Posts

What We Know about the Section 215 Phone Dragnet and Location Data

Last month’s squabble between Marco Rubio and Ted Cruz about USA Freedom Act led a number of USAF boosters to belatedly understand what I’ve been writing for years: that USAF expanded the universe of people whose records would be collected under the program, and would therefore expose more completely innocent people, along with more potential suspects, to the full analytical tradecraft of the NSA, indefinitely.

In an attempt to explain why that might be so, Julian Sanchez wrote this post, focusing on the limits on location data collection that restricted cell phone collection. Sanchez ignores two other likely factors — the probable inclusion of Internet phone calls and the ability to do certain kinds of connection chaining — that mark key new functionalities in the program which would have posed difficulties prior to USAF. But he also misses a lot of the public facts about location collection and cell phones under the Section 215 dragnet.  This post will lay those out.

The short version is this: the FISC appears to have imposed some limits on prospective cell location collection under Section 215 even as the phone dragnet moved over to it, and it was not until August 2011 that NSA started collecting cell phone records — stripped of location — from AT&T under Section 215 collection rules. The NSA was clearly getting “domestic” records from cell phones prior to that point, though it’s possible they weren’t coming from Section 215 data. Indeed, the only known “successes” of the phone dragnet — Basaaly Moalin and Adis Medunjanin — identified cell phones. It’s not clear whether those came from EO 12333, secondary database information that didn’t include location, or something else.

Here’s the more detailed explanation, along with a timeline of key dates:

There is significant circumstantial evidence that by February 17, 2006 — two months before the FISA Court approved the use of Section 215 of the PATRIOT Act to aspire to collect all Americans’ phone records — the FISA Court required briefing on the use of “hybrid” requests to get real-time location data from targets using a FISA Pen Register together with a Section 215 order. The move appears to have been a reaction to a series of magistrates’ rulings against a parallel practice in criminal cases. The briefing order came in advance of the 2006 PATRIOT Act reauthorization going into effect, which newly limited Section 215 requests to things that could be obtained with a grand jury subpoena. Because some courts had required more than a subpoena to obtain location, it appears, FISC reviewed the practice in the FISC — and, given the BR/PR numbers reported in IG Reports, ended, sometime before the end of 2006 though not immediately.

The FISC taking notice of criminal rulings and restricting FISC-authorized collection accordingly would be consistent with information provided in response to a January 2014 Ron Wyden query about what standards the FBI uses for obtaining location data under FISA. To get historic data (at least according to the letter), FBI used a 215 order at that point. But because some district courts (this was written in 2014, before some states and circuits had weighed in on prospective location collection, not to mention the 11th circuit ruling on historical location data under US v. Davis) require a warrant, “the FBI elects to seek prospective CSLI pursuant to a full content FISA order, thus matching the higher standard imposed in some U.S. districts.” In other words, as soon as some criminal courts started requiring a warrant, FISC apparently adopted that standard. If FISC continued to adopt criminal precedents, then at least after the first US v. Davis ruling, it would have and might still require a warrant (that is, an individualized FISA order) even for historical cell location data (though Davis did not apply to Stingrays).

FISC doesn’t always adopt the criminal court standard; at least until 2009 and by all appearances still, for example, FISC permits the collection, then minimization, of Post Cut Through Dialed Digits collected using FISA Pen Registers, whereas in the criminal context FBI does not collect PCTDD. But the FISC does take notice of, and respond to — even imposing a higher national security standard than what exists at some district levels — criminal court decisions. So the developments affecting location collection in magistrate, district, and circuit courts would be one limit on the government’s ability to collect location under FISA.

That wouldn’t necessarily prevent NSA from collecting cell records using a Section 215 order, at least until the Davis decision. After all, does that count as historic (a daily collection of records each day) or prospective (the approval to collect data going forward in 90 day approvals)? Plus, given the PCTDD and some other later FISA decisions, it’s possible FISC would have permitted the government to collect but minimize location data. But the decisions in criminal courts likely gave FISC pause, especially considering the magnitude of the production.

Then there’s the chaos of the program up to 2009.

At least between January 2008 and March 2009, and to some degree for the entire period preceding the 2009 clean-up of the phone and Internet dragnets, the NSA was applying EO 12333 standards to FISC-authorized metadata collection. In January 2008, NSA co-mingled 215 and EO 12333 data in either a repository or interface, and when the shit started hitting the fan the next year, analysts were instructed to distinguish the two authorities by date (which would have been useless to do). Not long after this data was co-mingled in 2008, FISC first approved IMEI and IMSI as identifiers for use in Section 215 chaining. In other words, any restrictions on cell collection in this period may have been meaningless, because NSA wasn’t heeding FISC’s restrictions on PATRIOT authorized collection, nor could it distinguish between the data it got under EO 12333 and Section 215.

Few people seem to get this point, but at least during 2008, and probably during the entire period leading up to 2009, there was no appreciable analytical border between where the EO 12333 phone dragnet ended and the Section 215 one began.

There’s no unredacted evidence (aside from the IMEI/IMSI permission) the NSA was collecting cell phone records under Section 215 before the 2009 process, though in 2009, both Sprint and Verizon (even AT&T, though to a much less significant level) had to separate out their entirely foreign collection from their domestic, meaning they were turning over data subject to EO 12333 and Section 215 together for years. That’s also roughly the point when NSA moved toward XML coding of data on intake, clearly identifying where and under what authority it obtained the data. Thus, it’s only from that point forward where (at least according to what we know) the data collected under Section 215 would clearly have adhered to any restrictions imposed on location.

In 2010, the NSA first started experimenting with smaller collections of records including location data at a time when Verizon Wireless was named on primary orders. And we have two separate documents describing what NSA considered its first collection of cell data under Section 215 on August 29, 2011. But it did so only after AT&T had stripped the location data from the records.

It appears Verizon never did the same (indeed, Verizon objected to any request to do so in testimony leading up to USAF’s passage). The telecoms used different methods of delivering call records under the program. In fact, in August 2, 2012, NSA’s IG described the orders as requiring telecoms to produce “certain call detail records (CDRs) or telephony metadata,” which may differentiate records that (which may just be AT&T) got processed before turning over. Also in 2009, part of Verizon ended its contract with the FBI to provide special compliance with NSLs. Both things may have affected Verizon’s ability or willingness to custom what it was delivering to NSA, as compared to AT&T.

All of which suggests that at least Verizon could not or chose not to do what AT&T did: strip location data from its call records. Section 215, before USAF, could only require providers to turn over records they kept, it could not require, as USAF may, provision of records under the form required by the government. Additionally, under Section 215, providers did not get compensated after the first two dragnet orders.

All that said, the dragnet has identified cell phones! In fact, the only known “successes” under Section 215 — the discovery of Basaaly Moalin’s T-Mobile cell phone and the discovery of Adis Medunjanin’s unknown, but believed to be Verizon, cell phone — did, and they are cell phones from companies that didn’t turn over records. In addition, there’s another case, cited in a 2009 Robert Mueller declaration preceding the Medunjanin discovery, that found a US-based cell phone.

There are several possible explanations for that. The first is that these phones were identified based off calls from landlines and/or off backbone records (so the phone number would be identified, but not the cell information). But note that, in the Moalin case, there are no known land lines involved in the presumed chain from Ayro to Moalin.

Another possibility — a very real possibility with some of these — is that the underlying records weren’t collected under Section 215 at all, but were instead collected under EO 12333 (though Moalin’s phone was identified before Michael Mukasey signed off on procedures permitting the chaining through US person records). That’s all the more likely given that all the known hits were collected before the point in 2009 when the FISC started requiring providers to separate out foreign (EO 12333) collection from domestic and international (Section 215) collection. In other words, the Section 215 phone dragnet may have been working swimmingly up until 2009 because NSA was breaking the rules, but as soon as it started abiding by the rules — and adhering to FISC’s increasingly strict limits on cell location data — it all of a sudden became virtually useless given the likelihood that potential terrorism targets would use exclusively cell and/or Internet calls just as they came to bypass telephony lines. Though as that happened, the permissions on tracking US persons via records collected under EO 12333, including doing location analysis, grew far more permissive.

In any case, at least in recent years, it’s clear that by giving notice and adjusting policy to match districts, the FISC and FBI made it very difficult to collect prospective location records under FISA, and therefore absent some means of forcing telecoms to strip their records before turning them over, to collect cell data.

Read more

About Apple’s Dead Warrant Canary

There were two significant pieces of Apple security news yesterday.

In laudable news, Apple’s new privacy policy makes clear that it will be unable to unlock locally stored content for law enforcement.

On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

I find the comment as interesting for the list of things Apple envisions potentially having to hand over as I do for the security claim (though the security claim is admirable).

  • Photos
  • Messages, including attachments
  • Email
  • Contacts
  • Call history
  • iTunes content
  • Notes
  • Reminders

Though Apple’s promise to protect this kind of data only goes so far; as the NYT makes clear, that doesn’t extend to data stored on Apple’s cloud.

The new security in iOS 8 protects information stored on the device itself, but not data stored on Apple’s cloud service. So Apple will still be able to hand over some customer information stored on iCloud in response to government requests.

Which brings us to the second piece of news. As GigaOm notes, Apple’s warrant canary indicating that it has never received a Section 215 order has disappeared.

When Apple published its first Transparency Report on government activity in late 2013, the document contained an important footnote that stated:

“Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.”

Writer and cyber-activist Cory Doctorow at the time recognized that language as a so-called “warrant canary,” which Apple was using to thwart the secrecy imposed by the Patriot Act.

Warrant canaries are a tool used by companies and publishers to signify to their users that, so far, they have not been subject to a given type of law enforcement request such as a secret subpoena. If the canary disappears, then it is likely the situation has changed — and the company has been subject to such request.

Now, Apple’s warrant canary has disappeared. A review of the company’s last two Transparency Reports, covering the second half of 2013 and the first six months of 2014, shows that the “canary” language is no longer there.

Note, GigaOm goes on to mistakenly state that Section 215 is the basis for PRISM, which doesn’t detract from the importance of noting the dead warrant canary. The original PRISM slides indicate that Apple started complying with Section 702 (PRISM) in October 2012, and the ranges in Apple’s government request data probably reflect at least some of its Section 702 compliance to provide content.

So Apple receiving its first Section 215 order sometime last year would reflect either a different kind of request — one not available by targeting someone overseas, as required under Section 702 — or a request for the kind of information it has already provided via a new authority, Section 215.

Many of the things listed above — at a minimum, call history, but potentially things like contacts and the titles of iTunes content (remember, James Cole has confirmed the government could use Section 215 to get URL searches, and we know they get purchase records) — can be obtained under Section 215.

I find Apple’s dead warrant canary of particular interest given the revelation in the recent DOJ IG Report on National Security Letters that some “Internet companies” started refusing NSLs for certain kinds of content starting in 2009; that collection has moved to Section 215 authority, and it now constitutes a majority of the 200-some Section 215 orders a year.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

[snip]

We asked whether the disagreement and uncertainty over electronic communication transactional records has negatively affected national security investigations. An Assistant General Counsel in NSLB told us that the additional time it takes to obtain transactional records through a Section 215 application slows down national security investigations, all of which he said are time-sensitive. He said that an investigative subject can cease activities or move out of the country within the time-frame now necessary to obtain a FISA order. [my emphasis]

These Internet company refusals must pertain to somewhat exotic requests, otherwise the government would simply take the companies to court one time apiece and win that authority. So we should assume the government was making somewhat audacious requests using NSLs, some companies refused, and it now uses Section 215 to do the collection. Another signal that these requests are fairly audacious is that the FISA Court appears to have imposed minimization procedures, which for individualized content must reflect a good deal of irrelevant content that would be suppressed.

While my wildarse guess is that this production pertains to URL searches, everything cloud providers like Apple store arguably falls under the Third Party doctrine and may be obtained using Section 215.

That’s not to say Apple’s dead canary pertains to this kind of refusal. But it ought to raise new questions about how the government has been using Section 215.

This production will likely be increasingly obtained using USA Freedom Act’s emergency provisions, which permit the government to retain data even if it is not legal, if the bill passes. And the bill’s “transparency” provisions hide how many Americans would be affected.

The Holder-Clapper Letter Ought to Make You Worry about Leahy’s USA Freedom

As the press is reporting right now, James “Too Cute by Half” Clapper and Eric Holder have written Patrick Leahy a letter endorsing his version of the dragnet reform bill. Reports claim this shows that Clapper supports reform.

Consider me unimpressed.

To understand why, it helps to understand what this letter was once supposed to do. According to a Senate source who is skeptical this reform does enough, it was supposed to provide language that would endorse civil libertarians’ understanding of key terms of the bill. I’m not sure if the letter is still supposed to do that work — if it is not, that is a story unto itself. But the language in this letter doesn’t make any commitments on the key points of concern.

As an initial matter, I was told this letter would include language making it clear that the “connection chaining” language I’ve been so concerned about would limit contact chaining to actual calls made. The letter doesn’t address connection chaining at all. Huh. How about that?

Here’s what Clapper’s letter says about the prospective call detail record (CDR) collection:

The bill also provides a mechanism to obtain telephone metadata records in order to identify potential contacts of suspected terrorists inside the United States. The Intelligence Community believes that, based on communications providers’ existing practices in retaining metadata, the bill will retain the essential operational capabilities of the existing bulk telephone metadata program while eliminating bulk collection.

It’s good news the IC is not asking for data retention requirements — but you ought to ask why, given that the most important provider, Verizon, has told the Senate Intelligence Committee that it only keeps billing records — not CDRs — for 18 months.

Note, however, that Clapper doesn’t use CDR language here — he uses “metadata,” which is actually broader — potentially far broader — than CDRs as defined by the bill. We know, for example, that the IC considers location data metadata — and James Cole told Mark Warner they might ask for hybrid orders to get location data. We know from the ICREACH documents that the IC admits it uses a different definition of metadata than the FISA Court does (the IC’s definition of metadata not only includes content, but also substantive information about people). We know that providers store customer things-that-count-as-metadata on their clouds, indefinitely. Adopting metadata here, in short, may back off the otherwise limited definition of CDR, which is one of the bills laudable limiting factors.

The letter’s claim to end bulk collection does nothing to reflect that the IC’s definition of bulk — anything without a discriminator — has nothing to do with the common English definition of it; it certainly doesn’t promise to end the English language definition of bulk. Moreover, it only promises to limit bulk collection to the “greatest extent practicable.”

[T]he bill permits collection under Section 215 of the USA PATRIOT Act using a specific selection term that narrowly limits the scope of the tangible things sought to the greatest extent reasonably practicable, consistent with the purposes for seeking the tangible things. Recognizing that the terms enumerated in the statute may not always meet operational needs, the bill permits the use of other terms, provided there are court-approved minimization procedures that prohibit the dissemination and require the destruction within a reasonable period of time of any information that has not been determined to satisfy certain specific requirements.

That “reasonably practicable” language is a direct quote from the bill. It adds nothing, and given that Bob Litt refuses to limit FBI back door searches because it’s not practicable, what the IC means by practicable could very easily encompass gross privacy violations — ones that have already been approved by FISC! And remember–the IC can use corporate persons as selection terms.

Then the letter all but admits it will use selection terms that violate this principle, but points to the minimization procedures required by the law to rationalize that. As I’ve pointed out, there’s no reason to believe the minimization procedures will be any more stringent than what the FISC currently requires — and there’s at least some reason to suspect they might be weaker than current minimization procedures. (And remember, the retention requirements for the CDR authority almost certainly broadens permitted dissemination to foreign intelligence purpose, which might lead to a similar broadening of it elsewhere under the authority.)

The transparency paragraph includes this language.

the transparency provisions  in this bill … among other things, [] recognize the technical limitations on our ability to report certain types of information.

This is James Clapper saying quite clearly to anyone willing to listen that he sees this bill — which explicitly carves out FBI back door searches from any transparency reporting — as Congressional endorsement of the idea that we should never demand the number of FBI back door searches. This language, by itself, ought to make the bill toxic.

Congratulations NGOs. You’re backing the idea that the FBI should be able to use 702 and 12333 collected information in criminal contexts with zero oversight or accountability.

Finally, Clapper’s letter makes it clear that Leahy’s bill will do nothing to stop ex parte communication between the Executive and FISC. And he even points to John Bates’ ridiculous letter (huh, now we have a better sense of who put Bates up to that!) to warn he’ll carve out even more.

We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.

Especially after we learned Bates single-handedly rewrote PATRIOT last year to make it okay to spy on Americans for their protected speech, we should do nothing to accommodate Bates’ wishes, especially since he didn’t speak with the authority of his position. The FISC, as Bates envisions it, doesn’t resemble a real court at all.

In short, there’s one piece of good news in this letter — that the IC won’t ask for data retention requirements — and a whole lot of reason to be even more skeptical of the bill.

Did ACLU and EFF Just Help the NSA Get Inside Your Smart Phone?

EFF ACLUThe ACLU and EFF normally do great work defending the Fourth Amendment. Both have fought the government’s expansive spying for years. Both have fought hard to require the government obtain a warrant before accessing your computer, cell phone, and location data.

But earlier this week, they may have taken action that directly undermines that good work.

On Wednesday, both civil liberties organizations joined in a letter supporting Patrick Leahy’s version of USA Freedom Act, calling it a necessary first step.

We support S. 2685 as an important first step toward necessary comprehensive surveillance reform. We urge the Senate and the House to pass it quickly, and without
making any amendments that would weaken the important changes described above.

ACLU’s Laura Murphy explained why ACLU signed onto the bill in a column at Politico, analogizing it to when, in 2010, ACLU signed onto a bill that lowered, but did not eliminate,  disparities in crack sentencing.

Reform advocates were at a crossroads. Maximalists urged opposition despite the fact the bill would, in a very real way, make life better for thousands of people and begin to reduce the severe racial and ethnic inequality in our prison system. Pragmatists, fearing that opposition to the bill would preclude any reform at all, urged support.

It was a painful compromise, but the ACLU ultimately supported the bill. It passed, astoundingly, with overwhelming support in both chambers.

And then something amazing happened. Conservative lawmakers, concerned about government waste, increasingly came to the table to support criminal justice reform. Liberals realized they could vote their conscience on criminal justice without accusations of being “soft on crime.” It has not been easy and there have been many steps backward, but in recent years, we’ve seen greater public opposition to mandatory minimum sentences and real movement on things like reducing penalties for low-level drug offenses.

The analogy is inapt. You don’t end crack disparities by increasing the number of coke dealers in jail. But Leahy’s USA Freedom Act almost certainly will increase the number of totally innocent Americans who will be subjected to the full brunt of NSA’s analytical authorities indefinitely.

That’s because by outsourcing to telecoms, NSA will actually increase the total percentage of Americans’ telephone records that get chained on; sources say it will be more “comprehensive” than the current dragnet and Deputy NSA Director Richard Ledgett agrees the “the actual universe of potential calls that could be queried against is [potentially] dramatically larger.” In addition, the telecoms are unlikely to be able to remove all the noisy numbers like pizza joints — as NSA currently claims to — meaning more people with completely accidental phone ties to suspects will get sucked in. And USA Freedom adopts a standard for data retention — foreign intelligence purpose — that has proven meaningless in the past, so once a person’s phone number gets turned over to the NSA, they’ll be fair game for further NSA spying, the really invasive stuff, indefinitely.

But that’s not the reason I find ACLU and EFF’s early support for USA Freedom so astounding.

I’m shocked ACLU and EFF are supporting this bill because they don’t know what the NSA will be permitted to do at the immunized telecoms. They have blindly signed onto a bill permitting “connection chaining” without first understanding what connection chaining entails.

As I have reported extensively, while every witness who has talked about the phone dragnet has talked about chaining on phone calls made — all the calls Anwar al-Awlaki made, all the calls those people made — the language describing this chaining process has actually been evolving. Dianne Feinstein’s Fake FISA Fix last fall allowed the NSA to chain on actual calls — as witnesses had described — but also on communications (not just calls) “to or from any selector reasonably linked to the selector.” A February modification and the last two dragnet orders permitted NSA to chain on identifiers “with a contact and/or connection” with the seed, making it clear that a “connection” is something different than a “contact.” The House bill USA Freedumber adopted the same language in a legislative report. Leahy’s bill adopts largely the same language for chaining.

(iii) provide that the Government may require the prompt production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;

Now, it’s possible that this language does nothing more than what NSA illegally did until 2009: chain on both the identifier itself, but also on identifiers it has determined to be the same person. Back in 2009, NSA referred to a separate database to determine these other identifiers. Though that’s unlikely, because the bill language suggests the telecoms will be identifying these direct connections.

It’s possible, too, that this language only permits the telecoms to find “burner” phones — a new phone someone adopts after having disposed of an earlier one — and chain on that too.

But it’s also possible that this language would permit precisely what AT&T does for DEA in its directly analogous Hemisphere program: conduct analysis using cell site data. The bill does not permit NSA to receive cell site data, but it does nothing to prohibit NSA from receiving phone numbers identified using cell site data. When Mark Warner asked about this, Ledgett did not answer, and James Cole admitted they could use these orders (with FISC approval) to get access to cell location.

It’s possible, too, that the telecoms will identify direct connections using other data we know NSA uses to identify connections in EO 12333 data, including phone book and calendar data.

The point is, nobody in the public knows what “connections” NSA will be asking its immunized telecom partners to make. And nothing in the bill or even the public record prohibits NSA from asking telecoms to use a range of smart phone information to conduct their analysis, so long as they only give NSA phone identifiers as a result.

In response to questions from Senators about what this means, Leahy’s office promised a letter from James Clapper’s office clarifying what “connections” means (No, I don’t remember the part of Schoolhouse Rock where those regulated by laws get to provide “clarifications” that don’t make it into the laws themselves). That letter was reported to be due on Tuesday, by close of business — several days ago. It hasn’t appeared yet.

I asked people at both EFF and ACLU about this problem. EFF admitted they don’t know what this language means. ACLU calls the language “ambiguous,” but based on nothing they were able to convey to me, insists getting smart phone data under the guise of connection chaining would be an abuse. ACLU also pointed to transparency provisions in the bill, claiming that would alert us if the NSA starting doing something funky with its connection language; that of course ignores that “connection chaining” is an already-approved process, meaning that existing processes won’t ever be need to be released. It also ignores that the Administration has withheld what is probably a directly relevant phone dragnet opinion from both ACLU and EFF in their dragnet FOIA.

I get Laura Murphy’s point about using USA Freedom to start the process of reform. But what I don’t understand is why you’d do that having absolutely no idea whether that “reform” codifies the kind of warrantless probable cause-free access to device data that ACLU and EFF have fought so hard to prevent elsewhere.

ACLU and EFF are supposed to be leaders in protecting the privacy of our devices, including smart phones. I worry with their embrace of this bill, they’re leading NSA right into our smart phones.

Mark Warner Lays Out How USA Freedumber Will Put the NSA in Your Smartphone

I noted this yesterday in a quick post, but I wanted to post the video and my transcription of Mark Warner’s efforts to lay out some of the privacy problems with HR 3361, which I call USA Freedumber.

Warner, who made his fortune as a telecom mogul, points out that USA Freedumber will be able to access calls from smaller cell companies that are currently not included as primary providers to NSA (he doesn’t mention it, but USA Freedumber will also be able to access VOIP).

Warner: It was reported when we think about 215 in the previous program that that collected metadata that was with those entities — those companies — that entered into some relationship with the IC, and I believe there was a February WSJ article that reported — and I don’t want to get into percentages here — that while the large entities, large companies were involved, that in many cases, the fastest growing set of telephone calls, wireless calls, were actually a relatively small percentage. Is that an accurate description of how the press has presented the 215 program prior — previously?

Ledgett: Yes, that’s how the press represented it.

Warner: And if that was an accurate presentation, wouldn’t the universe of calls that are now potentially exposed to these kind of inquiries be actually dramatically larger since any telco, regardless of whether they had a relationship with the IC or not, and any type of call, whether it is wire or wireless, be subject to the inquiries that could be now made through this new process.

Ledgett: Uh Yes, Senator, that’s accurate.

Warner: So, again, with the notion here that under the guise of further protecting privacy, I think on a factual basis, of the number of calls potentially scrutinized, the universe will be exponentially larger than what the prior system was. Is that an accurate statement.

Ledgett: No, Senator, I don’t believe so, because the only calls that the government will see are those that are directly responsive to to the predicate information that we have.

Warner: No, In terms of actual inquiries, correct, but the the universe of potential calls that you could query, when prior to the calls were only queried out of the 215 database that was held at the NSA, which as press reports said did not include — in many cases — the fastest growing number of new calls, wireless calls, now the universe of — even though the number of queries may be the same, because the protections are still the same, the actual universe of potential calls that could be queried against is dramatically larger than what 215 has right now.

Ledgett: Potentially yes, that’s right Senator.

From there, Warner focuses on a more troubling issue: the likelihood that NSA could get cell location data and call detail records with the same request. Read more

Dianne Feinstein: I Believe Specific Selection Term Is Confusing

In the Senate Intelligence Committee hearing on HR 3361 — which I call the USA Freedumber Act because it makes the dragnet worse in several ways — Dianne Feinstein used her opening statement to talk about the role of “specific selection term” in the bill.

She says, in part,

The problem comes with the definition of a “specific selection term,” which is not clear on its face and I believe it’s confusing.

I’m glad that Feinstein is concerned about the same thing I’ve been focusing on for a month.

The problem with trying to prevent “bulk collection” using the definition of selection term — even aside from the fact that the Intelligence Community understands “bulk collection” to mean something entirely different from what normal people understand it to mean — is that it will be abused.

We didn’t even get out of the hearing without such cynicism. At the hearing, Deputy Attorney General James Cole assured Martin Heinrich and Mark Udall that statements in the legislative record indicating a desire to limit such collection would prevent any abuse. This is the same DAG whose DOJ argued — just the day before!!! — that the legislative record of FISA, which clearly indicates the congressional intent that some defendants will get to review their FISA applications, should be ignored in favor of the 36 year history during which no defendants got such review.

Cole’s comments are all the proof we need that the Executive cannot be trusted to cede to Congress’ wishes (not to mention that the legislative record is far more ambivalent than Cole pretended).

So I’m grateful Feinstein is trying to tighten the definition (though I don’t think that is the workable way to improve the bill).

But I’m a bit confused by Feinstein’s confusion.

You see, as I noted some weeks ago, the term “selection term” is already used for Section 215, and has been for at least a year. And at least in phone dragnet Primary Order standard references to FISA content orders (that is, to traditional FISA warrants and the like), they’re using “selection term” as well.

The intelligence community and the FISA Court already have some common understanding of what “selection term” means — and Primary Orders appear to define the term in a classified-to-us-but-not-Feinstein footnote — and yet Feinstein is confused about what “specific selection term” might mean?

Granted, “selection term” is slightly different than “specific selection term.” Still, given that the “selection term” appears to be defined — and used — in the existing program, I would hope that Senator Feinstein would have some clarity about what it means.

Perhaps the way to start this discussion is to publicly explain how the IC is currently using “selection term”?

Mark Warner Confirms USA Freedumber Expands Surveillance

The Senate Intelligence Committee is in the middle of its Snowden Day hearing on the USA Freedumber Act. I’ll have more to say about it later (spoiler alert: the hearing has proven that the overseers don’t understand the program they’re currently overseeing).

The highlight was, surprisingly, when Mark Warner questioned the government witnesses.

Warner (who used to be a telecom mogul) got the government witnesses to concede to two key points.

First, Warner noted that under the new scheme, every telecom would be subject to government requests. As a result, he said, “On factual basis, the number of calls scrutinized universe will be exponentially larger.” Deputy Attorney General James Cole at first tried to prevaricate. But then admitted that more records would be exposed.

Then, Warner noted that telecoms have to keep cell location, and that the current Section 215 program does not obtain cell location. He asked if the NSA could use or obtain cell location going forward. Cole did not deny that; he admitted that sometimes it is very helpful.

Thanks to Mark Warner for getting these two details on the record, as I have been arguing both were true, but now can confirm they are.

 

DOJ Inspector General Investigating DEA’s Use of Parallel Construction under Hemisphere

Screen Shot 2014-04-18 at 11.02.49 AMAs I noted in my last post, DOJ’s Inspector General recently created a page showing their ongoing investigations. It shows some things not described in Inspector General Michael Horowitz’ last report to Congress.

Of particular interest is this investigation.

Administrative Subpoenas

The OIG is examining the DEA’s use of administrative subpoenas to obtain broad collections of data or information. The review will address the legal authority for the acquisition or use of these data collections; the existence and effectiveness of any policies and procedural safeguards established with respect to the collection, use, and retention of the data; the creation, dissemination, and usefulness of any products generated from the data; and the use of “parallel construction” or other techniques to protect the confidentiality of these programs.

The description doesn’t say it, but this is Hemisphere, the program under which DEA submits administrative subpoenas to AT&T for phone records from any carrier that uses AT&T’s backbone. DEA gets information matching burner phones as well as the call records. In addition, it gets some geolocation — and continued to increase what it was getting even after US v Jones raised concerns about such tracking.

The presentation on Hemisphere makes it very clear the government uses “parallel construction” to hide Hemisphere.

Protecting the Program: When a complete set of CDRs are subpoenaed from the carrier, then all memorialized references to relevant and pertinent calls can be attributed to the carrier’s records, thus “walling off” the information obtained from Hemisphere. In other words, Hemisphere can easily be protected if it is used as a pointed system to uncover relevant numbers.

Exigent Circumstances — Protecting the Program: In special cases, we realize that it might not be possible to obtain subpoenaed phone records that will “wall off” Hemisphere. In these special circumstances, the Hemisphere analyst should be contacted immediately. The analyst will work with the investigator and request a separate subpoena to AT&T.

Official Reporting — Protecting the Program: All requestors are instructed to never refer to Hemisphere in any official document. If there is no alternative to referencing a Hemisphere request, then the results should be referenced as information obtained from an AT&T subpoena.

And this is not the only area where DEA Is using parallel construction to hide where it gets its investigative leads. Reuters reported in August that DEA also uses parallel construction to hide the leads it gets from purportedly national security-related wiretapping.

A secretive U.S. Drug Enforcement Administration unit is funneling information from intelligence intercepts, wiretaps, informants and a massive database of telephone records to authorities across the nation to help them launch criminal investigations of Americans.

Although these cases rarely involve national security issues, documents reviewed by Reuters show that law enforcement agents have been directed to conceal how such investigations truly begin – not only from defense lawyers but also sometimes from prosecutors and judges.

The undated documents show that federal agents are trained to “recreate” the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant’s Constitutional right to a fair trial. If defendants don’t know how an investigation began, they cannot know to ask to review potential sources of exculpatory evidence – information that could reveal entrapment, mistakes or biased witnesses.

[snip]

The two senior DEA officials, who spoke on behalf of the agency but only on condition of anonymity, said the process is kept secret to protect sources and investigative methods. “Parallel construction is a law enforcement technique we use every day,” one official said. “It’s decades old, a bedrock concept.”

A dozen current or former federal agents interviewed by Reuters confirmed they had used parallel construction during their careers. Most defended the practice; some said they understood why those outside law enforcement might be concerned.

Presuming that Horowitz is investigating whether DEA’s extensive use of parallel construction complies with the Constitution (and not, as is possible, whether the sources of this information are being adequately buried), this is welcome news indeed.

But it’s also one of several reasons why I’m particularly alarmed, in retrospect, that Horowitz is complaining about his ability to get grand jury information without having to get either Attorney General Holder or Deputy Attorney General James Cole to personally approve it.

After all, the only way you can learn what truly happens in prosecutions that have used parallel construction to hide their sources is to work backward from the actual prosecution. Read more

Why Did 3 Top DOJ Officials Feed Their Dog DOJ’s Homework?

DOJ has submitted what it claims is an explanation for why it materially misstated facts to Reggie Walton in discussions about destroying phone dragnet data. (See this post and this post for background.)

As you recall, Walton had read EFF’s emails closely enough to realize that EFF had asked Civil Division lawyers why they had claimed there was no protection order when they believed they had one.

A review of the E-mail Correspondence indicates that as early as February 26, 2014, the day after the government filed its February 25 Motion, the plaintiffs in Jewel and First Unitarian indeed sought to clarify why the preservation orders in Jewel and Shubert were not referenced in that motion. E-mail Correspondence at 6-7. The Court’s review of the E-mail Correspondence suggests that the DOJ attorneys may have perceived the preservation orders in Jewel and Shubert to be immaterial to the February 25 Motion because the metadata at issue in those cases was collected under what DOJ referred to as the “President’s Surveillance Program” (i.e., collection pursuant to executive authority), as opposed to having been collected under Section 215 pursuant to FISC orders — a proposition with which plaintiffs’ counsel disagreed. Id at 4. As this Court noted in the March 12 Order and Opinion, it is ultimately up to the Northern District of California, rather than the FISC, to determine what BR metadata is relevant to the litigation pending before the court.

As the government is well aware, it has a heightened duty of candor to the Court in ex parte procedings. See MODEL RULES OF PROF’L CONDUCT R. 3.3(d) (2013). Regardless of the government’s perception of the materiality of the preservation orders in Jewel andShubert to its February 25 Motion, the government was on notice, as of February 26, 2014, that the plaintiffs in Jewel and First Unitarian believed that orders issued by the District Court for the Northern District of California required the preservation of the FISA telephony metadata at issue in the government’s February 25 Motion. E-mail Correspondence at 6-7. The fact that the plaintiffs had this understanding of the preservation orders–even if the government had a contrary understanding–was material to the FISC’s consideration of the February 25 Motion. The materiality of that fact is evidenced by the Court’s statement, based on the information provided by the government in the February 25 Motion, that “there is no indication that nay of the plaintiffs have sought discovery of this information or made any effort to have it preserved.” March 7 Opinion and Order at 8-9.

The government, upon learning this information, should have made the FISC aware of the preservation orders and of the plaintiffs’ understanding of their scopre, regardless of whether the plaintiffs had made a “specific request” that the FISC be so advised. Not only did the government fail to do so, but the E-mail Correspondence suggests that on February 28, 2014, the government sought to dissuade plaintiffs’ counsel from immediately raising this issue with the FISC or the Northern District of California. E-mail Correspondence at 5.

DOJ’s excuse for not telling Walton EFF believed they had a protection order is roughly as follows:

1. Notwithstanding a past comment about preservation orders in the matters before Judge Walton, the government claims EFF’s suits are unrelated to the phone dragnet.

[T]he Government has always understood [EFF’s suits] to be limited to certain presidentially authorized intelligence collection activities outside FISA, the Government did not identify those lawsuits, nor the preservation order issued therein, in its Motion for the Second Amendment to Primary Order filed in the above-captioned Docket number on February 25, 2014. For the same reasons, the Government did not notify this Court of its receipt of plaintiffs’ counsel’s February 26, 2014, e-mail.

Note, to sustain this claim, the government withheld both the state secrets declarations that clearly invoke the FISC-authorized dragnets as part of the litigation, even though the government’s protection order invokes it repeatedly, as well as Vaughn Walker’s preservation order which is broader than DOJ’s own preservation plan. Thus, they don’t give Walton the things he needs to be able to assess whether DOJ’s actions in this matter were remotely reasonable.

2. It explains that it never provided EFF with its own 2007 preservation plan (which did not meet the terms of Walker’s order) until March 17, 2014 because Stellar Wind — but not the FISC-authorized programs that the preservation plan excluded — was classified until December 2013.

A classified submission was necessary at that time [in 2007] because the existence of the presidentially-authorized program was classified and remained so until December 2013.

Note, it doesn’t mention that 19 days passed between the time EFF formally raised concerns about the protection order and the date DOJ actually provided the declassified protection plan to them, during which time, it appears, NSA destroyed one of the most damning half year’s worth of data in the program’s history (which I’ll return to in a later post).

3. In spite of EFF telling DOJ their earlier suits were relevant (and not having received the preservation plan which could have been declassified in December), DOJ claims they didn’t think they were relevant so it didn’t tell FISC about EFF’s beliefs.

Because the Government’s Motion for Second Amendment already had sought relief from this Court based on a list of BR metadata pursuant to FISC authorization, see Motion for Second Amendment at 3-5, counsel did not appreciate — even after receiving the email from plaintiffs’ counsel in Jewel — that it would be be important to notify this Court about Jewel and Shubert or the email from counsel for the Jewel plaintiffs about those cases with which the Government disagreed. Rather, counsel viewed any potential dispute about the scope of Jewel and Shubert preservation orders as a mater to be resolved, if possible, by the parties to those cases (though a potential unclassified explanation to plaintiffs’ counsel) or, failing that, by the district court.

Note what DOJ is not mentioning here? That EFF has a Section 215 lawsuit too, and that its understanding of the impact on that suit may have been influenced by the Shubert and Jewel protection orders.

4. DOJ’s Civil Division lawyers did not forward EFF’s email to DOJ’s National Security Division lawyers, they claim, because the Civil Division lawyers did not agree with EFF’s interpretation of the protection order.

For these reasons, counsel did not think to forward the email from Jewel Plaintiffs’ counsel to the attorneys with primary responsibility for interaction with this Court before the Court ruled on the Motion for Second Amendment. The Department wishes to assure the Court that it has always endeavored to maintain close coordination within the Department regarding civil litigation matters that involve proceedings before this Court, and will take even greater care to do so in the future.

5. DOJ told EFF to hold off formally alerting any Court in the belief that it could tell EFF about the preservation plan which could have been declassified in December but did not get declassified until 10 days after FISC issued its initial order requiring DOJ to destroy data, and that would solve everything.

In particular, the request in its February 28 email that counsel for the Jewel plaintiffs “forbear from filing anything with the FISC, or [the district court], until we have further opportunity to confer” was a good faith attempt to avoid unnecessary motions practice in the event that the issue could be worked out among the parties through the Government’s provision of an unclassified explanation concerning its preservation in Jewel and Shubert.

Read more

Judge Reggie Walton Is Pissed that Government Is Making Material Misstatements to FISC, Again

FISA Court Chief Judge Reggie Walton just issued a rather unhappy order requiring the government to explain why it materially misstated the facts about whether any plaintiffs had protection orders that governed the phone dragnet.

Generally, he wants to know why the government didn’t tell him that EFF had protection orders in the Jewel and Shubert cases. More specifically, he wants to know why they didn’t tell him that — as I reported here — the EFF had asked the government how they could claim there was no protection order when they had one in their suits of the larger dragnet.

A review of the E-mail Correspondence indicates that as early as February 26, 2014, the day after the government filed its February 25 Motion, the plaintiffs in Jewel and First Unitarian indeed sought to clarify why the preservation orders in Jewel and Shubert were not referenced in that motion. E-mail Correspondence at 6-7. The Court’s review of the E-mail Correspondence suggests that the DOJ attorneys may have perceived the preservation orders in Jewel and Shubert to be immaterial to the February 25 Motion because the metadata at issue in those cases was collected under what DOJ referred to as the “President’s Surveillance Program” (i.e., collection pursuant to executive authority), as opposed to having been collected under Section 215 pursuant to FISC orders — a proposition with which plaintiffs’ counsel disagreed. Id at 4. As this Court noted in the March 12 Order and Opinion, it is ultimately up to the Northern District of California, rather than the FISC, to determine what BR metadata is relevant to the litigation pending before the court.

As the government is well aware, it has a heightened duty of candor to the Court in ex parte procedings. See MODEL RULES OF PROF’L CONDUCT R. 3.3(d) (2013). Regardless of the government’s perception of the materiality of the preservation orders in Jewel and Shubert to its February 25 Motion, the government was on notice, as of February 26, 2014, that the plaintiffs in Jewel and First Unitarian believed that orders issued by the District Court for the Northern District of California required the preservation of the FISA telephony metadata at issue in the government’s February 25 Motion. E-mail Correspondence at 6-7. The fact that the plaintiffs had this understanding of the preservation orders–even if the government had a contrary understanding–was material to the FISC’s consideration of the February 25 Motion. The materiality of that fact is evidenced by the Court’s statement, based on the information provided by the government in the February 25 Motion, that “there is no indication that nay of the plaintiffs have sought discovery of this information or made any effort to have it preserved.” March 7 Opinion and Order at 8-9.

The government, upon learning this information, should have made the FISC aware of the preservation orders and of the plaintiffs’ understanding of their scopre, regardless of whether the plaintiffs had made a “specific request” that the FISC be so advised. Not only did the government fail to do so, but the E-mail Correspondence suggests that on February 28, 2014, the government sought to dissuade plaintiffs’ counsel from immediately raising this issue with the FISC or the Northern District of California. E-mail Correspondence at 5.

In a number of places, Walton provides an out for the government, suggesting they might just be stupid and not obstructing (those are my words, obviously). He even goes so far as to suggest that DOJ might have an internal communication problem between the Civil Division, which is litigating the EFF suits, and the National Security Division, which works with FISC.

But then he notes that both Civil AAG Stuart Delery and Acting NSD AAG John Carlin submitted the filings to him.

The government’s failure to inform the FISC of the plaintiffs’ understanding that the prior preservation orders require retention of Section 591 telephony metadata may have resulted from imperfect communication or coordination within the Department of Justice rather than from deliberate decision-making.4 Nonetheless, the Court expects the government to be far more attentive to its obligations in its practice before this Court.

4 Attorneys from the Civil Division of the Department of Justice participated in the E-Mail Correspondence with plaintiffs’ counsel. As a general matter, attorneys from the National Security Division represent the government before the FISC. The February 25 Motion, as well as the March 13 Response, were submitted by the Assistant Attorney General for the Civil Division and the Acting Attorney General for the National Security Division.

Frankly, I hope Walton ultimately tries to learn why he wasn’t told about these protection orders in more detail years ago, when the government was deciding whether or not to destroy evidence of lawbreaking that Walton first identified in 2009. I also hope he gets to the bottom of why Deputy Attorney General James Cole had to intervene in this issue. But for now, I’m happy to see DOJ taken to the woodshed for misinforming the Court.

Update: Meanwhile, on the other coast, Judge Jeffrey White issued a protection order that is far broader than the government would prefer it to be. The government had implied that the First Unitarian Church suit only covered Section 215; earlier this week (I’ve got a post half written on it), EFF argued they’re challenging the dragnet, irrespective of what authorization the government used to collect it. Nothing in White’s order limits the protection order to Section 215 and this passage seems to encompass the larger dragnet.

Defendants’ searching of the telephone communications information of Plaintiffs is done without lawful authorization, probable cause, and/or individualized suspicion. It is done in violation of statutory and constitutional limitations and in excess of statutory and constitutional authority. Any judicial, administrative, or executive authorization (including any business records order issued pursuant to 50 U.S.C. § 1861) of the Associational Tracking Program or of the searching of the communications information of Plaintiffs is unlawful and invalid.

Update: fixed a typo in which I inadvertently said Walton caused rather than found the lawbreaking in 2009.