Posts

Billy Barr Signs a Memo That Wouldn’t Have Helped Carter Page

/2 Comments/in , , /by

For eight months, FBI and DOJ have been diligently making changes to the way they do FISA applications, with regular reports into the FISA Court. Whether or not those changes are adequate to fix the problems that beset the Carter Page application, they represent significant effort.

Curiously, a memo Billy Barr just released purporting to enhance compliance in FISA applications appears unaware of the filings at FISC, and instead cites only changes implemented in Christopher Wray’s response to the December 9, 2019 DOJ IG Report (see PDF 466 for his letter).

Therefore, in order to address concerns identified in the report by the Inspector General of the Department of Justice entitled, “Review of Four FISA Applications and Other Aspects of the FBI ‘s Crossfire Hurricane Investigation” (December 2019), and to build on the important reforms described by the Director of the Federal Bureau of Investigation (“FBI”) in his December 6, 2019, response to the Inspector General’s report, I hereby direct that the following additional steps be taken:

Arguably (as I’ll show), at least one of the provisions in the memo is weaker than a change FISC mandated itself.

And while the memo claims to want to protect the rights of people like Carter Page, Barr’s memo would in no way apply to Page. That’s because the special protections tied to political campaigns only apply to those currently associated with campaigns.

With respect to applications for authorization to conduct electronic surveillance or physical searches pursuant to FISA targeting (i) a federal elected official or staff members of the elected official, or (ii) an individual who is a declared candidate for federal elected office or staff members or advisors of such candidate’s campaign (including any person who has been publicly announced by a campaign as a staff member or member of an official campaign advisory committee or group, or any person who is an informal advisor to the campaign),

By the time FBI applied for a FISA application targeting Page, several prominent members of the campaign had dissociated the campaign from him — for his controversial ties to Russia! — in no uncertain terms; those disavowals were included in the FISA application. Yes, Page had been announced as an informal advisor, but then the campaign made very clear he was no longer an informal advisor (and even claimed he never had been).

To be sure, some of the changes proposed — both those limited to those connected with a campaign and the more general ones — are improvements. For example:

  • ¶3(b) requires non-delegable sign-off by the Director of the FBI and the Attorney General) of any application targeting someone associated with a campaign; while requiring non-delegable sign-off may introduce some problems, this is the kind of certification recommended by the DOJ IG Report (though arguably is already incorporated in the December 6, 2019 letter Barr cited).
  • ¶3(d) and ¶3(e) institutes a shorter renewal deadline for these political FISAs, 60 days instead of 90, and requires monthly reports to FISC describing the results and affirming the continued need for such surveillance. These are arbitrary but perhaps useful improvements, not least because by increasing the paperwork required to surveil a political target, they make it more likely that such surveillance will actually be worth it (as the third and fourth applications targeting Page were not).
  • ¶3(f) requires that any political application describe whether less intrusive investigative procedures have been considered — something already required in all FISA applications — and an explanation why those procedures weren’t used. Such a requirement would have been useful in Page’s case (as I noted last year), because it would have emphasized the efforts FBI was making not to take public actions, but in practice this response would almost always point to DOJ guidelines on avoiding taking public actions that might affect an election and might actually encourage the increased reliance on informants, something Trump’s people claim equates to FISA surveillance. A requirement like this might be useful if it took place in the scope of a debate about what techniques were intrusive or not, but there’s zero evidence such a debate has happened.

The memo has two parts on defensive briefings, probably designed to placate Republicans, but which likely don’t do much in practice:

  • For political targets, ¶3(a) requires the FBI Director to consider a defensive briefing before targeting someone, and if no briefing is given, then the Director must document it in writing. FBI did consider defensive briefings for Trump’s people, but for various reasons decided not to do it, but in the case of Carter Page, he had long been wittingly sharing non-public information with known Russian intelligence officers and when FBI tried to explain why such dalliances were problematic in March 2017, he simply disagreed. A defensive briefing for Page would have been as useless as President Obama’s warnings to Trump that Mike Flynn was a problem.
  • For all counterintelligence concerns pertaining to election interference, ¶4 requires the FBI Director to “promulgate procedures, in consultation with the Deputy Attorney General, concerning defensive briefings.” Not only is this requirement utterly silent about what such procedures should do, not only did Wray commit to a similar recommendation in his December 2019 letter, but defensive briefings are precisely what Acting Director of National Intelligence John Ratcliffe is currently politicizing.

As for key review processes mandated by the memo, some are just redundant at best or stupid at worst. For example:

  • ¶1 requires FBI personnel to review the accuracy sub-file before submitting a FISA application. That process is already in place. It’s called the Woods Procedure and it’s the procedure that failed to find errors in the Page application.
  • ¶2 requires someone — it doesn’t say whether FBI or NSD bears responsibility — to report any misstatement or omission to FISC. That’s already required. Plus, this requirement twice gives NSD the authority to determine whether something amounts to a reportable incident. The ongoing DOJ IG investigation into all the errors in FISA applications suggest NSD has deemed some omissions and errors not to be worthwhile of reporting (indeed, there were multiple instances in the Page applications where NSD did not include information they knew of, in at least one case information that FBI did not have). In short, this paragraph seems more focused on ensuring NSD — and not an outside entity, like DOJ IG or the FISC — retains the ability to determine what is and is not a reportable error.
  • ¶3(c) requires an FBI Assistant Special Agent in Charge who is not involved in an investigation to review the FISA application of any defined political targets. The DOJ IG Report found that even NSD lawyers involved in an investigation don’t have enough insight into a case to identify omissions. While an ASAC might have access to case files that NSD lawyers do not, there’s zero reason to believe someone with even less insight into an investigation would better be able to spot omissions than an NSD lawyer with an ongoing role in the application. So this review is likely useless busywork.
  • ¶3(g) requires the Assistant Attorney General to review the case file of a political target within 60 days of its initial grant to make sure everything is kosher, including that the investigation was properly predicated. In conjunction with the shorter renewal timeframe of such applications (which would require DAG sign-off in any case), all this amounts to is a heightened review on first renewal (the memo does not say this is not delegable, so such a review will and probably should not be done by the AAG). But in Page’s case, it would have done nothing (indeed, at the time this would have been done for Page, he was in Russia meeting high level officials, falsely claiming to represent Trump’s interests).

In short, while some of these changes are salutary, a number are just show, and some are worthless busy work.

But my real concern about them — particularly given how Barr only invokes the first Christopher Wray letter to DOJ IG — is how they interact with other details of the FISA reform events that have transpired since last December.

For example, in the last month, the FBI and DOJ engaged in a big dog-and-pony show to claim that none of the errors DOJ IG had identified in 29 FISA applications they reviewed affected probable cause and just two were material. Effectively, that big press push amounted to having NSD pre-empt DOJ IG’s findings in an ongoing investigation, and the public details of NSD’s own review raise abundant reason to doubt the rigor of it. So Barr’s emphasis (in ¶2) on NSD’s role in deciding what is an error seems to be a reassertion of the status quo ante in the midst of an ongoing investigation that is still assessing whether NSD’s reviews are adequate. That makes this feel like another attempt to pre-empt an ongoing investigation.

Even more troubling, Barr’s memo seems unaware of — and in key respects, conflicts with — an order presiding FISA Judge James Boasberg issued in March. As I noted at the time, that order recognized something that was apparent from the DOJ IG Report but which the IG either missed, ignored, or was bureaucratically unable to address: it wasn’t just FBI that dropped the ball on the Page FISA application, NSD did so too.

According to the OIG Report, the DOJ attorney responsible for preparing the Page applications was aware that Page claimed to have had some type of reporting relationship with another government agency. See OIG Rpt. at 157. The DOJ attorney did not, however, follow up to confirm the nature of that relationship after the FBI case agent declared it “outside scope.” Id. at 157, 159. The DOJ attorney also received documents that contained materially adverse information, which DOJ advises should have been included in the application. Id. at 169-170. Greater diligence by the DOJ attorney in reviewing and probing the information provided by the FBI would likely have avoided those material omissions.

Because of that, Boasberg required that DOJ attorneys, too, sign off on all FISA applications, and suggested they get more involved earlier in the process.

As a result, reminders of DOJ’s obligation to meet the heightened duty of candor to the FISC appear warranted. The Court is therefore directing that any attorney submitting a FISA application make the following representation: “To the best of my knowledge, this application fairly reflects all information that might reasonably call into question the accuracy of the information or the reasonableness of any FBI assessments in the application, or otherwise raise doubts about the requested probable cause findings.”

DOJ should also consider whether its attorneys need more formalized guidance – e.g. , their own due-diligence checklists. Consideration should also be given to the potential benefits of DOJ attorney visits to field offices to meet with case agents and review investigative files themselves, at least in select cases – e.g. , initial applications for U.S.-person targets. Increased interaction between DOJ attorneys and FBI case agents during the preparatory process should not only improve accuracy in individual cases but also likely foster a common understanding of how to satisfy the government’s heightened duty of candor to the FISC.

There’s no mention of Boasberg’s order and suggestions in Barr’s memo, and it’s unclear whether that’s because he has no idea what has transpired with the FISC, whether he thinks he can ignore Boasberg’s order, or whether his memo is just for show. In any case, it’s notable that Barr’s memo doesn’t incorporate the key insight Boasberg made, that FISA requires increased diligence from NSD, too.

Similarly, because Boasberg deemed the role of FBI’s lawyers to be “perfunctory,” he asked for more details about their role.

But the role described in the revised Woods Form appears largely 10 perfunctory. To assess whether additional modifications to the Woods Form or related procedures may be warranted, the Court is directing the FBI to describe the current responsibilities FBI OGC lawyers have throughout the FISA process.

Here, Barr has added one more FBI person (an ASAC uninvolved in the case) to the process, whose review can only be perfunctory, rather than ensuring that those with more visibility on the process have a substantive role. Barr also doesn’t incorporate into his memo a change that came from Amicus David Kris after the Wray letter cited in Barr’s memo that case agents attest to the accuracy of FISA reviews, a recommendation FBI adopted, which might accomplish more than any review by an outside ASAC.

There’s one more reason this memo is concerning. ABC reported the other day that long-time Deputy Assistant Attorney General for Legal Policy Brad Wiegmann was reassigned two weeks ago and replaced by a far less experienced political appointee, Kellen Dwyer (though I’ve seen people vouch for his integrity — he’s not a hack). Wiegmann would likely be part of discussions about how to meet FISC’s demands for further accountability.

Though a relatively small unit of fewer than two dozen attorneys, the Office of Law and Policy participates in almost every National Security Council meeting, works with congressional staff to draft new legislation, and conducts oversight of the FBI’s intelligence-gathering activities.

“[It] has been sort of the center of gravity for the Department of Justice on national security policy, and it’s a central role,” said Olsen, who at one point ran the department’s National Security Division and later advised Hillary Clinton’s 2016 presidential campaign.

Wiegmann has led the office since the Obama administration and for almost all of the Trump administration.

In particular, Wiegmann has long been involved in efforts to meet FISC’s demands regarding surveillance it authorizes. Here, just days after Wiegmann’s removal, Barr is issuing a memo that seems unaware of and in at least a few respects, potentially inconsistent with, explicit orders from the presiding FISA Judge.

There’s nothing obviously offensive about this memo. But it would do little to prevent a repeat of the Carter Page problems. And it’s not clear that it adds anything to the very real efforts to improve the FISA process at DOJ. Indeed, it may well be an effort to pre-empt more substantive concerns about the role of NSD (as opposed to FBI) in this process.

Barr released a second memo creating an audit mechanism for national security functions that feels like an effort to get ahead of ongoing DOJ IG investigation. I welcome additional oversight of FBI’s national security functions, though the timing of this and the timing of its implementation — with a report on its creation due just days before the election but all review of its functionality years down the road — feels like an attempt to stave off real legal oversight.

Why I Left The Intercept: The Surveillance Story They Let Go Untold for 15 Months

/112 Comments/in , , , , /by

The Intercept has a long, must-read story from James Risen about the government’s targeting of him for his reporting on the war on terror. It’s self-serving in many ways — there are parts of his telling of the Wen Ho Lee, the Valerie Plame, and the Jeffrey Sterling stories he leaves out, which I may return to. But it provides a critical narrative of DOJ’s pursuit of him. He describes how DOJ tracked even his financial transactions with his kids (which I wrote about here).

The government eventually disclosed that they had not subpoenaed my phone records, but had subpoenaed the records of people with whom I was in contact. The government obtained my credit reports, along with my credit card and bank records, and hotel and flight records from my travel. They also monitored my financial transactions with my children, including cash I wired to one of my sons while he was studying in Europe.

He also reveals that DOJ sent him a letter suggesting he might be a subject of the investigation into Stellar Wind.

But in August 2007, I found out that the government hadn’t forgotten about me. Penny called to tell me that a FedEx envelope had arrived from the Justice Department. It was a letter saying the DOJ was conducting a criminal investigation into “the unauthorized disclosure of classified information” in “State of War.” The letter was apparently sent to satisfy the requirements of the Justice Department’s internal guidelines that lay out how prosecutors should proceed before issuing subpoenas to journalists to testify in criminal cases.

[snip]

When my lawyers called the Justice Department about the letter I had received, prosecutors refused to assure them that I was not a “subject” of their investigation. That was bad news. If I were considered a “subject,” rather than simply a witness, it meant the government hadn’t ruled out prosecuting me for publishing classified information or other alleged offenses.

But a key part of the story lays out the NYT’s refusals to report Risen’s Merlin story and its reluctance — until Risen threatened to scoop him with his book — to publish the Stellar Wind one.

Glenn Greenwald is rightly touting the piece, suggesting that the NYT was corrupt for acceding to the government’s wishes to hold the Stellar Wind story. But in doing so he suggests The Intercept would never do the same.

That’s not correct.

One of two reasons I left The Intercept is because John Cook did not want to publish a story I had written — it was drafted in the content management system — about how the government uses Section 702 to track cyberattacks. Given that The Intercept thinks such stories are newsworthy, I’m breaking my silence now to explain why I left The Intercept.

I was recruited to work with First Look before it was publicly announced. The initial discussions pertained to a full time job, with a generous salary. But along the way — after Glenn and Jeremy Scahill had already gotten a number of other people hired and as Pierre Omidyar started hearing from friends that the effort was out of control — the outlet decided that they were going to go in a different direction. They’d have journalists — Glenn and Jeremy counted as that. And they’d have bloggers, who would get paid less.

At that point, the discussion of hiring me turned into a discussion of a temporary part time hire. I should have balked at that point. What distinguishes my reporting from other journalists — that I’m document rather than source-focused (though by no means exclusively), to say nothing of the fact that I was the only journalist who had read both the released Snowden documents and the official government releases — should have been an asset to The Intercept. But I wanted to work on the Snowden documents, and so I agreed to those terms.

There were a lot of other reasons why, at that chaotic time, working at The Intercept was a pain in the ass. But nevertheless I set out to write stories I knew the Snowden documents would support. The most important one, I believed, was to document how the government was using upstream Section 702 for cybersecurity — something it had admitted in its very first releases, but something that it tried to hide as time went on. With Ryan Gallagher’s help, I soon had the proof of that.

The initial hook I wanted to use for the story was how, in testimony to PCLOB, government officials misleadingly suggested it only used upstream to collect on things like email addresses.

Bob Litt:

We then target selectors such as telephone numbers or email addresses that will produce foreign intelligence falling within the scope of the certifications.

[snip]

It is targeted collection based on selectors such as telephone numbers or email addresses where there’s reason to believe that the selector is relevant to a foreign intelligence purpose.

[snip]

It is also however selector-based, i.e. based on particular phone numbers or emails, things like phone numbers or emails.

Raj De:

Selectors are things like phone numbers and email addresses.

[snip]

A term like selector is just an operational term to refer to something like an email or phone number, directive being the legal process by which that’s effectuated, and tasking being the sort of internal government term for how you start the collection on a particular selector.

[snip]

So all collection under 702 is based on specific selectors, things like phone numbers or email addresses.

Brad Wiegmann:

A selector would typically be an email account or a phone number that you are targeting.

[snip]

So that’s when we say selector it’s really an arcane term that people wouldn’t understand, but it’s really phone numbers, email addresses, things like that.

[snip]

So putting those cases aside, in cases where we just kind of get it wrong, we think the email account or the phone is located overseas but it turns out that that’s wrong, or it turns out that we think it’s a non-U.S. person but it is a  U.S. person, we do review every single one to see if that’s the case.

That PCLOB’s witnesses so carefully obscured the fact that 702 is used to collect cybersecurity and other IP-based or other code collection is important for several reasons. First, because collection on a chat room or an encryption key, rather than an email thread, has very different First Amendment implications than collecting on the email of a target. But particularly within the cybersecurity function, identifying foreignness is going to be far more difficult to do because cyberattacks virtually by definition obscure their location, and you risk collecting on victims (whether they are hijacked websites or emails, or actual theft victims) as well as the perpetrator.

Moreover, the distinction was particularly critical because most of the privacy community did not know — many still don’t — how NSA interpreted the word “facility,” and therefore was missing this entire privacy-impacting aspect of the program (though Jameel Jaffer did raise the collection on IP addresses in the hearing).

I had, before writing up the piece, done the same kind of iterative work (one, two, three) I always do; the last of these would have been a worthy story for The Intercept, and did get covered elsewhere. That meant I had put in close to 25 hours working on the hearing before I did other work tied to the story at The Intercept.

I wrote up the story and started talking to John Cook, who had only recently been brought in, about publishing it. He told me that the use of 702 with cyber sounded like a good application (it is!), so why would we want to expose it. I laid out why it would be questionably legal under the 2011 John Bates opinion, but in any case would have very different privacy implications than the terrorism function that the government liked to harp on.

In the end, Cook softened his stance against spiking the story. He told me to keep reporting on it. But in the same conversation, I told him I was no longer willing to work in a part time capacity for the outlet, because it meant The Intercept benefitted from the iterative work that was as much a part of my method as meetings with sources that reveal no big scoop. I told him I was no longer willing to work for The Intercept for free.

Cook’s response to that was to exclude me from the first meeting at which all Intercept reporters would be meeting. The two things together — the refusal to pay me for work and expertise that would be critical to Intercept stories, as well as the reluctance to report what was an important surveillance story, not to mention Cook’s apparent opinion I was not a worthy journalist — are why I left.

And so, in addition to losing the person who could report on both the substance and the policy of the spying that was so central to the Snowden archives, the story didn’t get told until 15 months later, by two journalists with whom I had previously discussed 702’s cybersecurity function specifically with regards to the Snowden archive. In the interim period, the government got approval for the Tor exception (which I remain the only reporter to have covered), an application that might have been scrutinized more closely had the privacy community been discussing the privacy implications of collecting location-obscured data in the interim.

As recently as November, The Intercept asked me questions about how 702 is actually implemented because I am, after all, the expert.

So by all means, read The Intercept’s story about how the NYT refused to report on certain stories. But know that The Intercept has not always been above such things itself. In 2014 it was reluctant to publish a story the NYT thought was newsworthy by the time they got around to publishing it 15 months later.

In Advance of USA Freedom and CISA Fights, PCLOB Pretends Section 702 Doesn’t Have a Cyber Function

/2 Comments/in , /by

In a piece for Salon, I note some of the weird silences in yesterday’s PCLOB report, from things like the failure to give defendants notice (which I discussed yesterday) to the false claim that Targeting Procedures haven’t been released (they have been — by Edward Snowden). One of the most troubling silences, however, pertains to cybersecurity.

That’s especially true in one area where PCLOB inexplicably remained entirely silent. PCLOB noted in its report that, because Congress limited its mandate to counterterrorism programs, it focused primarily on those uses of Section 702. That meant a number of PCLOB’s discussions — particularly regarding “incidental collections” of Americans sucked up under Section 702 — minimized the degree to which Americans who corresponded with completely innocent foreigners could be in a government database. That said, PCLOB did admit there were other uses, and it discussed the government’s use of Section 702 to pursue weapons proliferators.

Yet PCLOB remained silent about a use of Section 702 that both Director of National Intelligence James Clapper’s office, in its very first information sheet on Section 702 released in June 2013, and multiple government witnesses at PCLOB’s own hearing on this topic in March, discussed: cybersecurity. Not only should that have been discussed because Congress is preparing to debate cybersecurity legislation that would be modeled on Section 702. But the use of Section 702 for cybersecurity presents a number of unique, and potentially more significant, privacy concerns.

And PCLOB just dodged that issue entirely, even though Section 702′s use for cybersecurity is unclassified.

In the transcript of the March PCLOB hearing on Section 702 uses, the word “cyber” shows up 12 times. Four of those references come from DOJ’s Deputy Assistant Attorney General Brad Wiegmann’s description of the kinds of foreign intelligence uses targeted under Section 702. (The other references came from Information Technology Industry Council President Dean Garfield.)

MR. WIEGMANN: You task a selector. So you’re identifying, that’s when you take that selector to the company and say this one’s been approved. You’ve concluded that it is, does belong to a non-U.S. person overseas, a terrorist, or a proliferator, or a cyber person, right, whoever it is, and then we go to the company and get the information.

[snip]

It’s aimed at only those people who are foreign intelligence targets and you have reason to believe that going up on that account that I mentioned, bad guy at Google.com is going to give you back information, information that is foreign intelligence, like on cyber threats, on terrorists, on proliferation, whatever it might be.

[snip]

So in other words, if I need to, if it’s Joe Smith and his name is necessary if I’m passing it to that foreign government and it’s key that they understand that it’s Joe Smith because that’s relevant to understanding what the threat is, or what the information is, let’s say he’s a cyber, malicious cyber hacker or whatever, and it was key to know the information, then you might pass Joe Smith’s name.

Yesterday’s report, however, doesn’t mention “cyber” a single time. Indeed, it seems to go out of its way to avoid mentioning it.

As discussed elsewhere in this Report, the Board believes that the Section 702 program significantly aids the government’s efforts to prevent terrorism, as well as to combat weapons proliferation and gather foreign intelligence for other purposes.

[snip]

The Section 702 program, for instance, is also used for surveillance aimed at countering the efforts of proliferators of weapons of mass destruction.473 Given that these other foreign intelligence purposes of the program are not strictly within the Board’s mandate, we have not scrutinized the effectiveness of Section 702 in contributing to those other purposes with the same rigor that we have applied in assessing the program’s contribution to counterterrorism. Nevertheless, we have come to learn how the program is used for these other purposes, including, for example, specific ways in which it has been used to combat weapons proliferation and the degree to which the program supports the government’s efforts to gather foreign intelligence for the benefit of policymakers.

Its footnote to that last section cites DOJ’s 2012 report to SSCI on the uses of Section 702 (which doesn’t mention cyber) rather than the information sheet released in June 2013, which does.

I find PCLOB’s silence about the use of Section 702 to pursue cyber targets particularly interesting for several reasons.

First, because cyber targets pose unique privacy threats — in part because cyberattackers are more likely to hide their location and exploit the communications of entirely innocent people, meaning Section 702’s claimed targeting limits offer no protection to Americans. Additionally, targeting (as Wiegmann describes it) a “malicious cyber hacker” goes beyond any traditional definition of foreign agent; it is telling he didn’t use a Chinese military hacker as his example instead! Indeed, while proliferation (along with foreign governments, the other presumed certification) is solidly within FISA Amendment Act’s definition of foreign intelligence, cybersecurity is not. In its discussion of back door searches, PCLOB admits there are concerns raised by back door searches that are heightened (or perhaps more sensitive, because they involve affluent white people) outside the counterterrorism context, that’s especially true for cybersecurity targeting.

Consider, too, the likelihood that cyber collection is among the categories of about collection that PCLOB obliquely mentions but doesn’t describe due to classification.

Although we cannot discuss the details in an unclassified public report, the moniker “about” collection describes a number of distinct scenarios, which the government has in the past characterized as different “categories” of “about” collection. These categories are not predetermined limits that confine what the government acquires; rather, they are merely ways of describing the different forms of communications that are neither to nor from a tasked selector but nevertheless are collected because they contain the selector somewhere within them.

At the beginning of the report, PCLOB repeated the government’s claim this is primarily about emails; here in the guts of it, it obliquely references other categories of collection, without really considering whether these categories present different privacy concerns.

Remember, too, that the original, good version of USA Freedom Act remains before the Senate Judiciary Committee. That bill would disallow the use of upstream 702 for any use but counterterrorism and counterproliferation. Did PCLOB ignore this use of Section 702 just to avoid alerting Senators who haven’t been briefed on it that it exists?

Finally, I also find PCLOB’s silence about NSA’s admitted use of Section 702 to pursue cyberattackers curious given that, after Congress largely ditched ideas to involve PCLOB in various NSA oversight — such as providing it a role in the FISA Advocate position — Dianne Feinstein’s Cyber Information Sharing Act all of a sudden has found a use for PCLOB again (serving a function, I should add, that arguably replaces FISC review).

(1) BIENNIAL REPORT FROM PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD.—Not later than 1 year after the date of the enactment of this Act and not less frequently than once every 2 years thereafter, the Privacy and Civil Liberties Oversight Board shall submit to Congress and the President a report providing—

(A) an assessment of the privacy and civil liberties impact of the type of activities carried out under this Act; and

(B) an assessment of the sufficiency of the policies, procedures, and guidelines established pursuant to section 5 in addressing privacy and civil liberties concerns.

Feinstein introduced this bill on June 17, several weeks after PCLOB briefed her staffers on their report (they briefed Congressional committee aides on June 2, and the White House on June 17 — see just after 9:00).

A renewed openness to expanding PCLOB’s role may be entirely unmotivated, or it may stem from PCLOB’s chastened analysis of the legal issues surrounding Section 702.

But I do find it interesting that PCLOB uttered, literally, not one word about the topic that, if DiFi’s bill passes, would expand their mandate.

Does FBI EVER Age Off Its Section 702 Data?

/3 Comments/in /by

The Privacy and Civil Liberties Oversight Board has released the transcript of the first panel from its hearing on Wednesday.

And while I was concerned by the following exchange — between Principal Deputy Assistant Attorney General Brad Wiegmann and PCLOB Chair David Medine — in real time, I find it even more troubling on second pass.

MR. MEDINE: And could you address why the minimization procedures make it a reasonable form of collection under the Fourth Amendment?

[snip]

MR. WIEGMANN: You have retention rules. I believe in some cases, for NSA for example, you have a five year retention limit on how long the information can be retained. And so these are procedures that the courts have found protect U.S. privacy and make the collection reasonable for Fourth Amendment purposes.

MR. MEDINE: And under the minimization procedures I understand that the agency, the NSA, FBI, the CIA have their own minimization procedures and they’re not the same with each other?

MR. WIEGMANN: That’s right.

MR. MEDINE: Can you address why that shouldn’t be a concern that this information is not being subjected to the same minimization standards?

MR. WIEGMANN: So each of them have their own minimization procedures based on their unique mission, and the court reviews each of those for CIA, FBI, NSA, and it’s found them all reasonable for each different agency. They’re slightly different based on the operational needs, but they’re similar.

MR. MEDINE: Would it make more sense then if the same set of minimization procedures apply across the board for this kind of information?

MR. WIEGMANN: I don’t think. Again, just to contrast, for example, FBI and NSA that are using information in different ways. The FBI has a little more latitude with respect to U.S. person information in terms of criminal activity and evidence of a crime than NSA, which doesn’t have that law enforcement mission. So I think it is important to have some differences between the agencies in terms of how they handle the information.

We know what the NSA minimization procedures look like. Not only do they permit dissemination use of US person data in more than the examples described by Wiegmann, they’re frightfully permissive on other points (such as the retention of data for technical database purposes, or the limits on Attorney-Client privilege). Moreover, they permit the retention of data because of a threat to property, a clear expansion on the legal requirements.

But from Wiegmann’s description, it sounds like FBI’s minimization procedures (which are used as a basis for National Counterterrorism Center’s minimization procedures) are worse. Worse because they permit FBI even more leeway to use FISA authorized data in criminal investigations.

And worse because it’s not clear whether there’s even any retention time limits. Indeed, if you watch the clip above, it might be more accurate to punctuate that data retention sentence this way:

You have retention rules, I believe, in some cases. For NSA, for example, you have a five year retention limit.

In any case, the comment seems to suggest that in other cases — like, perhaps, the FBI and derivatively NCTC — you don’t have temporal limits. That would be consistent with FBI’s retention of many kinds of investigative data forever. But it would mean a great deal of data involving innocent Americans collected without a warrant remains in the FBI’s hands forever.

And all that’s before you consider that FBI has always, since the passage of FISA Amendments Act (or at least the first certifications later that year), been permitted to conduct backdoor searches on incidentally collected data. So they may not only be keeping this data forever, but performing warrantless back door searches on it.