Posts

NSA Non-Denial Denial 241,352,052

Here’s the best the NSA could come up with to deny the WaPo’s report about how it steals data from Google and Yahoo overseas.

NSA has multiple authorities that it uses to accomplish its mission, which is centered on defending the nation. The Washington Post’s assertion that we use Executive Order 12333 collection to get around the limitations imposed by the Foreign Intelligence Surveillance Act and FAA 702 is not true.

NSA seems defensive about WaPo’s suggestion they used EO 12333 — if they did — for this collection. But note that David Kris suggests at least one other possibility for this “vacuum cleaner” collection, voluntary production (as well as procedures subordinate to EO 12333), so it’s possible they didn’t use EO 123333. Maybe the first line is meant to suggest at least one of these providers did cough this up voluntarily (which I think past reporting might support).

NSA then engages in the most delectable projection ever, in which it takes this comment from its biggest apologist this side of Michael Hayden, John Schindler, and suggests the WaPo made the assertion.

Intercepting communications overseas has clear advantages for the NSA, with looser restrictions and less oversight. NSA documents about the effort refer directly to “full take,” “bulk access” and “high volume” operations on Yahoo and Google networks. Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.

Outside U.S. territory, statutory restrictions on surveillance seldom apply and the Foreign Intelligence Surveillance Court has no jurisdiction. Senate Intelligence Committee Chairwoman Dianne Feinstein has acknowledged that Congress conducts little oversight of intelligence-gathering under the presidential authority of Executive Order 12333 , which defines the basic powers and responsibilities of the intelligence agencies.

John Schindler, a former NSA chief analyst and frequent defender who teaches at the Naval War College, said it was obvious why the agency would prefer to avoid restrictions where it can.

“Look, NSA has platoons of lawyers and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole,” he said. “It’s fair to say the rules are less restrictive under Executive Order 12333 than they are under FISA.” [my emphasis]

The WaPo didn’t make the assertion, NSA’s most loyal voice on Twitter did.

Read more

NSA Returns to Stealing from Yahoo and Google

Screen shot 2013-10-30 at 1.23.18 PMThe entire point of the Protect America Act and FISA Amendments Act was to provide a way for NSA to collect data from Yahoo and Google without stealing it from telecom switches, which is what they had been doing for 6 years. That was the primary goal: provide a legal means, with oversight, to collect intelligence from the multinational US-based Internet companies that dominated the free email market.

Yet, as I’ve been predicting for weeks, that wasn’t good enough for NSA. In addition to all the intelligence they collect legally using PRISM under Section 702 authority, it turns out they’ve been busy returning to their thieving ways.

The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.

By tapping those links, the agency has positioned itself to collect at will from among hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — ranging from “metadata,” which would indicate who sent or received e-mails and when, to content such as text, audio and video.

The NSA’s principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, GCHQ. From undisclosed interception points, the NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants.

Mind you, the apologists will say that breaking into Yahoo and Google’s internal clouds to steal this information isn’t stealing because it takes place overseas, and therefore doesn’t have to abide by FISA, and therefore just amounts to normal old spying.

Case in point:

Intercepting communications overseas has clear advantages for the NSA, with looser restrictions and less oversight. NSA documents about the effort refer directly to “full take,” “bulk access” and “high volume” operations on Yahoo and Google networks. Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.

Outside U.S. territory, statutory restrictions on surveillance seldom apply and the Foreign Intelligence Surveillance Court has no jurisdiction. Senate Intelligence Committee Chairwoman Dianne Feinstein has acknowledged that Congress conducts little oversight of intelligence-gathering under the presidential authority of Executive Order 12333 , which defines the basic powers and responsibilities of the intelligence agencies.

John Schindler, a former NSA chief analyst and frequent defender who teaches at the Naval War College, said it was obvious why the agency would prefer to avoid restrictions where it can.

“Look, NSA has platoons of lawyers and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole,” he said. “It’s fair to say the rules are less restrictive under Executive Order 12333 than they are under FISA.”

But as I noted in this post, there’s at least an argument to be made that the 2011 John Bates decision ruling Section 702 upstream collection intentional and the existing FAA (that is, far more stringent than the 12333) minimization procedures insufficient under the Fourth Amendment would apply here, making the exposure of US person data under this collection a constitutional violation. And all that’s assuming there’s a purpose, like terrorism, that would warrant (heh) a special needs exception. With such bulk collection and nonexistent oversight, it’s not clear such a case could be made.

So stealing. And in the process doing enormous damage to two important American companies.

There’s one odd thing about this article though. Notice the absence of any discussion of Microsoft?

James Clapper versus DOJ (and NSA) on Upstream Collection Transparency

Screen shot 2013-10-26 at 12.31.00 PM

Last week, David Ignatius wrote a column declaring the Director of National Intelligence position under James Clapper “Mission Accomplished!” It’s mostly a beat sweetener, but I’m intrigued by his claim that James Clapper forced the NSA to declassify more of the 2011 John Bates decision than they wanted to.

But there are welcome signs that this jury-rigged structure may finally be starting to work as the DNI responds to budget pressures and the scandals surrounding National Security Agency’s surveillance programs. Clapper has recently taken steps that forced the National Security Agency (NSA) to accept greater transparency and stopped the military agencies from wasteful spending on duplicative satellite imagery.

[snip]

One example is Clapper’s pressure on the NSA to disclose more about its surveillance programs. The NSA initially wanted to “redact” (a fancy word for censor) far more of a 2011 ruling by the Foreign Intelligence Surveillance Court that the agency had engaged in illegally broad surveillance. Clapper thought NSA lawyers were suppressing too much, so he instructed his general counsel, Robert Litt, to go back through the document and make public more information. Clapper ignored NSA and Justice Department protests, including to the White House, and backed Litt’s less-redacted version.

That 2011 opinion is one of the most important disclosures so far (and the more I think about it the more I’m convinced it was a dangerous rubber stamp). So I’m grateful as much of it was released as it was.

But I’m intrigued by what this account says of upstream collection (and the searching on US person data collected under FISA Amendments Act) generally.

As the screen cap above shows, even while the opinion made it clear what “upstream” collection is (and other documents released, Dianne Feinstein’s public comments, and the footnote below have made it clear the telecoms conduct the collection), it kept the actual language describing the process redacted.

Screen shot 2013-10-26 at 12.53.09 PM

 

Assuming Ignatius description that Clapper pushed for this level of disclosure is correct, consider Clapper’s gimmicky efforts to deny or refuse to discuss other upstream collection under EO 12333. That would say Clapper pushed to make more of this FAA upstream collection public, but has gone to some effort to deny the other direct collection under EO 12333.

Meanwhile, remember the way David Kris’ paper, which was reviewed by DOJ, managed to raise Internet metadata and EO 12333, but largely indirectly.

They’re awfully squirrely about the upstream collection, perhaps because they are increasingly targeting US persons using EO 12333. But it’s worth following.

“Too much transparency defeats the very purpose of democracy”

In truly bizarre testimony he will deliver to the House Intelligence Committee next week, Paul Rosenzweig argues that “too much transparency defeats the very purpose of democracy.” He does so, however, in a piece arguing that the government needs what amounts to be almost full transparency on all its citizens.

The first section of Rosenzweig analysis talks about the power of big data. It doesn’t provide any actual evidence that big data works, mind you. On the contrary, he points to one failure of big data.

When we speak of the new form of “dataveillance,” we are not speaking of the comparatively simple matching algorithms that cross check when a person’s name is submitted for review¾when, for example, they apply for a job. Even that exercise is a challenge for any government, as the failure to list Abdulmutallab in advance of the 2009 Christmas bombing attempt demonstrates.[11] The process contains uncertainties of data accuracy and fidelity, analysis and registration, transmission and propagation, and review, correction, and revision. Yet, even with those complexities, the process uses relatively simple technologically—the implementation is what poses a challenge.

By contrast, other systems of data analysis are far more technologically sophisticated. They are, in the end, an attempt to sift through large quantities of personal information to identify subjects when their identities are not already known. In the commercial context, these individuals are called “potential customers.” In the cyber conflict context, they might be called “Anonymous” or “Russian patriotic hackers.” In the terrorism context, they are often called “clean skins” because there is no known derogatory information connected to their names or identities. In this latter context, the individuals are dangerous because nothing is known of their predilections. For precisely this reason, this form of data analysis is sometimes called “knowledge discovery,” as the intention is to discover something previously unknown about an individual. [my emphasis]

Nevertheless, having not provided evidence big data works, he concludes that “There can be little doubt that data analysis of this sort can prove to be of great value.”

The reference to Abdulmutallab is curious. At the beginning of his testimony he repeats the reference.

In considering this new capability we can’t have it both ways.  We can’t with one breath condemn government access to vast quantities of data about individuals, as a return of “Big Brother”[4] and at the same time criticize the government for its failure to “connect the dots” (as we did, for example, during the Christmas 2009 bomb plot attempted by Umar Farouk Abdulmutallab.

This formulation — and the example of Abdulmutallab even more so — is utterly crazy. Having big data is not the same thing as analyzing it correctly. Criticism that the Intelligence Community failed to connect the dots — with the UndieBomb attack, but even with 9/11 — assumes they had the dots but failed to analyze them or act on that analysis (as the IC did fail, in both cases). Indeed, having big data may actually be an impediment to analyzing it, because it drowns you. And while Rosenzweig suggests the only big data failure with Abdulmutallab involved not placing him on a watch list, that’s false. The NSA had wiretaps on Anwar al-Awlaki which, according to the government, collected information tying Abdulmutallab to an attack.

Yet they didn’t respond to it.

And you know what? We measly citizens don’t know why they didn’t respond to it — though we do know that the FBI agents who were analyzing the Awlaki data were … you guessed it! Overwhelmed.

Before anyone involved in government claims that big data helps — rather than hinders — they should have to explain why a full-time tap on Anwar al-Awlaki didn’t find the guy who was texting him about a terrorist attack. Read more

James “Too Cute By Half” Clapper’s Denial

James Clapper made a somewhat unprecedented denial of Le Monde’s report (French, English) about the NSA’s dragnet, denying the eye-popping numbers on the volume of French spying (70.3 million in a month) we do.

October 22, 2013

Recent articles published in the French newspaper Le Monde contain inaccurate and misleading information regarding U.S. foreign intelligence activities.  The allegation that the National Security Agency collected more than 70 million “recordings of French citizens’ telephone data” is false.

While we are not going to discuss the details of our activities, we have repeatedly made it clear that the United States gathers intelligence of the type gathered by all nations.  The U.S. collects intelligence to protect the nation, its interests, and its allies from, among other things, threats such as terrorism and the proliferation of weapons of mass destruction.

The United States values our longstanding friendship and alliance with France and we will continue to cooperate on security and intelligence matters going forward.

Now, for what it’s worth, this seems the product of somewhat bad translation of the English for the Le Monde article, which started as this,

Parmi les milliers de documents soustraits à la NSA par son ex-employé figure un graphique qui décrit l’ampleur des surveillances téléphoniques réalisées en France. On constate que sur une période de trente jours, du 10 décembre 2012 au 8 janvier 2013, 70,3 millions d’enregistrements de données téléphoniques des Français ont été effectués par la NSA.

And then a worse translation back into English, which produced this,

Amongst the thousands of documents extracted from the NSA by its ex-employee there is a graph which describes the extent of telephone monitoring and tapping (DNR – Dial Number Recognition) carried out in France. It can be seen that over a period of thirty days – from 10 December 2012 to 8 January 2013, 70,3 million recordings of French citizens’ telephone data were made by the NSA.

I’m not going to explain this perfectly, but effectively it took a verbal that could mean the tape recording or the data notation of calls and turned it into a gerund that has the connotation in English of a discrete tape recording (note also the really cloddish use of the passive in a situation where you wouldn’t use it in English).

And from that, Clapper pounced on the “recordings” and presented them — in a quotation taken out of context — as discrete phone calls recorded individually. NSA’s not doing that, he says.

But we knew that. What they’re doing is intercepting call data in bulk and then sorting through what they want to keep.

It’s worth noting that the comment on the Boundless Informant screen Le Monde gets this from, however, refers to a more accurate calls “interceptées.” None of that excuses Le Monde’s presentation of it as such, particularly not its weak English translation which Clapper exploited (which isn’t, however, the actual language that has given François Hollande an opportunity to pretend to be shocked, and his English-only gotcha would be useful in refuting this for actual French readers). But that’s one source of the gotcha.

Now, as I said, this is relatively unprecedented. In the recent “interview” with Keith Alexander, NSA issued non-denial denials about info sharing with Israel. But there have been few very specific denials like this one.

And why would there be? Should we now assume all the other facts that have come out, anywhere in the world, are true? That Clapper has gone out of his way to do so, it seems, suggests the IC doesn’t dispute any other facts, which is almost certainly not the case, but nevertheless a fair assumption given their attention to this discrete point.

The one exception to this general rule, though, suggests why Clapper may have used this bad translation to claim gotcha! It just so happens to pertain to the WSJ story on upstream Internet collection, Read more

Intelligence Committees: Not Informed about Torture, Not Informed about Drone Casualties, Not Informed about US Person Spying

Amnesty International and Human Rights Watch released reports on US drone killings today. For the moment, I’m going to outsource reading the reports to Sarah Knuckey’s excellent post.

Both reports (per Knuckey) point to individual drone strikes on civilians that may or probably violate international law.

Specific US strikes killed civilians in violation of the law and US policy.  These are the first major reports by each organization detailing field investigations into specific strikes.  HRW reviewed six strikes in Yemen (occurring between December 2009 and April 2013). HRW concluded that two of the strikes violated international law (pp. 54, 67), four may have (pp. 30, 39, 43, 60), and none of the six appeared to have complied with Obama’s May 2013 Presidential Policy Guidance (p. 89).  AI reviewed all 45 reported Pakistan strikes between January 2012-August 2013, and investigated nine in detail.  AI’s legal findings include that “evidence indicates” that an October 2012 strike unlawfully killed a grandmother and injured eight children (p. 23), and AI had “serious concerns” that a July 2012 strike that killed 18 and injured 22 (p. 24) may have been a war crime or extrajudicial execution (p. 27).  AI also investigated a number of strikes on apparent rescuers (those who came to the scene of a first strike to help the wounded), which it concluded may have been illegal (pp. 28-30).  Neither report seeks to assess the total number or rate of civilian casualties for all strikes.

[snip]

Investigations and accountability obligations. AI states that the US has legal obligations to investigate any cases where there are “reasonable grounds to indicate that unlawful killings have occurred,” and to prosecute, and remedy where appropriate (pp. 35-37).  HRW similarly states that the US has a duty to investigate violations of the laws of war, and that government secrecy effectively denies victims’ right to redress (p. 87).  Both reports also state the US should provide compensation or condolence payments for any civilian harm, but that neither organization is aware of the US having done this (AI, p. 39; HRW, p. 88).

This documentation of civilian casualties, of course, provides further evidence Dianne Feinstein and Mike Rogers’ claims about civilian casualties are false.

But we knew that.

Which means, in addition to the fact that we’re violating international law with some of our drone killings, we also are seeing a recurrent trend.

Even the CIA’s own lawyer agreed that CIA didn’t properly inform Congress, including the Intelligence Committees, about torture.

We’re learning that vast parts of the NSA’s spying — including spying that collects US person data — remains largely hidden from the Intelligence Committees.

And we have yet more proof they have been misinformed about drone killings.

Is there some dubiously legal program the Intelligence Community has fully informed Congress on?

False Prophet of Adequate Congressional Oversight Finds Congressional Ignorance Unnewsworthy

I was going to leave this post, in which Ben Wittes complains that WaPo published details of NSA’s collection of millions of contact lists, which he didn’t find at all newsworthy, well enough alone.

Here the public interest in disclosure seems, at least to me, remarkably weak, after all. At the policy level, the entire story amounts to nothing more than the proposition that NSA is under 12333 collecting large volumes of live-stream data, storing it, and protecting U.S. person material within that data only through minimization requirements. We knew all of that already.

So what does this story reveal that we didn’t already know? A specific collection method that people can now frustrate and a particular interest in collecting contact lists. In other words, here the Post does not seem to be balancing the costs of the disclosure against its benefit to the public interest. The costs, rather, are the benefit to the public interest. Put another way, I can’t quite shake the feeling that my old newspaper is now blowing secrets merely for the sake of doing so.

But his response to this post from Conor Freidersdorf convinced me to do a post. He’s written about 40 tweets in response, asserting things like, “there is no good argument that this sort of activity is illegal under current law.” In all that tweeting, he did not, however, respond to what I thought was a pretty decent argument this sort of activity might be illegal under current law.

Two years ago, then FISA Court Judge John Bates considered the legality of content collected off US switches. He found the practice, as had been conducted for over 3 years, violated both Section 702 of FISA Amendments Act and the Fourth Amendment because it intentionally collected US person data (NSA’s apologists usually obscure this last point, but Bates’ opinion was quite clear that this was intentional collection). To make the collection “reasonable” under a special needs exception, he required NSA to follow more stringent minimization procedures than already required under Section 702, effectively labeling some of the data and prohibiting the NSA from using US person data except in limited circumstances.

That collection differs from the contact list collection revealed by the WaPo in several ways:

The contact lists are collected overseas

WaPo’s sources are quite clear: this collection would be illegal in the US. They get around that restriction by collecting the data overseas.

The NSA has not been authorized by Congress or the special intelligence court that oversees foreign surveillance to collect contact lists in bulk, and senior intelligence officials said it would be illegal to do so from facilities in the United States. The agency avoids the restrictions in the Foreign Intelligence Surveillance Act by intercepting contact lists from access points “all over the world,” one official said, speaking on the condition of anonymity to discuss the classified program. “None of those are on U.S. territory.”

It’s not clear whether the contact list counts as metadata or content

The collection reviewed by Bates was clearly content: Internet messages collected because a selector appeared in the body of the message. With the contact lists, I could see the government claiming it was just metadata, and therefore (incorrectly, in my opinion but not in current law) subject to a much lower standard of protection. Except (as noted) WaPo’s sources admit this would be illegal if collected in the US, probably because NSA is collecting content as well.

Each day, the presentation said, the NSA collects contacts from an estimated 500,000 buddy lists on live-chat services as well as from the inbox displays of Web-based e-mail accounts.

[snip]

Contact lists stored online provide the NSA with far richer sources of data than call records alone. Address books commonly include not only names and e-mail addresses, but also telephone numbers, street addresses, and business and family information. Inbox listings of e-mail accounts stored in the “cloud” sometimes contain content, such as the first few lines of a message.

This data is subjected to a much lower standard of minimization than that imposed by Bates

In his flurry of tweets, Ben keeps repeating that the US person contact lists collected under this program are protected by minimization, so it’s all good. But minimization for Executive Order 12333 collection is not as rigorous as minimization under Section 702, and certainly doesn’t include the special handling that Bates required to make the Section 702 upstream collection compliant with the Fourth Amendment. So even for those who believe minimization on bulk collection gets you to compliance with the Fourth Amendment, it’s unclear whether the minimization provided for this collection does, and given Bates’ ruling, there’s reason to believe it does not.

Neither Congress nor the FISA Court oversee this collection closely

This is the part of the WaPo story that a guy like Ben who wails NAKED! every time someone questions whether there’s adequate oversight ought to have noted. A single source claimed this program includes checks and balances. But as WaPo lays out, these aren’t checks and balances like those protecting other US person collections.

A senior U.S. intelligence official said the privacy of Americans is protected, despite mass collection, because “we have checks and balances built into our tools.”

NSA analysts, he said, may not search within the contacts database or distribute information from it unless they can “make the case that something in there is a valid foreign intelligence target in and of itself.”

In this program, the NSA is obliged to make that case only to itself or others in the executive branch. With few exceptions, intelligence operations overseas fall solely within the president’s legal purview. The Foreign Intelligence Surveillance Act, enacted in 1978, imposes restrictions only on electronic surveillance that targets Americans or takes place on U.S. territory.

[snip]

Sen. Dianne Feinstein, the California Democrat who chairs the Senate Intelligence Committee, said in August that the committee has less information about, and conducts less oversight of, intelligence gathering that relies solely on presidential authority. Read more

James Clapper Proves Inadequate Oversight by Refusing to Answer EO 12333 Questions

The headlines from today’s Senate Judiciary Committee hearing on NSA will no doubt be that Pat Leahy forced Keith Alexander to admit they’ve been lying about whether the 54 “plots” they “thwarted” were really “plots” or “thwarted” in the first place. Perhaps just two were.

More astute reporters might note that, in response to questions about the NYT’s report on the dossiers created in the course of foreign intelligence collection analysis, Keith Alexander offered several equivocations first claiming NYT got things wrong, then realizing that was a too broad claim. More interesting, he ultimately admitted that the NSA conducts some of this under Executive Order 12333 — the collection David Kris outlined in his paper.

There was even some follow-up on the NSA’s use of EO 12333, with James Clapper and Alexander claiming Congress had some oversight of that collection (in spite of Dianne Feinstein’s admission that they don’t get news of EO 12333 violations even when they involve Americans).

But the most telling exchange occurred between Amy Klobuchar, Keith Alexander, and James Clapper. (after 1:25) Klobuchar asked why they hadn’t told the Committee of the violations reported in an internal NSA review when they last appeared before the committee. After Alexander tried to filibuster (actually addressing the report in question and noting only ODNI and DOJ get those numbers, not FISC or Congress), Clapper interrupted and pretended she had asked about the LOVEINT incidents just reported to Charles Grassley. Clapper claimed those hadn’t been reported because they were 12333 violations.

Clapper: I think the answer to the question, Senator, was that the subject of the hearing was 215 and 702, and these 12 violations over 10 occurred under the foreign collection under the auspices of Executive Order 12333. [Sits back]

Klobuchar: I thought we were broadly asking questions and it would have been nice to have heard about it there but it’s behind us now.

But Clapper is absolutely incorrect. The review Klobuchar asked about reported 195 FISA violations. Of those, 20% were due diligence violations — of an analyst not following Standard Operating Procedures she has been trained on. 31% are what amount to insufficient intelligence (these are called “resource violations”), resulting in searches on targets who shouldn’t be targeted. A number of the incidents included not detasking someone quickly enough.

In other words, while this may (or may not) be minor, they are real violations of FISA authorities, the stuff that Congress and the Courts are supposed to oversee. And Clapper just blew off the question by saying they don’t have to disclose any violations pertaining to EO 12333 (even though a chunk of these violations weren’t EO 12333 violations).

Which of course demonstrates a further point. The Intelligence Community is basically refusing to discuss any EO 12333 violations and/or programs, even while it also picks up US person information at least incidentally.

And yet they claimed there was adequate oversight over those programs.

David Kris Outlines the Internet Dragnet Elephant

Way back on page 64 (of 67) of former Assistant Attorney General for National Security David Kris’ paper “On the Bulk Collection of Tangible Things,” he invokes the elephant metaphor the President used to promise more NSA disclosures on multiple programs.

What I’m going to be pushing the IC to do is rather than have a trunk come out here and leg come out there and a tail come out there, let’s just put the whole elephant out there so people know exactly what they’re looking at.

In keeping with the President’s direction, the Intelligence Community has released many new details about the bulk telephony metadata collection program, as described above. In addition, as also noted above, the FISC itself has released significant new information. The key remaining question is whether there will be additional, authorized releases concerning intelligence activity that has not been subject to prior, unauthorized releases. [my emphasis]

Kris uses the President’s elephant to ask whether they really will disclose their intelligence programs. He mentions just the phone dragnet (even though the Administration, in response to two FOIAs, also released information about their Section 702 upstream collection programs), even as he suggests the Administration might do well to admit to other programs before they are exposed by an Edward Snowden leak.

Which is interesting, because Kris’ paper — in spite of his title and in spite of that reference to the phone dragnet — is really about what the government has declassified (the phone dragnet) as well as what the government has left partly hidden (the Internet dragnet and broader phone dragnet).

Kris discusses the PATRIOT-authorized Internet dragnet along with the phone dragnet

Kris, after all, provides the following facts about the PATRIOT-authorized Internet dragnet, citing the named sources:

  • Internet and telephony metadata was collected starting in 2001, until the 2004 hospital disagreement led to the former being moved to Pen Register/Trap & Trace authority in 2004, which was the first bulk order (“purported” NSA IG Report)
  • One company — which the “purported” IG report makes clear was an Internet one and is probably Yahoo — did not participate in the illegal wiretap program (“purported” NSA IG Report)
  • The Internet metadata collection ended in 2011 (an ODNI spokesperson in a Charlie Savage story)

Kris also points to four different Administration acknowledgements of the Internet metadata program. He refers to the 2009 and 2011 notice letters to Congress (though he focuses on the phone dragnet language in them), and the James Clapper response to Wyden and 25 other Senators. Perhaps most interestingly, Kris notes that government witness(es) have confirmed the program and the use of PR/TT to authorize it…

At a July 17, 2013 hearing of the House Judiciary Committee, government witnesses confirmed the pen-trap bulk collection.

But unlike just about every other comment in a hearing cited in his paper, Kris doesn’t quote the exchange, which went like this.

SUZAN DELBENE: The public also now knows that the telephone metadata collection is under Section 215, the Business Records provision of FISA, and that allows for the collection of tangible things. But we’ve also seen reports of a now-defunct program collecting email metadata. With regard to the email metadata program that is no longer being operated, can you confirm that the authority used to collect that data was also Section 215?

GEN. COLE: It was not. It was the Pen Register Trap and Trace Authority under FISA, which is slightly different, but it amounts to the same kind of thing. It does not involve any content. It is, again, only to and from. It doesn’t involve, I believe, information about identity. It’s just email addresses. So it’s very similar, but not under the same provision.

REP. DELBENE: And could you have used Section 215 to collect that information?

GEN. COLE: It’s hard to tell. I’d have to take a look at that.

The transcript from this hearing is up at the I Con the Record site, so it’s unclear why Kris didn’t quote it.  Read more

Has Federal Use of Drones Violated EO 12333?

The Privacy and Civil Liberties Oversight Board just sent a letter to Eric Holder and James Clapper requesting that they have all the Intelligence Committee agencies update what are minimization procedures (though the letter doesn’t call them that), “to take into account new developments including technological developments.”

As you know, Executive Order 12333 establishes the overall framework for the conduct of intelligence activities by U.S. intelligence agencies. Under section 2.3 of the Executive Order, intelligence agencies can only collect, retain, and disseminate information about U.S. persons if the information fits within one of the enumerated categories under the Order and if it is permitted under that agency’s implementing guidelines approved by the Attorney General after consultation with the Director of National Intelligence.

The Privacy and Civil Liberties Oversight Board has learned that key procedures that form the guidelines to protect “information concerning United States person” have not comprehensively been updated, in some cases in almost three decades, despite dramatic changes in information use and technology.

The whole letter reads like the public record of a far more extensive and explicit classified discussion. Which makes me wonder what PCLOB found, in particular.

There are many technological issues that might be at issue — especially location data, but also generally Internet uses. Then there’s the advance in database technology, making the sharing of information much more invasive because of the way it can be used. But I wonder if this letter isn’t a demand that members of the intelligence community correct their use of drones.

The letter seems to point to something in EO 12333 Section 2.3 as its concern. Among the other potential enumerated categories of interest is this one:

Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order. Those procedures shall permit collection, retention and dissemination of the following types of information:

[snip]

(h) Information acquired by overhead reconnaissance not directed at specific United States persons; [my emphasis]

We recently learned that the FBI has used drones in the following situations:

UAVs have been used for surveillance to support missions related to kidnappings, search and rescue operations, drug interdictions, and fugitive investigations. Since late 2006, the FBI has conducted surveillance using UAVs in eight criminal cases and two national security cases.  For example, earlier this year in Alabama, the FBI used UAV surveillance to support the successful rescue of the 5-year-old child who was being held hostage in an underground bunker by Jimmy Lee Dykes.

[snip]

The FBI does not use UAVs to conduct “bulk” surveillance or to conduct general surveillance not related to an investigation or an assessment.

It goes on to cite the Domestic Investigations and Operations Guide as its internal authority for the use of drones.

And while FBI’s use of drones to catch a kidnapper may not fall under the FBI’s intelligence mandate (and therefore may not violate EO 12333, which is about intelligence collection), it seems the two national security uses would.

If the subject of those national security investigations was a US person, it would seem to be a violation of EO 12333.

Note, too, that drones are listed among PCLOB’s focus items (see page 13).

That’s just a guess. I would also imagine that minimization procedures need updated given the more prevalent use of databases (NCTC’s access of government databases is another of PCLOB’s focuses). I would imagine that some intelligence community members (including both the NCTC and DHS) are in violation of the mandate that the FBI collect foreign intelligence within the US. And PCLOB also cites GPC use as another of its foci, which is one of the technologies that has developed in the last 30 years.

But given the timing of it all, I wonder if this is a push to get the FBI to stop using drones for intelligence collection.