Posts

Intelligence Committees Still Trying to Force Agencies to Follow Reagan’s Rules

/in /by

34 years ago Ronald Reagan issued the Executive Order that still governs most of our country’s intelligence activities, EO 12333.

As part of it, the EO required any agency using information concerning US persons to have a set of procedures laying out how it obtains, handles, and disseminates information (see the language of 2.3 below).

Only — as the Privacy and Civil Liberties Oversight Board started pointing out in August 2013 — some agencies have never complied. In February, PCLOB revealed the 4 agencies that are still flouting Reagan’s rules, along with what they have been using:

The Department of Homeland Security’s notoriously shoddy Office of Intelligence and Analysis: Pending issuance of final procedures, I&A is operating pursuant to Interim Intelligence Oversight Procedures, issued jointly by the Under Secretary for Intelligence and Analysis and the Associate General Counsel for Intelligence (April 3, 2008).

United States Coast Guard (USCG)- Intelligence and counterintelligence elements: Pending issuance of final procedures, operating pursuant to Commandant Instruction – COMDINST 3820.12, Coast Guard Intelligence Activities (August 28, 2003).

Department of Treasury Office of Intelligence and Analysis (OIA): Pending issuance of final procedures. While draft guidelines are being reviewed in the interagency approval process, the Office of Intelligence and Analysis conducts intelligence operations pursuant to EO 12333 and statutory responsibilities of the IC element, as advised by supporting legal counsel.

Drug Enforcement Administration, Office of National Security Intelligence (ONSI): Pending issuance of final procedures, operates pursuant to guidance of the Office of Chief Counsel, other guidance, and: Attorney General approved “Guidelines for Disclosure of Grand Jury and Electronic, Wire, and Oral Interception Information Identifying United States Persons” (September 23, 2002); Attorney General approved “Guidelines Regarding Disclosure to the Director of Central Intelligence and Homeland Security Officials of Foreign Intelligence Acquired in the Course of a Criminal Investigation” (September 23, 2002).

Last year’s House Intelligence Committee version of NSA reform (the one I called RuppRoge) would have included language requiring agencies to finish these procedures — mandated 34 years ago — within 6 months. And now, over a year later, Dianne Feinstein’s latest attempt at reform echoed that language.

Which strongly suggests these agencies are still deadbeats.

As I said in February, I’m most concerned about DEA (because DEA is out of control) and, especially, Treasury (because Treasury’s intelligence activities are a black box with little court review). Treasury is making judgements that can blacklist someone financially, but it has thus far refused to institute procedures to protect Americans’ privacy while it does so.

And no one seems to be rushing to require them to do so.

2.3 Collection of Information. Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order. Those procedures shall permit collection, retention and dissemination of the following types of information:
(a) Information that is publicly available or collected with the consent of the person concerned;
(b) Information constituting foreign intelligence or counterintelligence, including such information concerning corporations or other commercial organizations. Collection within the United States of foreign intelligence not otherwise obtainable shall be undertaken by the FBI or, when significant foreign intelligence is sought, by other authorized agencies of the Intelligence Community, provided that no foreign intelligence collection by such agencies may be undertaken for the purpose of acquiring information concerning the domestic activities of United States persons;
(c) Information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation;
(d) Information needed to protect the safety of any persons or organizations, including those who are targets, victims or hostages of international terrorist organizations;
(e) Information needed to protect foreign intelligence or counterintelligence sources or methods from unauthorized disclosure. Collection within the United States shall be undertaken by the FBI except that other agencies of the Intelligence Community may also collect such information concerning present or former employees, present or former intelligence agency contractors or their present or former employees, or applicants for any such employment or contracting;
(f) Information concerning persons who are reasonably believed to be potential sources or contacts for the purpose of determining their suitability or credibility;
(g) Information arising out of a lawful personnel, physical or communications security investigation;
(h) Information acquired by overhead reconnaissance not directed at specific United States persons;
(i) Incidentally obtained information that may indicate involvement in activities that may violate federal, state, local or foreign laws; and
(j) Information necessary for administrative purposes.
In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

Share this entry

A Brief History of the PATRIOT Reauthorization Debate

/7 Comments/in , /by

I wanted to provide some background of how we got to this week’s PATRIOT Reauthorization debate to explain what I believe the surveillance boosters are really aiming for. Rather than a response to Edward Snowden, I think it is more useful to consider “reform” as an Intelligence Community effort to recreate functionalities they had and then lost in 2009.

2009 violations require NSA to start treating PATRIOT data like PATRIOT data and shut down automated functions

That history starts in 2009, when NSA was still operating under the system they had established under Stellar Wind while pretending to abide by FISC rules.

At the beginning of 2009, the NSA had probably close to full coverage of phone records in the US, and coverage on the most important Internet circuits as well. Contrary to the explicit orders of the FISC, NSA was treating all this data as EO 12333 data, not PATRIOT data.

On the Internet side, it was acquiring data that it considered Dialing, Routing, Addressing, and Signaling information but which also constituted content (and which violated the category limits Colleen Kollar-Kotelly had first imposed).

On the phone side, NSA was not only treating PATRIOT data according to NSA’s more general minimization procedures as opposed to those dictated by the FISC. But in violation of those minimization procedures, NSA was submitting phone dragnet data to all the automated procedures it submitted EO 12333 data to, which included automated searches and automatic chaining on other identifiers believed to belong to the same user  (the latter of which NSA calls “correlations”). Either these procedures consisted of — or the data was also treated to — pattern analysis, chaining users on patterns rather than calls made. Of key importance, one point of having all the data in the country was to be able to run this pattern analysis. Until 2008 (and really until 2009) they were sharing the results of this data in real time.

Having both types of data allowed the NSA to chain across both telephony and Internet data (obtained under a range of authorities) in the same query, which would give them a pretty comprehensive picture of all the communications a target was engaging in, regardless of medium.

I believe this bucolic state is where the surveillance hawks want us to return to. Indeed, to a large extent that’s what Richard Burr’s bill does (with a lot of obstructive measures to make sure this process never gets exposed again).

But when DOJ disclosed the phone violations to FISC in early 2009, they shut down all those automatic processes. And Judge Reggie Walton took over 6 months before he’d even let NSA have full ability to query the data.

Then, probably in October 2009, DOJ finally confessed to FISC that every single record NSA had collected under the Internet dragnet for five years violated Kollar-Kotelly’s category rules. Walton probably shut down the dragnet on October 30, 2009, and it remained shut down until around July 2010.

At this point, not only didn’t NSA have domestic coverage that included Internet and phone, but the phone dragnet was a lot less useful than all the other phone data NSA collected because NSA couldn’t use its nifty automatic tools on it.

Attempts to restore the pre-2009 state

We know that NSA convinced John Bates to not only turn the Internet dragnet back on around July 2010 (though it took a while before they actually turned it on), but to expand collection to some or all circuits in the US. He permitted that by interpreting anything that might be Dialing, Routing, Addressing, and Signaling (DRAS) to be metadata, regardless of whether it also was content, and by pointing back to the phone dragnet to justify the extension of the Internet dragnet. Bates’ fix was short-lived, however, because by 2011, NSA shut down that dragnet. I wildarseguess that may partly because DOJ knew it was still collecting content, and when Bates told NSA if it knew it was collecting content with upstream collection, it would be illegal (NSA destroyed the Internet dragnet data at the same time it decided to start destroying its illegal upstream data). I also think there may have been a problem with Bates’ redefinition of DRAS, because Richard Burr explicitly adopted Bates’ definition in his bill, which would have given Bates’ 2010 opinion congressional sanction. As far as we know, NSA has been coping without the domestic Internet dragnet by collecting on US person Internet data overseas, as well as off PRISM targets.

Remember, any residual problems the Internet dragnet had may have affected NSA’s ability to collect any IP-based calls or at least messaging.

Meanwhile, NSA was trying to replace the automated functions it had up until 2009, and on November 8, 2012, the NSA finally authorized a way to do that. But over the next year plus, NSA never managed to turn it on.

The phone records gap

Meanwhile, the phone dragnet was collecting less and less of the data out there. My current theory is that the gap arose because of two things involving Verizon. First, in 2009, part or all of Verizon dropped its contract with the FBI to provide enhanced call records first set up in 2002. This meant it no longer had all its data collected in a way that was useful to FBI that it could use to provide CDRs (though Verizon had already changed the way it complied with phone records in 2007, which had, by itself, created some technical issues). In addition, I suspect that as Verizon moved to 4G technology it didn’t keep the same kind of records for 4G calls that transited its backbone (which is where the records come from, not from customer bills). The problems with the Internet dragnet may have exacerbated this (and in any case, the phone dragnet orders only ask for telephony metadata, not IP metadata).

Once you lose cell calls transiting Verizon’s backbone, you’ve got a big hole in the system.

At the same time, more and more people (and, disproportionately, terrorist targets) were relying more and more on IP-based communications — Skype, especially, but also texting and other VOIP calls. And while AT&T gets some of what crosses its backbone (and had and still has a contract for that enhanced call record service with the FBI, which means it will be accessible), a lot of that would not be available as telephony. Again, any limits on Internet collection may also impact IP based calls and messaging.

Edward Snowden provides a convenient excuse

Which brings you to where the dragnets were in 2013, when Edward Snowden alerted us to their presence. The domestic PATRIOT-authorized Internet dragnet had been shut down (and with it, potentially, Internet-based calls and messaging). The phone dragnet still operated, but there were significant gaps in what the telecoms would or could turn over (though I suspect NSA still has full coverage of data that transits AT&T’s backbone). And that data couldn’t be subjected to all the nifty kinds of analysis NSA liked to subject call data to. Plus, complying with the FISC-imposed minimization procedures meant NSA could only share query results in limited situations and even then with some bureaucratic limits. Finally, it could only be used for counterterrorism programs, and such data analysis had become a critical part of all of NSA’s analysis, even including US collection.

And this is where I suspect all those stories about NSA already considering, in 2009 and in 2013, shutting down the dragnet. As both Ken Dilanian stories on this make clear, DOJ believed they could not achieve the same search results without a new law passed by Congress. Bob Litt has said the same publicly. Which makes it clear these are not plain old phone records.

So while Edward Snowden was a huge pain in the ass for the IC, he also provided the impetus to make a decision on the phone dragnet. Obama made a big show of listening to his Presidential Review Group and PCLOB, both of which said to get rid of it (the latter of which said it was not authorized by Section 215). But — as I noted at the time — moving to providers would fix some of their problems.

In their ideal world, here’s what we know the IC would like:

  • Full coverage on both telephony and IP-based calls and messaging and — ideally — other kinds of Internet communications
  • Ability to share promiscuously
  • Ability to use all NSA’s analytical tools on raw data (the data mandates are about requiring some kind of analytical work from providers)
  • Permission to use the “call” function for all intelligence purposes
  • Ability to federate queries with data collected under other authorities

And the IC wants this while retaining Section 215’s use of bulky collections that can be cross-referenced with other data, especially the other Internet collection it conducts using Section 215, which makes up a majority of Section 215 orders.

Those 5 categories are how I’ve been analyzing the various solutions (which is one of about 10 reasons I’m so certain that Mitch McConnell would never want straight reauthorization, because there’s nothing that straight reauthorization would have ratified that would have fixed the existing problems with the dragnet), while keeping in mind that as currently constructed, the Internet 215 collection is far more important to the IC than the phone dragnet.

How the bills stack up

USA F-ReDux, as currently incarnated, would vastly expand data sharing, because data would come in through FBI (as PRISM data does) and FBI metadata rules are very permissive. And it would give collection on telephony and IP-based calls (probably not from all entities, but probably from Apple, Google, and Microsoft). It would not permit use for all intelligence purposes. And it is unclear how many of NSA’s analytical tools they’d be able to use (I believe they’d have access to the “correlations” function directly, because providers would have access internally to customers’ other accounts, but with the House report, other kinds of analysis should be prohibited, though who knows what AT&T and Microsoft would do with immunity). The House report clearly envisions federated queries, but they would be awkward to integrate with the outsourced collection.

Burr’s bill, on the other hand, would expand provider based querying to all intelligence uses. But even before querying might —  maybe — probably wouldn’t — move to providers in 2 years, Burr’s bill would have immediately permitted NSA to obtain all the things they’d need to return to the 2009 bucolic era where US collected data had the same treatment as EO 12333 collected data. And Burr’s bill would probably permit federated queries with all other NSA data. This is why, I think, he adopted EO 12333 minimization procedures, which are far more restrictive than what will happen when data comes in via FBI, because since it will continue to come in in bulk, it needs to have an NSA minimization procedure. Burr’s bill would also sneak the Section 215 Internet collection back into NSL production, making that data more promiscuously available as well.

In other words, this is why so many hawks in the House are happy to have USA F-ReDux: because it is vastly better than the status quo. But it’s also why so many hawks in the Senate are unsatisfied with it: because it doesn’t let the IC do the other things — some of the analytical work and easy federated queries — that they’d like, across all intelligence functions. (Ironically, that means even while they’re squawking about ISIS, the capabilities they’d really like under Burr’s bill involve entirely other kinds of targets.)

A lot of the debate about a phone dragnet fix has focused on other aspects of the bill — on transparency and reporting and so on. And while I think those things do matter (the IC clearly wants to minimize those extras, and had gutted many of them even in last year’s bill), what really matters are those 5 functionalities.

 

Share this entry

Feinstein Enters the Non-Compromise Compromise Fray (Working Thread)

/4 Comments/in /by

Dianne Feinstein is the latest member of Congress to offer a non-compromise compromise to replace the compromise USA F-ReDux, this time with a bill that would:

  • Impose a 2-year data mandate in some cases (which would affect Apple and Verizon most immediately)
  • Extend the current dragnet order — which is already 89 days old — for an entire year
  • Require certification that the providers could provider phone data before moving over to the replacement system before that year runs out
  • Retain Richard Burr’s Section 215-specific Espionage Act imposing 10 year penalties on anyone who tells us what the intelligence community is really doing with the call records program
  • Retain Richard Burr’s counter-productive amicus provision
  • Revamps USA F-ReDux’s transparency provisions in ways that are less dishonest but just as useless
  • For key authorities, allow any member of Congress (under certain limits) to learn how the government is using them

This will be a working thread.

Update: Just to clarify, I believe Feinstein’s bill is almost certainly supposed to be the “face-saving” version of USA F-ReDux referred to in this article.

Feinstein accomplishes this:

Some leaders of the House Intelligence Committee, along with supporters in the Senate, hope they can assuage the concerns of Senate Republicans by adding a certification process to ensure that telephone companies had developed the technology they needed to store the reams of data that were now gathered by the government. If the technology could not be certified, a longer transition period would kick in.

In Section 108, with the certification process.

Feinstein adds an odd data mandate — not listed in this story but a key complaint from Mitch and others — in Section 101 (page 4).

And Feinstein responds to this request,

Republicans have also expressed a desire to protect the phone companies against harassment from privacy activists over their participation in a new surveillance program.

By adopting the Section 215 dedicated Espionage Act at Section 501.

(3) DiFi’s bill explicitly permits the government to get call detail records in the old way.

(4) DiFi’s bill tweaks USA F-ReDux’s call chaining language for use with “individuals” who are not agents of foreign powers engaged in international terrorism. Those would be US persons.

(5) The data mandate is really fascinating. It only requires a company to retain data after getting a request but is vague about how much data must be retained (which is likely “all”).

(3) may include a request for an order that requires each recipient of the order under this section to retain the call detail records for up to 24 months from the date the call detail record was initially generated—

(A) if the request includes a certification made by the Director of the Federal Bureau of Investigation that the Government has reason to believe that the recipient of the order being applied for is not retaining call detail records for a period of up to 24 months and that the absence of call detail records for that period of time is resulting in, or is reasonably likely toresult in, the loss of foreign intelligence information relevant to an authorized investigation; and

(B) if the order provides that call detailrecords retained solely for purposes of complying with an order under this section may only be produced pursuant to an order under this section.

It’s an odd construct (though it does try to keep the records out of the hands of divorce lawyers, which I guess is good). Obviously, the government will have the records they actually ask for at any given time. So what it suggests is this will be a mandate on some or entire universe of the providers existing records so they can do pattern analysis.

(7) The scheme for call detail records is the same as in USA F-ReDux, but absent the HJC report language saying it can’t involve analysis I assume it does.

(12) DiFi retains the minimization procedures from USA F-ReDux.

(14) The bill adds immunity for records retention.

(17) The “limitation” language is different, and adds “indiscriminate.” Again, this still uses the IC definition of bulk, though, which is meaningless, even modified by “indiscriminate.” SST is the same, including the narrower limit for CDR function.

(19) DiFi eliminates IG reports, I guess because they show how sloppily these things are run and how generally useless they are.

(19) Here’s how DiFi deals w/Burr’s transition canard.

IN GENERAL.—The amendments made by sections 101 through 107 shall take effect on the date that is 180 days after the date of the enactment of this Act unless the President certifies to the appropriate committees of Congress that the transition from the existing procedures for the productionof business records under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.), as in effect prior to the effective date for the amendments made by section 101 through 107,to the new procedures, as amended by sections 101through 107, is not sufficiently operational to allow the timely retrieval of foreign intelligence information from recipients of an order under section 501 of such Act.

(2) EXTENSION FOR CERTIFICATION.—If the President makes a certification described in paragraph (1), the amendment made by sections 101 through 107 shall take effect on the date, that may be up to 1 year after the date of the enactment of this Act, that the President determines that the transition referred to in such paragraph is sufficiently operational to allow the timely retrieval of foreign intelligence information from recipients of an order under section 501 of such Act.

(3) LIMITATION ON TRANSITION PERIOD.—If the President makes a certification under paragraph(1) and does not determine an effective date under paragraph (2), the amendments made by sections 101 through 107 shall take effect on the date that is 1 year after the date of the enactment of this Act.

(b) NO EFFECT ON PRIOR AUTHORITY.—Nothing in this Act, or any amendment made by this Act, shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) as in effect on May 31, 2015, during the period ending on such effective date.

(c) TRANSITION.—(1) ORDERS IN EFFECT ON MA

Y 31, 2015.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, any order issued or made under title V of the Foreign Intelligence Surveillance Act of 1978 and in effect on May 31, 2015, shall continue in effect until the date of the expiration of such order.

(2) CONTINUED APPLICABILITY.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, the order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26, 2015, in Docket No. BR 15–24, may be extended by order of that court until the effective date established in subsection (a).

(3) USE OF INFORMATION.—

(A) IN GENERAL.—Information acquired from the call detail records pursuant to an order issued under section 501 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861) prior to the effective date in subsection (a) may continue to be used after the effective date of this Act, subject to the limitation in subparagraph (B).

(B) DESTRUCTION OF INFORMATION.—

Any record produced under any order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26 2015, in Docket No. BR 15–24 , or any predecessor order for such an order shall be destroyed no later than 5 years after the date such record was initially collected. Until that time, such a record may be used in accordance with the purpose prescribed and the procedures established in such order.

(23) DiFi’s bill takes out this language, which was in USA F-ReDux, in the PRTT section, but it does retain privacy procedures.

(C) For purposes of subparagraph (A), the term ‘address’ means a physical address or electronic address, such as an electronic mail address or temporarily assigned network address (including an Internet protocol address).

(24) Difi includes bulk controls on NSLs, but not the gag fix.

(26) The 215 reporting takes out the reporting on bulk collection to Congress that was in USA F-ReDux. Sharing of this is extended to everyone in Congress whom the HPSCI chair likes.

(33) DiFi gets rid of two-track reporting on all non-215 and consolidates it. The reporting is somewhat different (for example, Congress will no longer know when something has been used in a trial). DiFi pretends to extend this reporting to everyone in Congress, but since it’s subject to Congressional rules that will only happen in the senate.

(40) DiFi does include significant matter of law reporting to the appropriate committees (which exists).

(45) DiFi continues Burr’s Espionage Act.

(47) The amicus curiae is the John Bates Richard Burr version, which I think might be counterproductive.

(55) DiFi requires agencies that have not established minimization procedures required under the original EO 12333. See this post for more background.

Share this entry

I’m Shocked, Shocked, to Find that Lying Is Going on in the Senate

/3 Comments/in /by

As I noted here, given the content of the radical bill Richard Burr introduced on Friday, it appears likely that his claim Section 215 sIpported an IP dragnet was no misstatement, as he claimed when I called him on it. But that — and the misstatements Mitch McConnell made on Friday about the bill — are not the only lies the authoritarians have been telling.

Just after USA F-ReDux failed in the Senate Friday night and Barbara Boxer tried to call it back up for a vote, Mitch McConnell falsely claimed that Dianne Feinstein was involved in Burr’s radical bill. Senator Feinstein actually had to interrupt and point out that not only doesn’t she think Burr’s bill is the way to go, but that pushing for it might put all the expiring provisions at risk. (h/t Steven Aftergood for pulling Congressional Research Service records)

McCONNELL. Mr. President, the Senate has demonstrated that the House-passed bill lacks the support of 60 Senators. I would urge a “yes” vote on the 2-month extension. Senator Burr, the chairman of the Intelligence Committee, and Senator Feinstein, the ranking member, as we all know, have been working on a proposal that they think would improve the version that the Senate has not accepted that the House sent over. It would allow the committee to work on this bill, refine it, and bring it before us for consideration. So the 2-month extension, it strikes me, would be in the best interest of getting an outcome that is acceptable to both the Senate and the House and hopefully the President.

[snip]

Mrs. FEINSTEIN. Mr. President, if I may a point of personal privilege. Mr. President, I would like to correct the majority leader, regretfully. I did not support the Burr bill. I do not believe that is the way to go. I have taken a good look at this. For those who want reform and want to prevent the government from holding the data, the FREEDOM Act is the only way to do it. The House has passed it. The President wants it. All of the intelligence personnel have agreed to it, and I think not to pass that bill is really to throw the whole program–that whole section 215 as well as the whole business records, the “lone wolf,” the roving wiretaps–into serious legal jeopardy.

That is, of course, precisely what has happened. In his bid to ram through Burr’s expanded dragnet, Mitch has now made it increasingly likely that all the expiring provisions will lapse on June 1.

Share this entry

Mitch McConnell Suggests He Wants a Bulk Document Collection System

/2 Comments/in , /by

On May 7, the very same day the Second Circuit ruled that Congress has to say specifically what a surveillance bill means for the bill to mean that thing, Richard Burr engaged in a staged colloquy on the Senate floor where he claimed that the Section 215 bulk collection program collects IP addresses. After Andrew Blake alerted me to that and I wrote it up, Burr stuffed the claim into the memory hole and claimed, dubiously, to have made a misstatement in a planned colloquy.

Then, after Mitch McConnell created a crisis by missing the first Section 215 reauthorization deadlines, Burr submitted a bill that would immediately permit the bulk collection of IP addresses, plus a whole lot more, falsely telling reporters this was a “compromise” bill that would ensure a smooth transition between the current (phone) dragnet and its replacement system.

Which strongly suggests Burr’s initial “misstatement” was simply an attempt to create a legislative record approving a vast expansion of the current dragnet that, when he got caught, led Burr to submit a bill that actually would implement that in fact.

This has convinced me we’re going to need to watch these authoritarians like hawks, to prevent them from creating the appearance of authorizing vast surveillance systems without general knowledge that’s what’s happening.

So I reviewed the speech Mitch made on Friday (this appears after 4:30 to 15:00; unlike Burr’s speech, the congressional record does reflect what Mitch actually said; h/t Steve Aftergood for Congressional Record transcript). And amid misleading claims about what the “compromise” bill Burr was working on, Mitch suggested something remarkable: among the data he’s demanding be retained are documents, not just call data.

I’ve placed the key part of Mitch’s comments below the rule, with my interspersed comments. As I show, one thing Mitch does is accuse providers of an unwillingness to provide data when in fact what he means is far more extensive cooperation. But I’m particularly interested in what he says about data retention:

The problem, of course, is that the providers have made it abundantly clear that they will not commit to retaining the data for any period of time as contemplated by the House-passed bill unless they are legally required to do so. There is no such requirement in the bill. For example, one provider said the following: “[We are] not prepared to commit to voluntarily retain documents for any particular period of time pursuant to the proposed USA FREEDOM Act if not otherwise required by law.”

Now, one credulous journalist told me the other day that telecoms were refusing to speak to the Administration at all, which he presumably parroted from sources like Mitch. That’s funny, because not only did the telecom key to making the program work — Verizon — provide testimony to Congress (which is worth reviewing, because Verizon Associate General Counsel — and former FBI lawyer — Michael Woods pointed to precisely what the dragnet would encompass under Burr’s bill, including VOIP, peer-to-peer, and IP collection), but Senator Feinstein has repeatedly made clear the telecoms have agreed with the President to keep data for two years.

Furthermore, McConnell’s quotation of this line from a (surely highly classified letter) cannot be relied on. Verizon at first refused to retain data before it made its data handshake with the President. So when did this provider send this letter, and does their stance remain the same? Mitch doesn’t say, and given how many other misleading comments he made in his speech, it’s unwise to trust him on this point.

Most curiously, though, look at what they’re refusing to keep. Not phone data! But documents.

Both USA F-ReDux and Burr’s bill only protect messaging contents, not other kinds of content (and Burr’s excludes anything that might be Dialing, Routing Addressing and Signaling data from his definition of content, which is the definition John Bates adopted in 2010 to be able to permit NSA to resume collecting Internet metadata in bulk). Both include remote computing services (cloud services) among the providers envisioned to be included not just under the bill, but under the “Call Detail Record” provision.

Perhaps there’s some other connotation for this use of the word “documents.” Remember, I think the major target of data retention mandates is Apple, because Jim Comey wants iMessage data that would only be available from their cloud.

But documents? What the hell kind of “Call Detail Records” is Mitch planning on here?

One more thing is remarkable about this. Mitch is suggesting it will take longer for providers to comply with this system than it took them to comply with Protect America Act. Yahoo, for example, challenged its orders and immediately refused to comply on November 8, 2007. Yet, even in spite of challenging that order and appealing, Yahoo started complying with it on May 5, 2008, that same 180-time frame envisioned here. And virtually all of the major providers already have some kind of compliance mechanism in place, either through PRISM (Apple, Google, and Microsoft) or upstream 702 compliance (AT&T and Verizon).
Read more

Share this entry

USA F-ReDux: The Risks Ahead

/4 Comments/in /by

Sometime after 2 today, the House will pass USA F-ReDux by a large margin. Last night the Rules Committee rejected all amendments, including two (a version of the Massie-Lofgren amendment prohibiting back doors and a Kevin Yoder amendment that would improved ECPA protections) that have majority support in the House.

After the bill passes the House today it will go to the Senate where Mitch McConnell will have his way with it.

What happens in the Senate is anyone’s guess.

One reason no one knows what Mitch has planned is because most people haven’t figured out what Mitch really wants. I think there are 3 possibilities:

  • He actually wants USA F-ReDux with some tweaks (about which more below) and the threat of a straight reauthorization is just a tactic to push through those tweaks; this makes the most sense because USA F-ReDux actually gives the IC things they want and need that they don’t currently have
  • There is something the government is doing — a bulk IP program, for example — that Mitch and Burr plan to provide Congressional sanction for even while basically adopting USA F-ReDux as a limit on Section 215 (but not other authorities); the problem with this plan is that secret briefings like the Administration offered the Senate, but not the House, last night don’t seem to meet the terms of ratification described by the Second Circuit
  • The Second Circuit decision threatens another program, such as SPCMA (one basis for Internet chaining involving US persons right now), that the Senate believes it needs to authorize explicitly and that’s what the straight reauthorization is about
  • [Update] I’m reminded by Harley Geiger that Mitch might just be playing to let 215 sunset so he can create a panic that will let him push through a worse bill. That’s possible, but the last time such an atmosphere of panic reigned, after Congress failed to replace Protect American Act in 2008, it worked to reformers’ advantage, to the extent that any cosmetic reform can be claimed to be a win.

I think — though am not certain — that it’s the first bullet, though Burr’s so-called misstatement the other day makes me wonder. If so Mitch’s procedural move is likely to consist of starting with his straight reauthorization but permitting amendments, Patrick Leahy introducing USA F-ReDux as an amendment, Ron Wyden and Rand Paul unsuccessfully pushing some amendments to improve the bill, and Richard Burr adding tweaks to USA F-ReDux that will make it worse. After that, it’s not clear how the House will respond.

Which brings me to what I think Burr would want to add.

As I’ve said before, I think hawks in the Senate would like to have data mandates, rather than the data handshake that Dianne Feinstein keeps talking about. While last year bill supporters — including corporate backers — suggested that would kill the bill, I wonder whether everyone has grown inured to the idea of data retention, given that they’ve been silent about the data handshake since November.

I also suspect the IC would like to extend the CDR authority to non-terrorism functions, even including drug targets (because they probably were already using it as such).

The Senate may try to tweak the Specific Selection Term language to broaden it, but it’s already very very permissive.

I’m also wondering if the Senate will introduce language undermining the limiting language HJC put in its report.

Those are the predictable additions Burr might want. There are surely a slew more (and there will be very little time to review it to figure out the intent behind what they add).

The two big questions there are 1) are any of those things significant enough to get the House to kill it if and when it gets the bill back and 2) will the House get that chance at all?

Share this entry

USA F-ReDux: Dianne Feinstein Raises the Data Handshake Again

/6 Comments/in /by

As I noted last November, in her defense of USA Freedom Act last year, Dianne Feinstein suggested the telecoms (principally, Verizon) had agreed to retain their data for longer than their business purposes required without any mandate — what I dubbed the “data handshake.”

On Tuesday, Nov. 18, Feinstein explained how she had resolved the problem presented by telecoms like Verizon that don’t hold these records as long as the NSA currently does. She and Chambliss had written the country’s four biggest telecom companies a letter — she didn’t say when — asking whether the companies would retain phone records longer than they currently do. Two said yes; two said no. “Since that time, the situation has changed,” Feinstein said. “Not in writing, but by personal testament from two of the companies that they will hold the data for at least two years for business reasons.” President Barack Obama even vouched for the telecom companies’ willingness to hold the data. “The fact is that the telecoms have agreed to hold the data. The president himself has assured me of this,” Feinstein said.

Taken in context, Feinstein’s comments reveal how proponents of the USA Freedom Act solved the intelligence community’s problem with the reform bill — that the period of time that records would be held would shrink dramatically. Rather than a legal mandate requiring that telecoms hold onto the data — which some members of the Senate Intelligence Committee demanded in June — the reform bill would use a “data handshake.”

The terms of the data handshake are the most interesting part. This promise is not in writing. According to Feinstein, it is a “personal testament.” (And of course it wasn’t in the bill, where privacy advocates might have objected to it.) The telecom companies could say they were retaining the data for business purposes, though, until now, they’ve had no business purpose to keep the records.

While some, like Bob Litt, have suggested one challenge for having telecoms retain phone records concerned whether telecoms would retain enough of their call records to do pattern analysis, the issue of data retention has largely been unspoken in this round of debate over USA F-ReDux.

But Dianne Feinstein just raised it again this morning on Meet the Press, again endorsing a “data handshake” behind USA F-ReDux and seemingly referring to the assurances the President got from telecoms they would keep the data.

CHUCK TODD:

Senator, while I have you, the Patriot Act, obviously the big, bulk data collection was struck down, in Court. Not quite saying it was unconstitutional, basically saying that the law doesn’t cover what the administration has said it covers, which is this idea of bulk data collection. And says, “If Congress wants to be able to do this, then they need to explicitly pass a law that forces telephone companies to do this or not.” Where are you on this? Are you willing to pass a specific law that allows for bulk data collection, whether held by the phone companies or the government?

SENATOR DIANNE FEINSTEIN:

I think here’s the thing. The president, the House and a number of members of the Senate believe that we need to change that program. And the way to change it is simply to go to the FISA Court for a query, permission to go to a telecom and get that data. The question is whether the telecoms will hold the data. And the answer to that question is somewhat mixed. I know the president believes that the telecoms will hold the data. I think we should try that.

CHUCK TODD:

An act of Congress could force them to do that, correct?

SENATOR DIANNE FEINSTEIN:

An act of Congress could force them to do that.

CHUCK TODD:

And can that pass this Congress?

SENATOR DIANNE FEINSTEIN:

Well, that’s the problem. The House does not have it in their bill. Senator Leahy does not have that in his bill.

If I had to bet on the most likely outcome for the USA F-ReDux bill, it would be USA F-ReDux, with some more shit added in because USA F-ReDux boosters are reluctant to talk about how much more it gives the Intelligence Community than what they have now, and with data retention mandates. As I have said, I think that’s one of the ultimate purposes of Mitch McConnell’s PATRIOT gambit.

One thing is clear, however, which is that Intelligence insiders like Feinstein are talking about data mandates among themselves, even if they’re not discussing them publicly.

Share this entry

Dean Baquet Explains that the CIA Cries Wolf, But Misses How Transparency Helps Hold Feinstein Accountable

/7 Comments/in , /by

Jack Goldsmith conducted  fascinating interview with NYT Executive Editor Dean Baquet about the latter’s decision to name Michael D’Andrea and two other top CIA officials whose identities the CIA was trying to suppress.

He attributes his decision to three factors: The CIA has increasingly taken on a new military role that demands some accountability, the CIA admitted these three figures were widely known anyway, and the CIA (and NSA’s) explanations in the past have proven lame.

There are some interesting points, but I think Baquet — and Goldsmith — miss two aspects of accountability that the NYT article permitted.

Widely known figures

Baquet reveals that even the CIA didn’t claim these men were secret, even if it still pretends they are under cover.

DB: These guys may technically be undercover. But even the CIA admitted when they called – and this was a big factor in the decision – that they are widely known, and they were known to the governments where they were stationed. The CIA’s pitch was not that these guys are secret or that people don’t know about them. The CIA’s pitch to me was, “Look, its one thing to be widely known, and to be known to governments and to be on web sites; but when they appear on the front page of the New York Times, that has a larger meaning.” So they were known anyway. The gentleman at the very top [of the CTC] runs a thousand-person agency, and makes huge decisions, personally, that have tremendous repercussions for national security. I’m not making judgments about him, but that’s the reality.

Later in the interview Goldsmith appears to totally ignore this point when he worries that these men don’t have the same kind of security as their counterparts running drone programs in the military. He suggests they might come under new threat because their names have been published on the front page of the NYT.

But that assumes our adversaries are too dumb to look in the places where these men’s names have been published before — just like CIA’s successful attempt to suppress Raymond Davis’ association with the CIA even after it was broadly known in Pakistan. It assumes our adversaries who seek out this information are not going to find where it’s hiding in plain sight.

The CIA isn’t keeping these secrets from our adversaries. They already know them. Which makes CIA’s efforts to keep them from the US public all the more problematic.

Crying wolf

Baquet’s argument about CIA’s squandered credibility is two fold. First, he notes that the CIA always claims people are under cover, which makes their claims less credible as a result.

JG: Let me ask you a different question. What do you think about the claim by Bob Litt, the General Counsel of the DNI, that you’ve put these guys’ lives and their families’ lives in jeopardy, and also the people they worked with undercover abroad? How do you assess that? How do you weigh that?

DB: I guess I would say a couple of things. I wish the CIA did not say that about everybody and everything. They hurt their case.

JG: They say it a lot?

DB: They say it all the time. I wish they were a little more measured in saying that. Sometime it’s a little difficult to deal with the Agency. When somebody says that and has a track record of rarely saying that, it really gives me pause. But they [the CIA] say it whenever we want to mention a [covert] CIA operative or CIA official.

But — perhaps more importantly for a guy who has taken heat for killing important stories in the past — Baquet also mentions the times agencies convince him to kill stories that turn out to get published anyway. Baquet uses sitting on the detail that the US used a drone base in Saudi Arabia to kill Anwar al-Awlaki as his example.

DB: I’ll give you an example. When Al-Awlaki was killed by a drone strike, we were on deadline, and I was the Managing Editor. The Acting Director of the CIA called up because we were going to say in the middle of the story that the drone that killed Al-Awlaki took off from a base in Saudi Arabia. (I can give you twenty examples, but this is just one.) He called up and said, “If you say that the drone took off from a base in Saudi Arabia, we are going to lose that base. The Saudis are going to go nuts, they don’t want people to know that we are flying drones from their base.” And so I took it out. And I think we made it something like, “The drones took off from a base in the Arabian Peninsula,” something vague. Sure enough, the next day, everybody other than us said it was Saudi Arabia. When I thought hard about it, [I concluded] that was not a good request. And I later told the CIA it was not a good request. And they should have admitted that was not a good request. Everyone knew they had a base. It was for geopolitical reasons, not really national security reasons. I think that’s one where they shouldn’t have asked and I shouldn’t have said “yes” so automatically. So now I am tougher. Now I just say to them, “Give me a compelling reason, really really tell me.” Because to not publish, in my way of thinking, is almost a political act. To not publish is a big deal. So I say, “Give me a compelling reason.” And I don’t think I said that hard enough earlier on. That influences me now. It does make me want to say to the CIA, and the NSA, and other agencies involved in surveillance and intelligence: “Guys, make the case. You can’t just say that it hurts national security. You can’t just say vaguely that it’s going to get somebody killed. You’ve got to help me, tell me.” In cases where they have actually said to me something really specific, I have held it. There is still stuff that’s held, because it is real. But I think I am tougher now and hold them to higher standards. And part of that is that secrecy now is part of the story. It’s not just a byproduct of the story. It’s part of the story. I think there is a discussion in the country about secrecy in government post-9/11. It was provoked partly by Snowden, it was provoked partly by the secrecy of the drone program. And I think that secrecy is now part of it. And that puts more pressure on me to reveal details when I have them.

But I find his invocation of Snowden (and the mention of the NSA which he makes 4 times) all the more interesting.

Remember, in 2006, Mark Klein brought the story, with documents to prove the case, that the NSA had tapped into AT&T’s Folsom Street switch to Baquet when the latter was at the LAT. Baquet killed the story, only to have the NYT publish the story shortly thereafter.

Back in 2006, former AT&T employee Mark Klein revealed information that proved the communications giant was allowing the NSA to monitor Internet traffic “without any regard for the Fourth Amendment.” Klein initially brought the story to The Los Angeles Times, but it never made it to print under Baquet, who recently replaced the fired Jill Abramson as executive editor of The New York Times.

Klein told HuffPost Live’s Alyona Minkovski that he gave 120 pages of AT&T documents to an LA Times reporter who “was promising a big front-page expose” on the story. But the reporter eventually told Klein there was a “hangup,” and the story was abandoned shortly after with no explanation.

Months later, producers from ABC’s “Nightline” who were working on the story contacted editors at the LA Times to ask if they had, in fact, decided not to print it. The producers were told that Baquet killed the story, Klein said.

“That’s when Dean Baquet came out with this lame excuse that he just couldn’t figure out my technical documents, so he didn’t think they had a story. I don’t think anybody really believed that argument because, as I said, a few weeks after the LA Times killed the story, I went to The New York Times and they had no trouble figuring it out,” Klein said.

Any question of the clarity in the documents Klein produced “was just Dean Baquet’s lame cover story for capitulating to the government’s threats,” Klein alleged.

And while Baquet still claims he didn’t kill the story due to pressure from the government, the claim has always rung hollow.

The CIA and NSA have not only cried wolf once too often, they have cried wolf with Baquet personally.

Missing accountability

There are two things that are, sadly, missing from this discussion.

First, no one actually believes that Michael D’Andrea, who (as I pointed out yesterday) the CIA helped Hollywood turn into one of the heroes of the Osama bin Laden hunt) is really under cover. But it’s important to look at what suppressing his actual name does for accountability. And the torture report is the best exhibit for that.

If you can’t connect all the things that D’Andrea — or Alfrea Bikowsky or Jonathan Fredman — have done in their role with torture, you can’t show that certain people should have known better. After KSM led Bikowsky to believe, for 3 months, that he had sent someone to recruit black Muslims in Montana to start forest fires, any further unfathomable credulity on her part can no longer be deemed an honest mistake; it’s either outright incompetence, or a willful choice to chase threats that are not real. Hiding D’Andrea’s name, along with the others, prevents that kind of accountability.

But there’s one other crucial part of accountability that’s core to the claim that our representative government adequately exercises oversight over CIA.

A key part of the NYT story (and Baquet emphasized this) was challenging whether the Intelligence Committees were exercising adequate oversight over the drone strikes. The NYT included really damning details about Mike Rogers and Richard Burr pushing to kill Americans.

Yet the article was most damning, I think, for Dianne Feinstein, though it didn’t make the case as assertively as they could have. Consider the implications of this:

In secret meetings on Capitol Hill, Mr. D’Andrea was a forceful advocate for the drone program and won supporters among both Republicans and Democrats. Congressional staff members said that he was particularly effective in winning the support of Senator Dianne Feinstein, the California Democrat who was chairwoman of the Senate Intelligence Committee until January, when Republicans assumed control of the chamber.

[snip]

The confidence Ms. Feinstein and other Democrats express about the drone program, which by most accounts has been effective in killing hundreds of Qaeda operatives and members of other militant groups over the years, stands in sharp contrast to the criticism among lawmakers of the now defunct C.I.A. program to capture and interrogate Qaeda suspects in secret prisons.

But both programs were led by some of the same people.

The implication — which should be made explicit — is that Dianne Feinstein has been protecting and trusting a guy who also happens to have been a key architect of the torture program (Feinstein did the same with Stephen Kappes).

Feinstein can complain about torture accountability all she wants. But she has the ability to hold certain people to a higher standard, and instead, in D’Andrea’s case and in Kappes, she has instead argued that they should maintain their power.

And that’s the kind of the thing the public can and should try to hold Feinstein accountable for. Rogers and Burr, at least, are not hypocrites. They like unchecked and ineffective CIA power, unabashedly. But Feinstein claims to have concerns about it … sometimes, but not others.

The public may not be able to do much to hold the CIA accountable. But we can call out Feinstein for failing to do the things she herself has power to do to get accountability for torture and other CIA mismanagement. And that, at least, is a key value of having named names.

Share this entry

The Burr Family USE to Assassinate People in Light of Day

/16 Comments/in /by

At the end of a must-read article on how the people — whom it names — in charge of the CIA’s drone program are the same people who were in charge of the torture program, the NYT also reveals that Richard Burr joined Mike Rogers pressuring CIA to kill American citizen Mohanad Mahmoud Al Farekh — who recently got captured and charged in the US with material support for terrorism — be drone killed.

The Republican lawmakers, Senator Richard M. Burr of North Carolina and Representative Mike Rogers of Michigan, said during the closed sessions that the administration was being timid, and urged that [Mohanad Mahmoud Al] Farekh be hunted and killed.

Burr is, as he likes to point out, a relative of Aaron Burr, who killed Treasury Secretary Alexander Hamilton in a duel, a detail about which Burr reminded Treasury Secretary Jack Lew last year. It appears the Burr family no longer operates with the faux honor of dueling, but instead sits inside secret closets and demands CIA conduct assassination by remotely piloted drone.

And that’s why NYT’s decision to name names is so notable.

The C.I.A. asked that Mr. D’Andrea’s name and the names of some other top agency officials be withheld from this article, but The New York Times is publishing them because they have leadership roles in one of the government’s most significant paramilitary programs and their roles are known to foreign governments and many others.

The article names D’Andrea — the long-time head of CIA’s Counterterrorism Center, whom Gawker named last month but whom the WaPo continued to refer to under the pseudonym Roger last month, it named his replacement, Chris Wood, who has served in ALEC station and oversaw operations in Afghanistan and Pakistan, and it named the Operations Chief, Greg Vogel, who was Kabul Station Chief before leading the CIA’s paramilitary Special Activities Division.

These are the men who invite people like Rogers and Burr and Dianne Feinstein (who is a champion of D’Andrea) and their staffers to watch a monthly snuff film of drone operations and with it convince them that CIA should remain in charge of assassinations.

As the NYT notes in explaining why it was refusing to cede to John Brennan’s demand that the paper hide these identities, others know who they are. It’s just the public, those who pay their salaries and in whose name those assassinations are conducted, that didn’t know.

That, of course, prevents anyone — the family of Warren Weinstein, for example — from holding them to legal account.

But it also prevents us from holding Feinstein accountable when she shields the same people who oversaw the torture program she claims to abhor.

Perhaps the NYT’s decision to break the spell of false secrecy will demonstrate that these men’s identities were’t really secrets. They were rather just a vacuum of accountability.

Share this entry

On Mitch’s PATRIOT Gambit

/4 Comments/in , /by

Mitch McConnell, as you’ve probably heard, has just introduced a bill to reauthorize the expiring provisions of the PATRIOT Act until 2020.

The move has elicited a bunch of outraged comments — as if anyone should ever expect anything but dickishness from Mitch McConnell. But few interesting analytical comments.

For example, Mitch is doing this under Rule 14, meaning it bypasses normal committee process. But that’s not as unusual, in ultimate effect, as people are making out. After all, last year the House Judiciary Committee was forced to adopt a much more conservative opening bill under threat of having its jurisdiction stripped entirely — something that Bob Goodlatte surely liked because it helped him rein in the reformers on his committee. Particularly given Chuck Grassley’s dawdling, I suspect something similar is at issue, an effort to give him leverage to rein in last year’s USA Freedom Act in order to undercut Mitch’s ploy.

Moreover, I think it would be utterly naive to believe Mitch and Richard Burr when they claim they would prefer straight reauthorization.

That’s because we know the IC can’t do everything they want to do under Section 215 right now. While reports that they only get 30% of calls are misleading (not least because NSA gets plenty of international calls into the US under EO 12333), for legal or technical or some other reason, the NSA isn’t currently getting all the records it needs to have full coverage. But it could get all or almost all if it worked with providers.

In addition — and this may be related — the NSA has never been able to turn its automated processes back on for US collected telephone data since they had to turn them off in 2009. They gave up trying last year, when Obama decided to move data to the providers. I suspect that the combination of mandated assistance, record delivery in optimal form, and immunity will permit NSA to dump this data into its existing automated system.

So while Mitch and Burr may pretend they’d love straight reauthorization, it is far, far more likely they’re using this gambit to demand changes to USAF that permit the IC to claim more authorities while pretending to reluctantly adopt reform.

And chief on that list is likely to be data retention, something reformers have been conspicuously silent about since Dianne Feinstein revealed USAF would have had a data retention handshake, but not a mandate. Data retention is why most SSCI members opposed USAF last year, it’s why Bill Nelson (working off his dated understanding of the program from when he served on SSCI) voted against it, and Bob Litt has renewed his emphasis on data retention.

Moreover, given the debates about encryption of the last year, especially Jim Comey’s concerns that Apple would have an unfair advantage over Verizon if it can shield iMessage data, I suspect that by data retention they also mean “forced retention of non-telephony messaging metadata.” I’m not sure whether they would be able to pull this off, but I wouldn’t be surprised if the IC plans to use “NSA reform” as an opportunity to force Apple to keep iMessage metadata.

So that’s what I expect this is about: I expect Mitch deliberately caused outright panic among those fighting straight reauthorization that even he doesn’t really want to demand more things from this “reform” bill.

 

Share this entry