Posts

Is the Government Hiding FISC’s “Erroneous” 215 Opinion Until After Basaaly Moalin’s Hearing for a New Trial?

/4 Comments/in , /by

As I mentioned in this post, the government is due to turn over the remaining documents in the ACLU FOIA for Section 215 documents on November 18. Among the documents it may release is a February 24, 2006 FISC opinion. This may be the only comprehensive opinion written to authorize the Section 215 dragnet … and if it’s not, no comprehensive opinion authorized the opinion until August 29, 2013.

In short, that release will answer a lot of questions about what former Assistant Attorney General David Kris suggests may have been an erroneous decision authorizing the entire phone dragnet. We’ll learn more November 18.

But that won’t help Basaaly Moalin, who on Wednesday, November 13, will argue he should have a new trial in light of disclosures that the government only started wiretapping him after being tipped by the Section 215 dragnet. If the Judge in his case, Jeffrey Miller, decides he doesn’t merit a new trial, then he will be sentenced on November 18. And then, later that same day, the government will release what could be evidence that the very foundations of the Section 215 dragnet that caught Moalin are “erroneous.”

That seems to be the way things have gone for Moalin since June 18, when the government pushback on the Snowden leaks first led Moalin to learn his entire prosecution rested on the Section 215 dragnet, and since August 28, when Moalin first started pushing for a delay in sentencing so he could push for a new trial.

Back in July, the ACLU demanded the government turn over all responsive documents by August 12. That would have brought the release of all documents a month before Moalin’s then-scheduled sentencing. Instead, the government asked to have until September 15, the day before the date scheduled for his sentencing. That request would have been almost two weeks after the 60 day extension James Clapper asked for on July 5, 2013.

On August 16, Judge Pauley set up this production schedule.

The Government will review the Foreign Intelligence Surveillance Court (FISC) Opinions at issue and release any segreable information not exempt under FOIA by September 10, 2013. The Government will review a second tranche of documents and release any segreable information not exempt under FOIA by October 10, 2013. The Government will review the remaining documents at issue, excluding the FISC orders in the final row of the Government’s Vaughn index, and release any segreable information not exempt under FOIA by 10/31/2013. The parties will submit a status report to the Court by 11/8/2013.

The October 10 and 31 dates got pushed back because of the shut-down (which, of course, was not DOJ’s fault).

But the results has been to limit the argument Moalin should be able to make. In the Motion for a new trial (submitted on September 5), for example, Moalin’s team relies on the October 3, 2011 John Bates opinion (released on August 21) rather than the slew of documents showing systemic problems with the very program that tipped Moalin admitted in 2009 (released September 10). The government even taunts them about it in their Response.

Defendants’ reliance on an October 3, 2011 FISC Opinion is misplaced. The opinion documented the FISC’s judicial review of the Government’s Certifications of Collection and Interception pursuant to Section 702 of FISA and is hence irrelevant here were Section 702 is not at issue.

Of course. But the only reason the defendants weren’t able to make the very same argument — that the NSA had almost no meaningful controls over the querying they were doing of the Section 215 dragnet — and make it with collection closer to the time when the dragnet tipped Moalin is because ODNI sat on the Section 215 disclosures until after Moalin submitted his motion.

Of particular concern is the delay in revealing details of contact chaining (and that at the time Moalin was tipped, it was possible to chain a fourth hop in). The defense clearly focused on the government’s admission that Moalin had been indirectly in contact with Aden Ayro. That’s a point the government almost entirely ignored in their response. Add in that the government is still largely hiding how it uses the phone dragnet to find burner phones (and the evidence the government used Moalin’s calls with Ayro to find the warlords new phone after he had ditched an old one), and the defense was only given delayed access to some of the details that might best undermine the case that such indirect contacts might constitute probable cause for a FISA warrant.

The defense integrated some of the revelations about the 2009 disclosures in their reply, submitted October 10. That left unavailable the documents released on October 28, some of which showed the government in violation of FISA Amendment’s Act’s requirement to provide all significant FISC opinions on the topic at hand to the Intelligence and Judiciary Committees. Those documents would also present additional challenges to the legitimacy of the two reauthorizations of the dragnet since 2006.

Now, maybe this is just coincidental, that the one person who might challenge his conviction through the use of Section 215 would be prevented from using documents that might show the program itself is “erroneous.”

But as people like Dianne Feinstein squawk that the program is “legal,” they’d be well advised to consider the remarkable way that Moalin was deprived of the documents that might allow a challenge to the law as erroneous from the very start.

Three Theories Why the Section 215 Phone Dragnet May Have Been “Erroneous” from the Start

/6 Comments/in , /by

Update, 1/6/14: I just reviewed this post and realize it’s based on the misunderstanding that the February 24 OLC opinion is from last year, not 2006. That said, the analysis of the underlying tensions that probably led to the use of Section 215 for the phone dragnet are, I think, still valid. 

According to ACLU lawyer Alex Abdo, the government may provide more documents in response to their FOIA asking for documents relating to Section 215 on November 18. Among those documents is a February 24, 2006 FISA Court opinion, which the government says it is processing for release.

That release — assuming the government releases the opinion in any legible form — should solve a riddle that has been puzzling me for several weeks: whether the FISA Court wrote any opinion authorizing the phone dragnet collection before its May 24, 2006 order at all.

The release may also provide some insight on why former Assistant Attorney General David Kris concedes the initial authorization for the program may have been “erroneous.”

More broadly, it is important to consider the context in which the FISA Court initially approved the bulk collection. Unverified media reports (discussed above) state that bulk telephony metadata collection was occurring before May 2006; even if that is not the case, perhaps such collection could have occurred at that time based on voluntary cooperation from the telecommunications providers. If so, the practical question before the FISC in 2006 was not whether the collection should occur, but whether it should occur under judicial standards and supervision, or unilaterally under the authority of the Executive Branch.

[snip]

The briefings and other historical evidence raise the question whether Congress’s repeated reauthorization of the tangible things provision effectively incorporates the FISC’s interpretation of the law, at least as to the authorized scope of collection, such that even if it had been erroneous when first issued, it is now—by definition—correct. [my emphasis]

That “erroneous” language comes not from me, but from David Kris, one of the best lawyers on these issues in the entire country.

And the date of the opinion — February 24, 2006, 6 days before the Senate would vote to reauthorize the PATRIOT Act having received no apparent notice the Administration planned to use it to authorize a dragnet of every American’s phone records — suggests several possible reasons why the original approval is erroneous.

Possibility one: There is no opinion

The first possibility, of course, is that my earlier guess was correct: that the FISC court never considered the new application of bulk collection, and simply authorized the new collection based on the 2004 Colleen Kollar-Kotelly opinion authorizing the Internet dragnet. In this possible scenario, that February 2006 opinion deals with some other use of Section 215 (though I doubt it, because in that case DOJ would withhold it, as they are doing with two other Section 215 opinions dated August 20, 2008 and November 23, 2010).

So one possibility is the FISA Court simply never considered whether the phone dragnet really fit the definition of relevant, and just took the application for the first May 24, 2006 opinion with no questions. This, it seems to me, would be erroneous on the part of FISC.

Possibility two: FISC approved the dragnet based on old PATRIOT knowing new “relevant to” PATRIOT was coming

Another possibility is that the FISA Court rushed through approval of the phone dragnet knowing that the reauthorization that would be imminently approved would slightly different language on the “relevance” standard (though that new language was in most ways more permissive). Thus, the government would already have an approval for the dragnet in hand at the time when they applied to use it in May, and would just address the “relevance” language in their application, which we know they did.

In this case, the opinion would seem to be erroneous because of the way it deliberately sidestepped known and very active actions of Congress pertaining to the law in question.

Possibility three: FISC approved the dragnet based on new PATRIOT language even before it passed

Another possibility is that FISC approved the phone dragnet before the new PATRIOT language became law. That seems nonsensical, but we do know that DOJ’s Office of Intelligence Policy Review briefed FISC on something pertaining to Section 215 in February 2006.

After passage of the Reauthorization Act on March 9, 2006, combination orders became unnecessary for subscriber information and [one line redacted]. Section 128 of the Reauthorization Act amended the FISA statute to authorize subscriber information to be provided in response to a pen register/trap and trace order. Therefore, combination orders for subscriber information were no longer necessary. In addition, OIPR determined that substantive amendments to the statute undermined the legal basis for which OIPR had received authorization [half line redacted] from the FISA Court. Therefore, OIPR decided not to request [several words redacted] pursuant to Section 215 until it re-briefed the issue for the FISA Court. 24

24 OIPR first briefed the issue to the FISA Court in February 2006, prior to the Reauthorization Act. [two lines redacted] [my emphasis]

Still, this passage seems to reflect an understanding, at the time DOJ briefed FISC and at the time that the FISC opinion was written that the law was changing in significant ways (some of which made it easier for the government to get IDs along with the Internet metadata it was collecting using a Pen Register).

This would seem to be erroneous for timing reasons, in that the judge issued an opinion based on a law that had not yet been signed into law, effectively anticipating Congress.

The looming threat of Hepting v. AT&T and Mark Klein’s testimony

Which brings me to why. The 2009 Draft NSA IG Report describes some of what went on in this period.

After the New York Times article was published in December 2005, Mr. Potenza stated that one of the PSP providers expressed concern about providing telephone metadata to NSA under Presidential Authority without being compelled. Although OLC’s May 2004 opinion states that NSA collection of telephony metadata as business records under the Authorization was legally supportable, the provider preferred to be compelled to do so by a court order.

As with the PR/TT Order, DOJ and NSA collaboratively designed the application, prepared declarations, and responded to questions from court advisors. Their previous experience in drafting the PRTT Order made this process more efficient.

The FISC signed the first Business Records Order on 24 May 2006. The order essentially gave NSA the same authority to collect bulk telephony metadata from business records that it had under the PSP. And, unlike the PRTT, there was no break in collection at transition.

But the IG Report doesn’t explain why the telecom(s) started getting squeamish after the NYT scoop.

It doesn’t mention, for example, that on January 17, 2006, the ACLU sued the NSA in Detroit. A week after that suit was filed, Attorney General Alberto Gonzales wrote the telecoms a letter giving them cover for their cooperation.

On 24 January 2006, the Attorney General sent letters to COMPANIES A, B, and C, certifying under 18 U.S.C. 2511 (2)( a)(ii)(B) that “no warrant or court order was or is required by law for the assistance, that all statutory requirements have been met, and that the assistance has been and is required.”

Note, this wiretap language pertains largely to the collection of content (that is, the telecoms had far more reason to worry about sharing content). Except that two issues made the collection of metadata particularly sensitive: the data mining of it, and the way it was used to decide who to wiretap.

More troubling still to the telecoms, probably, came when EFF filed a lawsuit, Hepting, on January 31 naming AT&T as defendant, largely based on an LAT story of AT&T giving access to the its stored call records.

But I’m far more interested in the threat that Mark Klein, the AT&T technician who would ultimately reveal the direct taps on AT&T switches at Folsom Street, posed. Read more

Was Adel Daoud Targeted Off of a Back Door Search of Traditional FISA Collection?

/9 Comments/in /by

Daoud Adel is a 20-year old US citizen from suburban Chicago who was charged last year in an FBI sting in which he allegedly tried to set off a car bomb outside a night club. Last year, during the debate on FISA Amendments Act reauthorization, Dianne Feinstein named his case directly, suggesting he had been busted using the legislation before the Senate. His legal team first demanded the FAA material she suggested existed back in May. And in September, they requested discovery for materials relating to FAA.

The government, however, strongly suggests none of the communications used to charge him were collected under FAA. It even suggests he misunderstands the meaning of DiFi’s comment.

Any discovery based on the FAA is unwarranted here because the FAA is simply not at issue in this case. As the Government explained in a previous filing, it “does not intend to use any such evidence obtained or derived from FAA-authorized surveillance in the course of this prosecution.” (DE 49, at 2).

[snip]

The defendant’s claim that the Government should disclose “the nature of the FAA surveillance in this case even, for instance[,] Defendant’s communications themselves were not intercepted” is perplexing. (DE 52, at 15 n.11). If Daoud’s communications were not intercepted, or his facilities not targeted, he would not be aggrieved and have no basis to challenge the collection. The Government sees no legal relevance to his broad discovery request.

Moreover, the defendant has also made multiple claims, in this motion and others, based on his interpretation of a single public remark. While the Government appreciates the defendant’s position in litigating FISA-related matters, it offers that the defendant may misunderstand this public remark, which is not a revelation that has any legal implication.

[snip]

As the Government has explained, this case singularly involves “traditional” FISA surveillance. [my emphasis]

Soapbox Orator’s comments in response to one of my posts on back door searches led me to examine the government’s response closely and I now suspect Daoud may have been identified using a back door search on traditional FISA collection.

Much of this debate centers on comments DiFi made on December 27, 2012, which seemed to suggest the 8 cases she named involved FAA.  But those comments were in response to comments Ron Wyden had just made. In that speech Wyden described (among other problems with FAA) back door searches.

The fact is, once the government has this pile of communications, which contains an unknown but potentially very large number of Americans’ phone calls and e-mails, there are surprisingly few rules about what can be done with it.

For example, there is nothing in the law that prevents government officials from going to that pile of communications and deliberately searching for the phone calls or e-mails of a specific American, even if they do not have any actual evidence that the American is involved in some kind of wrongdoing, some kind of nefarious activity.

Read more

Senate Intelligence Swiss Cheese on OLC Memos

/5 Comments/in , , /by

Great news!

After a member of the President’s party had to hold up that President’s nominee to head the CIA just to get Office of Legal Counsel memos authorizing the killing of an American citizen with no due process, the Senate Intelligence Committee has moved to force the Administration to turn over OLC memos in the future.

Terrible news!

The language is full of ginormous loopholes that would allow the Executive Branch to avoid sharing all the memos they’re already withholding.

Here’s what it says.

(1) REQUIREMENT TO PROVIDE LIST OF OPINIONS TO CONGRESS.—Except as provided in subsections (b) and (c), not later than 180 days after the date of the enactment of this Act and annually thereafter, the Attorney General, in coordination  with the Director of National Intelligence, shall provide to the congressional intelligence committees a  listing of every opinion of the Office of Legal Counsel of the Department of Justice that has been provided to an element of the intelligence community.

(2) CONTENT.—Each listing submitted under paragraph (1) shall include—

(A) as much detail as possible about the subject of each opinion;

(B) the date the opinion was issued;

(C) a listing of each recipient agency;

(D) whether the opinion has been made available to Congress or a specific committee of  Congress, including the identity of each such committee; and

(E) for any opinion that has not been made available to Congress or a specific committee of Congress, the basis for such withholding.

(b) EXCEPTION FOR COVERT ACTION.—If the President determines that it is essential to limit access to a covert action finding under section 503(c)(2) of the National Security Act of 1947 (50 U.S.C. 3093(c)(2)), the

President may limit access to information concerning such finding that is subject to disclosure under subsection (a) to those members of Congress who have been granted access to the relevant finding under such section 503(c)(2).

(c) EXCEPTION FOR INFORMATION SUBJECT TO EXECUTIVE PRIVILEGE.—If the President determines that a particular listing subject to disclosure under subsection (a) is subject to an executive privilege that protects against such disclosure, the Attorney General shall not be required to disclose such opinion or listing if the Attorney General notifies the congressional intelligence committees, in writing, of the legal justification for such assertion of executive privilege prior to the date by which the opinion or listing is required to be disclosed.

Basically, this language requires the Attorney General to give the Intelligence Committees — not the public, not all of Congress, not even the Judiciary Committees — an annotated list — not the actual opinions! — of all the OLC memos written for an element of the Intelligence Community (which would presumably exclude the White House) in a given year.

There are two exceptions to this rule.

DOJ doesn’t have to include memos on covert operations — like torture, illegal domestic wiretapping, or drone killing — that have only been briefed to a subset of the committee, such as the Gang of Four. This would allow the White House to continue to hide all the OLC memos about which there have been contentious fights in the past, including the roughly seven OLC memos on targeted killing they’re still (as far as we know) sitting on.

And DOJ doesn’t have to include memos “subject to” executive privilege (it’s not clear he has to formally invoke executive privilege, mind you). If the limitation on this language wouldn’t already have done so, this would allow the White House to hide memos like the torture memos addressed to the White House rather than CIA or DOD.

Seriously, the annotated list mandated for the Intelligence Committees ought to be the standard mandated for the public, with provision to hide secret stuff. Which is close to the standard earlier Presidents had abided by.

So what this basically does is enshrine the status quo, in which the President doesn’t have to tell the American people what his lawyers say the law is.

NSA Lost the House Judiciary Committee During the 2011 PATRIOT Act Reauthorization

/4 Comments/in /by

I want to put the two documents pertaining to the NSA’s geolocation effort released last week into context. Because they show yet another instance where the Intelligence Community did not inform Congress about what they were doing.

The two documents make it clear NSA started considering collecting geolocation in February 2010, almost certainly before the February 26-27 one year reauthorization of PATRIOT Act that month. The December 2009 letter that provided notice to Congress — which wasn’t shared with the rest of Congress until February 23-24 — provided no notice NSA was going to start testing on geolocation. So the NSA missed one opportunity to brief Congress that it was again expanding its interpretation of Section 215.

Then on February 2, 2011, Ronald Weich provided the Intelligence Chairs a second letter designed to inform Congress about the dragnet. Again, this letter also appears to make no mention of the geolocation testing. So NSA missed a second opportunity to brief Congress. Moreover, this is the letter that Mike Rogers did not pass onto members of the House.

It is unclear when NSA briefed the Intelligence Committees about the program, but a Senate Intelligence Committee staffer posed questions to NSA on March 7, but even those basic questions about legal support for the testing did not get answered until April 1.

The 4-year extension of the PATRIOT Act passed on May 26, 2011.

It took another three months before the House Judiciary Committee would get notice of a geolocation program already in action.

In other words, this was a clear instance where NSA was expanding the dragnet during the entire 15 month period of PATRIOT Act reauthorization. But according to the public record, it didn’t even inform the House Judiciary Committee — which the I Con insists always gets adequate briefing — until months after 4-year reauthorization of the PATRIOT Act.

NSA defenders are trying to use HJC member Jim Sensenbrenner’s earlier prevarications to suggest he doesn’t have reason to claim the NSA keeps secrets from Congress. Too bad the record — as it always tends to, once it becomes public — proves them wrong.  Read more

DiFi’s “Surveillance” Dictionary Makes Her Beloved Phone Dragnet Illegal

/6 Comments/in , /by

Ut oh.

Dianne Feinstein’s been writing op-eds again.

This one mostly rehashes the old arguments.

There’s the claim that stopping a guy less dangerous than Peter King once was is worth creating a database of all the phone-based relationships in the United States.

In fact, since its inception, this program has played a role in stopping roughly a dozen terror incidents in the United States. And it continues to contribute to our safety.

There’s the claim her deceitful legislation would make things better. (See here, here, here, here, and here for some details of why it will make things worse.)

On Oct. 31, the Senate Intelligence Committee took the first step to restore that confidence and bridge the gap between preventing terrorism and protecting civil liberties by passing the bipartisan Foreign Intelligence Surveillance Act Improvements Act.

And there’s the claim that “drip, drip, drip” and a higher standard of honesty that government officials has the ability to erode the mighty US military’s credibility.

This drip, drip, drip of disclosures – often without proper context and frequently just plain wrong – has eroded the confidence of the American people in the dedicated men and women of our intelligence community and the strong legal and constitutional protections already in place to prevent improper behavior.

But those arguments have all gotten stale by now.

What’s truly amusing is DiFi’s attempt to rebut the well-deserved mockery for her claim that creating a database of every phone-based relationship in the US to catch just two people with terrorist ties does not constitute surveillance.

This is not a surveillance program.

Merriam-Webster’s dictionary defines “surveillance” as “the act of carefully watching someone or something especially in order to prevent or detect a crime.”

In the case of the call-records program, neither individuals nor their phone conversations are being listened to. No one is being monitored. And no one is being watched under the call-record program.

Nevermind that Merriam-Webster provides this, as an example:

  • government surveillance of suspected terrorists

What’s so funny about DiFi’s op-ed is her desperate reliance on Merriam-Webster to defuse mockery.

Because — as I’ve noted — if the Administration had to rely on Merriam-Webster for their own definitional claims, it would destroy their claims that “substantially all” phone records in the United States are “relevant” — that is, “having significant and demonstrable bearing on the matter at hand” — to the hunt for terrorists.

To create this dragnet, after all, the Administration has had to blow up the meaning of “relevant” beyond all meaning. And they had to dig up an old British tome for this particular, all-important definition?

So I looked up how the American Merriam-Webster online dictionary defines “relevant.” Here are the first two definitions:

a : having significant and demonstrable bearing on the matter at hand

b : affording evidence tending to prove or disprove the matter at issue or under discussion <relevant testimony>

“Having significant and demonstrable bearing on the matter and hand.” Not, “possibly maybe having a teeny fraction bearing on the matter and hand.” But a “significant and demonstrable bearing” on a terrorist investigation, in context.

The same dictionary that DiFi clings to to justify her “surveillance” claim also shows why her beloved dragnet is illegal, a stretch of the word “relevant” so absurd that only old Englishmen would buy it.

So which is it DiFi? Your “not-surveillance” claim, or your dragnet?

Raj De and the Back-Door Loophole

/8 Comments/in /by

As I already noted, NSA General Counsel lied in today’s PCLOB hearing when he said the use of Section 215 to conduct a phone dragnet had the indicia of legitimacy because Congress twice reauthorized the PATRIOT after the executive had given it full information.

We know that the 2010 freshman class — with the exception of the 7 members who served on the Judiciary or Intelligence Committees — did not have opportunity to learn the most important details about the phone dragnet before reauthorizing PATRIOT in 2011. And it appears DOJ withheld from the Judiciary and Intelligence the original phone dragnet opinion — and they clearly withheld significant FISC materials on it — until August 2010, after PATRIOT had been reauthorized the first time. I trust Ben Wittes, who wants to prevent Jim Sensenbrenner from commenting on NSA’s secrecy because he’s dishonest about his own role, applies a similar standard to Raj De.

But I was even more interested in the way De answered Center for Democracy and Technology’s Jim Dempsey’s question about the back-door loophole in which NSA searches on incidentally collected US person data (starting at 2:09:00).  Dempsey asked whether NSA needed something like the Reasonably Articulable Suspicion before it searched incidental US person data. De treated the question as nonsensical, given that when you collect on a particular phone number in the criminal context you don’t need to ignore what you find.

In other words, the NSA has a lower standard for access this content than they do for accessing the metadata of our phone calls.

Curiously, though, De tried to tout the minimization of both 702 and EO 12333 collection to present this as reasonable.

By minimization, Dempsey asked, you mean you keep it.

De insisted that no, there’s minimization at each step of the process.

I get how he was trying to use this blatant dodge. I get that the NSA assumes they can take everything so long as they’re careful about how they sent it around.

But make no mistake. NSA searches on the data before it gets minimized.

Here’s how this year’s Semiannual Compliance Review, submitted by the Attorney General and Director of National Intelligence, describes this practice.

NSA’s querying of unminimized Section 702-acquired communications using United States person identifiers (page 7)

Here’s how John Bates referred to the practice, based on a submission the NSA had made itself (though before De was writing the documents), in his October 3, 2011 opinion.

The government has broadened Section 3(b)(5) to allow NSA to query the vast majority of its Section 702 collection using United States-Person identifiers, subject to approval pursuant to internal NSA procedures and oversight by the Department of Justice. Like all other NSA queries of the Section 702 collection, queries using United States-person identifiers would be limited to those reasonably likely to yield foreign intelligence information. (page 22-23)

Bates justifies this practice by pointing to another agency’s (almost certainly FBI) use of the practice, which he describes as,

an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information.

The NSA has restrictions about circumstances in which they can share this data (which arguably will be expanded under Dianne Feinstein’s FakeFISAFix). But they allow the NSA to share this data if it is “foreign intelligence,” evidence of a crime, and evidence of a threat to life-which-to-NSA-means-property.

They can sweep up entire countries worth of Internet traffic. They can sweep up entire mailboxes overseas. And then go in, without a warrant, and “discover” evidence of crime.

Anonymous Aide Pushback Strengthens Case that DiFi Bill Supports Backdoor Searches

/12 Comments/in /by

Ellen Nakashima wrote a truly remarkable article on the DiFi Fake FISA Fix, in which she quotes the following critics of the bill:

Sen. Ron Wyden (D-Ore.)

Elizabeth Goitein, co-director of the Brennan Center for Justice’s Liberty and National Security Program

Julian Sanchez, a research fellow at the CATO Institute

And quotes the following defenders of the bill and/or surveillance:

Committee Chairman Dianne Feinstein (D-Calif.)

Committee staff, including a committee aide, who was not permitted to speak on the record

Several former senior Justice Department officials, who were not permitted by their current employers to speak on the record

DiFi’s sole on the record comment, by the way, was stating that she would do “everything I can” to preserve the phone dragnet.

And in this article in which surveillance defenders hide behind anonymity, SSCI aides make the following case about the backdoor search “protections” in DiFi’s Fake FISA Fix (concerns about which I raised here).

Wyden and privacy advocates are also concerned that the bill would place in statute authority for NSA to search without a warrant for Americans’ e-mail and phone call content collected under a separate FISA surveillance program intended to target foreigners overseas. That is what Wyden has called a “back-door search loophole.”

Aides note the bill restricts the queries to those meant to obtain foreign intelligence information. They say that there have been only a “small number” of queries each year. Such searches are useful, for instance, if a tip arises that a terrorist group is plotting to kill or kidnap an American, officials have said. [my emphasis]

Take a look at the language pertaining to this issue in the past. Last year’s FAA conference report from the very same Committee described the issue as, “querying information collected under Section 702 to find communications of a particular United States person.” And when Ron Wyden and Mark Udall busted Keith Alexander for making false claims, they suggested the issue was about “allow[ing] the NSA to deliberately search for the records of particular Americans.” And when John Bates approved the NSA and CIA’s use of the practice in 2011, he described it as “query[ing] the vast majority of its Section 702 collection using United States-Person identifiers.” That’s almost precisely the way the Administration referred to it in its Compliance Report this year: “querying of unminimized Section 702-acquired communications using United States person identifiers” (see page 7).

That is, in every reference to this practice I can think of, nothing suggests the practice is limited to searching for US person identifiers in the content of communications. Indeed, the report from this very same committee last year made it clear the practice pertained to searching for the communications written by Americans, not those written about them. And the easiest way to find communications written by Americans is to search on US person identifiers in the metadata of communications.

But the bill specifically excludes searching for US person identifiers in the metadata of communications from its protections. That is, in addition to not prohibiting the searching of US person identifiers to protect life, body, and probably property, and for law enforcement purposes, the bill specifically leaves unrestricted looking up someone’s email or phone number to pull up all their communications from the collection of Section 702-acquired data.

And in their discussion of what the bill protects, these anonymous aide bill defenders describe its use to find people talking about Americans — the kidnapped American whose abductors refer to him by his IP address or phone number in their email. They appear to refer to searching for US person identifiers in the content of communications (which is all the bill protects anyway), not in its metadata. Communications about Americans, not by them. Which is not how all the previous descriptions of this practice describe it.

But the dead giveaway, the tell that this is a big scam to provide the appearance of limits while at the same time enshrining and possibly expanding the warrantless searching of “incidentally” collected US person content, is where the aides say this:

“There have only been a ‘small number’ of queries each year.”

Hahahaha! Have you missed the number of times NSA has said it would be impossible for them to count the number of Americans whose data has been searched in such a way?! NSA has spent well over a year making that claim, and DiFi has shielded that claim every step of the way.

So when DiFi’s anonymous aides make the claim that the queries protected by the law have only been used a few times a year — indeed, when they make the claim they can be and have been counted at all — they make it crystal clear the protections in the law do not pertain to the vast majority of the searches on US person data that has been collected “incidentally” under Section 702 which — the NSA assures us — cannot be counted.

What DiFi and her aides — by their own anonymous and perhaps inadvertent admission — plan to protect is a tiny fraction of the searches on US person data collected under Section 702, the countable fraction of the practice that NSA can’t or won’t count without incurring resource problems.

OK. Thanks anonymous DiFi aides. I wasn’t sure we had cause to worry. But now you’ve made it crystal clear what is going on.

DiFi’s Fake FISA Fix Appears to Further Extend Searches on US Persons Under Section 702

/4 Comments/in /by

There’s a section of DiFi’s FakeFISAFix bill, called “Restrictions on the Querying of the Contents of Certain Communications,” that purports to put new limits on the searches of data collected under Section 702 for US person information.

(m) QUERIES.—

(1) LIMITATION ON QUERY TERMS THAT IDENTIFY A UNITED STATES PERSON.—A query of the contents of communications acquired under this section with a selector known to be used by a United States person may be conducted by personnel of elements of the Intelligence Community only if the purpose of the query is to obtain foreign intelligence information or information necessary to understand foreign intelligence information or to assess its importance.

(2) RECORD.—

(A) IN GENERAL.—For any query performed pursuant to paragraph (1) a record shall be retained of the identity of the Government personnel who performed the query, the date and time of the query, and the information indicating that the purpose of the query was to obtain foreign intelligence information or information necessary to understand foreign intelligence information or to assess its importance.

While the additional record-keeping is a significant improvement (remember, the IC has been saying they can’t even count this), I think, as it does with Section 215 searches, the language of the bill may actually expand the searches for US person content in information collected under Section 702.

As a threshold matter, the language restricting certain searches to foreign intelligence purposes only codifies the status quo. The language John Bates approved in 2011 (see page 23 and following) when he gave NSA and CIA this authority (FBI apparently already had it) limited such searches to those “reasonably likely to yield foreign intelligence information.”

In addition, this provision permits such searches for the IC in general. As far as we know for sure, only NSA, CIA, and FBI have this authority (though NCTC have recently gotten their own FISA minimization procedures which might allow them). But this language would seem to permit other agencies within the IC — say, DEA — to query 702 data for US person information as well.

Moreover, the section specifically excludes dialing, routing, and addressing information from this.

(B) CONTENT.—The term ‘content’, with respect to a communication—

(i) means any information concerning the substance, purport, or meaning of that communication; and

(ii) does not include any dialing, routing, addressing, or signaling information

While leaving this stuff out of the definition of content makes sense under the law, this would have the effect of permitting searches on Section 702 data to see if US persons were in there (to see whether a US person was in contact with the target, for example), by searching on the selector as metadata rather than content. Such searches wouldn’t require the same documentation, nor would they bear the intelligence purpose limitation (though I think Bates’ ruling would still limit that).

In other words, thus far, this section seems to create the illusion of oversight for such searches, but oversight that only covers one kind of search on US person data. Read more

Dianne Feinstein Opens the Tech Back Door to the Dragnet Database Even Wider

/2 Comments/in , /by

I’ve been writing for months about the great big loophole providing access to the phone dragnet database.

Basically, the NSA needs someone to massage the dragnet data before analysts do queries on it, to take out high frequency call numbers (telemarketers and pizza joints), and probably to take out certain protected numbers, like those of Members of Congress. (Note, that the NSA has to do this demonstrates not only that all their haystack claims are false, but also leaves the possibility they’ll remove numbers that actually do have intelligence value.)

The problem of course, is that this means there is routine access to the database of all phone-based relationships in the United States that does not undergo normal oversight. We know this is a problem because we know NSA has found big chunks of this data in places where it doesn’t belong, as it discovered on February 16, 2012 when it found over 3,000 call records that had been stashed and kept longer than the 5 years permitted by the FISA Court.

As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.

The bill the Intelligence Committee passed out of committee yesterday not only codifies this practice, but exempts this practice from the explicit limits placed on other uses of this database.

Here’s how it describes this access.

(D) LIMITED ACCESS TO DATA.—Access to information retained in accordance with the procedures described in subparagraph (C) shall be prohibited, except for access—

[snip]

(iii) as may be necessary for technical assurance, data management or compliance purposes, or for the purpose of narrowing the results of queries, in which case no information produced pursuant to the order may be accessed, used, or disclosed for any other purpose, unless the information is responsive to a query authorized under paragraph (3).

Note, I’ve never seen this access described in a way that would include “narrowing the results of queries” before. I’m actually very curious why a tech would need to directly access the database, presumably after a query has already been run, to narrow it. Isn’t that contrary to the entire haystack theory?

In any case, the rest of the bill relevant to the phone dragnet effectively exempts this access from almost all of the oversight it codifies.

The requirement for a written record of the Reasonable Articulable Suspicion and identity of the person making the query does not apply (see 2 A and B). Since no record is made, the FISA Court doesn’t review these queries (6A) and these queries don’t get included in the public reporting (b)(3)(C)(i). I don’t see where the bill requires any record-keeping of this access.

The requirement that the data be kept secure specifically doesn’t apply.

SECURITY PROCEDURES FOR ACQUIRED DATA.—Information acquired pursuant to such an order (other than information properly returned in response to a query under subparagraph (D)(iii)) shall be retained by the Government in accordance with security procedures approved by the court in a manner designed to ensure that only authorized personnel will have access to the information in the manner prescribed by this section and the court’s order. [my emphasis]

And the requirement that personnel accessing the database for these purposes (4) be limited and specially trained doesn’t apply.

A court order issued pursuant to an application made under subsection (a), and subject to the requirements of this subsection, shall impose strict, reasonable limits, consistent with operational needs, on the number of Government personnel authorized to make a determination or perform a query pursuant to paragraph (1)(D)(i).

The only limit that appears to apply to the queries from this data management access of the database is the 5 year destruction.

Now, I think the FISA Court made tentative bids to limit some of the activities in 2009. But this language seems to undermine some of the controls the Court has placed on this access (including audits).

In short, in a purported bid to raise confidence about the NSA creating a database of every phone-based relationship in the United States, the Intelligence Committee has actually codified a loosening of access to the database outside the central purpose of it. It permits a range of people to access the database for vaguely defined purposes, it permits them to move that data onto less secure areas of the network, and it doesn’t appear to require record-keeping of the practice.

But what could go wrong with permitting tech personnel — people like Edward Snowden — access to data with less oversight than that imposed on analysts?

Update: Added the language from the 2012 violation to show how clueless the NSA was about finding this data just lying around and its inability to determine where it came from.