Posts

10 Goodies USA Freedom Act Gives the Intelligence Community

Since the Paris attack has turned much of our country into a shriveling pack of cowards, Republicans have ratcheted up claims that USA Freedom Act will make us less safe. Those claims tend to be so ignorant they claim the law — passed in June but not fully implemented until a week from Sunday — prevented the Intelligence Community from preventing the Paris attack. That would not be possible for two reasons. First, because the key provision hasn’t started yet (though some of the benefits for the IC have). And, because according to reports the network that carried out the Paris attack had no ties to the US, and therefore the dragnet couldn’t have shown anything useful.

All that said, I thought both the fear-mongering and the imminent changeover made it a good time to update (and in a few places, correct) this post, which laid out 10 things the IC gets out of USAF.

1. Inclusion of cell and (probably) some Internet “calls” in chaining system

Since early 2014, intelligence sources have been leaking that the phone dragnet misses 70% of US calls. That number is probably an exaggeration (and doesn’t account for what the NSA collects under significantly redundant collection under EO 12333). But there are probably several reasons for why the old dragnet had incomplete coverage. First, providers that only keep cell records with location data attached could not be obligated to turn over those records under the existing program (when AT&T started turning over cell records in 2011, it stripped location data for the NSA voluntarily, but no providers were obligated to do so). In a declaration submitted in Larry Klayman’s challenge to the phone dragnet, NSA makes it clear the ability to demand production in the form NSA wants is one big difference in the program (as is having facilities onsite, which probably mirrors the PRISM program).

Screen shot 2015-11-20 at 11.33.10 AM

In addition, USA Freedom is technology neutral; unlike phone dragnet orders, it does not limit collection to telephony calls, though it does limit collection to “phone companies,” which I presume includes handset makers Apple, Microsoft, and Google. This probably means the government will fill the gap in calls that has been growing of late, probably including VOIP and iMessage.

2. Addition of emergency provision for all Section 215 applications

Before USAF passed, there was a FISC-authorized emergency provision for the phone dragnet, but not the rest of Section 215 production. That was a problem, because the most common use of Section 215 is for more targeted (though it is unclear how targeted it really is) Internet production, and the application process for Section 215 can be slow. USAF made emergency application procedures available for all kinds of Section 215 applications.

3. Creation of parallel construction loophole under emergency provision

Not only does USAF extend emergency provision authority to all Section 215 applications, but it changes the status quo FISC created in a way that invites abuse. That’s because, even if the FISC finds an agency collected records improperly under the emergency provision, the government doesn’t have to destroy those records. It prohibits the use of “derivative” evidence in any proceeding, but there is abundant reason to believe the government still finds a way to parallel construct evidence even in other laws with such limitation on “derivative” evidence and so we should expect the same to happen here. The risk that the government will do this is not illusory; in the 18 months or so since FISC created this emergency provision, they’ve already had reason to explicitly remind the government that even under emergency collection, the government still can’t collect on Americans solely for First Amendment protected activities.

4. Chaining on “connections” rather than “calls,” which might be used to access unavailable smart phone data

Rather than chaining on calls made, USAF chains on “connections,” with Call Detail Record defined based on “session identifier.” This is probably intended to permit the government to obtain the call records of “correlated” identities, including things like all the records from a “Friends and Family” account. And while the House Report specifically prohibited some potentially troubling uses (like having providers chain on location information), in the era of smart phones and super cookies, the language of the bill leaves open the possibility of vastly expanded “connections.”

5. Elimination of pushback from providers

USAF gives providers two things they don’t get under existing Section 215: immunity and compensation. This will make it far less likely that providers will push back against even unreasonable requests. Given the parallel construction loophole in the emergency provisions and the potentially expansive uses of connection chaining, this is particularly worrisome.

6. Expansion of data sharing

Currently, chaining data obtained under the phone dragnet is fairly closely held. Only specially trained analysts at NSA may access the data returned from phone dragnet queries, and analysts must get a named manager to certify that the data is for a counterterrorism purpose to share outside that group of trained analysts. Under this new law, all the returned data will be shared — in full, apparently — with the NSA, CIA, and FBI. And the FBI is exempted from reporting on how many back door searches it does of this data.

Thus, this data, which would ostensibly be collected for a counterterrorism purpose, will apparently be available to FBI every time it does an assessment or opens up certain kinds of intelligence, even for non-counterterrorism purposes. Furthermore, because FBI’s data sharing rules are much more permissive than NSA’s, this data will be able to be shared more widely outside the federal government, including to localities. Thus, not only will it draw from far more data, but it will also share the data it obtains far more broadly.

7. Mooting of court challenges

As we’ve seen in both ACLU v. Clapper and Klayman v. Obama, USAF mooted court challenges to the dragnet, including ones that looked likely to rule the expansive “relevant to” based collections unconstitutional. In addition, the law may moot EFF’s First Unitarian Church v. NSA challenge to the dragnet, which of all the challenges is most likely to get at some of the underlying constitutional problems with the dragnet.

8. Addition of 72-hour spying provisions

In addition to the additional things the IC got related to its Section 215 spying, there are three unrelated things the House added. First, the law authorized the “emergency roamer” authority the IC has been asking for since 2013. It permits the government to continue spying on a legitimate non-US target if he enters the US for a 72-hour period, with Attorney General authorization. While in practice, the IC often misses these roamers until after this window, this will save the IC a lot of paperwork and bring down their violation numbers.

9. Expansion of proliferation-related spying

USAF also expanded the definition of “foreign power” under FISA to include not just those proliferating in weapons of mass destruction, but also those who “knowingly aid or abet” or “conspire” with those doing so. This will make it easier for the government to spy on more Iran-related targets (and similar such targets) in the US.

10. Lengthening of Material Support punishments

In perhaps the most gratuitous change, USAF lengthened the potential sentence for someone convicted of material support for terrorism — which, remember, may be no more than speech! — from 15 years to 20. I’m aware of no real need to do this (except, perhaps, to more easily coerce people to inform for the government). But it is clearly something someone in the IC wanted.

Let me be clear: some of these provisions (like permission to chain on Internet calls) will likely make the chaining function more useful and therefore more likely to prevent attacks, even if it will also expose more innocent people to expanded spying. Some of these provisions (like the roamer provision) are fairly reasonably written. Some (like the changes from status quo in the emergency provision) are hard to understand as anything but clear intent to break the law, particularly given IC intransigence about fixing obvious problems with the provision as written. I’m not claiming that all of these provisions are bad for civil liberties (though a number are very bad). But all of them are (or were, for those that have already gone into force) clear expansions on the authorities and capabilities the IC used to have.

The Second Circuit Attempts to Reassert Its Non-Definition of Relevant

Orin Kerr and Steve Vladeck got in a bit of a squabble last week over the Second Circuit’s decision not to reach the constitutionality of the phone dragnet. Vladeck called it wrong-headed, because even if the constitutional injury of the dragnet is temporary (that is, only until November 29), it’s the kind of injury that can recur. Kerr reads both this — and the Second Circuit’s original opinion — to be nothing more than a pragmatic nudge to Congress. “If you liked that opinion, it’s a little hard to object to the Second Circuit’s pragmatic, politically savvy, we-got-Congress-to-act-on-this-so-we’re-done moves in the second opinion.”

But I think both are misreading what the Second Circuit tried to do with this.

Take Kerr’s suggestion that the initial ruling from the Second Circuit got Congress to act.  He doesn’t say what he means by that (or which civil libertarians he had in mind when asserting that). The earlier decision certainly added pressure to get the bill through Congress.

But look at how Gerard Lynch, in his opinion, describes the relationship: Congress not just passed a bill to prohibit bulk telephone collection, but it “endorsed our understanding of the key term ‘relevance.'”

Congress passed the Freedom Act in part to prohibit bulk telephone metadata collection, and in doing so endorsed our understanding of the key term “relevance.”  See H.R. Rep. No. 114‐109, at 19.

Lynch goes on to cite the House report on the bill to support this claim.

Section 103 of the Freedom Act, titled “Prohibition on Bulk Collection of Tangible Things,” states that “[n]o order issued under this subsection may authorize the collection of tangible things without the use of a specific selection term” that meets certain requirements.  Id.  The purpose of § 103 is to “make[] clear that the government may not engage in indiscriminate bulk collection of any tangible thing or any type of record.”  H.R. Rep. No. 114‐109, pt. 1, at 18 (2015).  Section 103 is also intended to “restore meaningful limits to the ‘relevance’ requirement of Section 501, consistent with the opinion of the U.S. Court of Appeals for the Second Circuit in ACLU v. Clapper.”  Id. at 19.

He cites language point to an entire section that the House says will restore limits to the relevance requirement of a section of a law “consistent” with his own earlier opinion.

All that said, it’s not clear that USA F-ReDux, as written, does do that. That’s true, first of all, because while the House report specifically states, “Congress’ decision to leave in place the ‘relevance’ standard for Section 501 orders should not be construed as Congress’ intent to ratify the FISA Court’s interpretation of that term” (Lynch cites this language in his opinion), it also doesn’t state that Congress intended to override that definition. What the bill did instead was leave the word “relevant” (still potentially meaning “all” as FISC defined it) in place, but place additional limits for its application under FISA.

Moreover, I’m not convinced the limits as written in USA F-ReDux accomplish all that the Second Circuit’s earlier opinion envisioned, which is perhaps best described in the ways the dragnets didn’t resemble warrants or subpoenas.

Moreover, the distinction is not merely one of quantity – however vast the quantitative difference – but also of quality.  Search warrants and document subpoenas typically seek the records of a particular individual or corporation under investigation, and cover particular time periods when the events under investigation occurred.  The orders at issue here contain no such limits.  The metadata concerning every telephone call made or received in the United States using the services of the recipient service provider are demanded, for an indefinite period extending into the future.  The records demanded are not those of suspects under investigation, or of people or businesses that have contact with such subjects, or of people or businesses that have contact with others who are in contact with the subjects – they extend to every record that exists, and indeed to records that do not yet exist, as they impose a continuing obligation on the recipient of the subpoena to provide such records on an ongoing basis as they are created.

Even setting aside my concern that USA F-ReDux only explicitly prohibits the use of communications company names like Verizon and AT&T as a specific selection term — thus leaving open the possibility FISC will continue to let the government use financial company names as specific selection terms — USA F-ReDux certainly envisions the government imposing “a continuing obligation on the recipient of the subpoena to provide such records on an ongoing basis.” It also permits the collection of records that “are not those of suspects under investigation.”

In other words, Lynch used this second opinion to do more than say the Second Circuit was “done with it.” He used it to interpret USA F-ReDux — and the word “relevant” generally, outside of FISA, and to do so in ways that go beyond the clear language of the bill.

Vladeck is wrong when he suggested the Second Circuit would assess “whether and to what extent the Fourth Amendment applies to information we voluntarily provide to third parties” — that is, the Third Party Doctrine generally. The Second Circuit made it quite clear throughout that they were interested in the application of “relevant,” not whether the Third Party Doctrine still applied generally, which is probably why Lynch isn’t that worried about the injury recurring.

And I think Lynch used this opinion — one the government can’t really appeal — to suggest the application of USA F-ReDux is broader than it necessarily is, and to suggest the narrowing of “relevant to” is more general than it would be under USA F-ReDux (which applies just to certain sections of FISA, but not to the definition of “relevant” generally).

It’s not clear how useful the opinion will be in restricting other over-broad uses of the word “relevant” (especially given DEA claims it has eliminated its dragnet). But I do suspect, having interpreted the law as having narrowed the meaning of the law, Lynch felt like he had limited the egregious constitutional injury.

DOJ Doesn’t Care What the Text of the Law or the 2nd Circuit Says, Dragnet Edition

Since USA F-ReDux passed JustSecurity has published two posts about how the lapse of Section 215 might create problems for the dragnet. Megan Graham argued that technically USA F-ReDux would have amended Section 215 as it existed in 2001, meaning the government couldn’t obtain any records but those that were specifically authorized before the PATRIOT Act passed. And former SSCI staffer Michael Davidson argued that a technical fix would address any uncertainty on this point.

DOJ, however, doesn’t much give a shit about what USA F-ReDux actually amends. In its memorandum of law accompanying a request to restart the dragnet submitted the night USA F-ReDux passed, DOJ asserted that of course Section 215 as it existed on May 31 remains in place.

Its brief lapse notwithstanding, the USA FREEDOM Act also expressly extends the sunset of Section 215 of the USA PATRIOT Act, as amended, until December 15, 2019, id.§ 705(a), and provides that, until the effective date of the amendments made by Sections 101through103, it does not alter or eliminate the Government’s authority to obtain an order under Section 1861 as in effect prior to the effective date of Sections 101through103 of the USA FREEDOM Act. Id.§ 109(b). Because the USA FREEDOM Act extends the sunset for Section 215 and delays the ban on bulk production under Section 1861until180 days from its enactment, the Government respectfully submits that it may seek and this Court may issue an order for the bulk production of tangible things under Section 1861 as amended by Section 215 of the USA PATRIOT Act as it did in docket number BR 15-24 and prior related dockets.

It cites comments Pat Leahy and Chuck Grassley made on May 22 (without, curiously, quoting either Rand Paul or legislative record from after Mitch McConnell caused the dragnet to lapse) showing that the intent of the bill was to extend the current dragnet.

While I think most members of Congress would prefer DOJ’s argument to hold sway, I would expect a more robust argument from DOJ on this point.

Likewise their dismissal of the Second Circuit decision in ACLU v. Clapper (which they say they’re still considering appealing). While it notes the Second Circuit did not immediately issue an injunction, DOJ’s base argument is weaker: it likes FISC’s ruling better and so it thinks FISC’s District Court judges should consider but ultimately ignore what the Second Circuit said.

The Government believes that this Court’s analysis of Section 215 reflects the better interpretation of the statute, see, e.g., In Re Application of the FBI for an Order Requiring the Production of Tangible Things, docket no. BR 13-109, Amended Mem. Op., 2013 WL 5741573 (FISA Ct. Aug. 29, 2013) (Eagan, J.) and In Re Application of the FBI for an Order Requiring the Production of Tangible Things, docket no. BR 13-158, Mem. (FISA Ct. Oct. 11, 2013) (McLaughlin, J.), disagrees with the Second Circuit panel’s opinion, and submits that the request for renewal of the bulk production authority is authorized under the statute as noted above.

[snip]

The Government submits that this Court’s analysis continues to reflect the better reading of Section 1861.

This is where, incidentally, the flaccid report language attached to USA F-ReDux is so problematic. In a filing affirming the importance of legislative language, had the HJC report said something more than “Congress’ decision to leave in place the ‘‘relevance’’ standard for Section 501 orders should not be construed as Congress’ intent to ratify the FISA Court’s interpretation of that term,” DOJ might have to take notice of the language. But as it is, without affirmatively rejecting FISC’s opinion, the government will pretend it doesn’t matter.

I’m no more surprised with DOJ’s argument about the Second Circuit decision than I am its insistence that lapsing a bill doesn’t have legal ramifications.

But I would expect both arguments to make some effort to appear a bit less insolent. I guess DOJ is beyond that now.

The Section 215 Rap Sheet

Marco Rubio, who is running for President as an authoritarian, claims that “There is not a single documented case of abuse of this program.”

He’s not alone. One after another defender of the dragnet make such claims. FBI witnesses who were asked specifically about abuses in 2011 claimed FBI did not know of any abuses (even though FBI Director Robert Mueller had had to justify FBI’s use of the program to get it turned back on after abuses discovered in 2009).

Comment — Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?

A — To the FBI’s knowledge, those authorities have not been abused.

Though Section 215 boosters tend to get sort of squishy on their vocabulary, changing language about whether this was illegal, unconstitutional, or abusive.

Here’s what we actually know about the abuses, illegality, and unconstitutionality of Section 215, both the phone dragnet program and Section 215 more generally.

Judges

First, here’s what judges have said about the program:

1) The phone dragnet has been reapproved around 41 times by at least 17 different FISC judges

The government points to this detail as justification for the program. It’s worth noting, however, that FISC didn’t get around to writing an opinion assessing the program legally until 10 judges and 34 orders in.  Since Snowden exposed the program, the FISC appears to have made a concerted effort to have new judges sign off on each new opinion.

2) Three Article III courts have upheld the program:

Judges William Pauley and Lynn Winmill upheld the constitutionality of the program (but did not asses the legality of it); though Pauley was reversed on statutory, not constitutional grounds. Judge Jeffrey Miller upheld the use of Section 215 evidence against Basaaly Moalin on constitutional grounds.

3) One Article III court — Judge Richard Leon in Klayman v. Obama — found the program unconstitutional.

4) The Second Circuit (along with PCLOB, including retired Circuit Court judge Patricia Wald, though they’re not a court), found the program not authorized by statute.

The latter decision, of course, is thus far the binding one. And the 2nd Circuit has suggested that if it has to consider the program on constitution grounds, it might well find it unconstitutional as well.

Statutory abuses

1) As DOJ’s IG confirmed yesterday, for most of the life of the phone dragnet (September 2006 through November 2013), the FBI flouted a mandate imposed by Congress in 2006 to adopt Section 215-specific minimization procedures that would give Americans additional protections under the provision (note–this affects all Section 215 programs, not just the phone dragnet). While, after a few years, FISC started imposing its own minimization procedures and reporting requirements (and rejected proposed minimization procedures in 2010), it nevertheless kept approving Section 215 orders.

In other words, in addition to being illegal (per the 2nd Circuit), the program also violated this part of the law for 7 years.

2) Along with all the violations of minimization procedures imposed by FISC discovered in 2009, the NSA admitted that it had been tracking roughly 3,000 presumed US persons against data collected under Section 215 without first certifying that they weren’t targeted on the basis of First Amendment protected activities, as required by the statute.

Between 24 May 2006 and 2 February 2009, NSA Homeland Mission Coordinators (HMCs) or their predecessors concluded that approximately 3,000 domestic telephone identifiers reported to Intelligence Community agencies satisfied the RAS standard and could be used as seed identifiers. However, at the time these domestic telephone identifiers were designated as RAS-approved, NSA’s OGC had not reviewed and approved their use as “seeds” as required by the Court’s Orders. NSA remedied this compliance incident by re-designating all such telephone identifiers as non RAS-approved for use as seed identifiers in early February 2009. NSA verified that although some of the 3,000 domestic identifiers generated alerts as a result of the Telephony Activity Detection Process discussed above, none of those alerts resulted in reports to Intelligence Community agencies.

NSA did not fix this problem by reviewing the basis for their targeting; instead, it simply moved these US person identifiers back onto the EO 12333 only list.

While we don’t have the background explanation, in the last year, FISC reiterated that the government must give First Amendment review before targeting people under Emergency Provisions. If so, that would reflect the second time where close FISC review led the government to admit it wasn’t doing proper First Amendment reviews, which may reflect a more systematic problem. That would not be surprising, since the government has already been chipping away at that First Amendment review via specific orders.

Minimization procedure abuses

1) The best known abuses of minimization procedures imposed by the FISC were disclosed to the FISC in 2009. The main item disclosed involved the fact that NSA had been abusing the term “archive” to create a pre-archive search against identifiers not approved for search. While NSA claimed this problem arose because no one person knew what the requirements were, in point of fact, NSA’s Inspector General warned that this alert function should be disclosed to FISC, and it was a function from the Stellar Wind program that NSA simply did not turn off when FISC set new requirements when it rubber-stamped the program.

But there were a slew of other violations of FISC-imposed minimization procedures disclosed at that time, almost all arising because NSA treated 215 data just like it treats EO 12333, in spite of FISC’s clear requirements that such data be treated with additional protections. That includes making query results available to CIA and FBI, the use of automatic search functions, and including querying on any “correlated” identifiers. These violations, in sum, are very instructive for the USA F-ReDux debate because NSA has never managed to turn these automated processes back on since, and one thing they presumably hope to gain out of moving data to the providers is to better automate the process.

2) A potentially far more egregious abuse of minimization procedures was discovered (and disclosed) in 2012, when NSA discovered that raw data NSA’s techs were using over 3,000 files of phone dragnet data on their technical server past the destruction date.

As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.

But rather than investigate this violation — rather than clarify how much data this entailed, whether it had been mingled with Stellar Wind data, whether any other violations had occurred — NSA destroyed the data.

In one incident, NSA technical personnel discovered a technical server with nearly 3,000 files containing call detail records that were more than five years old, but that had not been destroyed in accordance with the applicable retention rules. These files were among those used in connection with a migration of call detail records to a new system. Because a single file may contain more than one call detail record, and because the files were promptly destroyed by agency technical personnel, the NSA could not provide an estimate regarding the volume of calling records that were retained beyond the five-year limit. The technical server in question was not available to intelligence analysts.

From everything we’ve seen the tech and research functions are not audited, not even when they’re playing with raw data (which is, I guess, why SysAdmin Edward Snowden could walk away with so many records). So not only does this violation show that tech access to raw data falls outside of the compliance mechanisms laid out in minimization procedures (in part, with explicit permission), but that NSA doesn’t try very hard to track down very significant violations that happen.

Overall sloppiness

Finally, while sloppiness on applications is not a legal violation, it does raise concerns about production under the statute. The IG Report reviewed just six case files which used Section 215 orders. Although the section is heavily redacted, there are reasons to be significantly concerned about four of those.

  • An application made using expedited approval that made a material misstatement about where FBI obtained a tip about the content of a phone call. The FBI agent involved “is no longer with the FBI.” The target was prosecuted for unlawful disclosure of nuke information, but the Section 215 evidence was not introduced into trial and therefore he did not have an opportunity to challenge any illegal investigative methods.
  • A 2009 application involving significant minimization concerns and for which FBI rolled out a “investigative value” exception for access limits on Section 215 databases. This also may involve FBI’s secret definition of US person, which I suspect pertains to treating IP addresses as non-US persons until they know it is a US person (this is akin to what they do under 702 MPs). DOJ’s minimization report to FISC included inaccuracies not fixed until June 13, 2013.
  • A 2009 application for a preliminary investigation that obtained medical and education records from the target’s employer. FBI ultimately determined the target “had no nexus to terrorism,” though it appears FBI kept all information on the target (meaning he will have records at FBI for 30 years). The FBI’s minimization report included an error not fixed until June 13, 2013, after the IG pointed it out.
  • A cyber-investigation for which the case agent could not locate the original production, which he claims was never placed in the case file.

And that’s just what can be discerned from the unredacted bits.

Remember, too: the inaccuracies (as opposed to the material misstatement) were on minimization procedures. Which suggests FBI was either deceitful — or inattentive — to how it was complying with FISC-mandated minimization procedures designed to protect innocent Americans’ privacy.

And remember — all this is just Section 215. The legal violations under PRTT were far more egregious, and there are other known violations and misstatements to FISC on other programs.

This is a troubling program, one that several judges have found either unconstitutional or illegal.

 

How the Second Circuit, FISC, and the Telecoms Might Respond to McConnell’s USA F-ReDux Gambit

Update: Jennifer Granick (who unlike me, is a lawyer) says telecoms will be subject to suit if they continue to comply with dragnet orders. 

Any company that breaches confidentiality except as required by law is liable for damages and attorneys’ fees under 47 U.S.C. 206. And there is a private right of action under 47 U.S.C. 207.

Note that there’s no good faith exception in the statute, no immunity for acting pursuant to court order. Rather, the company is liable unless it was required by law to disclose. So Verizon could face a FISC 215 dragnet order on one side and an order from the Southern District of New York enjoining the dragnet on the other. Is Verizon required by law to disclose in those circumstances? If not, the company could be liable. And did I mention the statute provides for attorneys’ fees?

Everything is different now than it was last week. Reauthorization won’t protect the telecoms from civil liability. It won’t enable the dragnet. As of last Thursday, the dragnet is dead, unless a phone company decides to put its shareholders’ money on the line to maintain its relationships with the intelligence community.

Last night, Mitch McConnell introduced a bill for a 2-month straight reauthorization of the expiring PATRIOT provisions as well as USA F-ReDux under a rule that bypasses Committee structure, meaning he will be able to bring that long-term straight reauthorization, that short term one, or USA F-ReDux to the floor next week.

Given that a short term reauthorization would present a scenario not envisioned in Gerard Lynch’s opinion ruling the Section 215 dragnet unlawful, it has elicited a lot of discussion about how the Second Circuit, FISC, and the telecoms might respond in case of a short term reauthorization. But these discussions are almost entirely divorced from some evidence at hand. So I’m going to lay out what we know about both past telecom and FISA Court behavior.

Because of the details I lay out below, I predict that so long as Congress looks like it is moving towards an alternative, both the telecoms and the FISC will continue the phone dragnet in the short term, and the Second Circuit won’t weigh in either.

The phone dragnet will continue for another six months even under USA F-ReDux

As I pointed out here, even if USA F-ReDux passed tomorrow, the phone dragnet would continue for another 6 months. That’s because the bill gives the government 180 days — two dragnet periods — to set up the new system.

(a) IN GENERAL.—The amendments made by sections 101 through 103 shall take effect on the date that is 180 days after the date of the enactment of this Act.

(b) RULE OF CONSTRUCTION.—Nothing in this Act shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 24 1861 et seq.) as in effect prior to the effective date described in subsection (a) during the period ending on such effective date.

The Second Circuit took note of USA F-ReDux specifically in its order, so it would be hard to argue that it doesn’t agree Congress has the authority to provide time to put an alternative in place. Which probably means (even though I oppose Mitch’s short-term reauth in most scenarios) that the Second Circuit isn’t going to balk — short of the ACLU making a big stink — at a short term reauth for the purported purpose of better crafting a bill that reflects the intent of Congress. (Though the Second Circuit likely won’t look all that kindly on Mitch’s secret hearing the other day, which violates the standards of debate the Second Circuit laid out.)

Heck, the Second Circuit waited 8 months — and one failed reform effort — to lay out its concerns about the phone dragnet’s legality that were, in large part, fully formed opinions at least September’s hearing. The Second Circuit wants Congress to deal with this and they’re probably okay with Congress taking a few more months to do so.

FISC has already asked for briefing on any reauthorization

A number of commentators have also suggested that the Administration could just use the grandfather clause in the existing sunset to continue collection or might blow off the Appeals Court decision entirely.

But the FISC is not sitting dumbly by, oblivious to the debate before Congress and the Courts. As I laid out here, in his February dragnet order, James Boasberg required timely briefing from the government in each of 3 scenarios:

  • A ruling from an Appellate Court
  • Passage of USA F-ReDux introduces new issues of law that must be considered
  • A plan to continue production under the grandfather clause

And to be clear, the FISC has not issued such an order in any of the publicly released dragnet orders leading up to past reauthorizations, not even in advance of the 2009-2010 reauthorizations, which happened at a much more fraught time from the FISC’s perspective (because FISC had had to closely monitor the phone dragnet production for 6 months and actually shut down the Internet dragnet in fall 2009). The FISC clearly regards this PATRIOT sunset different than past ones and plans to at least make a show of considering the legal implications of it deliberately.

FISC does take notice of other courts

Of course, all that raises questions about whether FISC feels bound by the Second Circuit decision — because, of course, it has its very own appellate court (FISCR) which would be where any binding precedent would come from.

There was an interesting conversation on that topic last week between (in part) Office of Director of National Intelligence General Counsel Bob Litt and ACLU’s Patrick Toomey (who was part of the team that won the Second Circuit decision). That conversation largely concluded that FISC would probably not be bound by the Second Circuit, but Litt’s boss, James Clapper (one of the defendants in the suit) would be if the Second Circuit ever issued an injunction.

Sunlight Foundation’s Sean Vitka: Bob, I have like a jurisdictional question that I honestly don’t know the answer to. The Court of Appeals for the Second Circuit. They say that this is unlawful. Obviously there’s the opportunity to appeal to the Supreme Court. But, the FISA Court of Review is also an Appeals Court. Does the FISC have to listen to that opinion if it stands?

Bob Litt: Um, I’m probably not the right person to ask that. I think the answer is no. I don’t think the Second Circuit Court of Appeals has direct authority over the FISA Court. I don’t think it’s any different than a District Court in Idaho wouldn’t have to listen to the Second Circuit’s opinion. It would be something they would take into account. But I don’t think it’s binding upon them.

Vitka: Is there — Does that change at all given that the harms that the Second Circuit acknowledged are felt in that jurisdiction?

Litt: Again, I’m not an expert in appellate jurisdiction. I don’t think that’s relevant to the question of whether the Second Circuit has binding authority over a court that is not within the Second Circuit. I don’t know Patrick if you have a different view on that?

Third Way’s Mieke Eoyang: But the injunction would be, right? If they got to a point where they issued an injunction that would be binding…

Litt: It wouldn’t be binding on the FISA Court. It would be binding on the persons who received the —

Eoyong: On the program itself.

Patrick Toomey: The defendants in the case are the agency officials. And so an injunction issued by the Second Circuit would be directed at those officials.

But there is reason to believe — even beyond FISC’s request for briefing on this topic — that FISC will take notice of the Second Circuit’s decision, if not abide by any injunction it eventually issues.

That’s because, twice before, it has even taken notice of magistrate judge decisions.

The first known example came in the weeks before the March 2006 reauthorization of the PATRIOT Act would go into effect. During 2005, several magistrate judges had ruled that the government could not add a 2703(d) order to a pen register to obtain prospective cell site data along with other phone data. By all appearances, the government was doing the same with the equivalent FISA orders (this application of a “combined” Business Record and Pen Register order is redacted in the 2008 DOJ IG Report on Section 215, but contextually it’s fairly clear this is close to what happened). Those magistrate decisions became a problem when, in 2005, Congress limited Section 215 order production to that which could be obtained with a grand jury subpoena. Effectively, the magistrates had said you couldn’t get prospective cell site location with just a subpoena, which therefore would limit whether FBI could get cell site location with a Section 215 order.

While it is clear that FISC required briefing on this point, it’s not entirely clear what FISC’s response was. For a variety of reasons, it appears FISC stopped these combined application sometime in 2006 — the reauthorization went into effect in March 2006 — though not immediately (which suggests, in the interim, DOJ just found a new shell to put its location data collection under).

The other time FISC took notice of magistrate opinions pertained to Post Cut Through Dialed Digits (those are the things like pin and extension numbers you dial after your call or Internet connection has been established). From 2006 through 2009, some of the same magistrates ruled the government must set its pen register collection to avoid collecting PCTDD. By that point, FISC appears to have already ruled the government could collect that data, but would have to deal with it through minimization. But the FISC appears to have twice required the government to explain whether and how its minimization of PCTDD did not constitute the collection of content, though it appears that in each case, FISC permitted the government to go on collecting PCTDD under FISA pen registers. (Note, this is another ruling that may be affected by the Second Circuit’s focus on the seizure, not access, of data.)

In other words, even on issues not treating FISC decisions specifically, the FISC has historically taken notice of decisions made in courts that have no jurisdiction over its decisions (and in one case, FISC appears to have limited government production as a result). So it would be a pretty remarkable deviation from that past practice for FISC to completely blow off the Second Circuit decision, even if it may not feel bound by it.

Verizon responds to court orders, but in half-assed fashion

Finally, there’s the question of how the telecoms will react to the Second Circuit decision. And even there, we have some basis for prediction.

In January 2014, after receiving the Secondary Order issued in the wake of Judge Richard Leon’s decision in Klayman v. Obama that the dragnet was unconstitutional, Verizon made a somewhat half-assed challenge to the order.

Leon issued his decision December 16. Verizon did not ask the FISC for guidance (which makes sense because they are only permitted to challenge orders).

Verizon got a new Secondary Order after the January 3 reauthorization. It did not immediately challenge the order.

It only got around to doing so on January 22 (interestingly, a few days after ODNI exposed Verizon’s role in the phone dragnet a second time), and didn’t do several things — like asking for a hearing or challenging the legality of the dragnet under 50 USC 1861 as applied — that might reflect real concern about anything but the public appearance of legality. (Note, that timing is of particular interest, given that the very next day, on January 23, PCLOB would issue its report finding the dragnet did not adhere to Section 215 generally.)

Indeed, this challenge might not have generated a separate opinion if the government weren’t so boneheaded about secrecy.

Verizon’s petition is less a challenge of the program than an inquiry whether the FISC has considered Leon’s opinion.

It may well be the case that this Court, in issuing the January 3,2014 production order, has already considered and rejected the analysis contained in the Memorandum Order. [redacted] has not been provided with the Court’s underlying legal analysis, however, nor [redacted] been allowed access to such analysis previously, and the order [redacted] does not refer to any consideration given to Judge Leon’s Memorandum Opinion. In light of Judge Leon’s Opinion, it is appropriate [redacted] inquire directly of the Court into the legal basis for the January 3, 2014 production order,

As it turns out, Judge Thomas Hogan (who will take over the thankless presiding judge position from Reggie Walton next month) did consider Leon’s opinion in his January 3 order, as he noted in a footnote.

Screen Shot 2014-04-28 at 10.49.42 AM

And that’s about all the government said in its response to the petition (see paragraph 3): that Hogan considered it so the FISC should just affirm it.

Verizon didn’t know that Hogan had considered the opinion, of course, because it never gets Primary Orders (as it makes clear in its petition) and so is not permitted to know the legal logic behind the dragnet unless it asks nicely, which is all this amounted to at first.

Ultimately, Verizon asked to see proof that FISC had considered Leon’s decision. But it did not do any of the things people think might happen here — it did not immediately cease production, it did not itself challenge the legality of the dragnet, and it did not even ask for a hearing.

Verizon just wanted to make sure it was covered; it did not, apparently, show much concern about continued participation in it.

And this is somewhat consistent with the request for more information Sprint made in 2009.

So that’s what Verizon would do if it received another Secondary Order in the next few weeks. Until such time as the Second Circuit issues an injunction, I suspect Verizon would likely continue producing records, even though it might ask to see evidence that FISC had considered the Second Circuit ruling before issuing any new orders.

The Verizon Publicity Stunt, Mosaic Theory, and Collective Fourth Amendment Rights

On Friday, I Con the Record revealed that a telecom — Ellen Nakashima confirms it was Verizon — asked the FISA Court to make sure its January 3 order authorizing the phone dragnet had considered Judge Richard Leon’s December 16 decision that it was unconstitutional. On March 20, Judge Rosemary Collyer issued an opinion upholding the program.

Rosemary Collyer’s plea for help

Ultimately, in an opinion that is less shitty than FISC’s previous attempts to make this argument, Collyer examines the US v. Jones decision at length and holds that Smith v. Maryland remains controlling, mostly because no majority has overturned it and SCOTUS has provided no real guidance as to how one might do so. (Her analysis raises some of the nuances I laid out here.)

The section of her opinion rejecting the “mosaic theory” that argues the cumulative effect of otherwise legal surveillance may constitute a search almost reads like a cry for help, for guidance in the face of the obvious fact that the dragnet is excessive and the precedent that says it remains legal.

A threshold question is which standard should govern; as discussed above, the court of appeals’ decision in Maynard and two concurrences in Jones suggest three different standards. See Kerr, “The Mosaic Theory of the Fourth Amendment,” 111 Mich. L. Rev. at 329. Another question is how to group Government actions in assessing whether the aggregate conduct constitutes a search.See id. For example, “[w]hich surveillance methods prompt a mosaic approach? Should courts group across surveillance methods? If so, how? Id. Still another question is how to analyze the reasonableness of mosaic searches, which “do not fit an obvious doctrinal box for determining reasonableness.” Id. Courts adopting a mosaic theory would also have to determine whether, and to what extent, the exclusionary rule applies: Does it “extend over all the mosaic or only the surveillance that crossed the line to trigger a search?”

[snip]

Any such overhaul of Fourth Amendment law is for the Supreme Court, rather than this Court, to initiate. While the concurring opinions in Jones may signal that some or even most of the Justices are ready to revisit certain settled Fourth Amendment principles, the decision in Jones itself breaks no new ground concerning the third-party disclosure doctrine generally or Smith specifically. The concurring opinions notwithstanding, Jones simply cannot be read as inviting the lower courts to rewrite Fourth Amendment law in this area.

As I read these passages, I imagined that Collyer was trying to do more than 1) point to how many problems overruling the dragnet would cause and 2) uphold the dignity of the rubber stamp FISC and its 36+ previous decisions the phone dragnet is legal.

There is reason to believe she knows what we don’t, at least not officially: that even within the scope of the phone dragnet, the dragnet is part of more comprehensive mosaic surveillance, because it correlates across platforms and identities. And all that’s before you consider how, once dumped into the corporate store and exposed to NSA’s “full range of analytic tradecraft,” innocent Americans might be fingerprinted to include our lifestyles.

That is, not only doesn’t Collyer see a way (because of legal boundary concerns about the dragnet generally, and possibly because of institutional concerns about FISC) to rule the dragnet illegal, but I suspect she sees the reverberations that such a ruling would have on the NSA’s larger project, which very much is about building mosaics of intelligence.

No wonder the government is keeping that August 20, 2008 opinion secret, if it indeed discusses the correlations function in the dragnet, because it may well affect whether the dragnet gets assessed as part of the mosaic NSA uses it as.

Verizon’s flaccid but public legal complaint

Now, you might think such language in Collyer’s opinion would invite Verizon to appeal this decision. But given this lukewarm effort, it seems unlikely to do so. Consider the following details:

Leon issued his decision December 16. Verizon did not ask the FISC for guidance (which makes sense because they are only permitted to challenge orders).

Verizon got a new Secondary Order after the January 3 reauthorization. It did not immediately challenge the order.

It only got around to doing so on January 22 (interestingly, a few days after ODNI exposed Verizon’s role in the phone dragnet a second time), and didn’t do several things — like asking for a hearing or challenging the legality of the dragnet under 50 USC 1861 as applied — that might reflect real concern about anything but the public appearance of legality. (Note, that timing is of particular interest, given that the very next day, on January 23, PCLOB would issue its report finding the dragnet did not adhere to Section 215 generally.)

Indeed, this challenge might not have generated a separate opinion if the government weren’t so boneheaded about secrecy.

Verizon’s petition is less a challenge of the program than an inquiry whether the FISC has considered Leon’s opinion.

It may well be the case that this Court, in issuing the January 3,2014 production order, has already considered and rejected the analysis contained in the Memorandum Order. [redacted] has not been provided with the Court’s underlying legal analysis, however, nor [redacted] been allowed access to such analysis previously, and the order [redacted] does not refer to any consideration given to Judge Leon’s Memorandum Opinion. In light of Judge Leon’s Opinion, it is appropriate [redacted] inquire directly of the Court into the legal basis for the January 3, 2014 production order,

As it turns out, Judge Thomas Hogan (who will take over the thankless presiding judge position from Reggie Walton next month) did consider Leon’s opinion in his January 3 order, as he noted in a footnote.

Screen Shot 2014-04-28 at 10.49.42 AM

And that’s about all the government said in its response to the petition (see paragraph 3): that Hogan considered it so the FISC should just affirm it.

Verizon didn’t know that Hogan had considered the opinion, of course, because it never gets Primary Orders (as it makes clear in its petition) and so is not permitted to know the legal logic behind the dragnet unless it asks nicely, which is all this amounted to at first.

Note that the government issued its response (as set by Collyer’s scheduling order) on February 12, the same day it released Hogan’s order and its own successful motion to amend it. So ultimately this headache arose, in part, because of the secrecy with which it treats even its most important corporate spying partners, which only learn about these legal arguments on the same schedule as the rest of us peons.

Yet in spite of the government’s effort to dismiss the issue by referencing Hogan’s footnote, Collyer said because Verizon submitted a petition, “the undersigned Judge must consider the issue anew.” Whether or not she was really required to or could have just pointed to the footnote that had been made public, I don’t know. But that is how we got this new opinion.

Finally, note that Collyer made the decision to unseal this opinion on her own. Just as interesting, while neither side objected to doing so, Verizon specifically suggested the opinion could be released with no redactions, meaning its name would appear unredacted.

The government contends that certain information in these Court records (most notably, Petitioner’s identity as the recipient of the challenged production order) is classified and should remain redacted in versions of the documents that are released to the public. See Gov’t Mem. at 1. Petitioner, on the other hand, “request[s] no redactions should the Court decide to unseal and publish the specified documents.” Pet. Mem. at 5. Petitioner states that its petition “is based entirely on an assessment of [its] own equities” and not on “the potential national security effects of publication,” which it “is in no position to evaluate.” Id.

I’ll return to this. But understand that Verizon wanted this opinion — as well as its own request for it — public.

Read more

NSA’s Newfound Concern about Defendants’ Rights under FISA

As WSJ reported it was going to do, NSA has requested that the FISA Court permit it to retain call data beyond the 5 year age-off date because of all the lawsuits it faces.

[T]he Government requests that Section (3)E of the Court’s Primary Order be amended to authorize the preservation and/or storage of certain call detail records or “telephony metadata” (hereinafter “BR metadata”) beyond five years (60 months) after its initial collection under strict conditions and for the limited purpose of allowing the Government to comply with its preservation obligations, described below, arising as a result of the filing of several civil lawsuits challenging the legality of the National Security Agency (NSA) Section 215 bulk telephony metadata collection program.

It provides this introduction to a list of the suits in question.

The following matters, currently pending either before a United States District Court, or United States Court of Appeals, are among those in which a challenge to the lawfulness of the Section 215 program have been raised:

And lists:

  • ACLU v. Clapper
  • Klayman v. Obama
  • Smith v. Obama, an Idaho case
  • First Unitarian Church of LA, the EFF related case
  • Paul v. Obama
  • Perez v. Clapper, a Bivens suit out of West Texas I hadn’t known about before

It goes on to say,

The duty to preserve typically arises from the common-law duty to avoid spoilation of relevant evidence for use at trial;

[snip]

A party may be exposed to a range of sanctions not only for violating a preservation order,3 but also for failing to produce relevant evidence when ordered to do so because it destroyed information that it had a duty to preserve.

3 To date, no District Court or Court of Appeals has entered a specific preservation order in any of the civil lawsuits referenced in paragraph 4 but a party’s duty to preserve arises apart from any specific court order.

[snip]

When preservation of information is required, the duty to preserve supersedes statutory or regulatory requirements or records-management policies that would otherwise result in the destruction of the information.

[snip]

Based upon the claims raised and the relief sought, a more limited retention of the BR metadata is not possible as there is no way for the Government to know in advance and then segregate and retain only that BR metadata specifically relevant to the identified lawsuits.

[snip]

Congress did not intend FISA or the minimization procedures adopted pursuant to section 1801(h) to abrogate the rights afforded to defendants in criminal proceedings.4 For example, in discussing section 1806, Congress stated,

[a]t the outset, the committee recognizes that nothing in these subsections abrogates the rights afforded a criminal defendant under Brady v. Maryland, and the Jencks Act. These legal principles inhere in any such proceeding and are wholly consistent with the procedures detailed here.

[snip]

Although the legislative history discussed above focuses on the use of evidence against a person in criminal proceedings, the Government respectfully submits that the preservation of evidence in civil proceedings is likewise consistent with FISA.

4 By extension, this should also apply to section 1861(g) which, with respect to retention is entirely consistent with section 1801(h).

Now, if you’re not already peeing your pants in laughter, consider the following.

First, as EFF’s Cindy Cohn pointed out to the WSJ, Judge Vaughn Walker issued a retention order in EFF’s 2008 suit against the dragnet.

Ms. Cohn also questioned why the government was only now considering this move, even though the EFF filed a lawsuit over NSA data collection in 2008.

In that case, a judge ordered evidence preserved related to claims brought by AT&T customers. What the government is considering now is far broader.

So, at least in her interpretation, it should already be retaining it.

Then, consider DOJ’s very serious citation of Congress’ intention that FISA not impair any defendant’s criminal rights. It basically says that that principle, laid out during debates about traditional FISA in 1978, should apply to other parts of FISA like the phone dragnet.

Of course, it was only 24 hours ago when DOJ was last caught violating that principle in Section 702, abrogating a defendant’s right to know where the evidence against him came from. And there are a whole slew of criminal defendants — most now imprisoned — whose 702 notice DOJ is still sitting on, whose rights DOJ felt perfectly entitled to similarly abrogate (we know this because back in June FBI was bragging about how many of them there were). So I am … surprised to hear DOJ suggest it gives a goddamn about criminal defendants’ rights, because for at least the last 7 years it has been shirking precisely that duty as it pertains to FISA.

Also, did you notice what pending case pertaining to the legality of the phone dragnet DOJ didn’t mention? Basaaly Moalin’s appeal of his conviction based off evidence collected pursuant to Section 215. What do you want to bet that NSA hasn’t retained the original phone records that busted him, which would have aged off NSA’s servers back in October 2012, well before DOJ told Moalin it had used Section 215 to nab him. That’s relevant because, according to recent reporting, NSA should not have been able to find Moalin’s call records given claims about limits on collection; if they did, they probably only did because AT&T was turning over other providers phone records. Moreover, we know that NSA was in violation of the dragnet minimization requirements in a slew of different ways at the time. Notably, that includes queries using selectors that had not been RAS-approved, as required, and dissemination using EO 12333’s weaker dissemination rules. Now that we know of these problems, a court might need that original data to determine whether the search that netted Moalin was proper (I presume NSA has the original query results and finished intelligence reports on it, but it’s not clear that would explain precisely how NSA obtained that data). Significantly, it was not until after 2009 that NSA even marked incoming data to show where it had been obtained.

So show us (or rather, Moalin’s lawyers) the data, NSA.

Ah well. If nothing else, this laughable motion should prove useful for defendants challenging their conviction because DOJ abrogated their rights!