Posts

FISA Warranted Targets and the Phone Dragnet

/3 Comments/in , /by

The identifiers (such as phone numbers) of people or facilities for which a FISA judge has approved a warrant can be used as identifiers in the phone dragnet without further review by NSA.

From a legal standpoint, this makes a lot of sense. The standard to be a phone dragnet identifier is just Reasonable Articulable Suspicion of some tie to terrorism — basically a digital stop-and-frisk. The standard for a warrant is probable cause that the target is an agent of a foreign government — and in the terrorism context, that US persons are preparing for terrorism. So of course RAS already exists for FISC targets.

So starting with the second order and continuing since, FISC’s primary orders include language approving the use of such targets as identifiers (see ¶E starting on page 8-9).

But there are several interesting details that come out of that.

Finding the Americans talking with people tapped under traditional FISA

First, consider what it says about FISC taps. The NSA is already getting all the content from that targeted phone number (along with any metadata that comes with that collection). But NSA may, in addition, find cause to run dragnet queries on the same number.

In its End-to-End report submission to Reggie Walton to justify the phone dragnet, NSA claimed it needed to do so to identify all parties in a conversation.

Collections pursuant to Title I of FISA, for example, do not provide NSA with information sufficient to perform multi-tiered contact chaining [redacted]Id. at 8. NSA’s signals intelligence (SIGINT) collection, because it focuses strictly on the foreign end of communications, provides only limited information to identify possible terrorist connections emanating from within the United States. Id. For telephone calls, signaling information includes the number being called (which is necessary to complete the call) and often does not include the number from which the call is made. Id. at 8-9. Calls originating inside the United States and collected overseas, therefore, often do not identify the caller’s telephone number. Id. Without this information, NSA analysts cannot identify U.S. telephone numbers or, more generally, even determine that calls originated inside the United States.

This is the same historically suspect Khalid al-Midhar claim, one they repeat later in the passage.

The language at the end of that passage emphasizing the importance of determining which calls come from the US alludes to the indexing function NSA Signals Intelligence Division Director Theresa Shea discussed before — a quick way for the NSA to decide which conversations to read (and especially, if the conversations are not in English, translate).

Section 215 bulk telephony metadata complements other counterterrorist-related collection sources by serving as a significant enabler for NSA intelligence analysis. It assists the NSA in applying limited linguistic resources available to the counterterrorism mission against links that have the highest probability of connection to terrorist targets. Put another way, while Section 215 does not contain content, analysis of the Section 215 metadata can help the NSA prioritize for content analysis communications of non-U.S. persons which it acquires under other authorities. Such persons are of heightened interest if they are in a communication network with persons located in the U.S. Thus, Section 215 metadata can provide the means for steering and applying content analysis so that the U.S. Government gains the best possible understanding of terrorist target actions and intentions. [my emphasis]

Though, as I have noted before, contrary to what Shea says, this by definition serves to access content of both non-US and US persons: NSA is admitting that the selection criteria prioritizes calls from the US. And in the case of a FISC warrant it could easily be entirely US person content.

In other words, the use of the dragnet in conjunction with content warrants makes it more likely that US person content will be read.

Excluding bulk targets

Now, my analysis about the legal logic of all this starts to break down once the FISC approves bulk orders. In those programs — Protect America Act and FISA Amendments Act — analysts choose targets with no judicial oversight and the standard (because targets are assumed to be foreign) doesn’t require probable cause. But the FISC recognized this. Starting with BR 07-16, the first order approved (on October 18, 2007) after the PAA  until the extant PAA orders expired, the primary orders included language excluding PAA targets. Starting with 08-08, the first order approved (on October 18, 2007) after FAA until the present, the primary orders included language excluding FAA targets.

Of course, this raises a rather important question about what happened between the enactment of PAA on August 5, 2007 and the new order on October 18, 2007, or what happened between enactment of FAA on July 10, 2008 and the new order on August 19, 2008. Read more

The 3 Hop Scotch of Civil Liberties and Privacy

/33 Comments/in , , , , , , , /by

I was in court, so I didn’t see it, but apparently there was a little hearing over at House Judiciary Committee this morning on “Oversight of the Administration’s Use of FISA Authorities“. There was an august roll of Administration authorities and private experts: Mr. James Cole, United States Department of Justice; Mr. John C. Inglis, National Security Agency; Mr. Robert S. Litt, ODNI; Ms. Stephanie Douglas, FBI National Security Branch; Mr. Stewart Baker; Mr. Steven G. Bradbury; Mr. Jameel Jaffer; and Ms. Kate Martin.

Hmmm, let’s take a look and see if anything interesting occurred (as reported by Pete Yost of AP). Uh, well, there was THIS:

For the first time, NSA deputy director John C. Inglis disclosed Wednesday that the agency sometimes conducts what’s known as three-hop analysis. That means the government can look at the phone data of a suspect terrorist, plus the data of all of his contacts, then all of those people’s contacts, and finally, all of those people’s contacts.

If the average person calls 40 unique people, three-hop analysis could allow the government to mine the records of 2.5 million Americans when investigating one suspected terrorist.
….
The government says it stores everybody’s phone records for five years. Cole explained that because the phone companies don’t keep records that long, the NSA had to build its own database.

Go read all of Yost’s report, there is quite a bit in there that is stunning in the blithe attitude the Administration takes on this hoovering of data and personal information. Also clear: Congress has no real grasp or control of the government’s actions. The Article I brakes are out and the Article II car is accelerating and careening down the road.

Yahoo, the Law-Abiding Free Email Provider

/34 Comments/in , /by

[NSA presentation, PRISM collection dates, via Washington Post]The FISA Court has officially agreed to declassify that Yahoo was the company that challenged a Protect Amendment Act order in 2007.

Once this PRISM slide was published, it was always pretty likely that Yahoo — or maybe Google — was the company in question. Yahoo started complying around the time the FISC decision was reached; Google joined in after the FISCR decision was unsealed.

Which leaves … Microsoft, which started cooperating before the law and then the FISA Court forced it to (though collection may not have begun until after PAA passed and, as Rayne has pointed out, Microsoft’s code was being exploited by the government for entirely different purposes in precisely that timeframe).

Now might be a good time to review what happened with the 7 companies the government asked to participate in an illegal wiretap program based solely on the President’s say-so. Per the 2009 NSA Draft IG Report, the companies are:

  • Telecoms A, B, and C (probably AT&T, Verizon, and — definitely– MCI, respectively, since they were the 3 telecoms working onsite at FBI’s direct access office under another program). These companies were approached by people from NSA’s Special Source Operations unit as soon as the program was approved, and they agreed to participate “voluntarily.” In 2003, MCI got cold feet and demanded a letter from John Ashcroft stating that the request was lawful, in which he “directed” them to comply with NSA’s requests.
  • Telecom E (Qwest). It was approached by SSO personnel in 2002, purportedly for collections related to the Olympics. After some discussion, Qwest’s General Counsel decided to not support the operation.
  • Internet Provider D (probably Microsoft). This company was approached by “NSA legal and operational personnel” (not SSO) in September 2002. In response, this company provided “minimal” support, spanning roughly from October 9, 2002 through just after September 11, 2003. No person at this company was ever cleared to store letters from the NSA.
  • Internet Provider F (probably Yahoo). This company was approached in October 2002 by NSA legal and operational personnel. In response to NSA’s request, Internet Provider F asked for a letter from Attorney General Ashcroft certifying the legality of the program. While in December 2002, NSA’s Commercial Technologies Group through Internet Provider F was participating, NSA’s GC says they did not because of corporate liability concerns.
  • Private Sector Company G. This company was approached in April 2003 by NSA legal and operational personnel. This company’s GC said he or she wanted to consult outside counsel. NSA chose to drop the request. I have no idea what company this would be (CISCO?); any thoughts?

Here’s what these companies provided:

Screen shot 2013-06-29 at 3.33.46 PM

This table tells us a great deal about the program–and also the legal problems behind it.

Internet provider D — the one of two that cooperated — only did so for 7 months in 2003, and only provided Internet content (probably primarily Hotmail emails), not metadata.

Which left the government to get the other Internet data off of AT&T and Verizon’s switches (we know C is MCI because February 2005 is when Verizon bought it, which explains why it started handing over Internet content and metadata then). As the IG Report explains,

A, B, and C provided access to the content of Al Qaeda and Al Qaeda-affiliate email from communication links they owned and operated.

[snip]

The last category of private sector assistance was access to Internet Protocol (IP) metadata associated with communications of al Qaeda (and affiliates) from data links owned or operated by COMPANIES A, B, and C.

In other words, Microsoft and Yahoo, the biggest free email providers, were not crazy about providing content (though one, probably Microsoft, did for a period). And they were completely unwilling to provide IP metadata.

So the government just went to AT&T and Verizon’s switches and took it there.

Read more

FISA Amendments Act Minimization: Preventing Serious Harm to Corporate Persons

/8 Comments/in , , /by

As I was working through some other things last night, I had an opportunity to compare the minimization standards for the FISA Amendments Act (see section h) with the standards under which the actual minimization procedures allow the retention of purely domestic communications (that is, between parties that are all within the United States). These procedures are in addition to procedures that affect foreign communications (with one of the participants a non-US person outside the US).

Last night, I suggested there were 3 “normal” standards and one that doesn’t appear in the law pertaining to cybersecurity and encrypted communications. But that’s not entirely right. The last standard in the actual law reads,

(4) notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance approved pursuant to section 1802 (a) of this title, procedures that require that no contents of any communication to which a United States person is a party shall be disclosed, disseminated, or used for any purpose or retained for longer than 72 hours unless a court order under section 1805 of this title is obtained or unless the Attorney General determines that the information indicates a threat of death or serious bodily harm to any person.

That is, the actual law allows retention of information for up to 72 hours (presumably to process, which is moot anyway, since they’re actually keeping this data 5 years), unless the court or the Attorney General says it must be kept longer because it pertains to threat of death of serious bodily harm.

But in the minimization standards themselves, here’s how that reads.

A communication identified as a domestic communication will be promptly destroyed upon recognition unless the Director (or Acting Director) of NSA specifically determines, in writing, that:

the communication contains information pertaining to a threat of serious harm to life or property. [my emphasis]

In plain language, the law seems to be about saving human lives. But in paragraphs marked Secret, the government has redefined threat of death or “serious bodily harm to any person” as “serious harm to life or property.”

And while it’s just a guess here, I’m guessing that they switched this language, protecting property, not people, to protect corporate people.

In any case, spying on entirely domestic communications to protect against threats entirely to property, not life, sure seems like a giant loophole in a program that is supposed to be focused exclusively on foreign intelligence.

Why Would You Segregate the FISA Orders, But Not the Directives?

/17 Comments/in , /by

The FBI, according to Eli Lake, thinks someone besides Edward Snowden may be responsible for leaking the Section 215 order to Verizon ordering them to turn over the metadata on all their American customers’ calls. They claim to think so because digital copies of such orders exist in only two places: computers at the FISA Court and FBI’s National Security Division that are segregated from the Internet. (Note: where Lake says “warrant” in this passage, he means “order.”)

Those who receive the warrant—the first of its kind to be publicly disclosed—are not allowed “to disclose to any other person” except to carry out its terms or receive legal advice about it, and any person seeing it for those reasons is also legally bound not to disclose the order. The officials say phone companies like Verizon are not allowed to store a digital copy of the warrant, and that the documents are not accessible on most NSA internal classified computer networks or on the Joint Worldwide Intelligence Communications System, the top-secret internet used by the U.S. intelligence community.

The warrants reside on two computer systems affiliated with the Foreign Intelligence Surveillance Court and the National Security Division of the Department of Justice. Both systems are physically separated from other government-wide computer networks and employ sophisticated encryption technology, the officials said. Even lawmakers and staff lawyers on the House and Senate intelligence committees can only view the warrants in the presence of Justice Department attorneys, and are prohibited from taking notes on the documents.

Now, when the order first leaked, I actually suspected the leaker might be in this general vicinity. If that’s right, then I also suspect the FBI is interested in finding this person because he or she would be reacting to the FBI’s own wrong-doing on another matter. Heck, the FBI could conduct a manhunt in this general vicinity just for fun to make sure their own wrong-doing doesn’t get exposed.

Such is the beauty of secret counterintelligence investigations.

That said, Lake’s reporting is an example of something I suggested in the first day of this leak: we’re going to learn more about how the NSA works from leaks about the investigation of it than from the leaks themselves.

And this story provides a lot of evidence that the government guards its generalized surveillance plans more jealously than it guards it particularized surveillance targets. (See this post for a description of the difference between orders and directives specifying targets.)

Consider what kinds of documents the FISA Court produces:

  • Standing Section 215 orders such as the Verizon one in question
  • Particularized Section 215 orders; an example might be an order for credit card companies and Big Box stores to turn over details on all purchases of pressure cookers in the country
  • FISA Amendments Act orders generally mapping out the FAA collection (we don’t know how detailed they are; they might describe collection programs at the “al Qaeda” and “Chinese hacker” level, or might be slightly more specific, but are necessarily pretty general)
  • Particularized FISA warrants, targeted at individual US persons (though most of this spying, Marc Ambinder and others have claimed, is conducted by the FBI under Title III)

Aside from those particularized warrants naming US persons, FISA Court doesn’t, however, produce (or even oversee) lists of the great bulk of people who are being spied on. Those are the directives NSA analysts draw up on their own, without court supervision. Those directives presumably have to be shared with the service providers in some form, though all the reporting on it suggests they don’t see much of it. But, Lake’s remainder that Google’s list of surveillance targets had been hacked by China to identify which of its agents in the US we had identified and were surveilling makes it clear they do get the list in some form.

In April, CIO.com quoted Microsoft’s Dave Aucsmith, the senior director of the company’s Institute for Advanced Technology in Governments, saying a 2009 hack of major U.S. Internet companies was a Chinese plot to learn the targets of email and electronic surveillance by the U.S. government. In May, the Washington Post reported Chinese hackers had accessed a Google database that gave it access to years’ worth of federal U.S. surveillance records of counter-intelligence targets.

But the prior hack makes obvious something that has been apparent since the Verizon order leaked: China doesn’t have much use for information that shows NSA is compiling a database of all calls made in the US. It does, however, have a great use for the list of its spies we’ve identified.

What this report seems to suggest, among other things (including that the Congressional committees don’t have enough scrutiny over these orders because they’re not allowed to keep their own copy of them), is that details on the particularized spying is more widely dispersed, in part because it has to be. Someone’s got to implement that particularized spying, after all, and that requires communication that traverses multiple servers.

But the generalized stuff — the stuff the FISA Court actually oversees — is locked up in a vault like the family jewels.

You might ask yourself why the government would go to greater lengths to lock up the generalized stuff — the stuff that makes it clear the government is spying on Americans — and not the particularized stuff that has far more value for our adversaries.

Update: After the hearing today, Keith Alexander said Snowden is the source of the order, and he got it during training at Fort Meade.

Alexander told reporters after a House Intelligence Committee hearing that the man who’s acknowledged being the source of the recent leaks, Booz Allen Hamilton information technology specialist Edward Snowden, had access to the Foreign Intelligence Surveillance Court order and related materials during an orientation at NSA.

“The FISA warrant was on a web server that he had access to as an analyst coming into the Threat Operations Center,” Alexander said. “It was in a special classified section that as he was getting his training he went to.”

Which suggests the leaking about someone in the FISA Court may, as I thought, be an effort to impugn people in the vicinity of the court the FBI would like to shut up.

James Clapper Throws a Concentrated Nugget of Orwellian Turd-Splat

/22 Comments/in , /by

Hooboy.

I was going to leave the whole CNET thing well enough alone after Jerry Nadler issued a statement retracting his sort-of suggestion that the NSA could wiretap Americans without a warrant (more on that below).

But I can’t remember seeing a more concentrated piece of Orwellian turd-splat than this statement addressing the issue from James Clapper.

The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization is incorrect and was not briefed to Congress. Members have been briefed on the implementation of Section 702, that it targets foreigners located overseas for a valid foreign intelligence purpose, and that it cannot be used to target Americans anywhere in the world.

The claim that NSA doesn’t wittingly “collect” data on millions of Americans was just an opening act for James Clapper, it seems. I know it won’t work this way for those who trust this program, but Clapper’s statement should raise more questions whether the thrust of what Nadler said, rather than four words taken out of context, are in fact true.

Let’s take this slowly.

I’ve put my transcription of the exchange between Jerry Nadler and Robert Mueller below for your reference. But one thing to keep in mind as you read Clapper’s turd-splat is that Nadler first described “getting the contents of the [American] phone” identified using the metadata database and, in repeating the question he had earlier asked a briefer who actually knows about how these programs are used, “getting specific information from that telephone.” It is true that in response to Mueller, he spoke of “listening to the phone,” the four words taken out of context, and his walk-back describes “listening to the content.” But the range of Nadler’s language suggests the distinct possibility the briefer discussed a different kind of collection, and Nadler never once explicitly described setting a dedicated wiretap on the phone of an American identified from conversations with suspected terrorists (which is what CNET blew it up as).

With that in mind, I offer you turd-splat:

The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization and was not briefed to Congress.

Clapper has set up a straw man that differs in at least three key ways from what Nadler asked about. First, he is addressing only eavesdropping, monitoring a phone in real time going forward, not accessing historic collections (though one thing these two programs in conjunction do is collapse historic and ongoing communications). I’m especially amused by this move, because it replicates a mistake that many have made when discussing these programs (especially the metadata one) as wiretapping. Clapper is only addressing the most inflammatory language Nadler used, not the language he used first and last in this exchange.

Then Clapper introduces the idea of domestic communications. This has no source in Nadler’s comment whatsoever, at least so long as you believe the only way NSA uses the metadata database is to see which Americans are talking to suspected foreign terrorist phone numbers. Given the government’s improbable claim they’re only making 300 queries a year, we may well be talking about domestic communications, but that’s not what Nadler addressed, which was about the American participant in a call with a suspected foreign terrorist phone number.

Nadler asked about an analyst deciding, on the basis of metadata analysis, that a US phone number looks suspicious, to “get the content” from that number. He implies that he has been told an analyst has that authority. Clapper addresses only whether an analyst without proper legal authorization can get US person content. That is, in response to Nadler’s question whether an analyst does have the legal authority to get content based on suspicion, Clapper says an analyst can’t get content without the proper legal authority. Nadler’s entire (implied) question was whether an analyst would have the legal authority to do so. Clapper doesn’t answer it.

So in other words, Clapper alters Nadler’s comment in three fundamental ways, changing its entire meaning, and then asserts Clapper’s now only tangentially related distortion of Nadler’s comment was not briefed to Congress.

No. Of course not. And Nadler hadn’t said it was, either.

And then Clapper describes what (he claims) members were briefed. Splat!

Members have been briefed on the implementation of Section 702, that it targets foreigners located overseas for a valid foreign intelligence purpose, and that it cannot be used to target Americans anywhere in the world.

Whoa! Do you see what Clapper did there? Nadler asked a question about how an analyst would move from metadata analysis — the Section 215 program — and then use it to access content, via whatever means. Nadler mentioned Section 215 specifically. Yet Clapper claims this is all about the implementation of Section 702. (Note, I find this interesting in part because Mueller suggests Nadler might be talking about another program entirely, which remains a possibility.)

I have pointed out on several times how desperate the Administration is to have you believe that Section 215 metadata collection and Section 702 content collection are unrelated, even if surrogates can’t keep them straight themselves. Clapper’s ploy is more of the same.

As is his emphasis that Section 702 targets foreigners located overseas for a valid foreign intelligence purpose. Now, just to make clear, the government has always held that any collection of information on what foreigners are doing is a valid foreign intelligence purpose. While Clapper doesn’t engage in suggesting this as directly as he and others have in past weeks, for Section 702 there is clearly no limitation of this authority to terrorism or counterintelligence or proliferation or hacking (the Administration and surrogates have suggested there is a terrorism limit for the Section 215 dragnet, but if there is, it comes from court-ordered minimization, not the law). But the real cherry here is the word “target,” which has become almost as stripped of common meaning as “collect” in this context.

In the 702 context, “target” refers to the node of communication at which collection is focused, not to all communications associated with that collection. So a directive to Verizon might ask for all communications that the original suspected terrorist phone number engages in (including its surfing and texting and pictures and email). But at a minimum that would include everyone the suspected terrorist communicates via his Verizon service, and there’s very good reason to believe it includes at least one and probably more degrees of separation out, if Verizon has it.

So when Clapper says 702 cannot be used to target Americans anywhere in the world, he means Americans cannot be the communication node on which collection is focused unless you have a FISA warrant (which is the practice Marc Ambinder, who is far more impressed with Clapper’s turd-splat than I am, addresses in this piece).

But what has never been answered — except perhaps in an off-hand comment in a debate defeating language that would actually prevent what everyone says is already prevented — is whether the government can, um, “collect” the content of Americans who communicate with those who are, um, “targeted.”

I’m not saying I have the answer to that question — though it is a concern that has been raised for years by the very same people who have been vindicated in their warnings about Section 215. But let’s be very clear what Clapper did here. He completely redefined Nadler’s comment, then divorced that redefined comment from the context of Section 215, and then threw the Orwellian term “target” at it to make it go away.

He could have denied Nadler’s more general assertions. That, he did not do.   Read more

Russ Feingold: Yahoo Didn’t Get the Info Needed to Challenge the Constitutionality of PRISM

/16 Comments/in , , /by

The NYT has a story that solves a question some of us have long been asking: Which company challenged a Protect America Act order in 2007, only to lose at the district and circuit level?

The answer: Yahoo.

The Yahoo ruling, from 2008, shows the company argued that the order violated its users’ Fourth Amendment rights against unreasonable searches and seizures. The court called that worry “overblown.”

But the NYT doesn’t explain something that Russ Feingold pointed out when the FISA Court of Review opinion was made public in 2009 (and therefore after implementation of FISA Amendments Act): the government didn’t (and still didn’t, under the PAA’s successor, the FISA Amendments Act, Feingold seems to suggests) give Yahoo some of the most important information it needed to challenge the constitutionality of the program.

The decision placed the burden of proof on the company to identify problems related to the implementation of the law, information to which the company did not have access. The court upheld the constitutionality of the PAA, as applied, without the benefit of an effective adversarial process. The court concluded that “[t]he record supports the government. Notwithstanding the parade of horribles trotted out by the petitioner, it has presented no evidence of any actual harm, any egregious risk of error, or any broad potential for abuse in the circumstances of the instant case.” However, the company did not have access to all relevant information, including problems related to the implementation of the PAA. Senator Feingold, who has repeatedly raised concerns about the implementation of the PAA and its successor, the FISA Amendments Act (“FAA”), in classified communications with the Director of National Intelligence and the Attorney General, has stated that the court’s analysis would have been fundamentally altered had the company had access to this information and been able to bring it before the court.

In the absence of specific complaints from the company, the court relied on the good faith of the government. As the court concluded, “[w]ithout something more than a purely speculative set of imaginings, we cannot infer that the purpose of the directives (and, thus, of the surveillance) is other than their stated purpose… The petitioner suggests that, by placing discretion entirely in the hands of the Executive Branch without prior judicial involvement, the procedures cede to that Branch overly broad power that invites abuse. But this is little more than a lament about the risk that government officials will not operate in good faith.” One example of the court’s deference to the government concerns minimization procedures, which require the government to limit the dissemination of information about Americans that it collects in the course of its surveillance. Because the company did not raise concerns about minimization, the court “s[aw] no reason to question the adequacy of the minimization protocol.” And yet, the existence of adequate minimization procedures, as applied in this case, was central to the court’s constitutional analysis. [bold original, underline mine]

This post — which again, applies to PAA, though seems to be valid for the way the government has conducted FAA — explains why.

The court’s ruling makes it clear that PAA (and by association, FAA) by itself is not Constitutional. By itself, a PAA or FAA order lacks both probable cause and particularity.

The programs get probable cause from Executive Order 12333 (the one that John Yoo has been known to change without notice), from an Attorney General assertion that he has probable cause that the target of his surveillance is associated with a foreign power.

And the programs get particularity (which is mandated from a prior decision from the court, possibly the 2002 one on information sharing) from a set of procedures (the descriptor was redacted in the unsealed opinion, but particularly given what Feingold said, it’s likely these are the minimization procedures both PAA and FAA required the government to attest to) that give it particularity. The court decision makes it clear the government only submitted those — even in this case, even to a secret court — ex parte.

The petitioner’s arguments about particularity and prior judicial review are defeated by the way in which the statute has been applied. When combined with the PAA’s other protections, the [redacted] procedures and the procedures incorporated through the Executive Order are constitutionally sufficient compensation for any encroachments.

The [redacted] procedures [redacted] are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. [redacted] Although the PAA itself does not mandate a showing of particularity, see 50 USC 1805b(b), this pre-surveillance procedure strikes us as analogous to and in conformity with the particularity showing contemplated by Sealed Case.

In other words, even the court ruling makes it clear that Yahoo saw only generalized descriptions of these procedures that were critical to its finding the order itself (but not the PAA in isolation from them) was constitutional.

Incidentally, while Feingold suggests the company (Yahoo) had to rely on the government’s good faith, to a significant extent, so does the court. During both the PAA and FAA battles, the government successfully fought efforts to give the FISA Court authority to review the implementation of minimization procedures.

The NYT story suggests that the ruling which found the program violated the Fourth Amendment pertained to FAA.

Last year, the FISA court said the minimization rules were unconstitutional, and on Wednesday, ruled that it had no objection to sharing that opinion publicly. It is now up to a federal court.

I’m not positive that applies to FAA, as distinct from the 215 dragnet or the two working in tandem.

But other reporting on PRISM has made one thing clear: the providers are still operating in the dark. The WaPo reported from an Inspector General’s report (I wonder whether this is the one that was held up until after FAA renewal last year?) that they don’t even have visibility into individual queries, much less what happens to the data once the government has obtained it.

But because the program is so highly classified, only a few people at most at each company would legally be allowed to know about PRISM, let alone the details of its operations.

[snip]

According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process. [my emphasis]

This gets to the heart of the reason why Administration claims that “the Courts” have approved this program are false. In a signature case where an Internet provider challenged it — which ultimately led the other providers to concede they would have to comply — the government withheld some of the most important information pertaining to constitutionality from the plaintiff.

The government likes to claim this is constitutional, but that legal claim has always relied on preventing the providers and, to some extent, the FISA Court itself from seeing everything it was doing.

NSA PRISM Slides: Notice Anything Unusual or Missing?

/76 Comments/in , , /by

We haven’t seen (and likely will never see) all of the NSA slides former Booz Allen employee Edward Snowden shared with the Guardian-UK and the Washington Post. But the few that we have seen shared by these two news outlets tell us a lot — even content we might expect to see but don’t tells us something.

First, let’s compare what appears to be the title slide of the presentation — the Guardian’s version first, followed by the WaPo’s version. You’d think on the face of it they’d be the same, but they aren’t.

[NSA presentation, title slide via Guardian-UK]

[NSA presentation, title slide, via Guardian-UK]

[NSA presentation, title slide, via Washington Post]

[NSA presentation, title slide, via Washington Post]

Note the name of the preparer or presenter has been redacted on both versions; however, the Guardian retains the title of this person, “PRISM Collection Manager, S35333,” while the WaPo completely redacts both name and title.

This suggests there’s an entire department for this program requiring at least one manager. There are a number of folks who are plugging away at this without uttering a peep.

More importantly, they are working on collection — not exclusively on search.

The boldface reference to “The SIGAD Used Most in NSA Reporting” suggests there are more than the PRISM  in use as SIGINT Activity Designator tools. What’s not clear from this slide is whether PRISM is a subset of US-984XN or whether PRISM is one-for-one the same as US-984XN.

Regardless of whether PRISM is inside or all of US-984XN, the presentation addresses the program “used most” for reporting; can we conclude that reporting means the culled output of mass collection? Read more

Once Upon a Time the PRISM Companies Fought Retroactive Immunity

/12 Comments/in , /by

Screen shot 2013-06-09 at 8.30.08 AMSince the disclosure of the PRISM program, I have thought about a letter the industry group for some of the biggest and earliest PRISM participants — Google, Microsoft, and Yahoo — wrote to then House Judiciary Chair John Conyers during the 2008 debate on FISA Amendments Act. (The screen capture reflects a partial list of members from 2009.)

Remarkably, the letter strongly condemned the effort to grant companies that had broke the law under Bush’s illegal wiretap program immunity.

The Computer & Communications Industry Association (CCIA) strongly opposes S. 2248, the “FISA Amendments Act of 2007,” as passed by the Senate on February 12, 2008. CCIA believes that this bill should not provide retroactive immunity to corporations that may have participated in violations of federal law. CCIA represents an industry that is called upon for cooperation and assistance in law enforcement. To act with speed in times of crisis, our industry needs clear rules, not vague promises that the U.S. Government can be relied upon to paper over Constitutional transgressions after the fact.

CCIA dismisses with contempt the manufactured hysteria that industry will not aid the United States Government when the law is clear. As a representative of industry, I find that suggestion insulting. To imply that our industry would refuse assistance under established law is an affront to the civic integrity of businesses that have consistently cooperated unquestioningly with legal requests for information. This also conflates the separate questions of blanket retroactive immunity for violations of law, and prospective immunity, the latter of which we strongly support.

Therefore, CCIA urges you to reject S. 2248. America will be safer if the lines are bright. The perpetual promise of bestowing amnesty for any and all misdeeds committed in the name of security will condemn us to the uncertainty and dubious legalities of the past. Let that not be our future as well. [my emphasis]

Microsoft, Yahoo, and Google all joined PRISM within a year of the date of the February 29, 2008 letter (Microsoft had joined almost six months before, Google would join in January 2009).

Screen shot 2013-06-07 at 11.08.29 AMClearly, the demand that the companies that broke the law not receive retroactive immunity suggests none of the members had done so. It further suggests that those companies that did break the law — the telecoms, at a minimum — had done something the email providers wanted them held accountable for. This suggests, though doesn’t prove, that before PRISM, the government may have accessed emails from these providers by taking packets from telecom switches, rather than obtaining the data from the providers themselves.

Google had also fought a DOJ subpoena in 2006 for a million URLs and search terms, purportedly in the name of hunting child pornographers.

And those of us who follow this subject have always speculated (with some support from sources) that the plaintiff in a 2007 FISA Court challenge to a Protect America Act (the precursor to FISA Amendments Act) was an email provider.

All of those details suggest, at the very least, that email providers (unlike telecoms, which we know were voluntarily giving over data shortly after 9/11) fought government efforts to access their data.

But it also suggests that the email providers may have treated PRISM as a less worse alternative than the government accessing their data via other means (which is a threat the government used to get banks to turn over SWIFT data, too).

It seems likely the way the government “negotiates” getting data companies to willingly turn over their data is to steal it first.

James Clapper’s Tip for Avoiding Lies: Don’t Do Talking Points

/13 Comments/in , /by

[youtube]QwiUVUJmGjs[/youtube]

For a guy who warned for years about an abuse of the FISA Amendments Act and Section 215 of the PATRIOT Act, I have to admit Ron Wyden was pretty circumspect  yesterday. He issued a statement, partly to reiterate his call to make this public, partly to suggest the program isn’t worth much.

The administration has an obligation to give a substantive and timely response to the American people and I hope this story will force a real debate about the government’s domestic surveillance authorities. The American people have a right to know whether their government thinks that the sweeping, dragnet surveillance that has been alleged in this story is allowed under the law and whether it is actually being conducted. Furthermore, they have a right to know whether the program that has been described is actually of value in preventing attacks. Based on several years of oversight, I believe that its value and effectiveness remain unclear.

And he sent out three tweets:

Of course, it’s the second tweet — showing the Director of National Intelligence lying in testimony to Congress about whether the NSA collects “any data at all on millions or hundreds of millions of Americans” — I found most interesting.

Wyden always has had a knack for exposing people as liars.

By the end of the day the National Journal had contacted Clapper to provide him an opportunity to explain why this lie to Congress wasn’t a lie. He offered a nonsensical explanation.

Director of National Intelligence James Clapper said Thursday that he stood by what he told Sen. Ron Wyden, D-Ore., in March when he said that the National Security Agency does not “wittingly” collect data on millions of Americans.

What I said was, the NSA does not voyeuristically pore through U.S. citizens’ e-mails. I stand by that,” Clapper told National Journal in a telephone interview.

On March 12, at a hearing of the Senate Intelligence Committee, Wyden asked Clapper: “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?” Clapper responded: “No, sir.” When Wyden followed up by asking, “It does not?” Clapper said: “Not wittingly. There are cases where they could, inadvertently perhaps, collect—but not wittingly.” Clapper did not specify at the time that he was referring to e-mail. [my emphasis]

Clapper’s lie — that he took Wyden’s “collected any type of data at all” to mean “voyeuristically pore through emails” — is all the worse for how bad a non-sequitur it is. Caught in a lie, the head of our Intelligence Community responded with word salad.

Given that abysmal attempt to explain away his lie, I find it all the more curious the Administration decided Clapper, newly exposed as a liar, would be the guy to head pushback to the revelations of the last few days. Late in the day Clapper issued first one, then another “statement” on the revelations.

Both, of course, issued stern condemnations of leaks revealing that he had lied (and that Americans have no privacy).

The unauthorized disclosure of a top secret U.S. court document threatens potentially long-lasting and irreversible harm to our ability to identify and respond to the many threats facing our nation.

[snip]

The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.

Those are hollow warnings, of course, for the reasons I laid out here.

Clapper then goes on to claim that both stories misrepresent the programs.

The article omits key information regarding how a classified intelligence collection program is used to prevent terrorist attacks and the numerous safeguards that protect privacy and civil liberties.

[snip]

The Guardian and The Washington Post articles refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act.  They contain numerous inaccuracies.

Worlds tiniest violin! After refusing urgent requests from members of Congress who had been briefed on this to be transparent for years, the Intelligence Community has lost its ability to spin this!

Perhaps the most interesting part of Clapper’s two statements, however, is the way Clapper purportedly clarified a detail about the WaPo/Guardian stories on PRISM.

Clapper — and an anonymous statement from a Senior Administration Official issued minutes before Clapper’s — made explicitly clear PRISM operates under Section 702 of the FISA Amendments Act.

Section 702 is a provision of FISA that is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States. It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States.

Activities authorized by Section 702 are subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch, and Congress. They involve extensive procedures, specifically approved by the court, to ensure that only non-U.S. persons outside the U.S. are targeted, and that minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons.

Section 702 was recently reauthorized by Congress after extensive hearings and debate.

Section 702, Section 702, Section 702.

This claim had only been implicit in the reporting in the WaPo and Guardian.

Read more