Posts

Jim Comey Scolds the Press for Reporting on a Court Filing

/8 Comments/in /by

Jim Comey, seemingly intent on squandering once limitless credibility in record time, has written a letter to the NYT to explain two of the FBI’s deceptive operations reported recently. The one that’s getting the attention — his admission that an agent posed as an AP reporter to catch a teenager making bomb threats — actually comes off as the less indefensible response.

Relying on an agency behavioral assessment that the anonymous suspect was a narcissist, the online undercover officer portrayed himself as an employee of The Associated Press, and asked if the suspect would be willing to review a draft article about the threats and attacks, to be sure that the anonymous suspect was portrayed fairly.

[snip]

That technique was proper and appropriate under Justice Department and F.B.I. guidelines at the time. Today, the use of such an unusual technique would probably require higher level approvals than in 2007, but it would still be lawful and, in a rare case, appropriate.

Sure, the FBI decided to dress up as the press to catch someone who hadn’t yet done real harm. Sure, they did it to deliver malware, basically a classic hack. Sure, it could have played to this kid’s narcissistic tendencies using any number of other fake identities. Sure, this was ultimately going to get made at least as public as a court docket, which does undermine the credibility of a brand name press outlet. But it was a fairly limited operation, that wouldn’t have generated this much attention if Chris Soghoian (in the process of writing a brief to prevent the FBI to hack with even fewer limits) weren’t such a meddling hippie.

Having insulted the press by asserting that the FBI playing dress up as the press is legal (though dodging somewhat on whether to do so to catch a teenager would be “proper” today), Comey then responded to the FBI’s other recent black eye — being accused of shutting off cable and then pretending to be cable repairmen to access hotel rooms without a warrant — this way.

The Las Vegas case is still in litigation, so there is little we can say, but it would have been better to wait for the government’s response and a court decision before concluding that the F.B.I. engaged in abusive conduct.

Every undercover operation involves “deception,” which has long been a critical tool in fighting crime. The F.B.I.’s use of such techniques is subject to close oversight, both internally and by the courts that review our work.

“It would have been better to wait for the government’s response and a court decision before concluding that the F.B.I. engaged in abusive conduct”???

Now, the reason the press picked up on this story is because the well-heeled defendants have superb lawyers who wrote a brief that is both engaging and chock full of evidence. The brief starts by laying out the stakes that matter for you and I, even if in this case they affect a bunch of Malaysian men who may have ties to Asian organized crime.

The next time you call for assistance because the internet service in your home is not working, the “technician” who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and–when he shows up at your door, impersonating a technician–let him in. He will walk through each room of your home, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have “consented” to an intensive search of your home.

Jim Comey thinks the press shouldn’t report on this until after the government has had its shot at rebuttal? Does he feel the same about the army of FBI leakers who pre-empt defense cases all the time? Does Comey think it improper for his FBI to have released this press release, upon defendant Wei Seng Phua’s arrest, asserting that he is a member of organized crime as a fact and mentioning a prior arrest (not a conviction) that may or may not be deemed admissible to this case?

According to the criminal complaint, Wei Seng Phua, is known by law enforcement to be a high ranking member of the 14K Triad, an Asian organized crime group. On or about June 18, 2013, Phua was arrested in Macau, along with more than 20 other individuals, for operating an illegal sport book gambling business transacting illegal bets on the World Cup Soccer Tournament. Phua posted bail in Macau and was released. 

I didn’t see the FBI Director complaining about press stories, written in response to the press release, reported before the defense had been able to present their side.

The point is, one reason we have laws governing open access to court documents — which the government limits all the time (including with claims about a broad need to hide the methods of its deception) — is so both sides get a bid to make their case, both before judges and before the public. Another reason is so that the press can act as a check on something that may be legal, but probably shouldn’t be.

It may well be that FBI gets to use the evidence from their cable repairman scheme (given that superstar appellate lawyer Tom Goldstein is on the case, the defendants probably don’t think this is as big of a slam dunk as the press has, probably because Caesars, a competitor with the Asian mob in the gambling industry, was a willing participant in the scheme, including turning off the cable service). But that’s an entirely different question from whether they should, for precisely the reason the brief lays out: because if the FBI can turn off our cable to set up a cable repairman cover, then it undermines the principle of consensual searches.

These guys may or may not be douchebag Asian mobsters. But they are also being tried in the United States, which still subjects its criminal procedure to fairly broad but by no means unlimited press scrutiny.

Which means the press gets to weigh in. The defense gets to make their case, and if they make a compelling case, the press will report it, just as they almost always report FBI press releases on face value, as they did in this case (to say nothing of FBI’s leaks).

Jim Comey, himself a master at working the press, should expect that, and if he wants his FBI to remain credible, should ensure their undercover operations are not just “legal” and “proper” but also “wise.”

Classified Briefings: For When Your Public Claims Don’t Hold Up to Scrutiny

/2 Comments/in /by

As I laid out when he gave his speech at Brookings, Jim Comey’s public explanation for needing back doors to Apple and Android phones doesn’t hold up. He conflated stored communication with communication in transit, ignored the risk of a back door (which he called a front door), and the law enforcement successes he presented, across the board, do not support his claim to need a back door.

So yesterday Comey and others had a classified briefing, where no one would be able to shred his flawed case.

FBI and Justice Department officials met with House staffers this week for a classified briefing on how encryption is hurting police investigations, according to staffers familiar with the meeting.

The briefing included Democratic and Republican aides for the House Judiciary and Intelligence Committees, the staffers said. The meeting was held in a classified room, and aides are forbidden from revealing what was discussed.

[snip]

Comey called for Congress to revise the law to create a “level playing field” so that Google, Apple, and Facebook have the same obligation as AT&T and Verizon to help police.

National Journal listed out those companies, by the way — Facebook, for example, did not appear in Comey’s Brooking’s speech where he used the “level the playing field comment.”

I was puzzled by Comey’s inclusion of Facebook here until I saw this news.

To make their experience more consistent with our goals of accessibility and security, we have begun an experiment which makes Facebook available directly over Tor network at the following URL:

https://facebookcorewwwi.onion/

[ NOTE: link will only work in Tor-enabled browsers ]

Facebook Onion Address

Facebook’s onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud.

The idea is that the Facebook onion address connects you to Facebook’s Core WWW Infrastructure – check the URL again, you’ll see what we did there – and it reflects one benefit of accessing Facebook this way: that it provides end-to-end communication, from your browser directly into a Facebook datacentre.

All that got me thinking about what Comey said in the classified briefing — in the real reason he wants to make us all less secure.

And I can’t help but wonder whether it’s metadata.

The government aspires to get universal potential coverage of telephony (at least) metadata under USA Freedom Act, with the ability to force cooperation. But I’m not sure that Apple, especially, would be able to provide iMessage metadata, meaning iPhone users can text without leaving metadata available to either AT&T (because it bypasses the telecom network) or Apple itself (because they no longer have guaranteed remote object).

And without metadata, FBI and NSA would be unable to demonstrate the need to do a wiretap of such content.

Ah well, once again I reflect on what a pity it is that FBI didn’t investigate the theft of data from these same companies, providing them a very good reason to lock it all up from sophisticated online criminals like GCHQ.

Why Isn’t FBI Investigating the Hackers Who Broke into Google’s Cables?

/12 Comments/in /by

At his Brookings event yesterday, Jim Comey claimed that there is a misperception, in the wake of the Snowden releases, about how much data the government obtains.

In the wake of the Snowden disclosures, the prevailing view is that the government is sweeping up all of our communications. That is not true. And unfortunately, the idea that the government has access to all communications at all times has extended—unfairly—to the investigations of law enforcement agencies that obtain individual warrants, approved by judges, to intercept the communications of suspected criminals.

[snip]

It frustrates me, because I want people to understand that law enforcement needs to be able to access communications and information to bring people to justice. We do so pursuant to the rule of law, with clear guidance and strict oversight. 

He goes onto pretend that Apple and Google are default encrypting their phone solely as a marketing gimmick, some arbitrary thing crazy users want.

Both companies are run by good people, responding to what they perceive is a market demand. But the place they are leading us is one we shouldn’t go to without careful thought and debate as a country.

[snip]

Encryption isn’t just a technical feature; it’s a marketing pitch. But it will have very serious consequences for law enforcement and national security agencies at all levels. Sophisticated criminals will come to count on these means of evading detection. It’s the equivalent of a closet that can’t be opened. A safe that can’t be cracked. And my question is, at what cost?

He ends with a plea that “our private sector partners … consider changing course.”

But we have to find a way to help these companies understand what we need, why we need it, and how they can help, while still protecting privacy rights and providing network security and innovation. We need our private sector partners to take a step back, to pause, and to consider changing course.

There’s something missing from Comey’s tale.

An explanation of why the FBI has not pursued the sophisticated criminals who stole Google’s data overseas.

At a recent event with Ron Wyden, the Senator asked Schmidt to weigh in on the phone encryption “kerfuffle.” And Schmidt was quite clear: the reason Google and Apple are doing this is because the NSA’s partners in the UK stole their data, even while they had access to it via PRISM.

The people who are criticizing this should have expected this. After Google was attacked by the British version of the NSA, we were annoyed and so we put end-to-end encryption at rest, as well as through our systems, making it essentially impossible for interlopers — of any kind — to get that information.

Schmidt describes the default encryption on the iPhone, notes that it has been available for the last 3 years on Android phones, and will soon be standard, just like it is on iPhone.

Law enforcement has many many ways of getting information that they need to provide this without having to do it without court orders and with the possible snooping conversation. The problem when they do it randomly as opposed to through a judicial process is it erodes user trust.

If everything Comey said were true, if this were only about law enforcement getting data with warrants, Apple — and Google especially — might not have offered their customers the privacy they deserved. But it turns out Comey’s fellow intelligence agency decided to just go take what they wanted.

And FBI did nothing to solve that terrific hack and theft of data.

I guess FBI isn’t as interested in rule of law as Comey says.

Jim Comey’s Confused Defense of Front Door Back Doors and Storage Intercepts

/12 Comments/in /by

I said somewhere that those wailing about Apple’s new default crypto in its handsets are either lying or are confused about the difference between a phone service and a storage device.

For the moment, I’m going to put FBI Director Jim Comey in the latter category. I’m going to do so, first, because at his Brookings talk he corrected his false statement — which I had pointed out — on 60 Minutes (what he calls insufficiently lawyered) that the FBI cannot get content without an order. Though while Comey admitted that FBI can read content it has collected incidentally, he made another misleading statement. He said FBI does so during “investigations. They also do so during “assessments,” which don’t require anywhere near the same standard of evidence or oversight to do.

I’m also going to assume Comey is having service/device confusion because that kind of confusion permeated his presentation more generally.

There was the confusion exhibited when he tried to suggest a “back door” into a device wasn’t one if FBI simply called it a “front door.”

We aren’t seeking a back-door approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by law. We are completely comfortable with court orders and legal process—front doors that provide the evidence and information we need to investigate crime and prevent terrorist attacks.

And more specifically, when Comey called for rewriting CALEA, he called for something that would affect only a tiny bit of what Apple had made unavailable by encrypting its phones.

Current law governing the interception of communications requires telecommunication carriers and broadband providers to build interception capabilities into their networks for court-ordered surveillance. But that law, the Communications Assistance for Law Enforcement Act, or CALEA, was enacted 20 years ago—a lifetime in the Internet age. And it doesn’t cover new means of communication. Thousands of companies provide some form of communication service, and most are not required by statute to provide lawful intercept capabilities to law enforcement. [my emphasis]

As I have noted, the main thing that will become unavailable under Apple’s new operating system is iMessage chats if the users are not using default iCloud back-ups (which would otherwise keep a copy of the chat).

But the rest of it — all the data that will be stored only on an iPhone if people opt out of Apple’s default iCloud backups — will be unaffected if what Comey is planning to do is require intercept ability for every message sent.

Now consider the 5 examples Comey uses to claim FBI needs this. I’ll return to these later, but in almost all cases, Comey seems to be overselling his case.

First, there’s the case of two phones with content on them.

In Louisiana, a known sex offender posed as a teenage girl to entice a 12-year-old boy to sneak out of his house to meet the supposed young girl. This predator, posing as a taxi driver, murdered the young boy, and tried to alter and delete evidence on both his and the victim’s cell phones to cover up his crime. Both phones were instrumental in showing that the suspect enticed this child into his taxi. He was sentenced to death in April of this year.

On first glance this sounds like a case where the phones were needed. But assuming this is the case in question, it appears wrong. The culprit, Brian Horn, was IDed by multiple witnesses as being in the neighborhood, and evidence led to his cab. There was DNA evidence. And Horn and his victim had exchange texts. Presumably, records of those texts, and quite possibly the actual content, were available at the provider.

Then there’s another texting case.

In Los Angeles, police investigated the death of a 2-year-old girl from blunt force trauma to her head. There were no witnesses. Text messages from the parents’ cell phones to one another, and to their family members, proved the mother caused this young girl’s death, and that the father knew what was happening and failed to stop it.

Text messages also proved that the defendants failed to seek medical attention for hours while their daughter convulsed in her crib. They even went so far as to paint her tiny body with blue paint—to cover her bruises—before calling 911. Confronted with this evidence, both parents pled guilty.

This seems to be another case where the texts were probably available in other places, especially given how many people received them.

Then there’s another texting story — this is the only one where Comey mentioned warrants, and therefore the only real parallel to what he’s pitching.

In Kansas City, the DEA investigated a drug trafficking organization tied to heroin distribution, homicides, and robberies. The DEA obtained search warrants for several phones used by the group. Text messages found on the phones outlined the group’s distribution chain and tied the group to a supply of lethal heroin that had caused 12 overdoses—and five deaths—including several high school students.

Again, these texts were likely available with the providers.

Then Comey lists a case where the culprits were first found with a traffic camera.

In Sacramento, a young couple and their four dogs were walking down the street at night when a car ran a red light and struck them—killing their four dogs, severing the young man’s leg, and leaving the young woman in critical condition. The driver left the scene, and the young man died days later.

Using “red light cameras” near the scene of the accident, the California Highway Patrol identified and arrested a suspect and seized his smartphone. GPS data on his phone placed the suspect at the scene of the accident, and revealed that he had fled California shortly thereafter. He was convicted of second-degree murder and is serving a sentence of 25 years to life.

It uses GPS data, which would surely have been available from the provider. So traffic camera, GPS. Seriously, FBI, do you think this makes your case?

Perhaps Comey’s only convincing example involves exoneration involving a video — though that too would have been available elsewhere on Apple’s default settings.

The evidence we find also helps exonerate innocent people. In Kansas, data from a cell phone was used to prove the innocence of several teens accused of rape. Without access to this phone, or the ability to recover a deleted video, several innocent young men could have been wrongly convicted.

Again, given Apple’s default settings, this video would be available on iCloud. But if it was only available on the phone, and it was the only thing that exonerated the men, then it would count.

Update: I’m not sure, but this sounds like the Daisy Coleman case, which was outside Kansas City, MO, but did involve a phone video that (at least as far as I know) was never recovered. I don’t think the video ever was found. The guy she accused of raping her plead guilty to misdemeanor child endangerment — he dumped her unconscious in freezing weather outside her house.

I will keep checking into these, but none of these are definite cases. All of this evidence would normally, given default settings, be available from providers. Much of it would be available on phones of people besides the culprit. In the one easily identifiable case, there was a ton of other evidence. In two of these cases, the evidence was important in getting a guilty plea, not in solving the crime.

But underlying it all is the key point: Phones are storage devices, but they are primarily communication devices, and even as storage devices the default is that they’re just a localized copy of data also stored elsewhere. That means it is very rare that evidence is only available on a phone. Which means it is rare that such evidence will only be available in storage and not via intercept or remote storage.

60 Minutes Comey Refutes 60 Minutes Comey

/2 Comments/in /by

Jim ComeyToday, Jim Comey will give what will surely be an aggressively moderated (by Ben Wittes!) talk at Brookings, arguing that Apple should not offer its customers basic privacy tools (congratulations to NYT’s Michael Schmidt for beating the rush of publishing credulous reports on this speech).

Mr. Comey will say that encryption technologies used on these devices, like the new iPhone, have become so sophisticated that crimes will go unsolved because law enforcement officers will not be able to get information from them, according to a senior F.B.I. official who provided a preview of the speech.

Never mind the numbers, which I laid out here. While Apple doesn’t break out its device requests last year, it says the vast majority of the 3,431 device requests it responded to last year were in response to a lost or stolen phone request, not law enforcement seeking data on the holder. Given that iPhones represent the better part of the estimated 3.1 million phones that will be stolen this year, that’s a modest claim. Moreover, given that Apple only provided content off the cloud to law enforcement 155 times last year, it’s unlikely we’re talking a common law enforcement practice.

At least not with warrants. Warrantless fishing expeditions are another issue.

As far back as 2010, CBP was conducting 4,600 device searches at the border. Given that 20% of the country will be carrying iPhones this year, and a much higher number of the Americans who cross international borders will be carrying one, a reasonable guess would be that CBP searches 1,000 iPhones a year (and it could be several times that). Cops used to be able to do the same at traffic stops until this year’s Riley v, California decision; I’ve not seen numbers on how many searches they did, but given that most of those were (like the border searches) fishing expeditions, it’s not clear how many will be able to continue, because law enforcement won’t have probable cause to get a warrant.

So the claims law enforcement is making about needing to get content stored on and only on iPhones with a warrant doesn’t hold up, except for very narrow exceptions (cops may lose access to iMessage conversations if all users in question know not to store those conversations on iCloud, which is otherwise the default).

But that’s not the best argument I’ve seen for why Comey should back off this campaign.

As a number of people (including the credulous Schmidt) point out, Comey repeated his attack on Apple on the 60 Minutes show Sunday.

James Comey: The notion that we would market devices that would allow someone to place themselves beyond the law, troubles me a lot. As a country, I don’t know why we would want to put people beyond the law. That is, sell cars with trunks that couldn’t ever be opened by law enforcement with a court order, or sell an apartment that could never be entered even by law enforcement. Would you want to live in that neighborhood? This is a similar concern. The notion that people have devices, again, that with court orders, based on a showing of probable cause in a case involving kidnapping or child exploitation or terrorism, we could never open that phone? My sense is that we’ve gone too far when we’ve gone there

What no one I’ve seen points out is there was an equally charismatic FBI Director named Jim Comey on 60 Minutes a week ago Sunday (these are actually the same interview, or at least use the same clip to marvel that Comey is 6’8″, which raises interesting questions about why both these clips weren’t on the same show).

That Jim Comey made a really compelling argument about how most people don’t understand how vulnerable they are now that they live their lives online.

James Comey: I don’t think so. I think there’s something about sitting in front of your own computer working on your own banking, your own health care, your own social life that makes it hard to understand the danger. I mean, the Internet is the most dangerous parking lot imaginable. But if you were crossing a mall parking lot late at night, your entire sense of danger would be heightened. You would stand straight. You’d walk quickly. You’d know where you were going. You would look for light. Folks are wandering around that proverbial parking lot of the Internet all day long, without giving it a thought to whose attachments they’re opening, what sites they’re visiting. And that makes it easy for the bad guys.

Scott Pelley: So tell folks at home what they need to know.

James Comey: When someone sends you an email, they are knocking on your door. And when you open the attachment, without looking through the peephole to see who it is, you just opened the door and let a stranger into your life, where everything you care about is.

That Jim Comey — the guy worried about victims of computer crime — laid out the horrible things that can happen when criminals access all the data you’ve got on devices.

Scott Pelley: And what might that attachment do?

James Comey: Well, take over the computer, lock the computer, and then demand a ransom payment before it would unlock. Steal images from your system of your children or your, you know, or steal your banking information, take your entire life.

Now, victim-concerned Jim Comey seems to think we can avoid such vulnerability by educating people not to click on any attachment they might have. But of course, for the millions who have their cell phones stolen, they don’t even need to click on an attachment. The crooks will have all their victims’ data available in their hand.

Unless, of course, users have made that data inaccessible. One easy way to do that is by making easy encryption the default.

Victim-concerned Jim Comey might offer 60 Minute viewers two pieces of advice: be careful of what you click on, and encrypt those devices that you carry with you — at risk of being lost or stolen — all the time.

Of course, that would set off a pretty intense fight with fear-monger Comey, the guy showing up to Brookings today to argue Apple’s customers shouldn’t have this common sense protection.

That would be a debate I’d enjoy Ben Wittes trying to debate.

Jim Comey Lied When He Claimed FBI Needs a Judge to Read Your Email

/13 Comments/in /by

I believe that Americans should be deeply skeptical of government power. You cannot trust people in power. The founders knew that. That’s why they divided power among three branches, to set interest against interest. — FBI Director Jim Comey

As part of a piece on James Risen’s stories, 60 Minutes did an interview with Jim Comey. It rehearsed his role in running up hospital steps in 2004 to prevent Andy Card from getting an ill John Ashcroft to rubber stamp illegal surveillance — without mentioning that Comey and the other hospital heroes promptly got the same program authorized by bullying the FISA Court. Trevor Timm called out this aspect of 60 Minutes’ report here.

CBS also permitted Comey to engage in Apple encryption fear-mongering without challenge. CNN, to its credit, called Comey on his misrepresentations here.

But perhaps Comey’s biggest stretcher came when Scott Pelley asked him whether FBI engages in surveillance without a court order.

Scott Pelley: There is no surveillance without court order?

James Comey: By the FBI? No. We don’t do electronic surveillance without a court order.

Scott Pelley: You know that some people are going to roll their eyes when they hear that?

James Comey: Yeah, but we cannot read your emails or listen to your calls without going to a federal judge, making a showing of probable cause that you are a terrorist, an agent of a foreign power, or a serious criminal of some sort, and get permission for a limited period of time to intercept those communications. It is an extremely burdensome process. And I like it that way.

Comey was admittedly careful to caveat his answer, stating that FBI does not engage in “electronic surveillance” without a court order. That probably excludes FBI’s use of National Security Letters. Though as DOJ’s Inspector General has made clear, FBI uses NSLs for a number of things — including communities of interest, obtaining one or possibly two degree collection of phone records, as well as a bunch of other things that remain redacted — that the NSL law didn’t envision. Indeed, FBI’s NSL requests have gotten so exotic that some Internet companies started to refuse — successfully — in 2009 to comply with the requests, forcing FBI to use Section 215 orders instead.

But the second part of that exchange — Comey’s claim that “we cannot read your emails without going to a federal judge” is egregiously false.

As both ODNI and PCLOB have made clear, FBI can and does query incidentally collected data obtained under Section 702 (PRISM) — that is, it accesses email content — without a warrant. Alarmingly, it does so at the assessment level, before FBI even has any real evidence of wrong-doing.

Second, whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702–acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts.

That’s not conducting electronic surveillance — because FBI gets the email after the electronic surveillance has already occurred. But that does entail warrantless access of US person content, and does so without any review by a judge. Indeed, with Section 702 collection, a judge never even reviews the foreign targets, much less the US incidental collection accessed by the FBI.

Now I get that Jim Comey is a terrifically charismatic guy, with great PR instincts. But still, 60 Minutes is supposed to be a journalism show. Why, when Comey was telling 60 Minutes straight out they should not trust the government, did they let him make so many bogus claims?

The FBI Has Significant Problems Counting Its National Security Letters

/3 Comments/in , /by

NSL numbersToday’s Inspector General Report on FBI’s use of National Security Letters has set off a bunch of alarm bells in my head.

At issue are two unexplained problems.

First, the Inspector General identified a huge drop in NSL use for the years covering this report: FBI obtained 49,425 NSLs in 2006, the year before this report. It obtained 54,935 afterwards. The years in-between — the 3 years covered by this report — NSLs dropped off a relative cliff, with 20% fewer in 2007 and even fewer in 2009.

The IG wasn’t able to offer any explanation for this, besides the possibility that increased scrutiny on NSL use led people to use other methods to get this information.

However, two supervisors and a division counsel told us that they believe agents use NSLs less often now than they did five years ago. These individuals told us that because of increased scrutiny on NSL use agents employ alternative investigative tools when possible.

In testimony last year, Jim Comey said FBI agents would just use grand jury subpoenas rather than NSLs if the NSLs became too onerous, so that may be where the activity disappeared to.

Hey, if 20% of FBI NSLs could be grand jury subpoenas without any problem, let’s make them do that!

It’s FBI’s other counting problems — and its non-answers — that have me even worried.

According to the IG, the FBI is not reporting as much as 7.3% [update, 10/16: I think the correct number is 6.8%] of its NSL use to Congress. For example, when the IG tried to pull NSLs by NSL type (that is, toll billing, financial records, electronic transaction records), it found a significant discrepancy between what had been reported to Congress and what FBI’s internal spreadsheets showed.

[T]he NSL data in the itemized spreadsheets does not exactly match the NSL data reported to Congress in 2008 and 2009. The total number of requests reported for each year [by transaction type] is more than the total number of NSL requests reported to Congress by 2,894 and 2,231 requests, respectively. (63)

So for 2009, where FBI requested just 30,442 NSLs, FBI did not report 7.3% of the NSLs it requested.

(I can’t double check my math here because FBI redacted some of these tables, but I guess that’s one of the hazards of overclassifying things.)

That’s troubling enough, as is FBI’s lackadaisical attitude towards correcting the disparity.

After reviewing the draft of this report, the FBI told the OIG that while 100 percent accuracy can be a helpful goal, attempting to obtain 100 percent accuracy in the NSL subsystem would create an undue burden without providing corresponding benefits. The FBI also stated that it has taken steps to minimize error to the greatest extent possible.

Ho hum, we’re just the FBI, why expect us to be able to police ourselves?

But it gets weirder.

First, the one theory the IG came up with to explain the discrepancy is that FBI is not counting all the manual NSLs that bypass their automatic counting system implemented in response to the first IG Reports on NSLs.

In fact, they’re not: FBI’s Inspection Division found they’re not counting some significant (not single digit) percentage number of their manual NSLs (they redact how much they’re not counting on page 39).

But the IG seems to suspect there may be even more manual requests that are not being counted at all.

[T]he total number of manually generated NSLs that the FBI inspectors identified is relatively small compared to the total number of 30,442 NSL requests issued by the FBI that year. What remains unknown, however is, whether the FBI inspectors identified all the manually identified generally NSLs issued by the FBI or whether a significant number remains unaccounted for and unreported.(58)

If you guessed that FBI redacted under what circumstances FBI permits agents to bypass this automatic counting system, you’d be right. That discussion is in footnote 35 on page 17, and again on pages 113-115.

But I worry, given one observation from the IG, that they’re bypassing the automatic system in cases of “sensitive” investigations. Some apparent moron tried to explain why the IG found higher numbers for NSLs than Congress because the NSLs related to sensitive investigations were being reported to Congress but not the IG.

After reviewing the draft of this report, the FBI told the OIG for the first time that the NSL data provided to Congress would almost never match the NSL data provided to the OIG because the NSL data provided to Congress includes NSLs issued from case files marked “sensitive,” whereas the NSL data provided to the OIG does not. According to the FBI, the unit that provided NSL data to the OIG does not have access to the case files marked “sensitive” and was therefore unable to provide complete NSL data to the OIG. The assertion that the FBI provided more NSL data to Congress than to the OIG does not explain the disparities we found in this review, however, because the disparities we found reflected that the FBI reported fewer NSL requests to Congress than the aggregate totals. (58)

Aside from the revelation that FBI doesn’t understand how numbers work — that if Congressional reporting reflected a larger universe of NSLs than what the IG got to see, Congressional numbers should be higher, now lower — this also seems to mean that the IG is not being permitted to review the NSLs relating to sensitive investigations.

Now, it’s not entirely clear what FBI means by “sensitive” in this circumstance. But generally, “sensitive” investigations at FBI are those that investigate reporters, faith leaders, and politicians.

So it seems possible the FBI is not permitting the IG to review precisely the practices he should review.

Which brings me to another matter that is almost entirely redacted.

As I’ve reported repeatedly, one thing the last IG report on Exigent Letters showed is that a number of journalists have had their phone records collected by FBI. In addition, the 2011 DIOG made it acceptable to use NSLs to do so. Here’s the section of the executive summary of this report that describes whether FBI has resolved this issue.

Journalist NSLs

From which I can only assume that FBI is continuing to use NSLs to collect journalist records (if FBI would like to declassify this language to prove me wrong, I welcome their transparency!).

So to sum up:

  • FBI can’t figure out why its NSL numbers dropped of a cliff for the years in question
  • FBI can’t figure out what happened to up to 7.3% of its NSLs
  • The IG thinks it is possible there are even more NSLs missing from those numbers
  • When asked, the FBI said maybe discrepancies come from files on sensitive investigations that the IG has no access to
  • The FBI does appear to be continuing its use of NSLs to hunt down journalists’ sources, which qualifies under the DIOG as a “sensitive” investigation, along with faith leaders and politicians

All that could be badly wrong — much of this information is redacted from both me, and in some cases, from Congress.

But doesn’t it raise some awfully big questions?

FBI Hides More and More of its National Security Letter Use

/1 Comment/in /by

Recently I have started blogging occasionally over at Expose Facts — an entity serving whistleblowers and transparency. There’s even a SecureDrop, if you want to drop me secret documents to read!

Things will remain the same over here; I just hope to broaden my readership and support an important cause. I post links here to the more interesting posts over there.

Today, I’ve got a second post on the DOJ IG Report on FBI’s use of National Security Letters. It examines the extent to which FBI and the President’s Intelligence Oversight Board, which reviews legal violations of intelligence agencies, have classified information about FBI’s use of NSLs, even information that had been public in prior DOJ IG reports.

That is, both in the unclassified and the classified reports, FBI and President’ Obama’s oversight board demanded Horowitz hide information that had been released in some form in the 3 earlier reports DOJ’s IG did on NSLs.

FBI or PIAB are hiding:

  • What kind of information FBI collects using NSLs
  • What kind of violations FBI reports (or doesn’t report) to its overseers
  • PIAB’s judgements about FBI’s compliance with NSL statute

This information is, of course, central to Congress and the public’s understanding of whether FBI continues to abuse the NSL statute, as it did for the first 5 years after 9/11 (this report only covers NSL use until 2009; FBI’s more current use remains unexamined).

FBI’s suppression of this information is all the more troublesome given that the USA Freedom Act currently being debated in the Senate addresses some of the FBI’s use of NSLs.

Go read the rest!

The Hospital Confrontation Heroes of Rule of Law Gutted Separation of Powers

/8 Comments/in , /by

Remember that cinematic story of how Jim Comey and Jack Goldsmith and Robert Mueller stood up to Bush and Cheney and forced them to shut down their illegal dragnet to defend the rule of law in 2004?

It turns out, what Comey and Goldsmith did in secret two months later was not so heroic. As I lay out over at Salon, the memo of law they used to get their illegal dragnet blessed by the FISA court argued both Judge Colleen Kollar-Kotelly and the Congress that passed the PRTT law in the first place had no choice but to cede to Executive power.

Essentially, they argued both she — an Article III judge — and Congress must have their power gutted to protect the president’s power.

[snip]

The same heroes of the hospital confrontation, lionized for the last decade for their courageous defense of the rule of law, thereby gutted the separation of powers, in secret. All to serve still more secrecy … and the power of the presidency they purportedly reined in two months earlier.

They may have won Bush — and themselves, who otherwise would have signed off on an illegal program — legal cover by doing so. But in the process they corroded the balance of powers enshrined by the Constitution, turning the FISC into a place where expansive executive branch programs get rubber-stamped in secret.

Here’s how they justified not getting Congress to write a new law to authorize the spying they themselves refused to approve.

The memo’s focus on Congress — at least what appears in unredacted form — is much more circumspect, but perhaps even more disturbing.

DOJ pointed to language showing Congress intended pen registers to apply to the Internet; they pointed to the absence of language prohibiting a pen register from being used to collect data from more than a single user, as if that’s the same as collecting from masses of people and as if that proved congressional intent to wiretap everyone.

And then they dismissed any potential constitutional conflict involved in such broad rereadings of statutes passed by Congress. “In almost all cases of potential constitutional conflict, if a statute is construed to restrict the executive, the executive has the option of seeking additional clarifying legislation from Congress,” the heroes of the hospital confrontation admitted. The White House had, in fact, consulted Majority Leader Tom DeLay about doing just that, but he warned it would be too difficult to get new legislation. So two months later, DOJ argued Congress’ prerogative as an independent branch of government would just have to give way to secrecy. “In this case, by contrast, the Government cannot pursue that route because seeking legislation would inevitably compromise the secrecy of the collection program the Government wishes to undertake.”

You remember that part of the Constitution where it says Congress passes the laws, unless the Executive Branch wants the laws to be secret, in which case they can do it?

Nope, neither do I.

Ashcroft, Comey, Goldsmith, and Baker: “All” Is the “Best” Reading of “Relevant”

/5 Comments/in /by

Four MusketeersTowards the end of the Memorandum of Law in support of the Internet dragnet — which was signed by those guys ———-> — DOJ makes a claim that its reading of “relevant” to mean “almost all” was the best possible reading.

Here, by contrast, reading the term “relevant” to permit the collection of this critical information during wartime is a construction rooted in the text that requires no stretching of the ordinary meaning of the terms of the statute at all. In fact, for all the reasons outlined above, interpreting section 402 to authorize the collection the Government has requested in the best reading of the plain terms of the Act.

This is why you should not have secret courts.

I get making an aggressive push to authorize dragnet surveillance.

I get mining old and foreign dictionaries to come up with a definition that suits your needs.

But after you’ve made your best ditch effort to stretch the meaning of words, secretly, beyond all recognition, don’t then, secretly, pat yourself on the back pretending that wasn’t the game you just pulled.

But hey. Who’s the chump? After all, we now know that Misters Ashcroft, Comey, Goldsmith, and Baker pulled this off.

Yet no one is making any effort to put the English language back on some kind of sane footing. Nothing in any of the “reform” efforts before Congress attempts to put sanity back into the word “relevant.”