Posts

The Republican PCLOB Cover-Up of NSA’s XKEYSCORE Use Is More Troubling than Tucker Carlson’s Claims To Be Surveilled

/9 Comments/in /by

The other day, Tucker Carlson claimed that an NSA whistleblower had contacted him to let him know that the NSA was monitoring “our” electronic communications and planned to leak them to take him off the air. Carlson claims the whistleblower’s ability to read back what Carlson said in some texts and emails (both easily hackable communications) about an upcoming story is proof that it happened.

In response, the NSA issued an unprecedented statement via Twitter, reading in part:

This allegation is untrue. Tucker Carlson has never been an intelligence target of the Agency and the NSA has never had any plans to try to take his program off the air.

[snip]

NSA may not target a US citizen without a court order that explicitly authorizes the targeting.

As a number of people have pointed out, given how NSA uses “target” here, this doesn’t amount to a denial, because it’s possible that Carlson’s communications with a foreigner who was legally targeted got swept up. Strictly as a hypothetical, it could be that Carlson is working on another Hunter Biden story involving Ukraine, and the NSA picked up his communications directly with an agent of Russia in Ukraine by targeting that totally legitimate intelligence target. The result would be to incidentally collect Carlson’s communications with said hypothetical Ukrainian target. Particularly if the communications implicating Carlson were damning and potentially illegal, leaking them to him would be an easy way to flip the story, and accuse NSA of spying rather than Carlson of coordinating with Russian agents. Again, that’s all just a hypothetical that might explain Carlson’s claims.

Still, given that Carlson is a liar who has recently been spewing conspiracy theories that are whack even for him, my default assumption is that he’s lying.

Meanwhile, Carlson’s little cultivated outrage occurs at the same time that Privacy and Civil Liberties Oversight Board member Travis LeBlanc released a scathing dissent, dated March 12, 2021 but just declassified, from a recently released but still classified PCLOB report on the NSA’s use of XKEYSCORE. The statement points to problems with both the use of XKEYSCORE and EO 12333 generally, as well as the operation of PCLOB under the recently departed Adam Klein’s tenure as Chair. Together, LeBlanc’s complaint suggests that Klein may have deliberately protected NSA from scrutiny after violations that happened during the Trump Administration were discovered in November 2020.

XKEYSCORE is effectively a means of querying the Five Eyes collections for all information on a target. Here’s what a query, called a “fingerprint,” targeting a peace and reconciliation commission in the Solomon Islands, looks like:

PCLOB started investigating XKEYSCORE in 2014 as part of its review of a limited subset of programs authorized under EO 12333.

The NSA deep dive concerned NSA’s use of XKEYSCORE, an intelligence analysis tool. The Board received briefings from and held meetings with NSA staff between May 2015 and November 2016. The Board also reviewed the guidance and training provided to NSA personnel, compliance mechanisms, and the relationship between the NSA activity and the NSA’s EO 12333 implementing procedures.

In early 2019, after the Board regained a quorum, the Board reengaged with the NSA and received additional briefings, demonstrations, and information. During this process, the Board worked with NSA to confirm and update facts provided in the 2015 timeframe. Again, the Board concentrated on the protection of U.S. persons’ privacy and civil liberties.

The Board produced a detailed, classified report explaining NSA’s use of XKEYSCORE as an analytic tool and relevant privacy and civil liberties protections in late 2020. Accompanying the report were recommendations from the Board and additional views of individual Board Members. The report and recommendations were delivered to the NSA, Congress, and other relevant executive branch agencies.

But PCLOB, under Klein’s leadership, chose not to declassify any parts of the report on XKEYSCORE.

In his dissent, LeBlanc laid out a bunch of problems with the Report itself:

  1. PCLOB didn’t address any of the technological questions presented by the use of artificial intelligence and machine learning
  2. PCLOB didn’t unpack the jargon NSA uses by separating discovery, targeting, and acquisition activities that can — and LeBlanc strongly implies does — result in domestic collection
  3. PCLOB did not conduct the kind of efficacy review that its three earlier surveillance reports had done (which showed, for example, that the phone dragnet had never been really useful)
  4. PCLOB didn’t adequately chase down the legal justification for XKEYSCORE and closed up shop before examining 2019 violations disclosed in November 2020
  5. PCLOB refused to adopt recommendations made by LeBlanc and Ed Felton, including one (to tag communications believed to belong to a US person) that would not be burdensome but would ensure that such US person communications would be not picked up in the future
  6. PCLOB didn’t release the report
  7. The former GOP majority rushed to finalize this report before Republicans lost the majority on it

Of particular note, LeBlanc suggests that (as happened with the phone dragnet), NSA had not conducted any legal analysis specific to XKEYSCORE before PCLOB asked for it in 2015.

Surprisingly, when the Board requested any legal analysis by the NSA or the Department of Justice regarding the use of XKEYSCORE’s functions in 2015, the NSA responded with a 13-page memo prepared by the NSA Office of General Counsel in 2016. Setting aside such a legal analysis was first written in January 2016, it is equally concerning that the agency apparently has not updated that written legal analysis since then. At a general level and on the basis of the documents that have been provided to the Board, it is concerning that any surveillance tool woul have been conceptualized, coded, implemented, and then executed and routinely used without such a prior legal analysis. Further, the analysis that NSA provided in 2016 fundamentally rests on decades-old Supreme Court precedent from United States v. Verdugo-Urquidez, Smith v. Maryland, Katz v. United States, and two DOJ legal memoranda from the 1980s to assert that collection and use of XKEYSCORE is consistent with the Fourth Amendment.35 The NSA’s legal analysis lacks any consideration of recent relevant Fourth Amendment case law on electronic surveillance that one would expect to be considered–for example, Carpenter v. United States, Riley v. California, United States v. Jones, and United States v. Maynard. [some footnotes omitted]

Half of that footnote 35 — probably the bits that refer to DOJ memos likely including a 1984 OLC memo written by Ted Olson that DOJ is still hiding — is redacted.

The likelihood that none of this complies with the Fourth Amendment is all the more troubling given the disclosure of recent violations using XKEYSCORE and the way, subsequent to those violations, the GOP Majority rushed to finish the report before losing a majority on PCLOB.

In one of the most heavily redacted paragraphs in LeBlanc’s declassified dissent, he explains how PCLOB didn’t investigate reports of 2019 violations uncovered in November 2020.

I am equally concerned that the Board’s former majority failed to investigation [redacted] of serious compliance reports involving XKEYSCORE prior to approving this report. During the former Board’s investigation, it was uncovered in November 2020 that some [redacted] compliance reports involving XKEYSCORE occurred in 2019. Of those [redacted] XKEYSCORE reporters, [redacted] were deemed upon agency review to involve Questionable Intelligence Activities (“QIAs”). QIAs are defined as “any intelligence or intelligence-related activity when there is reason to believe such activity is unlawful or contrary to an EO, Presidential Directive, [Intelligence Community] Directive, or applicable DOD policy governing the activity. [entire sentence redacted] Obviously, violations of U.S. law and the known collection of processing of U.S. person information are serious compliance issues. Yet the former Board did not request specific information [full line redacted]

Ellen Nakashima’s story on this dissent reveals there were hundreds of such reports.

The program also resulted in hundreds of compliance incidents in 2019, a majority of which were considered “questionable intelligence activities” — a category that means the action may have involved improper surveillance of Americans’ communications, according to U.S. officials, who spoke on the condition of anonymity because details are classified.

As LeBlanc describes it (though much of that is redacted), when PCLOB heard about these hundreds of violations that happened under Donald Trump in the same month that Trump lost the presidency, they didn’t ask what happened.

Instead, they rushed to complete the still unfinished report while they retained a majority.

I have several concerns about the Board process that was followed to apparently approve the unfinished report. In a December 2020 Board meeting, the former majority sought ot vote on the then-unfinished XKEYSCORE report. During the Board meeting at which the vote was taken, we spent several hours discussing the revisions to the body and recommendations that would need to be made to the report. Instead of completing those revisions and then providing sufficient time for Members to review the report and prepare their statements before voting, the former Board majority sought in that meeting to approve the report for this project, ostensibly foreseeing the expiration of former Member Aditya Bamzai’s term at the end of December. Literally on the evening of December 21, former Member Bamzai circulated his statement. Subsequently, the new Board convened in January 2021 and then-Chairman submitted his own intention to resign the same month. Recognizing that the current 2021 Board has not voted on a report that we were still considering for revision as I drafted this statement, I have repeatedly requested a vote by the current Board on the final version of this report, including all final statements of current Members as well as a vote on whether to include the statement of a former Member. The then-current Chairman created a legal fiction to compel the issuing of a former Member’s statement without so much as a vote of the current Board to release this report. I simply cannot support a report that has not been voted on by the current Board that will issue it.

Even while he was pulling a fast one to close up the review of XKEYSCORE before it was done, Klein was writing his own White Paper on FISA that made claims about the soundness of FISA that he had no ability to conclude (most importantly, because PCLOB did not receive any of the applications implicating Sensitive Investigative Matters that should get the most scrutiny.

There were two claims of improper surveillance by NSA in recent days. One, made by a serial fabulist. And another, made by someone with access to classified information, that may affect hundreds of Americans.

The refusal of Republicans on PCLOB to examine the latter violations merits far more attention given the credibility of the reporting source than Tucker Carlson’s claims.

PCLOB: The Essential Oversight Link Designed to Be Inadequate

/5 Comments/in , , /by

Last year, there were a couple of measures that purported to respond to the problems with the Carter Page FISA application but which would not have helped him at all. In February, House Judiciary Committee rolled out a bill to replace the now-lapsed Section 215 of FISA that included a Privacy and Civil Liberties Oversight Board review of the impact that tradition FISA had on First Amendment Activities.

SEC. 303. REPORT ON USE OF FISA AUTHORITIES REGARDING PROTECTED ACTIVITIES AND PROTECTED CLASSES.

(a) REPORT.—Not later than one year after the date of the enactment of this Act, the Privacy and Civil Liberties Oversight Board shall make publicly available, to the extent practicable, a report on—

(1) the extent to which the activities and protected classes described in subsection (b) are used to support targeting decisions in the use of authorities pursuant to the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.); and

(2) the impact of the use of such authorities on such activities and protected classes.

As I noted at the time, because PCLOB’s mandate is limited to counterterrorism, it would not be able to look at counterintelligence targeting. This is not the first time that PCLOB’s mandate made its work less useful than it could be. Because its Section 702 report was necessarily limited to the counterterrorism uses of the law, PCLOB’s report did not address problems with the cybersecurity and counterproliferation uses of Section 702, both of which have far more unexpected impact on US person’s privacy than the counterterrorism use.

Then, in May, PCLOB’s Chair, Adam Klein, announced PCLOB was going to review traditional FISAs.

Adam I. Klein, the chairman of the privacy board, said that the issues Horowitz surfaced were precisely those that the board was established to examine.

“This is at the heartland of our jurisdiction,” said Klein, a lawyer and prominent researcher of FISA and other national security laws. “The IG found systemic compliance problems. At a minimum, we have a duty to inform ourselves.”

I again noted that PCLOB’s mandate would limit the value of such a review, and indeed, would prevent PCLOB from even reviewing the precipitating application, Page’s counterintelligence application.

Last week, Klein released the results of that review, billed and released not as a PCLOB report, but as a Chairperson’s White Paper (Klein has said he’d step down once Joe Biden replaced him). He makes clear,

I provide several observations and recommendations based on this review. These views are provided in my individual capacity as Chairman and should not be attributed to the Board as a whole or to other members of the Board.

Its recommendations are not obviously supported by the described scope of the review. His White Paper generally argues for more efficiency, a recommendation that conflicts with virtually all other conclusions that came out of the Carter Page review (though some of his recommendations to achieve efficiency, such as making the authorization period for non-US person FISA applications one year, make sense). He makes two recommendations (that the Woods file not require repeated documentation for repeated facts and that DOJ distinguish between information known at the time and information learned subsequent to an initial application) that would undercut some of the results of the DOJ IG Report on Carter Page.

Klein’s White Paper does recommend that a summary memo submitted with the application which highlights novel privacy, legal, or technological issues. If the FBI Director or his delegate were required to sign off on that summary as well as the current certification (that doesn’t address the probable cause content of the application in the least), it might provide a level of accountability that (Congress doesn’t yet understand) FISA currently lacks. Other than that, Klein’s White Paper reads as much like a valedictory trying to guide future PCLOB plans as it does a report to improve FISA. Almost two pages of the 26-page report constitutes a recommendation to reauthorize Section 215 of FISA.

But, as predicted, the review did not consider anything remotely pertinent to what happened to Carter Page.

To conduct its review of applications themselves, PCLOB asked for and received the subset of the 29 FISA files that DOJ IG is conducting a review of that pertain to counterterrorism as well as the backup exchange between FBI and DOJ regarding those applications. That included:

  • 19 total applications (out of 29 reviewed by DOJ IG)
  • All counterterrorism targets
  • Most located in United States at time of targeting

These details help us understand the two reports DOJ IG wrote about the full set of 29 files, which I wrote about here. Of the 29, ten must be counterintelligence files like Carter Page’s.

Because PCLOB did not review the counterintelligence applications, it only reviewed one of the two for which DOJ IG found a material error.  The second was a CI application that showed a worse error rate than the Carter Page file (which was measured using a different methodology than the Carter Page one).

It also didn’t review any Sensitive Investigative Matters — applications which, like Carter Page’s, involve someone who is a political, journalistic, or religious figure whose targeting should get extra scrutiny. That seems to suggest that DOJ IG did not include any counterterrorism applications targeting SIMs in its review (it would seem SIMs would be more likely to be targeted on the counterintelligence side, but we know of religious and political figures targeted under counterterrorism FISA applications). These would be the applications that pose the greatest privacy and civil liberties concern.

In lieu of that, FBI Office of General Counsel provided PCLOB with,

The number of “sensitive investigative matters” pertaining to U.S. persons in which FBI sought a FISA probable cause order in each year between 2015 and 2019, a summary of each matter (including the type of investigation and the features resulting in its classification as a “sensitive investigative matter”), and whether each request was granted.

That’s presumably how PCLOB learned that there aren’t all that many SIMs targeted under FISA.

[I]nformation received by the Board indicates that relatively few FISA applications are obtained each year in SIMs.

Still, this is the core of what you’d need to review to serve the function of PCLOB. Klein even appears not to have reviewed Page’s significantly declassified public applications, which would have been simple to do, would have provided him something to compare the counterterrorism applications he reviewed with, but which would have been outside the scope of PCLOB’s mandate.

This matters because PCLOB has been reasonably effective. Indeed, in a book published in April in recognition of the 50th Anniversary of the Pentagon Papers, Lisa Monaco (in a contribution submitted before she became Deputy Attorney General) pointed to PCLOB’s contributions after the Snowden releases as an important way forward to balance security and secrecy in the age of mass leaks. Monaco even recommended that PCLOB consult with the Director of National Intelligence prior to the implementation of certain policies. (Director of National Intelligence Avril Haines also contributed a chapter to the book, which was far more intriguing that Monaco’s.)

Another would be to institute a practice of DNI consultation with the PCLOB before the adoption of certain collection programs. The PCLOB served an important function after disclosures precisely because it is charged with considering privacy and civil liberties implications as well as the national security implications of counter-terrorism programs.82 It could be a valuable addition to the consideration and review of some intelligence programs for a standing body with the infrastructure to handle classified information to work with privacy officers in each agency to assess privacy concerns and conduct privacy impact assessments that are reported to the DNI.

But as noted above, even PCLOB’s Section 702 review suffered because it couldn’t look at several of the applications of 702, applications implicated by the Snowden releases.

Last year, I was told that efforts to expand the jurisdiction of PCLOB would be a poison pill to any bill to which they were attached. I can only assume that means the Executive doesn’t want to expose to scrutiny they kinds of practices that were central to the Carter Page application.

But if Lisa Monaco believes PCLOB has a role to play in balancing national security and secrecy, she should ensure its mandate is sufficiently broad to do that job.

In a Bid to Remain Relevant, PCLOB Will Treat Carter Page as a Suspected Terrorist

/2 Comments/in /by

It takes until paragraph 19 of this story on the decision by the Privacy and Civil Liberties Oversight Board to examine Title I FISA processes before it explains why the decision is such an obvious political game.

[PCLOB Chair Adam] Klein said the board plans only to examine counterterrorism matters, which would preclude any review of wiretap applications for Page or any investigation by the FBI of the Trump campaign.

PCLOB’s mandate is limited to counterterrorism. There were efforts to expand its mandate to include counterintelligence as part of Section 215 reauthorization that failed, so Congress has expressed an intent in recent days to limit PCLOB’s mandate to counterterrorism. Which means PCLOB has no mandate to investigate the Carter Page investigation.

But in spite of that limit on PCLOB’s mandate, PCLOB’s Republicans have decided to examine what the story calls DOJ IG’s “findings.”

Adam I. Klein, the chairman of the privacy board, said that the issues Horowitz surfaced were precisely those that the board was established to examine.

“This is at the heartland of our jurisdiction,” said Klein, a lawyer and prominent researcher of FISA and other national security laws. “The IG found systemic compliance problems. At a minimum, we have a duty to inform ourselves.”

Let’s review the posture of DOJ IG’s investigations into FISA-related functions. DOJ IG did an investigation into the Carter Page FISA applications, and found significant problems, both Woods Procedure compliance problems and lack of disclosure of material facts to the court. The way in which FBI first validated and then fact-checked an informant — long cited as a problem by defense attorneys representing counterterrorism defendants — was among the most egregious problems in the Page applications.

The Page investigation is the only finished investigation. That investigation is into a counterintelligence case, and therefore well outside of PCLOB’s mandate.

Based on the findings in that report, DOJ IG set out on an investigation into whether the problems evinced in the Page report are more systematic. As originally scoped, however, that review focused on whether the Woods Procedures–failures in which were not the most urgent or egregious aspect of the Carter Page problems–works. After three months, DOJ IG decided to issue a Management Advisor Memorandum to formally reveal its interim results that show that the Woods Procedures, and the National Security Division’s associated Accuracy Reviews, don’t work.

As a result of these findings, in December 2019, my office initiated an audit to examine more broadly the FBI’s execution of, and compliance with, its Woods Procedures relating to U.S. Persons covering the period from October 2014 to September 2019. As an initial step in our audit, over the past 2 months, we visited 8 FBI field offices of varying sizes and reviewed a judgmentally selected sample of 29 applications relating to U.S. Persons and involving both counterintelligence and counterterrorism investigations. This sample was selected from a dataset provided by the FBI that contained more than 700 applications relating to U.S. Persons submitted by those 8 field offices over a 5-year period. The proportion of counterintelligence and counterterrorism applications within our sample roughly models the ratio of the case types within that total of FBI FISA applications. Our initial review of these applications has consisted solely of determining whether the contents of the FBI’s Woods File supported statements of fact in the associated FISA application; our review did not seek to determine whether support existed elsewhere for the factual assertion in the FISA application (such as in the case file), or if relevant information had been omitted from the application. For all of the FISA applications that we have reviewed to date, the period of courtauthorized surveillance had been completed and no such surveillance was active at the time of our review.

[snip]

As a result of our audit work to date and as described below, we do not have confidence that the FBI has executed its Woods Procedures in compliance with FBI policy.

[snip]

During this initial review, we have not made judgments about whether the errors or concerns we identified were material. Also, we do not speculate as to whether the potential errors would have influenced the decision to file the application or the FISC’s decision to approve the FISA application. In addition, our review was limited to assessing the FBI’s execution of its Woods Procedures, which are not focused on affirming the completeness of the information in FISA applications.

The statistics provided in the MAM reveal that, with respect to Woods Procedures, Carter Page’s FISA applications were actually far better than all but one of the applications DOJ IG reviewed.

But the MAM is not a finished review and, aside from a passing reference to FBI’s failures to document informant reliability, hasn’t focused on issues known to be problematic in FISA applications targeting counterterrorism suspects.

Meanwhile, PCLOB plans to use its mandate to review counterterrorism programs to demand a list of prominent individuals targeted under FISA for the period of the DOJ IG review, 2015 to 2019.

The board will also request the number of investigations touching on prominent individuals in which the FBI sought an order from the surveillance court between 2015 and 2019. Those investigations, which the bureau defines as sensitive investigative matters, may include public officials or candidates for office, according to Justice Department guidelines.

As far as is public there have been zero prominent individuals known to be targeted under FISA. Carter Page — an unknown advisor with no institutional affiliation in DC — certainly didn’t qualify when he was targeted. (I can think of one person investigated as part of the Russian investigation who is a key influence peddler in DC who might have been targeted, but the person is not nationally known outside of political circles.)

There have, however, been key leaders in the Muslim community — who are virtually unknown outside of the Muslim or civil liberties community — targeted under FISA, per one of the most important reports to come out of the Snowden leaks (though before the period of PCLOB’s review).

• Faisal Gill, a longtime Republican Party operative and one-time candidate for public office who held a top-secret security clearance and served in the Department of Homeland Security under President George W. Bush;

• Asim Ghafoor, a prominent attorney who has represented clients in terrorism-related cases;

• Hooshang Amirahmadi, an Iranian-American professor of international relations at Rutgers University;

• Agha Saeed, a former political science professor at California State University who champions Muslim civil liberties and Palestinian rights;

• Nihad Awad, the executive director of the Council on American-Islamic Relations (CAIR), the largest Muslim civil rights organization in the country.

PCLOB probably can’t access this list because its members all have clearance, but this is where you’d start to understand the First Amendment impact of FISA on counterterrorism subjects, not by asking for a list of all the prominent people more likely to be targeted under counterintelligence.

Don’t get me wrong. If this PCLOB review were credible, I’d welcome it. If PCLOB’s mandate actually matched the scope of FISA, it could be a welcome new check on the authority.

But, as I noted in a post on some of the efforts to reform FISA legislatively, because PCLOB’s mandate does not cover some of the FISA practices of most concern, it is useless as an oversight body.

One would imagine that Carter Page, whom the Republicans think was targeted because he volunteered for the Trump campaign, would be among the people bill drafters had in mind for First Amendment protect activities.

Except he wouldn’t be included, for two reasons.

First, PCLOB’s mandate is limited to counterterrorism programs. That didn’t matter for their very good Section 215 report, because they were examining only the CDR program, which itself was limited to terrorism (and Iran).

But it did matter for the Section 702 report. In fact, PCLOB ignored some of the most problematic practices under Section 702, conducted under the guise of cybersecurity, because that’s outside their mandate! It also didn’t explore the impact of NSA’s too-broad definition of targeting under the Foreign Government certificate.

In this case, unless you expand the scope of PCLOB, then this report would only report on the targets of terrorism FISA activity, not foreign intelligence FISA activity, and so not people like Carter Page.

I was told by a key congressional negotiator that expanding PCLOB’s mandate to match FISA (that is, to include counterintelligence and foreign cyber investigations) would kill the bill. Mind you, the bill died overnight anyway, in part because Trump and his supporters want something that more directly feels like a response to the Carter Page applications.

Particularly given that FISA remains under active legislative debate, then, PCLOB would be much better served by arguing that their mandate needs to be expanded to cover all national security investigations, citing their inability to review what happened to Carter Page without overstepping their mandate.

Instead, they appear intent on overstepping their mandate.

Update: In a response to some questions from PCLOB’s press person, it appears PCLOB may misunderstand the results of DOJ IG’s interim findings. PCLOB appears to believe that DOJ IG has found material problems with the 29 files it reviewed, rather than Woods Procedures violations that it has not yet determined to be material.

As you’re aware, the most recent DoJ IG examination found problems with all 29 FISA applications it examined, many of which were for counterterrorism. Of these 29, the Board has requested only those applications that were related to counterterrorism.

The IG’s findings are troubling and suggest systematic shortcomings, with serious implications for Americans’ privacy and civil liberties.

It also appears to believe the FISA mandate to involve PCLOB would permit PCLOB to meaningfully address First Amendment issues even though it could not address many of the problems disproportionately affecting Americans.

Finally, as you may know, the House draft of the USA FREEDOM Act reauthorization bill includes a provision that directs the Board to examine whether activities protected under the First Amendment have any impact on the FISA process.  Should the bill ultimately pass Congress and be signed into law, the forum would help inform Board members on that project as well.