted under guidelines approved by the Attorney General under Executive Order 12333,” id. § 1861(a)(2); that there is “a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant” to the investigation, id. § 1861(b)(2)(A);14 that there are adequate minimization procedures “applicable to the retention and dissemination” of the information requested, id. § 1861(b)(2)(B); and, that only the production of such things that could be “obtained with a subpoena duces tecum” or “any other order issued by a court of the United States directing the production of records” may be ordered, id. § 1861(c)(2)(D), see infra Part III.a. (discussing Section 2703(d) of the Stored Communications Act). If the Court determines that the government has met the requirements of Section 215, it shall enter an ex parte order compelling production.

This Court must verify that each statutory provision is satisfied before issuing the requested Orders. For example, even if the Court finds that the records requested are relevant to an investigation, it may not authorize the production if the minimization procedures are insufficient. Under Section 215, minimization procedures are “specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” Id. § 1861(g)(2)(A)

Reggie Walton disappeared the FBI Director as a statutory requirement (he retained that preamble paragraph, the nod to authorized FBI investigations, and the perfunctory paragraph on minimization of data provided from NSA to FBI) on March 5, 2009, and he has never been heard from in discussions of the FISC again.

Now I can imagine someone like Steven Bradbury making an argument that so long as the FBI Director actually signed the application, and so long as the FBI had minimization procedures for the as few as 16 tips they receive from the program in a given year, it was all good to use an FBI statute to let the NSA collect a dragnet potentially incorporating all the phone records of all Americans. I can imagine Bradbury pointing to the passive construction of that “things to be made available” language and suggest so long as there were minimization procedures about FBI receipt somewhere, the fact that the order underlying that passive voice was directed at the telecoms didn’t matter. That would be a patently dishonest argument, but not one I’d put beyond a hack like Bradbury.

The thing is, no one has made it. Not Malcolm Howard in the first order authorizing the dragnet, not DOJ in its request for that order (indeed, as PCLOB pointed out, the application relied heavily on Keith Alexander’s declaration about how the data would be used). The closest anyone has come is the white paper written last year that emphasizes the relevance to FBI investigations.

But no one I know of has affirmatively argued that it’s cool to use an FBI statute for the NSA. In the face of all the evidence that the dragnet has not helped the FBI thwart a single plot — maybe hasn’t even helped the FBI catch one Somali-American donating less than $10,000 to al-Shabaab, as they’ve been crowing for months — FBI Director Jim Comey has stated to Congress that the dragnet is useful to the FBI primarily for agility (though the record doesn’t back Comey’s claim).

Which leaves us with the only conclusion that makes sense given the Executive’s failure to prove it is useful at all: it’s not the FBI that uses it, it’s NSA. They don’t want to tell us how the NSA uses it, in part, because we’ll realize all their reassurances about protections for Americans fall flat for the millions of Americans who are 3 degrees away from a potential suspect.

But they also don’t want to admit that it’s the NSA that uses it, because then it’ll become far more clear how patently illegal this program has been from the start.

Better to just disappear the FBI Director and hope no one starts investigating the disappearance.

Jim Comey: For FBI, Section 215 Only Provides Agility

/6 Comments/in , /by

In yesterday’s Threat Hearing, James Clapper and John Brennan provided so much news early, I suspect many didn’t stick around to hear the question Angus King posed to Jim Comey. He asked about the significance of the phone dragnet.

SEN. KING: Director Comey, do you have views on the significance of 215? You understand this is not easy for this committee. The public is very skeptical and in order for us to continue to maintain it, we have to be convinced that it is in fact effective and not just something that the intelligence community thinks is something nice to have in their toolkit.

DIR. COMEY: Yeah, I totally understand people’s concerns and questions about them. They’re reasonable questions. I believe it’s a useful tool. For the FBI, its primary value is agility. That is, it allows us to do in minutes what would otherwise take us in hours. And I’ll explain what I mean by that. If a terrorist is identified in the United States or something blows up in the United States, we want to understand, OK, is there a network that we’re facing here?

And we take any telephone numbers connected to that terrorist, to that attack. And what I would do in the absence of 215 is use the legal process that we use every day, either grand jury subpoenas or national security letters, and by subpoenaing each of the telephone companies I would assemble a picture of whether there’s a network connected to that terrorist. That would take hours.

What this tool allows us to do is do that in minutes. Now, in most circumstances, the difference between hours and minutes isn’t going to be material except when it matters most. And so it’s a useful tool to me because of the agility it offers. [my emphasis]

Comey prefaced his entire answer by making it clear he was only addressing the way the FBI uses the dragnet. That suggests he was bracketing off his answer from possible other uses, notably by NSA.

If the FBI Director brackets off such an answer after 7 months of NSA pointing to FBI’s efforts to thwart plots, to suggest his Agency’s use may not be the most important use of the dragnet, can we stop talking about plots thwarted and get an explanation what role the dragnet really plays?

That said, it’s worth comparing Comey’s answer to what the PCLOB said about FBI’s use of the dragnet. Because in the 5 cases the government cited claiming the dragnet found particular leads (the exception is Basaaly Moalin, which PCLOB said might have been found via active investigations FBI already had going), FBI found the same leads via other means (and the implication for some of these is that FBI found those other leads first).

Operation WiFi: Those numbers simply mirrored information about telephone connections that the FBI developed independently using other authorities.

[snip]

David Headley: Those numbers, however, only corroborated data about telephone calls that the FBI obtained independently through other authorities.

[snip]

3 other cases: But in all three cases, that information simply mirrored or corroborated intelligence that the FBI obtained independently through other means.

That is, usually the dragnet isn’t even a matter of agility. It’s a matter of redundancy.

It seems Jim Comey, sharing the dais with several colleagues who’ve already torched their credibility, had no interest in pretending the dragnet is primarily about the investigations of his Agency.

Perhaps the rest of the us can dispense with that myth too now?

Important: Changes to Section 215 Dragnet Will Not Change Treatment of EO 12333 Metadata

/2 Comments/in , /by

In their Angry Birds stories, both the Guardian and NYT make what I believe is a significant error. They suggest changes in the handling of the Section 215-collected phone metadata will change the way NSA handles EO 12333-collected phone metadata.

Guardian:

Data collected from smartphone apps is subject to the same laws and minimisation procedures as all other NSA activity – procedures which US president Barack Obama suggested may be subject to reform in a speech 10 days ago. But the president focused largely on the NSA’s collection of the metadata from US phone calls and made no mention in his address of the large amounts of data the agency collects from smartphone apps.

NYT:

President Obama announced new restrictions this month to better protect the privacy of ordinary Americans and foreigners from government surveillance, including limits on how the N.S.A. can view “metadata” of Americans’ phone calls — the routing information, time stamps and other data associated with calls. But he did not address the avalanche of information that the intelligence agencies get from leaky apps and other smartphone functions.

Here’s what the President actually said, in part, about phone metadata:

I am therefore ordering a transition that will end the Section 215 bulk metadata program as it currently exists, and establish a mechanism that preserves the capabilities we need without the government holding this bulk meta-data.

That is, Obama was speaking only about NSA’s treatment of Section 215 metadata, not the data — which includes a great amount of US person data — collected under Executive Order 12333.

To be clear, both Guardian and NYT were distinguishing Obama’s promises from the treatment extended to the leaky mobile data app. But they incorrectly suggested that all phone metadata, regardless of how it was collected, receives the same protections.

Section 215 metadata has different and significantly higher protections than EO 12333 phone metadata because of specific minimization procedures imposed by the FISC (arguably, the program doesn’t even meet the minimization procedure requirements mandated by the law). We’ve seen the implications of that, for example, when the NSA responded to being caught watch-listing 3,000 US persons without extending First Amendment protection not by stopping that tracking, but simply cutting off the watch-list’s ability to draw on Section 215 data.

Basically, the way NSA treats data collected under FISC-overseen programs (including both Section 215 and FISA Amendments Act) is to throw the data in with data collected under EO 12333, but add query screens tied to the more strict FISC-regulations governing production under it. This post on federated queries explains how it works in practice. As recently as 2012 at least one analyst improperly searched on US person FAA-collected content because she didn’t hit the right filter on her query screen.

[T]he NSA analyst conducted a federated query using a known United States person identifier, but forgot to filter out Section 702-acquired data while conducting the federated query.

That’s it. If the data is accessed via one of the FISC-overseen programs, US persons benefit from the additional subject matter, dissemination, and First Amendment protections of those laws or FISC’s implementation of them (and would benefit from the minor changes Obama has promised to both Section 215 and FAA).

But if NSA collected the data via one of its EO 12333 programs, it does not get get those protections. To be clear, it does get some dissemination protection and can only be accessed with a foreign intelligence purpose, but that is much less than what the FISC programs get. Which leaves the NSA a fair amount of leeway to spy on US persons, so long as it hasn’t collected the data to do so under the programs overseen by FISC. And when it collects data under EO 12333, it is a lot easier for the NSA to spy on Americans.

The metadata from leaky mobile apps almost certainly comes from EO 12333 collection, not least given the role of GCHQ and CSEC (Canada’s Five Eyes’ partner) to the collection. The Facebook and YouTube data GCHQ collects (just reported by Glenn Greenwald working with NBC) surely counts as EO 12333 collection.

NSA’s spokeswoman will say over and over that “everyday” or “ordinary” Americans don’t have to worry about their favorite software being sucked up by NSA. But to the extent that collection happens under EO 12333, they have relatively little protection.

Is NSA Wiretapping Now Rather than Tipping?

/3 Comments/in , /by

One of the news bits a number of outlets took away from the phone dragnet order document dump 10 days ago is that the NSA averages(d) about 3 tips a day to the FBI.

That’s actually not news. It’s consistent with a series of accountings NSA gave to Reggie Walton in 2009, as when, in February 2009, they provided more exact numbers (though they’d get tweaked a bit during that summer) that were smaller, but still in the range of 2-3 tips a day.

Demonstrating the value of the BR metadata to the U.S. Intelligence Community, the NSA has disseminated 275 reports and tipped over 2,500 telephone identifiers to the FBI and CIA for further investigative action since the inception of this collection in docket number BR 06-05.

That said, at least according to Geoffrey Stone, the scale of the referrals may have gone down dramatically.

Under the FISA statute, the NSA queried 288 numbers in 2012 and had only 16 instances where matches were analyzed, confirmed, and then forwarded to the FBI. According to Stone, these queries only produced about 6,000 numbers that were “touched” by the analysis, of the millions of numbers whose meta-data the NSA stores for up to five years.

In general and specifically here, there are reasons I don’t entirely trust Stone’s comments on the dragnet. He has said a lot that is inconsistent with other public (and legally sworn) claims, notably on the volume of phone records collected. And his silences about certain aspects of the dragnet make me wonder how complete an understanding he has.

Plus, the “16 instances” may — as was true in the earlier period — represent reports that include more than one number. If, as occurred until 2009, each report had roughly 10 numbers, then this might amount to 160 identifiers (which is still far below the pace of the 2006-2009 period, but then during that period they weren’t enforcing RAS).

Then there’s the complete lack of definition for “touch” with regards to his 6,000 number.

In addition, 2012 might be a new baseline (or perhaps outlier) year, as the rollout of the new automated system at the end of 2011 would likely have changed the treatment of phone identifiers entirely.

And as I’ve said, I expect the use of the phone dragnet for a “peace of mind” query after the Boston Marathon attack to result in a huge number of tips (though perhaps in just one or several reports), given how wired the Tsarnaevs were and had been for the five years leading up to the attack.

Moreover, in a development that may or may not be entirely unrelated, the number of telephone taskings under Section 702 have started to go up again starting in 2012, after having been down since 2009.

As the chart demonstrates, the number of newly tasked telephone numbers decreased after 2009, but began to increase again in 2012. The average number of telephone numbers tasked each month for the first 11 months of 2012 [redacted].

There are admittedly a number of possible explanations (increasing collection of text messages, different kind of upstream collection, potentially even a fourth certificate in addition to the terror, proliferation, and cyber ones we know about). But one possibility is that the new alert system has led NSA to move toward wiretapping interesting numbers, rather than sending them to FBI for investigation. Moreover, by wiretapping someone, NSA could share data with FBI and CIA in relatively unfettered fashion, as both are permitted to receive unminimized content under 702 in certain circumstances, and both have the authority to do backdoor searches on US person content on all but upstream collected 702 data.

The NSA can’t give phone numbers to FBI without review, but according to section 702 minimization procedures, in some cases they can let CIA and FBI read wiretap content without such review.

That is, wiretapping someone could be a way to evade data dissemination restrictions in place on actual phone dragnet queries.

The Corporate Store: Where NSA Goes to Shop Your Content and Your Lifestyle

/56 Comments/in , /by

I’m increasingly convinced that for seven months, we’ve been distracted by a shiny object, the phone dragnet, the database recording all or almost all of the phone-based relationships in the US over the last five years. We were never wrong to discuss the dangers of the dragnet. It is the equivalent of a nuclear bomb, just waiting to go off. But I’m quite certain the NatSec establishment decided in the days after Edward Snowden’s leaks to intensify focus on the actual construction of the dragnet — the collection of phone records and the limits on access to the initial database (what they call the collection store) of them — to distract us away from the true family jewels.

A shiny object.

All that time, I increasingly believe, we should have been talking about the corporate store, the database where queries from the collection store are kept for an undisclosed (and possibly indefinite) period of time. Once records get put in that database, I’ve noted repeatedly, they are subject to “the full range of [NSA’s] analytic tradecraft.”

We don’t know precisely when that tradecraft gets applied or to how many of the phone identifiers collected in any given query. But we know that tradecraft includes matching individuals’ various communication identifiers (which can include phone number, handset identifier, email address, IP address, cookies from various websites) — a process the NSA suggests may not be all that accurate, but whatever! Once NSA links all those identities, NSA can pull together both network maps and additional lifestyle information.

The agency was authorized to conduct “large-scale graph analysis on very large sets of communications metadata without having to check foreignness” of every e-mail address, phone number or other identifier, the document said.

[snip]

The agency can augment the communications data with material from public, commercial and other sources, including bank codes, insurance information, Facebook profiles, passenger manifests, voter registration rolls and GPS location information, as well as property records and unspecified tax data, according to the documents. They do not indicate any restrictions on the use of such “enrichment” data, and several former senior Obama administration officials said the agency drew on it for both Americans and foreigners.

That analysis might even include tracking a person’s online sex habits, if the government deems you a “radicalizer” for opposing unchecked US power, even if you’re a US person.

Such profiles are not the only thing included in NSA’s “full range of analytic tradecraft.”

We also know — because James Clapper told us this very early on in this process — the metadata helps the NSA pick and locate which content to read. The head of NSA’s Signals Intelligence Division, Theresa Shea, said this more plainly in court filings last year.

Section 215 bulk telephony metadata complements other counterterrorist-related collection sources by serving as a significant enabler for NSA intelligence analysis. It assists the NSA in applying limited linguistic resources available to the counterterrorism mission against links that have the highest probability of connection to terrorist targets. Put another way, while Section 215 does not contain content, analysis of the Section 215 metadata can help the NSA prioritize for content analysis communications of non-U.S. persons which it acquires under other authorities. Such persons are of heightened interest if they are in a communication network with persons located in the U.S. Thus, Section 215 metadata can provide the means for steering and applying content analysis so that the U.S. Government gains the best possible understanding of terrorist target actions and intentions. [my emphasis]

The NSA prioritizes reading the content that involves US persons. And the NSA finds it, and decides what to read, using the queries that get dumped into the corporate store (presumably, they do some analytical tradecraft to narrow down which particular conversations involving US persons they want to read).

And there are several different kinds of content this might involve: content (phone or Internet) of a specific targeted individual — perhaps the identifier NSA conducted the RAS query with in the first place — already sitting on some NSA server, Internet and in some cases phone content the NSA can go get from providers after having decided it might be interesting, or content the NSA collects in bulk from upstream collections that was never targeted at a particular user.

The NSA is not only permitted to access all of this to see what Americans are saying, but in all but the domestically collected upstream content, it can go access the content by searching on the US person identifier, not the foreign interlocutor, without establishing even Reasonable Articulable Suspicion that it pertains to terrorism (though the analyst does have to claim it serves foreign intelligence purpose). That’s important because lots of this content-collection is not tied to a specific terrorist suspect (it can be tied to a geographical area, for example), so the NSA can hypothetically get to US person content without ever having reason to believe it has any tie to terrorism.

In other words, all the things NSA’s defenders have been insisting the dragnet doesn’t do — it doesn’t provide content, it doesn’t allow unaudited searches, NSA doesn’t know identities, NSA doesn’t data mine it, NSA doesn’t develop dossiers on it, even James Clapper’s claim that NSA doesn’t voyeuristically troll through people’s porn habits — every single one is potentially true for the results of queries run three hops off an identifier with just Reasonable Articulable Suspicion of some tie to terrorism (or Iran). Everything the defenders say the phone dragnet is not, the corporate store is.

All the phone contacts of all the phone contacts of all the phone contacts of someone subjected to the equivalent of a digital stop-and-frisk are potentially subject to all the things NSA’s defenders assure us the dragnet is not subject to.

Read more