How the Second Circuit, FISC, and the Telecoms Might Respond to McConnell’s USA F-ReDux Gambit

Update: Jennifer Granick (who, unlike me, is a lawyer) says telecoms will be subject to suit if they continue to comply with dragnet orders.

Any company that breaches confidentiality except as required by law is liable for damages and attorneys’ fees under 47 U.S.C. 206. And there is a private right of action under 47 U.S.C. 207.

Note that there’s no good faith exception in the statute, no immunity for acting pursuant to court order. Rather, the company is liable unless it was required by law to disclose. So Verizon could face a FISC 215 dragnet order on one side and an order from the Southern District of New York enjoining the dragnet on the other. Is Verizon required by law to disclose in those circumstances? If not, the company could be liable. And did I mention the statute provides for attorneys’ fees?

Everything is different now than it was last week. Reauthorization won’t protect the telecoms from civil liability. It won’t enable the dragnet. As of last Thursday, the dragnet is dead, unless a phone company decides to put its shareholders’ money on the line to maintain its relationships with the intelligence community.

Last night, Mitch McConnell introduced a bill for a 2-month straight reauthorization of the expiring PATRIOT provisions as well as USA F-ReDux under a rule that bypasses Committee structure, meaning he will be able to bring that long-term straight reauthorization, that short term one, or USA F-ReDux to the floor next week.

Given that a short term reauthorization would present a scenario not envisioned in Gerard Lynch’s opinion ruling the Section 215 dragnet unlawful, it has elicited a lot of discussion about how the Second Circuit, FISC, and the telecoms might respond in case of a short term reauthorization. But these discussions are almost entirely divorced from some evidence at hand. So I’m going to lay out what we know about both past telecom and FISA Court behavior.

Because of the details I lay out below, I predict that so long as Congress looks like it is moving towards an alternative, both the telecoms and the FISC will continue the phone dragnet in the short term, and the Second Circuit won’t weigh in either.

The phone dragnet will continue for another six months even under USA F-ReDux

As I pointed out here, even if USA F-ReDux passed tomorrow, the phone dragnet would continue for another 6 months. That’s because the bill gives the government 180 days — two dragnet periods — to set up the new system.

(a) IN GENERAL.—The amendments made by sections 101 through 103 shall take effect on the date that is 180 days after the date of the enactment of this Act.

(b) RULE OF CONSTRUCTION.—Nothing in this Act shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) as in effect prior to the effective date described in subsection (a) during the period ending on such effective date.

The Second Circuit took note of USA F-ReDux specifically in its order, so it would be hard to argue that it doesn’t agree Congress has the authority to provide time to put an alternative in place. Which probably means (even though I oppose Mitch’s short-term reauth in most scenarios) that the Second Circuit isn’t going to balk — short of the ACLU making a big stink — at a short term reauth for the purported purpose of better crafting a bill that reflects the intent of Congress. (Though the Second Circuit likely won’t look all that kindly on Mitch’s secret hearing the other day, which violates the standards of debate the Second Circuit laid out.)

Heck, the Second Circuit waited 8 months — and one failed reform effort — to lay out its concerns about the phone dragnet’s legality that were, in large part, fully formed opinions at least by September’s hearing. The Second Circuit wants Congress to deal with this and they’re probably okay with Congress taking a few more months to do so.

FISC has already asked for briefing on any reauthorization

A number of commentators have also suggested that the Administration could just use the grandfather clause in the existing sunset to continue collection or might blow off the Appeals Court decision entirely.

But the FISC is not sitting dumbly by, oblivious to the debate before Congress and the Courts. As I laid out here, in his February dragnet order, James Boasberg required timely briefing from the government in each of 3 scenarios:

  • A ruling from an Appellate Court
  • Passage of USA F-ReDux introduces new issues of law that must be considered
  • A plan to continue production under the grandfather clause

And to be clear, the FISC has not issued such an order in any of the publicly released dragnet orders leading up to past reauthorizations, not even in advance of the 2009-2010 reauthorizations, which happened at a much more fraught time from the FISC’s perspective (because FISC had had to closely monitor the phone dragnet production for 6 months and actually shut down the Internet dragnet in fall 2009). The FISC clearly regards this PATRIOT sunset differently than past ones and plans to at least make a show of considering the legal implications of it deliberately.

FISC does take notice of other courts

Of course, all that raises questions about whether FISC feels bound by the Second Circuit decision — because, of course, it has its very own appellate court (FISCR) which would be where any binding precedent would come from.

There was an interesting conversation on that topic last week between (in part) Office of Director of National Intelligence General Counsel Bob Litt and ACLU’s Patrick Toomey (who was part of the team that won the Second Circuit decision). That conversation largely concluded that FISC would probably not be bound by the Second Circuit, but Litt’s boss, James Clapper (one of the defendants in the suit) would be if the Second Circuit ever issued an injunction.

Sunlight Foundation’s Sean Vitka: Bob, I have like a jurisdictional question that I honestly don’t know the answer to. The Court of Appeals for the Second Circuit. They say that this is unlawful. Obviously there’s the opportunity to appeal to the Supreme Court. But, the FISA Court of Review is also an Appeals Court. Does the FISC have to listen to that opinion if it stands?

Bob Litt: Um, I’m probably not the right person to ask that. I think the answer is no. I don’t think the Second Circuit Court of Appeals has direct authority over the FISA Court. I don’t think it’s any different than a District Court in Idaho wouldn’t have to listen to the Second Circuit’s opinion. It would be something they would take into account. But I don’t think it’s binding upon them.

Vitka: Is there — Does that change at all given that the harms that the Second Circuit acknowledged are felt in that jurisdiction?

Litt: Again, I’m not an expert in appellate jurisdiction. I don’t think that’s relevant to the question of whether the Second Circuit has binding authority over a court that is not within the Second Circuit. I don’t know Patrick if you have a different view on that?

Third Way’s Mieke Eoyang: But the injunction would be, right? If they got to a point where they issued an injunction that would be binding…

Litt: It wouldn’t be binding on the FISA Court. It would be binding on the persons who received the —

Eoyang: On the program itself.

Patrick Toomey: The defendants in the case are the agency officials. And so an injunction issued by the Second Circuit would be directed at those officials.

But there is reason to believe — even beyond FISC’s request for briefing on this topic — that FISC will take notice of the Second Circuit’s decision, if not abide by any injunction it eventually issues.

That’s because, twice before, it has even taken notice of magistrate judge decisions.

The first known example came in the weeks before the March 2006 reauthorization of the PATRIOT Act would go into effect. During 2005, several magistrate judges had ruled that the government could not add a 2703(d) order to a pen register to obtain prospective cell site data along with other phone data. By all appearances, the government was doing the same with the equivalent FISA orders (this application of a “combined” Business Record and Pen Register order is redacted in the 2008 DOJ IG Report on Section 215, but contextually it’s fairly clear this is close to what happened). Those magistrate decisions became a problem when, in 2005, Congress limited Section 215 order production to that which could be obtained with a grand jury subpoena. Effectively, the magistrates had said you couldn’t get prospective cell site location with just a subpoena, which therefore would limit whether FBI could get cell site location with a Section 215 order.

While it is clear that FISC required briefing on this point, it’s not entirely clear what FISC’s response was. For a variety of reasons, it appears FISC stopped these combined applications sometime in 2006 — the reauthorization went into effect in March 2006 — though not immediately (which suggests, in the interim, DOJ just found a new shell to put its location data collection under).

The other time FISC took notice of magistrate opinions pertained to Post Cut Through Dialed Digits (those are the things like pin and extension numbers you dial after your call or Internet connection has been established). From 2006 through 2009, some of the same magistrates ruled the government must set its pen register collection to avoid collecting PCTDD. By that point, FISC appears to have already ruled the government could collect that data, but would have to deal with it through minimization. But the FISC appears to have twice required the government to explain whether and how its minimization of PCTDD did not constitute the collection of content, though it appears that in each case, FISC permitted the government to go on collecting PCTDD under FISA pen registers. (Note, this is another ruling that may be affected by the Second Circuit’s focus on the seizure, not access, of data.)

In other words, even on issues not treating FISC decisions specifically, the FISC has historically taken notice of decisions made in courts that have no jurisdiction over its decisions (and in one case, FISC appears to have limited government production as a result). So it would be a pretty remarkable deviation from that past practice for FISC to completely blow off the Second Circuit decision, even if it may not feel bound by it.

Verizon responds to court orders, but in half-assed fashion

Finally, there’s the question of how the telecoms will react to the Second Circuit decision. And even there, we have some basis for prediction.

In January 2014, after receiving the Secondary Order issued in the wake of Judge Richard Leon’s decision in Klayman v. Obama that the dragnet was unconstitutional, Verizon made a somewhat half-assed challenge to the order.

Leon issued his decision December 16. Verizon did not ask the FISC for guidance (which makes sense because they are only permitted to challenge orders).

Verizon got a new Secondary Order after the January 3 reauthorization. It did not immediately challenge the order.

It only got around to doing so on January 22 (interestingly, a few days after ODNI exposed Verizon’s role in the phone dragnet a second time), and didn’t do several things — like asking for a hearing or challenging the legality of the dragnet under 50 USC 1861 as applied — that might reflect real concern about anything but the public appearance of legality. (Note, that timing is of particular interest, given that the very next day, on January 23, PCLOB would issue its report finding the dragnet did not adhere to Section 215 generally.)

Indeed, this challenge might not have generated a separate opinion if the government weren’t so boneheaded about secrecy.

Verizon’s petition is less a challenge of the program than an inquiry whether the FISC has considered Leon’s opinion.

It may well be the case that this Court, in issuing the January 3, 2014 production order, has already considered and rejected the analysis contained in the Memorandum Order. [redacted] has not been provided with the Court’s underlying legal analysis, however, nor [redacted] been allowed access to such analysis previously, and the order [redacted] does not refer to any consideration given to Judge Leon’s Memorandum Opinion. In light of Judge Leon’s Opinion, it is appropriate [redacted] inquire directly of the Court into the legal basis for the January 3, 2014 production order,

As it turns out, Judge Thomas Hogan (who will take over the thankless presiding judge position from Reggie Walton next month) did consider Leon’s opinion in his January 3 order, as he noted in a footnote.

And that’s about all the government said in its response to the petition (see paragraph 3): that Hogan considered it so the FISC should just affirm it.

Verizon didn’t know that Hogan had considered the opinion, of course, because it never gets Primary Orders (as it makes clear in its petition) and so is not permitted to know the legal logic behind the dragnet unless it asks nicely, which is all this amounted to at first.

Ultimately, Verizon asked to see proof that FISC had considered Leon’s decision. But it did not do any of the things people think might happen here — it did not immediately cease production, it did not itself challenge the legality of the dragnet, and it did not even ask for a hearing.

Verizon just wanted to make sure it was covered; it did not, apparently, show much concern about continued participation in it.

And this is somewhat consistent with the request for more information Sprint made in 2009.

So that’s what Verizon would do if it received another Secondary Order in the next few weeks. Until such time as the Second Circuit issues an injunction, I suspect Verizon would likely continue producing records, even though it might ask to see evidence that FISC had considered the Second Circuit ruling before issuing any new orders.

USA F-ReDux: Dianne Feinstein Raises the Data Handshake Again

As I noted last November, in her defense of USA Freedom Act last year, Dianne Feinstein suggested the telecoms (principally, Verizon) had agreed to retain their data for longer than their business purposes required without any mandate — what I dubbed the “data handshake.”

On Tuesday, Nov. 18, Feinstein explained how she had resolved the problem presented by telecoms like Verizon that don’t hold these records as long as the NSA currently does. She and Chambliss had written the country’s four biggest telecom companies a letter — she didn’t say when — asking whether the companies would retain phone records longer than they currently do. Two said yes; two said no. “Since that time, the situation has changed,” Feinstein said. “Not in writing, but by personal testament from two of the companies that they will hold the data for at least two years for business reasons.” President Barack Obama even vouched for the telecom companies’ willingness to hold the data. “The fact is that the telecoms have agreed to hold the data. The president himself has assured me of this,” Feinstein said.

Taken in context, Feinstein’s comments reveal how proponents of the USA Freedom Act solved the intelligence community’s problem with the reform bill — that the period of time that records would be held would shrink dramatically. Rather than a legal mandate requiring that telecoms hold onto the data — which some members of the Senate Intelligence Committee demanded in June — the reform bill would use a “data handshake.”

The terms of the data handshake are the most interesting part. This promise is not in writing. According to Feinstein, it is a “personal testament.” (And of course it wasn’t in the bill, where privacy advocates might have objected to it.) The telecom companies could say they were retaining the data for business purposes, though, until now, they’ve had no business purpose to keep the records.

While some, like Bob Litt, have suggested one challenge for having telecoms retain phone records concerned whether telecoms would retain enough of their call records to do pattern analysis, the issue of data retention has largely been unspoken in this round of debate over USA F-ReDux.

But Dianne Feinstein just raised it again this morning on Meet the Press, again endorsing a “data handshake” behind USA F-ReDux and seemingly referring to the assurances the President got from telecoms they would keep the data.

CHUCK TODD:

Senator, while I have you, the Patriot Act, obviously the big, bulk data collection was struck down, in Court. Not quite saying it was unconstitutional, basically saying that the law doesn’t cover what the administration has said it covers, which is this idea of bulk data collection. And says, “If Congress wants to be able to do this, then they need to explicitly pass a law that forces telephone companies to do this or not.” Where are you on this? Are you willing to pass a specific law that allows for bulk data collection, whether held by the phone companies or the government?

SENATOR DIANNE FEINSTEIN:

I think here’s the thing. The president, the House and a number of members of the Senate believe that we need to change that program. And the way to change it is simply to go to the FISA Court for a query, permission to go to a telecom and get that data. The question is whether the telecoms will hold the data. And the answer to that question is somewhat mixed. I know the president believes that the telecoms will hold the data. I think we should try that.

CHUCK TODD:

An act of Congress could force them to do that, correct?

SENATOR DIANNE FEINSTEIN:

An act of Congress could force them to do that.

CHUCK TODD:

And can that pass this Congress?

SENATOR DIANNE FEINSTEIN:

Well, that’s the problem. The House does not have it in their bill. Senator Leahy does not have that in his bill.

If I had to bet on the most likely outcome for the USA F-ReDux bill, it would be USA F-ReDux, with some more shit added in because USA F-ReDux boosters are reluctant to talk about how much more it gives the Intelligence Community than what they have now, and with data retention mandates. As I have said, I think that’s one of the ultimate purposes of Mitch McConnell’s PATRIOT gambit.

One thing is clear, however, which is that Intelligence insiders like Feinstein are talking about data mandates among themselves, even if they’re not discussing them publicly.

Bob Litt: That Bill I Wrote Looks Great on First Read

Supporters of USA F-ReDux are hailing Bob Litt’s comments approving of the bill.

“On first read, the new version of the USA Freedom Act looks like it accomplishes the president’s goals and will preserve important intelligence capabilities,” Robert Litt, the general counsel at the Office of the Director of National Intelligence, said on Friday.

“The administration has worked very closely with members of Congress, their staff — both parties in both houses — to come up with this bill,” he added.

But as even his comments make clear, to say nothing of the comments made during markup yesterday, he didn’t just “first read” it Tuesday after it was released.

He largely wrote it.

In fact, when the Judiciary Committee tried to add things to the bill yesterday to make it comply with the Constitution, they claimed to be impotent to do so because that would blow up the bill. And so they bowed to IC demands.

No wonder Litt is fond of it.

On the Nonsense of Norms about Secrets

At a panel on secrecy yesterday, Bob Litt proclaimed that the NYT “disgraced itself” for publishing names, some of which were widely known, of the people who were conducting our equally widely known secret war on drones.

Sadly, Litt did not get asked the question implied by the Washington Post’s Greg Miller (who has, in the past, caught heat for not publishing some of the same names).

So CIA tried to convince not to name CTC chief, but helped do profile of CTC women with names and photos??

Did the NYT “disgrace itself” for publishing a column by Maureen Dowd that covers over some of the more unsavory female CIA officers — notably, Alfreda Bikowsky — who have nevertheless been celebrated by the Agency?

I’d submit that, yes, the latter was a far more disgraceful act, regardless of the credit some of the more sane female CIA officers deserve, because it was propaganda delivered on demand, and delivered for an agency that would squawk Espionage Act had the NYT published the same details in other circumstances.

Keep that in mind as you read this post from Jack Goldsmith, claiming — without offering real evidence — that this reflects a new “erosion of norms” against publishing classified information.

I mean, sure, I agree the NYT decision was notable. But it’s only notable because it comes after a long series of equally notable events — events upping the tension underlying the secrecy system — that Goldsmith doesn’t mention.

There’s the norm — broken by some of the same people the NYT names, as well as Jose Rodriguez before them — that when you take on the most senior roles at CIA, you drop your cover. By all appearances, as CIA has engaged in more controversial and troubled programs, it has increasingly protected the architects of those programs by claiming they’re still undercover, when that cover extends only to the public, and not to other countries, even adversarial ones. That is, CIA has broken the old norm to avoid any accountability for its failures and crimes.

Then there’s the broken norm — exhibited most spectacularly in the Torture Report — of classifying previously unclassified details, such as the names of all the lawyers who were involved in the torture program.

There’s the increasing amounts of official leaking — up to and including CIA cooperating with Zero Dark Thirty to celebrate the work of Michael D’Andrea — all while still pretending that D’Andrea was still under cover.

Can we at least agree that if CIA has decided a Hollywood propagandistic version of D’Andrea’s career is not classified, then newspapers can treat his actual career as such? Can we at least agree that as soon as CIA has invited Hollywood into Langley to lionize people, the purportedly classified identities of those people — and the actual facts of their career — will no longer be granted deference?

And then, finally, there’s CIA’s (and the Intelligence Community generally) serial lying. When Bob Litt’s boss makes egregious lies to Congress to cover up for the even more egregious lies Keith Alexander offered up when he played dress-up hacker at DefCon, and when Bob Litt continues to insist that James Clapper was not lying when everyone knows he was lying, then Litt’s judgement about who “disgraced” themselves or not loses sway.

All the so-called norms Goldsmith nostalgically presents without examination rest on a kind of legitimacy that must be earned. The Executive has squandered that legitimacy, and with it any trust for its claims about the necessity of the secrets it keeps.

Goldsmith and Litt are asking people to participate with them in a kind of propagandistic dance, sustaining assertions as “true” when they aren’t. That’s the habit of a corrupt regime. They’d do well to reflect on what kind of sickness they’re actually asking people to embrace before they start accusing others of disgraceful behavior.

On Mitch’s PATRIOT Gambit

Mitch McConnell, as you’ve probably heard, has just introduced a bill to reauthorize the expiring provisions of the PATRIOT Act until 2020.

The move has elicited a bunch of outraged comments — as if anyone should ever expect anything but dickishness from Mitch McConnell. But few interesting analytical comments.

For example, Mitch is doing this under Rule 14, meaning it bypasses normal committee process. But that’s not as unusual, in ultimate effect, as people are making out. After all, last year the House Judiciary Committee was forced to adopt a much more conservative opening bill under threat of having its jurisdiction stripped entirely — something that Bob Goodlatte surely liked because it helped him rein in the reformers on his committee. Particularly given Chuck Grassley’s dawdling, I suspect something similar is at issue, an effort to give him leverage to rein in last year’s USA Freedom Act in order to undercut Mitch’s ploy.

Moreover, I think it would be utterly naive to believe Mitch and Richard Burr when they claim they would prefer straight reauthorization.

That’s because we know the IC can’t do everything they want to do under Section 215 right now. While reports that they only get 30% of calls are misleading (not least because NSA gets plenty of international calls into the US under EO 12333), for legal or technical or some other reason, the NSA isn’t currently getting all the records it needs to have full coverage. But it could get all or almost all if it worked with providers.

In addition — and this may be related — the NSA has never been able to turn its automated processes back on for US collected telephone data since they had to turn them off in 2009. They gave up trying last year, when Obama decided to move data to the providers. I suspect that the combination of mandated assistance, record delivery in optimal form, and immunity will permit NSA to dump this data into its existing automated system.

So while Mitch and Burr may pretend they’d love straight reauthorization, it is far, far more likely they’re using this gambit to demand changes to USAF that permit the IC to claim more authorities while pretending to reluctantly adopt reform.

And chief on that list is likely to be data retention, something reformers have been conspicuously silent about since Dianne Feinstein revealed USAF would have had a data retention handshake, but not a mandate. Data retention is why most SSCI members opposed USAF last year, it’s why Bill Nelson (working off his dated understanding of the program from when he served on SSCI) voted against it, and Bob Litt has renewed his emphasis on data retention.

Moreover, given the debates about encryption of the last year, especially Jim Comey’s concerns that Apple would have an unfair advantage over Verizon if it can shield iMessage data, I suspect that by data retention they also mean “forced retention of non-telephony messaging metadata.” I’m not sure whether they would be able to pull this off, but I wouldn’t be surprised if the IC plans to use “NSA reform” as an opportunity to force Apple to keep iMessage metadata.

So that’s what I expect this is about: I expect Mitch deliberately caused outright panic among those fighting a straight reauthorization that even he doesn’t really want, in order to demand more things from this “reform” bill.

 

Section 215’s Multiple Programs and Where They Might Hide after June 1

In a column explicitly limited to the phone dragnet, Conor Friedersdorf pointed to a post I wrote about Section 215 generally and suggested I thought the phone dragnet was about to get hidden under a new authority.

Marcy Wheeler is suspicious that the Obama Administration is planning to continue the dragnet under different authorities.

But my post was about more than just the phone dragnet. It was about two things: First, the way that, rather than go “cold turkey” after it ended the Internet dragnet in 2011 as the AP had claimed, NSA had instead already started doing the same kind of collection using other authorities that — while they didn’t collect all US traffic — had more permissive rules for the tracking they were doing. That’s an instructive narrative for the phone dragnet amid discussions it might lapse, because it’s quite possible that the Intelligence Community will move to doing far less controlled tracking, albeit on fewer Americans, under a new approach.

In addition, I noted that there are already signs that the IC is doing what Keith Alexander said he could live with a year ago: ending the phone dragnet in exchange for cybersecurity information sharing. I raised that in light of increasing evidence that the majority of Section 215 orders are used for things related to cybersecurity (though possibly obtained by FBI, not NSA). If that’s correct, Alexander’s comment would make sense, because it would reflect that it is working cybersecurity investigations under protections — most notably, FISC-supervised minimization — all involved would rather get rid of.

Those two strands are important, taken together, for the debate about Section 215 expiration, because Section 215 is far more than the dragnet. And the singular focus of everyone — from the press to activists and definitely fostered by NatSec types leaking — on the phone dragnet as Section 215 sunset approaches makes it more likely the government will pull off some kind of shell game, moving the surveillances they care most about (that is, not the phone dragnet) under some new shell while using other authorities to accomplish what they need to sustain some kind of phone contact and connection chaining.

So in an effort to bring more nuance to the debate about Section 215 sunset, here is my best guess — and it is a guess — about what they’re doing with Section 215 and what other authorities they might be able to use to do the same collection.

Here are the known numbers on how Section 215 orders break out based on annual reports and this timeline.

[Image: 215 Tracker]

The Phone Dragnet

Since its transfer under Section 215 in 2006, the phone dragnet has generally made up 4 or 5 orders a year (Reggie Walton imposed shorter renewal periods in 2009 as he was working through the problems in the program). 2009 is the one known year where many of the modified orders — which generally involve imposed minimization procedures — were phone dragnet orders.

We know that the government believes that if Section 215 were to sunset, it would still have authority to do the dragnet. Indeed, it not only has a still-active Jack Goldsmith memo from 2004 saying it can do the dragnet without any law, it sort of waved it around just before the USA Freedom Act debate last year as if to remind those paying attention that they didn’t necessarily think they needed USAF (in spite of comments from people like Bob Litt that they do need a new law to do what they’d like to do).

But that depends on telecoms being willing to turn over the dragnet data voluntarily. While we have every reason to believe AT&T does that, the government’s inability to obligate Verizon to turn over phone records in the form it wants them is probably part of the explanation for claims the current dragnet is not getting all the cell records of Americans.

A number of people — including, in part, Ron Wyden and other SSCI skeptics in a letter written last June — think the government could use FISA’s PRTT authority (which does not sunset) to replace Section 215. While the government certainly could get phone records using it, if it could use PRTT to get what it wants, it probably would have been doing so going back to 2006 (the difference in authority is that PRTT gets actual activity placed, whereas 215 can only get records maintained; Verizon isn’t maintaining the records the government would like it to, and PRTT could not get 2 hops).

For calls based off a foreign RAS, the government could use PRISM to obtain the data, with the added benefit that using PRISM would include all the smart phone data — things like address books, video messaging, and location — that the government surely increasingly relies on. Using PRISM to collect Internet metadata is one of two ways the government replaced the PRTT Internet dragnet. The government couldn’t get 2 hops and couldn’t chain off of Americans, however.

I also suspect that telecoms’ embrace of supercookies may provide other options to get the smart phone data they’re probably increasingly interested in.

For data collected offshore, the government could use SPCMA, the other authority the government appears to have replaced the PRTT Internet dragnet with. We know that at least one of the location data programs NSA has tested out works with SPCMA, so that would offer the benefit of including location data in the dragnet. If cell phone location data is what has prevented the government from doing what they want to do with the existing phone dragnet, SPCMA’s ability to incorporate location would be a real plus for NSA, to the extent that this data is available (and cell phone likely has more offshore availability than land line).

The government could obtain individualized data using NSLs — and it continues to get not just “community of interest” (that is, at least one hop) from AT&T, but also 7 other things that go beyond ECPA that FBI doesn’t want us to know about. But using NSLs may suffer from a similar problem to the current dragnet, that providers only have to provide as much as ECPA requires. Thus, there, too, other providers are probably unwilling to provide as much data as AT&T.

Telecoms might be willing to provide, under CISA, data the government is currently getting under 215, and CISA collection won’t be tied in any way to ECPA definitions, though its application is a different topic: cybersecurity (plus leaks and IP theft) rather than terrorism. So one question I have is whether, because of the immunity and extended secrecy provisions of CISA, telecoms would be willing to stretch that.

Other Dragnets

In addition to the phone dragnet, FBI and other IC agencies seem to operate other dragnets under Section 215. It’s probably a decent guess that the 8-13 other 215 orders prior to 2009 were for such things. NYT and WSJ reported on a Western Union dragnet that would probably amount to 4-5 orders a year. Other items discussed involve hotel dragnets and explosives precursor dragnets, the latter of which would have been expanded after the 2009 Najibullah Zazi investigation. In other words, there might be up to 5 dragnets, each representing 4-5 orders a year (assuming they work on the same 90-day renewal cycle), so a total of around 22 of the roughly 175 orders a year that aren’t the phone dragnet (the higher numbers for 2006 are known to be combination orders both obtaining subscription data for PRTT orders and location data with a PRTT order; those uses stopped in part with the passage of PATRIOT reauthorization in 2006 and in part with FISC’s response to magistrate rulings on location data from that year).

Some of these dragnets could be obtained, in more limited fashion, with NSLs (NSLs currently require reporting on how many US persons are targeted, so we will know if they move larger dragnets to NSLs). Alternately, the FBI may be willing to do these under grand jury subpoenas or other orders, given the way they admitted they had done a Macy’s Fagor Elite pressure cooker dragnet after the Boston Marathon attack. The three biggest restrictions on this usage would be timeliness (some NSLs might not be quick enough), the need to have a grand jury involved for some subpoenas, and data retention, but those are all probably manageable hurdles.

The Internet content

Finally, there is the Internet content — which we know makes up a majority of Section 215 orders — that moved to that production from NSLs starting in 2009. It’s probably a conservative bet that over 100 of current dragnet orders are for this kind of content. And we know the modification numbers for 2009 through 2011 — and therefore, probably still — are tied to minimization procedure requirements imposed by the FISC.

A recent court document from a Nicholas Merrill lawsuit suggests this production likely includes URL and data flow requests. And the FBI has recently claimed — for what that’s worth — that they rely on Section 215 for cybersecurity investigations.

Now, for some reason, the government has always declined to revise ECPA to restore their ability to use NSLs to obtain this collection, which I suspect is because they don’t want the public to know how extensive the collection is (which is why they’re still gagging Merrill, 11 years after he got an NSL).

But the data here strongly suggests that going from NSL production to Section 215 production has not only involved more cumbersome application processes, but also added a minimization requirement.

And I guarantee you, FBI or NSA or whoever is doing this must hate that new requirement. Under NSLs, they could just hoard data, as we know both love to do, the FBI even more so than the NSA. Under 215s, judges made them minimize it.

As I noted above, this is why I think Keith Alexander was willing to do a CISA for 215 swap. While CISA would require weak sauce Attorney General derived “privacy guidelines,” those would almost certainly be more lenient than what FISC orders, and wouldn’t come with a reporting requirement. Moreover, whereas at least for the phone dragnet, FISC has imposed very strict usage requirements (demanding that a counterterrorism dragnet be used only for counterterrorism purposes), CISA has unbelievably broad application once that data gets collected (not even requiring that terrorist usages be tied to international terrorism, which would seem to be a violation of the Keith Supreme Court precedent).

All of this is to suggest that for cybersecurity, IP theft, and leak investigations, CISA would offer FBI their ideal collection approach. It would certainly make sense that Alexander (or now, Admiral Mike Rogers and Jim Comey) would be willing to swap a phone dragnet, whose paltry results they could largely achieve using other authorities, if in exchange they got to access cybersecurity data in a far, far more permissive way. That’d be a no-brainer.

There’s just one limitation on this formula, potentially a big one. CISA does not include any obligation. Providers may share data, but there is nothing in the bill to obligate them to do so. And to the extent that providers no longer provide this data under NSLs, it suggests they may have fought such permissive obligation in the past. It would seem that those same providers would be unwilling to share it willingly.

But my thoughts on CISA’s voluntary nature are for another post.

One final thought. If the government is contemplating some or all of this, then it represents an effort — one we saw in all versions of dragnet reform to greater (RuppRoge) or lesser degrees (USAF) — to bypass FISC. The government and its overseers clearly seem to think FISC-ordered minimization procedures are too restrictive, and so are increasingly (and have been, since 2009) attempting to replace the role played by an utterly dysfunctional secret court with one entirely within the Executive.

This is the reason why Section 215 sunset can’t be treated in a vacuum: because, to the extent that the government could do this in other authorities, it would largely involve bypassing what few restrictions exist on this spying. Sunsetting Section 215 would be great, but only if we could at the same time prevent the government from doing similar work with even fewer controls.

In February, the Government Turned in Its Dragnet Homework Late

Last Wednesday, I Con the Record released the latest dragnet order, signed on February 26.

This order actually has several changes of note.

As I predicted, yet another new FISC judge signed the order, James Boasberg, who only joined the court last May. I suspect they’ve been ensuring that every new approval is approved by a different FISC judge, so they can boast to other courts about how many judges have approved the dragnet.

In what may be a related detail, the application for this was late, having been submitted just 3 days before the renewal request was due (and therefore 4 days late). FISC judges have one-week terms, so they may have stalled until Boasberg, as a new judge, was presiding.

Whatever the reason, Boasberg scolded DOJ for turning in their homework late, and warned them not to do it again for the next renewal, if there is one.

With two exceptions, neither of which applies here, Rule 9 of this Court’s Rules of Procedure requires the government to submit a proposed application no later than seven days before it seeks to have a matter entertained by the Court. The Court notes that the government filed its proposed application in this matter four days late. If the government seeks to renew the authorities approved herein prior to their expiration on June 1, 2015, the government is directed to file the proposed renewal application no later than Friday, May 22, 2015.

Curiously, Boasberg doesn’t discuss the five-day longer period of collection under this order; he just sets it.

Boasberg also laid out how the government must proceed under each of three scenarios.

First, if any of the 3 Appellate Courts reviewing the dragnet issue an opinion, “the government is directed to inform the Court promptly if the government’s implementation of this Order has changed as a result.”

Equally important, if Congress does pass some kind of new law, it must tell the court about anything the Court hasn’t already considered.

If Congress has enacted legislation amending 50 U.S.C. § 1861 prior to a request for renewed authorities, the government is directed to provide, along with its request, a legal memorandum pursuant to Rule 11(d) of this Court’s Rules of Procedure addressing any issues of law raised by the legislation and not previously considered by the Court.

This last bit is important. Some things — connection rather than contact chaining — would be codified if USA Freedom Act were to pass. But the Court has already considered it; it has been part of dragnet orders for over a year. Some USAF supporters had assumed new definitions in the bill would elicit new opinions that would be treated under the bill’s transparency provisions, but that’s only if the government believes the FISC has never reviewed it. So (for example) we might never know how the FISC has permitted the government to interpret selection term if it deems that the same as the selection term it is using.

Finally, in language that might address the possibility Charlie Savage raised in November — that the government would continue doing what it is doing, because the underlying “investigation” remains the same, and therefore no extension is required — if nothing happens, the Court requires a memo of law explaining that.

If Congress, conversely, has not enacted legislation amending § 1861 or extending its sunset date, established by Section 102(b) of Public Law 109-177, 120 Stat. 195, as most recently amended by Section 2(a) of Public Law 112-14, 125 Stat. 216, the government is directed to provide a legal memorandum pursuant to Rule 11(d) addressing the power of the Court to grant such authority beyond June 1, 2015.

Section 102(b) of Public Law 109-177 is the section Savage pointed to that might permit the dragnet to continue.

(2) Exception.–With respect to any particular foreign intelligence investigation that began before the date on which the provisions referred to in paragraph (1) cease to have effect, or with respect to any particular offense or potential offense that began or occurred before the date on which such provisions cease to have effect, such provisions shall continue in effect.

That basically says the Court is aware of this discussion, either because it reads the NYT or because the government has mentioned it. This order doesn’t tip a hand on how FISC would regard this claim, but it does make clear it considers it a distinct possibility.

Note, unless I’m missing something, no language like this appears in any of the unredacted sections of previous dragnet orders, not even when Congress was giving the government straight renewals. We can’t be sure, but that certainly seems to suggest the Court has been having conversations — either by itself or with the government — about alternatives in a way Bob Litt and others are not having publicly.

Which brings me back to the government’s late homework again. There are other possibilities to explain the delayed submission. For example, it’s possible they delayed to make the extension of the 90-day period less odd (though I’m not sure why). It’s possible they honestly considered not renewing the order, already putting into place whatever they’re going to unilaterally do once Congress does nothing. Or perhaps they were still debating how to proceed with the Court.

When I used to turn in homework late (okay — it probably only happened once), I had to have a good excuse. What was the government’s?

There’s one more tiny change of note. This order moves its definition for connection chaining to footnote 7 (and the order consolidated some other footnotes). That’s likely just cosmetic, unless the FISC had some concern that the government was using a flexible definition of “connection chaining” for its emergency approvals.

Bob Litt Tried to Stuff Ron Wyden down Alice In Wonderland’s Rabbit Hole

Man, I must have written about this letter Ron Wyden sent to John Brennan during his confirmation process 15 times (of which just a few are linked below). Which is why I’m so fascinated by the back and forth between Wyden’s office (the staffer’s name is redacted) and ODNI, largely Bob Litt, both before and after Wyden sent the letter on January 14, 2013. (Many many kudos to Zack Sampson who FOIAed it through MuckRock.)

Wyden’s office submitted the letter for a declassification review on January 11, 2013. Wyden’s office did not get an answer before he sent it. And on January 15, Bob Litt complained,

I have a concern that there are several references in this letter that are not only classified but compartmented.

So the staffer writes back letting Litt know that he or she had unclassified comments by Executive Branch officials for all the references, and he or she will happily share it. To which Litt responded (on January 17),

Although I am dubious, since there are statements in there that assume as fact things that we have recently succeeded in convincing a judge remain classified, I’ll take a look.

It went on for a while (the email thread is from page 21 to 24), with Litt complaining some more, promising Brennan wouldn’t answer questions about it, and the staffer ultimately pointing out that the reason they keep asking publicly is because ODNI won’t provide answers even in classified form (this exchange precedes Clapper’s lies about the dragnet — to which most of the other documents released under this FOIA pertain — by two months).

What Litt was talking about, clearly, was the Administration’s killing of Anwar al-Awlaki, the memos authorizing which Judge Colleen McMahon, citing Alice in Wonderland for the bizarreness of it all, had just ruled remained exempt from FOIA on January 2, 2013.

In other words, Litt was suggesting that Wyden should not have said the following — which cites McMahon!! — because McMahon had ruled that the government did not have to give the OLC memos authorizing the Awlaki killing to ACLU and NYT, which is rather different from ruling they didn’t have to share such information with the Intelligence Committee or claiming that Wyden could not refer to official comments in a letter to someone who made those comments because citing back those comments made them classified.

I have asked repeatedly over the past two years to see the secret legal opinions that contain the executive branch’s understanding of the President’s authority to kill American citizens in the course of counterterrorism operations. Senior intelligence officials have said publicly that they have the authority to knowingly use lethal force against Americans in the course of counterterrorism operations, and have indicated that there are secret legal opinions issued by the Justice Department’s Office of Legal Counsel that explain the basis for this authority. I have asked repeatedly to see these opinions and I have been provided with some relevant information on the topic, but I have yet to see the opinions themselves.

Both you and the Attorney General gave public speeches on this topic early last year, and these speeches were a welcome step in the direction of more transparency and openness, but as I noted at the time, these speeches left a large number of important questions unanswered. A federal judge recently noted in a Freedom of Information Act case that “no lawyer worth his salt would equate Mr. Holder’s statements with the sort of robust analysis that one finds in a properly constructed legal opinion,” and I assume that Attorney General Holder would agree that this was not his intent.

As Wyden noted, both Brennan and Holder had given big dog-and-pony shows that were clearly about killing Awlaki, and yet Bob Litt wanted to prevent Wyden from pressuring Brennan to turn over the actual legal authorizations to the Intelligence Community’s oversight committee? Really?

Ah well, it all worked out for the forces of good, as when the Committee threatened to hold up Brennan’s confirmation, someone leaked the White Paper to Mike Isikoff, which therefore had to be shared with Jason Leopold, which ultimately led McMahon to liberate the opinions themselves.

Which is probably precisely what Bob Litt was worried about.

Bob Litt: No Contingency Plans for Section 215

A month into the new Congress, neither USA Freedom Act nor a replacement has been reintroduced. Which has led to a discussion of what will happen if Section 215 sunsets in June.

I hope to do my own piece on all of what happens if Section 215 sunsets in June. But in the meantime, I want to point to three things Bob Litt said in his speech on the topic yesterday. In his prepared speech, Litt defended the program and then re-endorsed USA Freedom with the caveats of his letter to Patrick Leahy on it. First, note a few details here.

Finally, the President directed specific steps to address concerns about the bulk collection of telephone metadata pursuant to FISA Court order under Section 215 of the USA PATRIOT Act. You’ll recall that this was the program set up to fix a gap identified in the wake of 9/11, to provide a tool that can identify potential domestic confederates of foreign terrorists. I won’t explain in detail this program and the extensive controls it operates under, because by now most of you are familiar with it, but there is a wealth of information about it available at IContheRecord.

Litt doubles down on the claim the phone dragnet closes a “gap” that never existed. And he suggests this is solely about “identifying potential domestic confederates” of foreigners. Not only does that obscure that it also serves to identify networks here in the US (as it did after the Marathon bombing, and with Najibullah Zazi), but two court filings admit that it is also about identifying potential informants on networks of interest, not finding confederates. It also helps NSA to identify which conversations to prioritize for translation or other analysis (meaning it necessarily ties directly to content).

Which is why I find it interesting that Litt follows that disingenuous description of the use of the phone dragnet.

Some have claimed that this program is illegal or unconstitutional, though the vast majority of judges who have considered it to date have determined that it is lawful. People have also claimed that the program is useless because they say it’s never stopped a terrorist plot. While we have provided examples where the program has proved valuable, I don’t happen to think that the number of plots foiled is the only metric to assess it; it’s more like an insurance policy, which provides valuable protection even though you may never have to file a claim. And because the program involves only metadata about communications and is subject to strict limitations and controls, the privacy concerns that it raises, while not non-existent, are far less substantial than if we were collecting the full content of those communications.

Twenty months after Snowden first revealed the phone dragnet, the IC is not admitting what this is used for or how (and is maintaining the charade that there aren’t legal problems with having proclaimed everything relevant to terrorism in secret).

Even so, the President recognized the public concerns about this program and ordered that several steps be taken immediately to limit it. In particular, except in emergency situations NSA must now obtain the FISA court’s advance agreement that there is a reasonable articulable suspicion that a number being used to query the database is associated with specific foreign terrorist organizations. And the results that an analyst actually gets back from a query are now limited to numbers in direct contact with the query number and numbers in contact with those numbers – what we call “two hops” instead of three, as it used to be.

Fact check: The current language of the dragnet orders permits chaining on “connections,” not “contacts.”

Longer term, the President directed us to find a way to preserve the essential capabilities of this program without having the government hold the metadata in bulk. In furtherance of this direction, we worked extensively with Congress, on a bipartisan basis, and with privacy and civil liberties groups, on the USA FREEDOM Act. This was not a perfect bill. It went further than some proponents of national security would wish, and it did not go as far as some advocacy groups would wish. But it was the product of a series of compromises, and if enacted it would have accomplished the President’s goal: it would have prohibited bulk collection under Section 215 and several other authorities, while authorizing a new mechanism that – based on telecommunications providers’ current practice in retaining telephone metadata – would have preserved the essential capabilities of the existing program. Having invested a great deal of time in those negotiations, I was personally disappointed that the Senate failed by two votes to advance this bill, and with Section 215 sunsetting on June 1 of this year, I hope that the Congress acts expeditiously to pass the USA FREEDOM Act or another bill that accomplishes the President’s goal.

As a reminder, when Bob Litt says, “bulk collection,” he is not using common English usage. He is instead referring to the collection of stuff with no discriminators. So the aspiration to collect “all” phone records is bulk under his definition, but the aspiration to collect all US-to-foreign money transfers is not because the latter uses a discriminator (US-to-foreign).

Also note that Litt claims this is based on “telecommunications providers’ current practice,” which is when (during the speech) I started tweeting requests for a divorce lawyer to subpoena some 20-month-old Verizon records. Last summer, Verizon said in sworn testimony they only kept records 12 to 18 months, though during the debate Dianne Feinstein revealed they and another carrier had agreed “voluntarily” to keep their phone records 2 years. So has Verizon already extended how long it keeps these records? Or is Bob Litt fibbing here? (My bet is they haven’t because my bet is that “voluntary” retention would have been worked into the new compensation mechanisms of USA Freedom Act.)

After that endorsement for USAF or another bill to pass before the Section 215 sunset, Litt got two more questions on the topic (in addition to one on the FISC advocate, to which he responded he’d like the weak tea advocate of his interpretation of the bill).

In the first question, Cameron Kerry asked what happens if Section 215 sunsets. Litt responded (my transcription):

Good question. The President said he wants to have a mechanism that preserves the essential capabilities of the bulk collection program that we have now without the bulk collection. There’s a proposal up there that would accomplish that. I’m hopeful that we will get that passed. If it sunsets, if it goes away, obviously the program will end. We’ll also lose other authorities that are under the same section, which have nothing to do with bulk collection whatsoever. So at this point we’re still far enough away that I think that we’re not doing extensive contingency planning other than trying to map out the legislative way to get something passed that will accomplish the President’s goals.

One thing to emphasize here — which no one I saw noted — is Litt focuses on the “essential capabilities” of the existing program. That’s not just phone records for contact chaining, as I pointed out above. It includes connection chaining, which I strongly suspect is part of the problem with current compliance.

That is, it would not be enough to just get phone records, because that likely doesn’t give all the parameters for “connections” that are currently in place.

Furthermore, as Litt points out but others have not, if Section 215 sunsets, the IC loses the current authorization they’re using for the phone dragnet, but also the authorizations for what are probably several other bulky programs (the aforementioned money transfer one, one targeted at hotel rooms which might be imperiled anyway because of a pending SCOTUS case, and one or ones targeted at the purchase records of explosive precursors like fertilizer, acetone, hydrogen peroxide, and possibly pressure cookers). In addition, the FBI would lose the ability to get certain Internet records that providers have been able to refuse NSLs for; these currently make up the majority of Section 215 orders (given that I Con the Record said the IC had had 161 phone dragnet targets last year and there were around 180 Section 215 orders, there may well have been more of these Internet requests last year than phone dragnet targets).

Even if there are alternatives for the phone dragnet (I see problems with meeting the government’s goals, rather than just getting phone records, using either PRTT or NSLs), alternatives would be more difficult for the others, including the Internet one (for reasons I don’t understand). That is, a sunset of Section 215 comes with additional costs for the government that not passing USAF (which would close existing gaps) doesn’t.

Not long after this exchange, another questioner asked, “Does this mean government won’t take advantage of ways to extend phone dragnet,” apparently referring to this Charlie Savage report suggesting the government could just continue because the underlying investigations are.

Litt responded by saying there’d be problems continuing to do the dragnet “under this authority.”

I don’t think we’ve thought a lot about contingency plans. I think that if, there’s obviously, I don’t think I’m revealing any deep secrets here. There’s obviously a somewhat more substantial political hurdle in saying, Yes Congress, we know you didn’t reauthorize this but we’re going to go ahead and do it anyway under this authority. We’ll just — I’m hopeful we’ll never have to confront those issues.

While that definitely suggests Litt would advise against continuing the dragnet under Section 215, he was very specific about using Section 215 here, as opposed to some other authority.

Which brings me back to my take. I do believe the government could get some subset of phone records using PRTT or NSLs. But there is a reason why the Administration has resisted calls — specifically saying there are non-technical (suggesting legal) problems with doing so. At the very least, they’re holding out to get the immunity and compensation and provider assistance Congress would be trading for a few small reforms.

But I think they need that package — immunity, compensation, and provider assistance — to do what they want done. And they’re not going to get it under PRTT or NSL.

The 702 Crimes Include Cybersecurity, Infrastructure, and “Transnational Crimes”

Bob Litt is giving a speech. In it he described what “serious crimes” FBI can use 702-derived information to investigate and prosecute. They include:

Can use for 702: Crimes involving death, kidnapping, bodily harm, v minor, infrastructure, cybersecurity, transnational crimes.

Both cybersecurity and infrastructure are big, and potentially egregiously interpreted. They surely can include a whole slew of innocent protestors who are deemed a threat to things like fracking or city infrastructure.

But also, if FBI can use 702 to investigate “transnational crime” then why isn’t Jamie Dimon in prison?