Posts

DOJ: We Can’t Tell Which Secret Application of Section 215 Prevents Us From Telling You How You’re Surveilled

As Mike Scarcella reported yesterday, the government has moved for summary judgment in an Electronic Privacy Information Center FOIA suit for details on the government’s investigation into WikiLeaks. EPIC first FOIAed these materials in June 2011. After receiving nothing, they sued last January.

The government’s motion and associated declarations would be worth close analysis in any case. All the more so, though, in light of the possibility that the government conducted a fishing expedition into WikiLeaks as part of its Aaron Swartz investigation, almost certainly using PATRIOT Act investigative techniques. The government’s documents strongly suggest they’re collecting intelligence on Americans, all justified and hidden by their never-ending quest to find some excuse to throw Julian Assange in jail.

EPIC’s FOIA asked for information designed to expose whether innocent readers and supporters of WikiLeaks had been swept up in the investigation. It asked for:

  1. All records regarding any individuals targeted for surveillance for support for or interest in WikiLeaks;
  2. All records regarding lists of names of individuals who have demonstrated support for or interest in WikiLeaks;
  3. All records of any agency communications with Internet and social media companies including, but not limited to Facebook and Google, regarding lists of individuals who have demonstrated, through advocacy or other means, support for or interest in WikiLeaks; and
  4. All records of any agency communications with financial services companies including, but not limited to Visa, MasterCard, and PayPal, regarding lists of individuals who have demonstrated, through monetary donations or other means, support or interest in WikiLeaks. [my emphasis]

At a general level, the government has exempted what files it has under a 7(A) (ongoing investigation) exemption, while also invoking 1 (classified information), 3 (protected by statute), 5 (privileged document), 6 (privacy), 7(C) (investigative privacy), 7(D) (confidential source, which can include private companies like Visa and Google), 7(E) (investigative techniques), and 7(F) (endanger life or property of someone) exemptions.

No one will say what secret law they’re using to surveil Americans

But I’m most interested in how all three units at DOJ — as reflected in declarations from FBI’s David Hardy, National Security Division’s Mark Bradley, and Criminal Division’s John Cunningham — claimed the files at issue were protected by statute.

None named the statute in question. All three included some version of this statement, explaining they could only name the statute in their classified declarations.

The FBI has determined that an Exemption 3 statute applies and protects responsive information from the pending investigative files from disclosure. However, to disclose which statute or further discuss its application publicly would undermine interests protected by Exemption 7(A), as well as by the withholding statute. I have further discussed this exemption in my in camera, ex parte declaration, which is being submitted to the Court simultaneously with this declaration.

In fact, it appears the only reason that Cunningham submitted a sealed declaration was to explain his Exemption 3 invocation.

And then, as if DOJ didn’t trust the Court to keep sealed declarations secret, it added this plaintive request in the motion itself.

Defendants respectfully request that the Court not identify the Exemption 3 statute(s) at issue, or reveal any of the other information provided in Defendants’ ex parte and in camera submissions.

DOJ refuses to reveal precisely what EPIC seems to be seeking: what kind of secret laws it is using to investigate innocent supporters of WikiLeaks.

By investigating a publisher as a spy, DOJ gets access to PATRIOT Act powers, including Section 215

There’s a very, very large chance that the statute in question is Section 215 of the PATRIOT Act (or some other national security administrative subpoena). After all, the FOIA asked whether DOJ had collected business records on WikiLeaks supporters, so it is not unreasonable to assume that DOJ used the business records provision to do so.

Moreover, the submissions make it very clear that the investigation would have the national security nexus to do so. While the motion itself just cites a Hillary Clinton comment to justify its invocation of national security, both the FBI and the NSD declarations make it clear this is being conducted as an Espionage investigation by DOJ counterintelligence people, which — as I’ve been repeating for over two years — gets you the full PATRIOT Act toolbox of investigative approaches.

Media outlets take note: The government is, in fact, investigating a publisher as a spy. You could be next.


TSA’s Legal Justification for Gate Grope

The Electronic Privacy Information Center has been suing the Department of Homeland Security because it refused to engage in the public rule-making process before it adopted RapeAScan machines as part of the primary screening at airports. DHS responded to EPIC’s suit the other day. While I think their response will be largely successful as written, they’re playing games with the timing of EPIC’s suit so as to avoid doing any discussion or even administrative privacy assessment of giving passengers a choice between being photographed nude or having their genitalia fondled.

The key to this is that EPIC first requested review of whether DHS should have engaged in rule-making on May 28, 2010, before TSA changed pat-down procedures. It then submitted its brief on November 1, 2010, after the enhanced pat-downs were being rolled out. But the issue still focuses on the machines and not the machines in tandem with the invasive pat-downs. So a central part of DHS’ argument is that passengers are given an alternative to the RapeAScan machines: pat-downs. But its filing never deals with the possibility that pat-downs are more invasive than even the RapeAScan machines.

TSA communicates and provides a meaningful alternative to AIT screening. TSA posts signs at security checkpoints clearly stating that AIT screening is optional, and TSA includes the same information on its website. AR 071.003. Those travelers who opt out of AIT screening must undergo an equal level of screening, consisting of a physical pat-down to check for metallic and nonmetallic weapons or devices. Ibid.

A physical pat-down is currently the only effective alternative method for screening individuals for both metallic and nonmetallic objects that might be concealed under layers of clothing. The physical pat-down given to passengers who opt out of AIT screening is the same as the pat-down given to passengers who trigger an alarm on a walk-through metal detector or register an anomaly during AIT screening. Passengers may request that physical pat-downs be conducted by same gender officers. AR 132.001. Additionally, all passengers have the right to request a private screening. Ibid. More than 98% of passengers selected for AIT screening proceed with it rather than opting out. AR 071.003.

And by focusing on this alternative with no real discussion of what it currently entails, DHS dodges the question of whether the two screening techniques together–RapeAScans and enhanced pat-downs–violate passengers’ privacy. Note, for example, how the filing boasts of two Privacy Impact Assessments TSA’s privacy officer did (plus an update just as EPIC was last complaining about this technology).

Pursuant to 6 U.S.C. § 142, DHS conducted Privacy Impact Assessments (“PIAs”) dated January 2, 2008, and October 17, 2008, to ensure that the use of AIT does not erode privacy protections. AR 011.001-.009, 025.001-.010. The second PIA was updated on July 23, 2009 and lays out several privacy safeguards tied to TSA’s use of AIT. AR 043.001-010.

Now, as a threshold matter, there’s something odd about DHS citing 6 U.S.C. § 142 here. Its requirement for PIAs reads:

The Secretary shall appoint a senior official in the Department to assume primary responsibility for privacy policy, including – (1) assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information; (2) assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as set out in the Privacy Act of 1974 [5 U.S.C. 552a]; (3) evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government; (4) conducting a privacy impact assessment of proposed rules of the Department or that of the Department on the privacy of personal information, including the type of personal information collected and the number of people affected; and (5) preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974 [5 U.S.C. 552a], internal controls, and other matters. [my emphasis]

See how it says the department has to do PIAs “of proposed rules”? That suggests the Privacy Officer treated the plan to use RapeAScans as a rule and did a PIA accordingly. But this entire filing–which explains why DHS refused to accede to EPIC’s request to conduct public rule-making on the use of RapeAScans–argues that the implementation of the machines did not constitute a rule. But they did a PIA as if it was a rule!

But there’s another thing this filing doesn’t say about PIAs: that Congress demanded TSA publish a PIA on the enhanced pat-downs.

In the absence of an Executive branch level Privacy and Civil Liberties Oversight Board that would evaluate decisions such as this, it was crucial that the Department of Homeland Security’s Privacy Officer and Office for Civil Rights and Civil Liberties thoroughly evaluate and publish written assessments on how this decision affects the privacy and civil rights of the traveling public. To date, the Department has not published either a Privacy Impact Assessment (PIA) nor a Civil Liberties Impact Assessment (CLIA) on the enhanced pat down procedures. Without a published PIA or CLIA, we cannot ascertain the extent to which TSA has considered how these procedures should be implemented with respect to certain populations such as children, people with disabilities, and the elderly. By not issuing these assessments, the traveling public has no assurance that these procedures have been thoroughly evaluated for constitutionality.

So while DHS boasts that it did PIAs on the RapeAScans before it rolled them out, it still does not appear to have done a PIA on the groping that serves as DHS’ much touted alternative to RapeAScans, much less a PIA on the two techniques offered together.

Now, DHS is using procedural complaints to object to EPIC’s inclusion of Nadhira Al-Khalili on the complaint, a lawyer with ties to the Muslim community. But their response to EPIC’s freedom of religion complaint seems to suggest they recognize they are vulnerable: suggesting that if a Muslim (or anyone else with documented reason to be opposed to having nude pictures taken and/or their genitalia groped by strangers) were to sue, the procedures would not hold up.

But for now, DHS is treating the RapeAScans separately from the groping so as to be able to argue that in conjunction with the “choice” of being groped, the RapeAScans present no big privacy problem.

What Did BushCo Hide By Not Revealing Surveillance Activities?

Via Threat Level, I see that EPIC has written a letter to Pat Leahy complaining about the Bush Administration’s failure to comply with requirements that it release details on the number of "pen register" and "trap and trace" orders.

As a reminder, "pen registers" are when the government collects the metadata from your telecom contacts–the phone numbers you call and the length of calls, as well as whom you email–to figure out who you’re talking to. And "trap and trace" orders are when the government figures out who is calling (or emailing) you. In addition, the EPIC letter explains that law enforcement has recently been using "hybrid" orders to pinpoint cell phone (and therefore, your) location.

Law enforcement agents use "hybrid" orders for cellular location information. Hybrid orders seek to determine a suspect’s past and future location based on non-content data transmitted by the suspect’s cellular phone. The government has engaged in this type of surveillance by invoking a combination of authorities under the Pen Register Act and the Stored Communications Act.

For pen registers and trap and trace, the government doesn’t have to get a warrant (the hybrid stuff is still up in the air). Instead, since 1986, DOJ has been required to report how much of this stuff is going on.

But, as EPIC explains, DOJ didn’t release the report publicly for the years 1999 through 2003, and only gave incomplete information to Congress at all in November 2004. And DOJ appears not to have released reports at all since 2004.

You probably see where I’m going with this. 

We know, of course, that Bush’s illegal wiretap program involved some kind of data mining aspect. It appears that they were doing pattern analysis based on things like length and recipient of call–precisely the kind of thing you get from pen registers–to determine whom to further wiretap.

Yet we have only incomplete information from the first three years of Bush’s illegal wiretap program. EPIC explains that DOJ did not include the suspected offenses that law enforcement officers were trying to investigate, nor did it list which officers were doing the investigations.

And then we have nothing–no data–for the years after Jim Comey and Jack Goldsmith supposedly put the illegal wiretap program back on legal footing (and remember–the data mining aspect of the program was reportedly one of the things that Comey et al. went crazy over).
