Posts

If Section 215 Lapsed, Would the Government Finally Accede to ECPA Reform?

/1 Comment/in , /by

Now that the Section 215 Sunset draws nearer, the debate over what reformers should do has shifted away from whether USA Freedom Act is adequate reform to whether it is wise to push for Section 215 to sunset.

That debate, repeatedly, has focused almost entirely on the phone dragnet that Section 215 authorizes. It seems most of the people engaging in this debate or reporting on it are unaware or uninterested in what the other roughly 175 Section 215 orders authorized last year did (just 5 orders authorized the phone dragnet).

But if Section 215 sunsets in June, those other 175 orders will be affected too (though thus far it looks like FISC is approving fewer 215 orders than they did last year). Yet the government won’t tell us what those 175 orders do.

We know — or suspect — some of what these other orders do. NYT and WSJ reported on a Western Union dragnet that would probably amount to 4-5 orders a year (and would have been unaffected and hidden in transparency reporting under USA Freedom Act).

The FBI has previously confirmed that it used Section 215 to collect records of explosives precursors — things like large quantities of acetone, hydrogen peroxide, fertilizer, and (probably now) pressure cookers; given that the Presidential Review Group consulted with ATF on its review of Section 215, it’s likely these are programmatic collection. (If the government told us it was, we might then be able to ask why these materials couldn’t be handled the same way Sudafed is handled, too, which might force the government to tie it more closely to actual threats.) This too would have been unaffected by USAF.

The government also probably uses Section 215 to collect hotel records (which is what it was originally designed for, though not in the bulk it is probably accomplished). This use of Section 215 will likely be reinforced if and when SCOTUS affirms the collection of hotel records in Los Angeles v. Patel.

But the majority of those 175 Section 215 orders, we now know, are for some kind of Internet records that may or may not relate to cyber investigations, depending on whether you think FBI talks out of its arse when trying to keep authorities, but which they almost certainly collect in sufficient bulk that FISC imposed minimization procedures on FBI.

Which brings me to my argument that reauthorizing Section 215 will forestall any ECPA reform.

We know most Section 215 orders are for Internet records because someone reliable — DOJ’s Inspector General in last year’s report on National Security Letters — told us that a collection of Internet companies successfully challenged FBI’s use of NSLs to collect this stuff after DOJ published an opinion on ECPA in 2008.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

That report went on to explain that FBI considered fixing this problem by amending the definition for toll records in Section 2709, but then bagged that plan and just moved all this collection to Section 215, which takes longer.

In the absence of a legislative amendment to Section 2709, [2.5 lines redacted]. [Deputy General Counsel of FBI’s National Security Law Branch] Siegel told us that the process of generating and approving a Section 215 application is similar to the NSL process for the agents and supervisors in the field, but then the applications undergo a review process in NSLB and the Department’s National Security Division, which submits the application to the Foreign Intelligence Surveillance Court (FISA Court). According to Siegel, a request that at one time could be accomplished with an NSL in a matter of hours if necessary, now takes about 30-40 days to accomplish with a standard Section 215 application.

In addition to increasing the time it takes to obtain transactional records, Section 215 requests, unlike NSL requests, require the involvement of FBI Headquarters, NSD, and the FISA Court. Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.

The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.

The government is, according to the report, going through all sorts of hoop-jumping on these records rather than working with Congress to pass ECPA reform.

Why?

That’s not all the Report told us. Even earlier than that problem, in 2007, the IG identified other uncertainties about what the FBI should be obtaining with an NSL, and FBI actually put together a proposal to Congress. The proposed definition included both financial information and what could be construed as location data in toll records. That bill has never been passed.

But while Internet companies have shown reluctance to let the FBI secretly expand the meaning of toll record, two telecoms have not (a third, which I suspect is Verizon, backed out of closer cooperation on NSLs in 2009, and presumably a fourth, which probably is T-Mobile, was never a part of it).

And here’s what happened to the kinds of records FBI has been obtaining (almost certainly from AT&T) in the interim:

Screen Shot 2015-03-19 at 5.15.23 PM

 

FBI is collecting 7 kinds of things from (probably) AT&T that the Inspector General doesn’t think fits under ECPA.

Now, I’m not sure precisely why ECPA reform has gone nowhere in the last 8 years, but all this redaction suggests one reason is the government doesn’t want to be bound by a traditional definition of toll record, so much so it’s willing to put up with the aggravation of getting Section 215 orders for (what may be the same kind of) information from Internet companies in order to not be bound by limits on its telecom (or at least AT&T) NSLs.

Don’t get me wrong. I’d rather have the Internet stuff be under Section 215 orders, where it will be treated with some kind of minimization (the FBI is still completely ignoring the 2006 language in Section 215 requiring it to adopt minimization procedures for that section, but FISC has stepped into the void and imposed some itself).

But ultimately what’s going on — in addition to the adoption of a dragnet approach for phone records (that might have been deemed a violation of 18 USC 2302-3 if litigated with an adversary) and financial records (that might have been deemed a violation of 12 USC 3401-3422 if litigated with an adversary), is that the government is also, apparently, far exceeding the common understanding of NSLs without going back to Congress to get them to amend the law (and this goes well beyond communities of interest — two or maybe three hop collection under an NSL — which isn’t entirely redacted in this report).

It may be moot anyway. I actually wonder whether Internet companies will use the immunity of CISA, if and when it passes, to turn whatever they’re turning over without a Section 215 order.

And it’s not like Pat Leahy and Mike Lee have been successful in their efforts to get ECPA reform that protects electronic communications passed. ECPA isn’t happening anyway.

But maybe it might, if Section 215 were to lapse and the government were forced to stop kluging all the programs that have never really been approved by Congress in the first place into Section 215.

David Barron’s ECPA Memo

/4 Comments/in , /by

Last week, I laid out the amazing coinkydink that DOJ provided Sprint a bunch of FISA opinions — including the December 12, 2008 Reggie Walton opinion finding that the phone dragnet did not violate ECPA — on the same day, January 8, 2010, that OLC issued a memo finding that providers could voluntarily turn over phone records in some circumstances without violating ECPA.

Looking more closely at what we know about the opinion, I’m increasingly convinced it was not a coinkydink at all. I suspect that the memo not only addresses FBI’s exigent letter program, but also the non-Section 215 phone dragnet.

As a reminder, we first learned of this memo when, in January 2010, DOJ’s Inspector General issued a report on FBI’s practice of getting phone records from telecom provider employees cohabiting at FBI with little or no legal service. The report was fairly unique in that it was released in 3 versions: the public unclassified but heavily redacted version, a Secret version, and a Top Secret/SCI version. Given how closely parallel the onsite telecom provider program was with the phone dragnet, that always hinted the report may have touched on other issues.

Roughly a year after the IG Report came out, EFF FOIAed the memo (see page 30). Over the course of the FOIA litigation — the DC Circuit rejected their appeal for the memo in January — DOJ provided further detail about the memo.

Here’s how OLC Special Counsel Paul Colborn described the memo (starting at 25):

The document at issue in this case is a January 8, 2010 Memorandum for Valerie Caproni, General Counsel of the Federal Bureau of Investigation (the “FBI”), from David J. Barron, Acting Assistant Attorney General for the Office of Legal Counsel (the “Opinion”). The OLC Opinion was prepared in response to a November 27, 2009 opinion request from the FBI’s General Counsel and a supplemental request from Ms. Caproni dated December 11, 2009. These two requests were made in order to obtain OLC advice that would assist FBI’s evaluation of how it should respond to a draft Report by the Office of Inspector General at the Department of Justice (the “OIG”) in the course of a review by the OIG of the FBI’s use of certain investigatory procedures.In the context of preparing the Opinion, OLC, as is common, also sought and obtained the views of other interested agencies and components of the Department. OIG was aware that the FBI was seeking legal advice on the question from OLC, but it did not submit its views on the question.

The factual information contained in the FBI’s requests to OLC for legal advice concerned certain sensitive techniques used in the context of national security and law enforcement investigations — in particular, significant information about intelligence activities, sources, and methodology.

Later in his declaration, Colborn makes it clear the memo addressed not just FBI, but also other agencies.

The Opinion was requested by the FBI and reflects confidential communications to OLC from the FBI and other agencies. In providing the Opinion, OLC was serving an advisory role as legal counsel to the Executive Branch. In the context of the FBI’s evaluation of its procedures, the general counsel at the FBI sought OLC advice regarding the proper interpretation of the law with respect to information-gathering procedures employed by the FBI and other Executive Branch agencies. Having been requested to provide counsel on the law, OLC stood in a special relationship of trust with the FBI and other affected agencies.

And FBI Record/Information Dissemination Section Chief David Hardy’s declaration revealed that an Other Government Agency relied on the memo too. (starting at 46)

This information was not examined in isolation. Instead, each piece of information contained in the FBI’s letters of November 27, 2009 and December 11, 2009, and OLC’s memorandum of January 8, 2010, was evaluated with careful consideration given to the impact that disclosure of this information will have on other sensitive information contained elsewhere in the United States intelligence community’s files, including the secrecy of that other information.

[snip]

As part of its classification review of the OLC Memorandum, the FBI identified potential equities and interests of other government agencies (“OGAs”) with regard to the OLC memo. … FBI referred the OLC Memo for consultation with those OGAs. One OGA, which has requested non-attribution, affirmatively responded to our consultation and concurs in all of the classification markings.

Perhaps most remarkably, the government’s response to EFF’s appeal even seems to suggest that what we’ve always referred to as the Exigent Letters IG Report is not the Exigent Letters IG Report!

Comparing EFF’s claims (see pages 11-12) with the government’s response to those claims (see pages 17-18), the government appears to deny the following:

  • The Exigent Letters IG Report was the 3rd report in response to reporting requirements of the USA PATRIOT reauthorization
  • FBI responded to a draft of the IG Report by asserting a new legal theory defending the way it had obtained certain phone records in national security investigations, which resulted in the January 8, 2010 memo
  • The report didn’t describe the exception to the statute involved and IG Glenn Fine didn’t recommend referring the memo to Congress
  • In response to a Marisa Taylor FOIA, FBI indicated that USC 2511(2)(f) was the exception relied on by the FBI to say it didn’t need legal process to obtain voluntary disclosure of phone records

Along with these denials, the government reminded that the report “contained significant redactions to protect classified information and other sensitive information.” And with each denial (or non-response to EFF’s characterizations) it “respectfully refer[red] the Court to the January 2010 OIG report itself.”

The Exigent Letters IG Report is not what it seems, apparently.

With all that in mind, consider two more details. First, as David Kris (who was the Assistant Attorney General during this period) made clear in his paper on the phone (and Internet) dragnet, in addition to Section 215, the government obtained phone records from the telecoms under USC 2511(2)(f), the clause in question.

And look at how the chronology maps.

November 5, 2008: OLC releases opinion ruling sneak peak and hot number requests (among other things) impermissible under NSLs

December 12, 2008: Reggie Walton rules that the phone dragnet does not violate ECPA

Throughout 2009: DOJ confesses to multiple violations of Section 215 program, including:

  • An alert function that serves the same purpose as sneak peaks and also violates Section 215 minimization requirements
  • NSA treated Section 215 derived data with same procedures as EO 12333 data; that EO 12333 data included significant US person data
  • One provider’s (which I originally thought was Sprint, then believed was Verizon, but could still be Sprint) production got shut down because it included foreign-to-foreign data (the kind that, according to the OLC, could be obtained under USC 2511(2)(f)

Summer and Fall, 2009: Sprint meets with government to learn how Section 215 can be used to require delivery of “all” customer records

July 9, 2009: Sprint raises legal issues regarding the order it was under; Walton halts production from provider which had included foreign-to-foreign production

October 30, 2009: Still unreleased primary order BR 09-15

November 27, 2009: Valerie Caproni makes first request for opinion

December 11, 2009: Caproni supplements her request for a memo

December 16, 2009: Application and approval of BR 09-19

December 30, 2009: Sprint served with secondary order

January 7, 2010: Motion to unseal records

January 8, 2010: FISC declassifies earlier opinions; DOJ and Sprint jointly move to extend time when Sprint can challenge order; and OLC releases OLC opinion; FISC grants motion (John Bates approves all these motions)

January 11, 2010: DOJ moves (in a motion dated January 8) to amend secondary order to incorporate language on legality; this request is granted the following day (though we don’t get that order)

January 20, 2010: IG Report released, making existence of OLC memo public

This memo is looking less and less like a coinkydink after all, and more and more a legal justification for the provision of foreign-to-foreign records to accompany the Section 215 provision. And while FBI said it wasn’t going to rely on the memo, it’s not clear whether NSA said the same.

Golly. It’d sure be nice if we got to see that memo before David Barron got to be a lifetime appointed judge.

The “Other Authority” Footnote

/3 Comments/in /by

For a variety of reasons, I want to track backward what appears to happen to a footnote in the phone dragnet that currently addresses dragnet records from other authorities, as it appears here in the July 18, 2013 Primary Order.

The Court understands that NSA receives certain call detail records pursuant to other authority, in addition to call records produced in response to this Court’s Orders. NSA shall store, handle, and disseminate call detail records produced in response to this Court’s Orders pursuant to this Order [3 lines redacted].

The footnote is currently the second footnote off of paragraph 3(c)(iii) about the timeline on RAS authorizations. The footnote was entirely redacted, but still 7 lines, in BR 13-80. It appears to be longer — perhaps 11 lines — in BR 11-107. It appears the same size, but split from the first of two footnotes, in BR 11-57 and BR 11-07; it appears a line or two longer in BR 10-70. The typeface is different but it appears equivalent in BR 10-49, and  BR 10-17.

The footnote in that position — now numbered footnote 7 — appears largely unredacted in BR 10-10. It reads:

The Court understands that call detail records of foreign-to-foreign communications provided by [redacted] pursuant to this Order will not be used to make chain summary records. Further, such records will be used solely for technical purposes, including use by NSA’s data integrity analysts to correctly interpret and extract contact information in [redacted] international records. In the event that an NSA analyst performs an authorized query that includes a search of the BR metadata, and the results of that query include information from [redacted] foreign-to-foreign call detail records, NSA shall handle and minimize the information in those records in accordance with the minimization procedures in this Order, regardless of the authority pursuant to which NSA obtained the record. In contrast, if the analyst’s query does not include a search of the BR metadata, and the results of that query include information from [redacted] foreign-to-foreign call detail records, then the minimization procedures in this Order shall not be applied to the information in those records.

Primary Orders BR 09-19 and 09-15 are two of three the government is withholding from that year. The footnote is entirely redacted in BR 09-13. BR 09-09 is the third Primary Order withheld from that year (that is the order that shuts down one provider’s production — presumed to be Verizon — because of the foreign-to-foreign inclusion). BR 09-06 doesn’t split out the custodian of the third provider, though includes foreign-to-foreign language; because the structure of this Order is different, it is impossible to tell whether the equivalent footnote appears. BR 09-01 doesn’t even include the foreign-to-foreign language.

Which is an elaborate way of surmising (though we can’t be sure with the redactions) that the footnote retains a related function between the time it maps out what to do with foreign-to-foreign data and the time it currently appears to say that BR FISA data must be treated according to BR FISA rules.

As I laid out here, that appears to stem from an issue dating to 2009 when Verizon turned over all its call records, including its foreign-to-foreign ones, under BR FISA (though the redactions in the BR 10-10 footnote are shorter — maybe 4-5 characters, so it’s possible this happened with a second provider as well). What appears to have happened is FISC shut down their production for a period, resumed it, then tried to deal with the problem with minimization procedures. Over time, the footnote dealing with that evolved into a more general footnote requiring that BR FISA data be treated with BR FISA rules, no matter what ever else happened. This would mean that if Verizon or another telecom provider made the same mistake, NSA would have access to its foreign data for a shorter period of time and subject to much narrower dissemination rules.

Sometime between 2009 and 2011, NSA started putting XML tags on each new piece of data, so it could track where the data came from, presumably to make this process easier, but also so it could run queries under whatever authority provided it with easier minimization rules. That XML system would permit the NSA to comply with the footnote in BR 10-10 easily, by tracking precisely where the data came from.

David Kris Points to the Clause Loopholed Under David Barron on Metadata Collection

/10 Comments/in , /by

I’m working on a longer post on David Kris’ paper on the phone [and Internet] dragnets.

But for the moment, I want to note that he strongly implies the US is relying on 18 U.S.C. § 2511(2)(f) to collect international metadata. He does it when he first introduces the phone dragnet secondary order (page 2).

The order excluded production of metadata concerning “communications wholly originating and terminating in foreign countries.”5 215 Bulk Secondary Order at 2; see Business Records FISA NSA Review at 15 (June 25, 2009) [hereinafter NSA End-to-End Review], available at http://www.dni.gov/files/documents/section/pub_NSA%20Business%20Records%20
FISA%20Review%2020130909.pdf; August 2013 FISC Order at 10 n.10; cf. 18 U.S.C. §2511(2)(f) (“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”). [my emphasis]

And he does it just after suggesting that the FISA Court may have approved the phone dragnet in 2006 — however shabby the legal case — just to have it under FISC supervision (note, he also nods to the Internet metadata dragnet, but as I’ll note he goes through some contortions to avoid addressing it all that directly).

More broadly, it is important to consider the context in which the FISA Court initially approved the bulk collection. Unverified media reports (discussed above) state that bulk telephony metadata collection was occurring before May 2006; even if that is not the case, perhaps such collection could have occurred at that time based on voluntary cooperation from the telecommunications providers. If so, the practical question before the FISC in 2006 was not whether the collection should occur, but whether it should occur under judicial standards and supervision, or unilaterally under the authority of the Executive Branch.147

147 With respect to metadata concerning foreign-to-foreign communications, which the FISC’s order expressly does not address, see 18 U.S.C. § 2511(2)(f)

This is important because it is precisely the clause (the one Kris cites above) that the Office of Legal Counsel reinterpreted in 2010 to cover past illegal access to phone metadata, including US based phone metadata.

The existence of that memo was first disclosed by Glenn Fine in his Exigent Letter IG Report. (See also this post.) He described how, in the context of its effort to clean up the legal process free access of phone data from the telecoms, DOJ had ordered up this opinion (though they claimed they were not relying on it). In 2011, DOJ provided enough information in response to a FOIA to make it clear the memo pertained to this passage.

Now, in context, Kris is just implying that the government is using this clause to get the telecoms to voluntarily turn over foreign to foreign communications.

Except we know precisely how the NSA defines “foreign communications.”

Foreign communication means a communication that has at least one communicant outside of the United States. All other communications, including communications in which the sender and all intended recipients are reasonably believed to be located in the United States at the time of acquisition, are domestic communications.

That is, so long as just one end of a communication is foreign, the NSA considers it a foreign communication (and therefore the telecoms can voluntarily disclose it under their interpretation of this clause of ECPA).

And remember: this opinion reinterpreting ECPA was written under the direction of — if not written by — David Barron, the guy Obama wants to have a lifetime appointment on the First Circuit.

I need to think through whether this means what I think it means. But it sure seems like Kris is not only saying that the government did use this loophole to collect metadata involving foreigners (and Americans). But given that DOJ claimed it could use this memo to clean up its entirely domestic communications problems (per the Fine IG Report), it sure seems like Kris is saying if we close the Section 215 collection, the government will just resume using ECPA.

Update: I just realized this post, which adopts an argument I made almost two weeks ago (that there is no original opinion for the phone dragnet) was written by Marty Lederman (who was at OLC during roughly the same period that Barron was).

Which is why I find it weird that Lederman makes an extended argument noting that an earlier clause in ECPA tweaked during the original PATRIOT Act bill prohibits this sharing of phone metadata.

You wouldn’t know it from Judge Eagan’s opinion–or from David Kris’s paper, for that matter–but Congress has actually considered the specific question about whether and under what circumstance service providers may disclose to the government the telephony metadata of their customers, and has enacted a statute dealing specifically with that question–a statute that expressly prohibits such disclosure.  Moreover, the prohibition in question was enacted as part of the very same law that includes Section 215, namely, the PATRIOT Act of 2001.

A provision of the Electronic Communications Protection Act (ECPA), 18 U.S.C. 2702(a)(3), states that “a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.”

Statutory language doesn’t often get much clearer than that:  A provider of remote computing service or electronic communication service to the public — a category that includes phone service providers — cannot knowingly convey consumer records or information to any governmental entity.

Remarkably, Congress added this prohibition to ECPA in section 212(a)(1)(B)(iii) of the 2001 PATRIOT Act itself–the same law in which section 215 expanded the “business records” provision upon which the government relies here.  The two provisions are only three pages apart in the Statutes at Large.  In other words, the government is relying here upon a broad, general “business records” provision included in the PATRIOT Act; but in that very same legislation, Congress included another provision specifically involving the business records of telephone customers, and in that more specific provision it precluded the very sort of records transfer at issue here.

The thing is, I find it almost impossible to believe that Lederman wouldn’t know about (or even didn’t review) that January 8, 2010 opinion. And he certainly must know what the implications of invoking foreign communications in the context of 18 U.S.C. § 2511(2)(f) to be.

I’m confused.

Update: I missed one other mention of 2511(2)(f), which comes in Kris’ incomplete description of all the violations in the phone dragnet program (it is incomplete, in part, because he cites from the June report of the problems rather than the August filing presenting them, which includes several more, probably more troubling violations; but he also misses details of a few of the other violations which is particularly interesting because he, of all people, must know this stuff).

(8) acquisition of metadata for foreign-to-foreign telephone calls from a provider that believed such metadata to be within the scope of the FISC’s orders, when it was not, NSA End-to-End Review at 15; cf. August 2013 FISC Order at 10 n.10 (“The Court understands that NSA receives certain call detail records pursuant to other authority, in addition to the call detail records produced in response to this Court’s Orders.”); see generally 18 U.S.C. § 2511(2)(f) (“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”);

His inclusion of it here is interesting because this violation is likely the collection that Reggie Walton shut down temporarily on July 9, 2009. Does that mean they just kept collecting from this provider (I wonder, by the way, whether it’s something exotic like Skype), and deemed it covered by 18 U.S.C. § 2511(2)(f)? If so, Kris would have been among those who made the decision to do so.

The Two OLC Still-Secret Memos Behind the Cross-Border Keyword Searches?

/1 Comment/in , , /by

Last week, Charlie Savage explained what this paragraph from the NSA’s targeting document means.

In addition, in those cases where NSA seeks to acquire communications about the target that are not to or from the target, SNA will either employ an Internet Protocol filter to ensure that the person from whom it seeks to obtain foreign intelligence information is located overseas, or it will target Internet links that terminate in a foreign country. In either event, NSA will direct surveillance at a party to the communication reasonably believed to be outside the United States.

Savage explained that it refers to the way the US snoops through almost all cross-border traffic for certain keywords.

To conduct the surveillance, the N.S.A. is temporarily copying and then sifting through the contents of what is apparently most e-mails and other text-based communications that cross the border. The senior intelligence official, who, like other former and current government officials, spoke on condition of anonymity because of the sensitivity of the topic, said the N.S.A. makes a “clone of selected communication links” to gather the communications, but declined to specify details, like the volume of the data that passes through them.

[snip]

The official said that a computer searches the data for the identifying keywords or other “selectors” and stores those that match so that human analysts could later examine them. The remaining communications, the official said, are deleted; the entire process takes “a small number of seconds,” and the system has no ability to perform “retrospective searching.”

The official said the keyword and other terms were “very precise” to minimize the number of innocent American communications that were flagged by the program. At the same time, the official acknowledged that there had been times when changes by telecommunications providers or in the technology had led to inadvertent overcollection. The N.S.A. monitors for these problems, fixes them and reports such incidents to its overseers in the government, the official said.

In his post on Savage’s story (which I think misreads what Savage describes), Ben Wittes focused closely on the last paragraphs of the story.

But that leaves a big oddity with respect to the story. The end of Savage’s story reads as follows:

There has been no public disclosure of any ruling by the Foreign Intelligence Surveillance Court explaining its legal analysis of the 2008 FISA law and the Fourth Amendment as allowing “about the target” searches of Americans’ cross-border communications. But in 2009, the Justice Department’s Office of Legal Counsel signed off on a similar process for searching federal employees’ communications without a warrant to make sure none contain malicious computer code.

That opinion, by Steven G. Bradbury, who led the office in the Bush administration, may echo the still-secret legal analysis. He wrote that because that system, called EINSTEIN 2.0, scanned communications traffic “only for particular malicious computer code” and there was no authorization to acquire the content for unrelated purposes, it “imposes, at worst, a minimal burden upon legitimate privacy rights.”

The Bradbury opinion was echoed by a later Obama-era opinion by David Barron, and Bradbury later wrote an article about the issue. But here’s the thing: If my read is right and the rule Savage cites permits only acquisition of communications “about” potential targets only from folks reasonably believed themselves to be overseas, these opinions are of questionable relevance. Indeed, if my reading is correct, why is there a Fourth Amendment issue here at all? The Fourth Amendment, after all, does not generally have extraterritorial application. This may be a reason to suspect that the issue is more complicated than I’m suggesting here. It may also merely suggest that someone cited to Savage a memo that is of questionable relevance to the issue at hand.

In his letter to John Brennan in January asking for a slew of things, Ron Wyden mentioned two opinions that may be the still-secret legal analysis mentioned by Savage.

Third, over two years ago, Senator Feingold and I wrote to the Attorney General regarding two classified opinions from the Justice Department’s Office of Legal Counsel, including an opinion that interprets common commercial service agreements. We asked the Attorney General to declassify both of these opinions, and to revoke the opinion pertaining to commercial service agreements. Last summer, I repeated the request, and noted that the opinion regarding commercial service agreements has direct relevance to ongoing congressional debates regarding cybersecurity legislation. The Justice Department still has not responded to these letters.

The opinions would have to pre-date January 14, 2011, because Feingold and Wyden requested the opinions before that date.

The reason I think the service agreements one may be relevant is because the opinions Ben cites focus on whether government users have given consent for EINSTEIN surveillance; in his article on it Bradbury focuses on whether the government could accomplish something similar with critical infrastructure networks.

Remember, we do know of one OLC memo — dated January 8, 2010 — that pertains to the government obtaining international communications willingly from service providers. We learned about it in the context of the Exigent Letters IG Report, which first led observers to believe it pertained to phone records.

But we’ve subsequently learned this is the passage of ECPA the OLC interpreted creatively in secret.

(f) Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978, and procedures in this chapter or chapter 121 and the Foreign Intelligence Surveillance Act of 1978 shall be the exclusive means by which electronic surveillance, as defined in section 101 of such Act, and the interception of domestic wire, oral, and electronic communications may be conducted.

Savage’s reference to the Bradbury opinion suggests all this happens at the packet stage, which may be one (arguably indefensible) way around the electronic communications dodge.

The FBI had not relied on the opinion as of 2010, when we first learned about it. But we also know that since then, the government stopped collecting Internet metadata using a Pen Regsiter/Trap and Trace order.

We know that Feingold and Wyden, with Dick Durbin, asked for a copy of the opinion themselves shortly after the IG Report revealed it. It’s possible that the former two asked for it to be declassified.

This is, frankly, all a wildarsed guess. But Wyden certainly thinks there are two problematic OLC memos out there pertaining to cybersecurity. And Savage seems to think this process parallels the means the government is using for cybersecurity. So it may be these are the opinions.

The Most Transparent Administration Ever Hides More OLC Opinions

/5 Comments/in /by

Ryan Reilly has liberated a list — such as DOJ would release — of the OLC opinions written under Obama. As he notes, DOJ has refused to even give him a list, much the number, of the classified OLC memos.

What’s more interesting is what wasn’t included: The office stated that it was withholding, in full, 11 lists of classified OLC opinions. Because the length of each list is unknown, it’s unclear how many classified opinions the OLC has issued during the Obama administration.

And it has redacted a ton of the names of unclassified opinions, citing deliberative privilege.

The titles of many OLC opinions were fully redacted in the lists provided, with a Justice Department official writing that the titles were “protected by the deliberative process, attorney-client, and/or attorney work-product privileges.” The names of the lawyers who wrote a number of opinions — including the memo on the president’s use of recess appointments during the Senate’s pro forma sessions — were also blacked out because their disclosure would “constitute a clearly unwarranted invasion of personal privacy,” the official wrote.

Some of the memos mentioned in the list have already been disclosed online by the OLC.

He also notes one memo the existence of which has already been revealed doesn’t appear on the list.

The Justice Department even redacted the title of the opinion on whether the president could unilaterally ignore the debt ceiling limit, though the existence of that memo was disclosed in response to a FOIA request from Talking Points Memo in 2011.

There’s in fact at least one other known OLC opinion that doesn’t show up on the list: a January 8, 2010 memo on whether the Electronics Communication Privacy Act would prevent telecoms from willingly turning over international communications to the government. It was first revealed in a January 2010 DOJ IG Report on Exigent Letters (see this post for background).

On January 8, 2010, the OLC issued its opinion, concluding that the ECPA “would not forbid electronic communications service providers [three lines redacted]281 In short, the OLC agreed with the FBI that under certain circumstances [~2 words redacted] allows the FBI to ask for and obtain these records on a voluntary basis from the providers, without legal process or a qualifying emergency.

In February 2011, McClatchy’s Marisa Taylor received a FOIA denial for the memo, although in denying her request DOJ revealed that this was the section of the law the memo discussed.

(f) Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978, and procedures in this chapter or chapter 121 and the Foreign Intelligence Surveillance Act of 1978 shall be the exclusive means by which electronic surveillance, as defined in section 101 of such Act, and the interception of domestic wire, oral, and electronic communications may be conducted.

Effectively, DOJ has already made clear that the memo says it can get international communications with no legal process.

But it didn’t release the name of the memo to Reilly.

There are two explanations for that. It has redacted the names of many OLC opinions under deliberative process, which it often argues means that it did not rely on the memo and therefore it did not influence the Executive’s final decision. That’s probably what happened with the debt ceiling memo; we know Obama hasn’t unilaterally raised the debt ceiling, meaning he hasn’t relied on the memo, so even though it has confirmed the memo exists, DOJ is hiding the memo because the Administration didn’t ultimately rely on it.

It may have redacted the title of the ECPA decision for the same reason. In the IG Report, at least, FBI claimed it would not rely on the opinion (no doubt meaning it would get all our communications via some other means).

Alternately, it could be considering this memo, which has been discussed at length, classified. Stranger things have happened with this Administration.

Update: Just checked, and via email at the time, Taylor said this is what DOJ told her:

The cover letter dated Feb. 8, 2011 to McClatchy said the OLC memo was protected by the “deliberative process privilege” under Exception Five. The letter also said the memo is “classified” and therefore “exempt pursuant to Exemption One, 5 USC 552 (b)(1).” The letter goes on to describe the memo as “a January 8, 2010 OLC memorandum analyzing the authority of the FBI under Section 2511 (2)(F) of the Stored Communications Act, 18 USC 2511 (2)(f).”

So they’re at least claiming a b5, and possibly claiming that its very name remains classified, in spite of repeated references to it in unclassified form.

In any case, the refusal to release even the name of memos that we know exist sure boosts the Administration’s claim to be the most transparent ever!

ECPA Amendments and Privacy in a Post Petraeus World

/5 Comments/in , , , , , /by

One of the issues making the rounds like wildfire today was a report from Declan McCullagh at CNET regarding certain proposed amendments to the Electronic Communications Privacy Act (ECPA). The article is entitled “Senate Bill Rewrite Lets Feds Read Your E-mail Without Warrants” and relates:

A Senate proposal touted as protecting Americans’ e-mail privacy has been quietly rewritten, giving government agencies more surveillance power than they possess under current law.

CNET has learned that Patrick Leahy, the influential Democratic chairman of the Senate Judiciary committee, has dramatically reshaped his legislation in response to law enforcement concerns. A vote on his bill, which now authorizes warrantless access to Americans’ e-mail, is scheduled for next week.

Leahy’s rewritten bill would allow more than 22 agencies — including the Securities and Exchange Commission and the Federal Communications Commission — to access Americans’ e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant. It also would give the FBI and Homeland Security more authority, in some circumstances, to gain full access to Internet accounts without notifying either the owner or a judge. (CNET obtained the revised draft from a source involved in the negotiations with Leahy.)

This sounds like the predictably craven treachery that regularly comes out of Senate, indeed Congressional, legislation on privacy issues. And exactly what many had hoped would cease coming out of Washington after the public scrutiny brought on by the Petraeus/Broadwell/Kelley scandal. And, should these amendments make it into law, they may yet prove detrimental.

But there are a couple of problems here. First, as Julian Sanchez noted, those abilities by the government already substantially exist.

Lots of people RTing CNET’s story today seem outraged Congress might allow access to e-mail w/o warrant—but that’s the law ALREADY!

Well, yes. Secondly, and even more problematic, is Pat Leahy vehemently denies the CNET report. In fact, Senator Leahy does not support broad exemptions for warrantless searches for email content. A source within the Judiciary Committee described the situation as follows: Read more

FBI Still Inventing New Ways to Surveil People with No Oversight

/in /by

Marisa Taylor has an important update on the OLC exigent letter opinion. Last year, DOJ’s now-retired Inspector General Glenn Fine released a report revealing how the FBI had used exigent letters to get call data information from telecoms with no oversight. Ryan Singel noted a reference to an OLC opinion that basically melted away the problems created by use of these exigent letters (see pages 264-266 of the report).

On January 8, 2010, the OLC issued its opinion, concluding that the ECPA “would not forbid electronic communications service providers [three lines redacted]281 In short, the OLC agreed with the FBI that under certain circumstances [~2 words redacted] allows the FBI to ask for and obtain these records on a voluntary basis from the providers, without legal process or a qualifying emergency.

Taylor FOIAed the opinion.

And while DOJ refused to release the opinion, they did apparently reveal enough in their letter explaining their refusal to make it clear that the FBI maintains that it does not need any kind of court review to get telephone records of calls made from the US to other countries.

The Obama administration’s Justice Department has asserted that the FBI can obtain telephone records of international calls made from the U.S. without any formal legal process or court oversight, according to a document obtained by McClatchy.

[snip]

The Obama administration’s Justice Department has asserted that the FBI can obtain telephone records of international calls made from the U.S. without any formal legal process or court oversight, according to a document obtained by McClatchy.

EFF’s Kevin Bankston provides some context.

“This is the answer to a mystery that has puzzled us for more than a year now,” said Kevin Bankston, a senior staff attorney and expert on electronic surveillance and national security laws for the nonprofit Electronic Frontier Foundation.

“Now, 30 years later, the FBI has looked at this provision again and decided that it is an enormous loophole that allows them to ask for, and the phone companies to hand over, records related to international or foreign communications,” he said. “Apparently, they’ve decided that this provision means that your international communications are a privacy-free zone and that they can get records of those communications without any legal process.”

Now, I’m trying to get some clarification as to precisely what language DOJ used (see update below). But the revelation is interesting for two reasons.

As I argued last year, the opinion probably serves to clean up a lot of the illegal stuff done under the Bush Administration. I think it likely that this includes Cheney’s illegal wiretap program. If I’m right, then this claim would be particularly interesting not least because of all the discussions about US to international calls during the debate around FISA Amendments Act.

Then of course there’s the even bigger worry. When Fine released his report, the FBI assured him that it wouldn’t actually use this opinion. “No, Dad, I have no intention of taking the Porsche out for a spin, so don’t worry about leaving the keys here.”

But the fact that DOJ seems to be doubling down on this claim sort of suggests they are relying on the opinion.

Also, I can’t help but note about the timing of this FOIA response: Conveniently for DOJ, they didn’t respond to McClatchy until after Russ Feingold and Glenn Fine, the two people most likely to throw a fit about this, were out of the way.

Update: Via email, Kevin Bankston told me this is the clause the government is using to find its loophole: 18 USC 2511(2)(f).

(f) Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978, and procedures in this chapter or chapter 121 and the Foreign Intelligence Surveillance Act of 1978 shall be the exclusive means by which electronic surveillance, as defined in section 101 of such Act, and the interception of domestic wire, oral, and electronic communications may be conducted.