Posts

The FBI (or NSA?)’s Bulk National Security Letters

/11 Comments/in /by

Say, did you notice that the NSA Review Group, like the Leahy-Sensenbrenner bill before it, endorsed dramatic restrictions on National Security Letters?

Both efforts set out to address the most extreme privacy risks posed by — the perception was — the NSA, yet both would impose new rules on NSLs, which are primarily used by the FBI. And both efforts would attempt to at least limit (and therefore presumably end) any bulk collection with NSLs.

Leahy-Sensenbrenner provides specific changes to both the statute authorizing communications collection and the one authorizing financial data collection. In the case of toll records, the changes look like this:

Required Certification.— The Director of the Federal Bureau of Investigation, or his designee in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director may request the name, address, length of service, and local and long distance toll billing records of a person or entity if the Director (or his designee) certifies in writing to the wire or electronic communication service provider to which the request is made that—

(1) the name, address, length of service, and toll billing records sought are relevant and material to an authorized investigation to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the First Amendment to the Constitution of the United States; and

(2) there are reasonable grounds to believe that the name, address, length of service, and toll billing records sought pertain to—

(A) a foreign power or agent of a foreign power;

(B) the activities of a suspected agent of a foreign power who is the subject of such authorized investigation; or

(C) an individual in contact with, or known to, a suspected agent of a foreign power. [my emphasis]

In addition, Leahy-Sensenbrenner would make NSL gags harder to sustain.

The Review Group went even further with respect to the basic NSL requests. It recommended (as its 2nd and 3rd recommendations, stuck right in the middle of its Section 215 discussion!) not only limiting bulk collection with NSLs, but requiring judicial review and adding minimization procedures to them.

Recommendation 2 We recommend that statutes that authorize the issuance of National Security Letters should be amended to permit the issuance of National Security Letters only upon a judicial finding that:

(1) the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and

(2) like a subpoena, the order is reasonable in focus, scope, and breadth.

Recommendation 3 We recommend that all statutes authorizing the use of National Security Letters should be amended to require the use of the same oversight, minimization, retention, and dissemination standards that currently govern the use of section 215 orders. [my emphasis]

There are two possible reasons why Leahy-Sensenbrenner and the Review Group would offer such similar reforms. First, it’s possible they worry that limiting bulk collection on Section 215 without limiting it on NSLs would lead the government to use NSLs instead.

Far more likely, both would propose such reforms because they know NSLs had already been used for bulk collection. (We know DOJ used bulk NSLs in its efforts to fix its exigent letter problems, but that involved just 3 bulk orders, all 3 issued in 2006.)

Which would be alarming because — as the Review Group points out — in FY2012 (which extends from October 1, 2011 to September 30, 2012), the FBI issued 21,000 NSLs, “primarily for subscriber information.” DOJ’s reports to Congress reported 16,511 NSL requests in 2011 and 15,229 in 2012 that weren’t subscriber information only, so roughly 5,500 of that 21,000 were just subscriber information. But the FBI could very well be issuing bulk orders for both toll records and financial records.

That’s a lot of potential bulk orders.

And, as the Review Group makes clear in its list of reasons the NSLs are ripe for abuse, the FBI doesn’t treat this data with the same care that NSA purportedly treats the phone dragnet data.

[T]he oversight and minimization requirements governing the use of NSLs are much less rigorous than those imposed in the use of section 215 orders.

So data from potentially thousands of bulk orders, covering both toll and financial records, may be sitting on FBI’s servers, with few access, dissemination, and age-off restrictions.

No wonder the Review Group thinks the NSLs should be subject to the same kind of judicial scrutiny as the other laws repurposed for bulk collection.

There is one final—and important— issue about NSLs. For all the well-established reasons for requiring neutral and detached judges to decide when government investigators may invade an individual’s privacy, there is a strong argument that NSLs should not be issued by the FBI itself. Although administrative subpoenas are often issued by administrative agencies, foreign intelligence investigations are especially likely to implicate highly sensitive and personal information and to have potentially severe consequences for the individuals under investigation. We are unable to identify a principled reason why NSLs should be issued by FBI officials when section 215 orders and orders for pen register and trap-and-trace surveillance must be issued by the FISC.

Which is precisely the reason why the Administration is fighting this.

While the focus on reforms Obama may reject has centered on the phone dragnet collection, anonymous sources are also saying the government can’t accept the Review Group proposal for NSLs.

Civil liberties groups would like Obama to rein in the government’s use of so-called “national security letters,” which allow the FBI and other agencies to compel individuals and organizations to turn over business records without any independent or judicial review.

A senior administration official said no final decisions had been made yet, but some operational agencies have concerns about limiting the use of these letters because it would raise the bar for intelligence investigations above that for criminal ones.

Which is understandable, so long as you ignore the high likelihood these are bulk orders. But once you imagine how many Americans’ records this might include if any significant number of NSLs are bulk orders, then it seems utterly shocking no judge reviews the requests.

That’s presumably one of the reasons the Administration wants to rush through its recommendations before we think too hard about the implications of bulk NSL orders.

The Maneuvers to Get Ahead of the NSA Review Group Recommendations

/8 Comments/in , /by

Here’s a quick summary of all the events happening in response to the NSA Review Group report:

Tuesday, January 7: James Clapper “and other Intelligence Community Leaders” meet with Geoffrey Stone, Cass Sunstein, and Peter Swire; SSCI holds closed briefing with Review Group

Wednesday, January 8: Obama meets with Intelligence Community leaders; Obama meets with PCLOB; NatSec Aides and Congressional staffers meet in Situation Room

Thursday, January 9: Obama meets with (reportedly invited) Dianne Feinstein, Saxby Chambliss, Mike Rogers, Dutch Ruppersberger, Pat Leahy, Chuck Grassley, Bob Goodlatte, John Conyers, Ron Wyden, Mark Udall, and Jim Sensenbrenner

Tuesday, January 14: Review Group testifies publicly before Senate Judiciary Committee

PCLOB, which I believe has a better understanding of the dragnet than several members of the Review Group, was supposed to present its own recommendations sometime this month, and the White House claims to be conducting its own internal review which is finishing up work.

I raise this schedule to point to the several times when Obama will meet with advocates for reform in a venue where some horse-trading can go on. Not only will he meet with PCLOB before their recommendations come out (as he met with the Review Group), but he will have the sponsors of legislation that would reform NSA and FBI’s counterterrorism programs, as well as Wyden and Udall, in a room with a larger number of opponents of reform.

Jay Carney said today Obama will introduce his own “reforms” before the State of the Union on January 28. But I wouldn’t be surprised if Obama moved to pre-empt these other discussions even earlier than that, as he did with the Review Group suggestion that the Director of the NSA position be split from the Cybercommand position.

Will he try to get an agreement from the legislative critics to withdraw their legislation if he makes some changes as executive prerogative?

Richard Leon: A Phone Dragnet Is Not a Special Need

/10 Comments/in , /by

As I noted briefly in this post, Judge RIchard Leon ruled that Judicial Watch’s Larry Klayman is very likely to succeed in his suit challenging the phone dragnet on Constitutional grounds. He issued an injunction requiring NSA to take out Klayman’s data, but stayed that decision pending appeal.

While many civil liberties lawyers are hailing the decision, the its strength might be measured by the fact that Mark Udall and Jim Sensenbrenner both used it as a call to pass Leahy-Sensenbrenner; they did not celebrate the demise of the dragnet itself. That is, it is almost certain that this decision will not, by itself, end the dragnet.

I suspect this ruling will serve to break the ice for other judges (there are several other suits, a number of them launched by entities — like the ACLU — that I expect to have better command of the details of the dragnet and the reasons it is unconstitutional, which may lead to a stronger opinion). And to the extent it stands (don’t hold your breath) it will begin to chip away at NSA’s claims that searches don’t happen on collection, but on database access.

And on one point, I think Leon’s ruling provides a really important baseline on the matter of special needs.

As Orin Kerr sketches out roughly here (and I agree with much of what he says about Leon’s ruling), Leon basically held that Smith v. Maryland didn’t apply in the era of smart phones. From there, he moved onto Fourth Amendment analysis, which involves an analysis of whether the special need of hunting terrorists merits the huge privacy infringement of collecting all phone records in the US. After reviewing the precedents on special needs, Leon writes,

To my knowledge, however, no court has ever recognized a special need sufficient to justify continuous, daily searches  of virtually every American citizen without any particularized suspicion. In effect, the Government urges me to be the first non-FISC judge to sanction such a dragnet.

Then Leon goes on to challenge the government’s claims about the need involved.

The Government asserts that the Bulk Telephony Metadata Program serves the “programmatic purpose” of “identifying unknown terrorist operatives and preventing terrorist attacks.”

[snip]

A closer examination of the record, however, reveals the Government’s interest is a bit more nuanced–it is not merely to investigate potential terrorists, but rather, to do so faster than other investigative methods might allow.

Which brings him to the same issue Ron Wyden and Mark Udall keep pointing to: the NSA simply doesn’t have evidence of this actually having worked.

Yet, turning to the efficacy prong, the Government does not cite a single instance in which analysis of the NSA’s bulk metadata collection actually stopped an imminent attack, or otherwise aided the Government in achieving any objective that was time-sensitive in nature. In fact, none of the three “recent episodes” cited by the Government that supposedly “illustrate the role that telephony metadata analysis can play in preventing and protecting against terrorist attack” involved any urgency.

Now, I actually think the NSA and FBI declarants in this case begin to hint at the real purpose of the dragnet — I’ll come back to that once PACER recovers from what everyone jokes is NSA retaliation for this ruling.

But with regards to accomplishing the purpose the NSA claims the dragnet serves, there’s no evidence to show. Leon finds that absent real proof that the dragnet works, Klayman’s privacy interests outweigh the Government’s need.

Given the limited record before me at this point in the litigation–most notably, the utter lack of evidence that a terrorist attack has ever been prevented because searching the NSA database was faster than other investigative tactics–I have serious doubts about the efficacy of the metadata collection program as a means of conducting time-sensitive investigations in cases involving imminent threats of terrorism.

[snip]

Thus, plaintiffs have a substantial likelihood of showing that their privacy interests outweigh the Government’s interest in collecting and analyzing build telephony metadata and therefore the NSA’s bulk collection program is indeed an unreasonable search under the Fourth Amendment.

Now, to be clear, before Leon gets here, he has to get by Smith v. Maryland, and I agree with Kerr that his argument there isn’t all that strong (though I disagree with Kerr that it couldn’t be).

But one big takeaway from this ruling –whether the DC Circuit overturns it or not — is that it will be very hard for the government to make the case that the need the dragnet serves outweighs the privacy cost.

Probably not with this ruling, but it may not be long before the government has to face up to the fact that its dragnet really hasn’t shown any results.

Update: New Yorker’s Amy Davidson writes, “But what his ruling does is deprive the N.S.A. of the argument of obviousness: the idea that what it is doing is plainly legal, plainly necessary, and nothing for decent people to worry about.” That’s about what I mean by Leon breaking the ice.

“We’re Not Going to Leave It To the Guy Who Lies to Congress with Impunity Anymore”

/25 Comments/in , /by

The regular outlets for NSA leakers are presenting details of the recommendations the NSA Review Committee has given to President Obama (Gorman, Sanger). Curiously, Siobhan Gorman suggests that because the recommendations closely following the Leahy-Sensenbrenner bill, it bodes well for passage of that bill.

The panel’s idea “aligns very closely” with a bill offered by House Judiciary Committee Chairman James Sensenbrenner (R., Wis.) and Senate Judiciary Chairman Patrick Leahy (D., Vt.), said one person familiar with the report, suggesting it could give ammunition to congressional efforts.

From what I’ve seen so far, I’m not sure that’s actually true. Moreover, that’s not how intelligence reform generally works. Rather, usually the executive adopts changes asked by Congress, thereby dissuading Congress from actually passing those changes into enforceable law. With Jim Sensenbrenner correctly calling Dianne Feinstein’s Fake FISA Fix “a joke” and growing number of co-sponsors for Sensenbrenner’s bill, I can imagine why the Executive would want to pre-empt actual law.

Significantly, the proposed recommendations don’t end the concept of a phone dragnet; they just move administration of it elsewhere — either a third party or the telecoms — equally prone for abuse. The Review Committee apparently didn’t review efficacy of these programs.

Besides, according to David Sanger, the proposals predictably focus  more on Angela Merkel’s privacy than the hundreds of millions of others whose privacy the NSA compromises.

The advisory group is also expected to recommend that senior White House officials, including the president, directly review the list of foreign leaders whose communications are routinely monitored by the N.S.A. President Obama recently apologized to Chancellor Angela Merkel of Germany for the N.S.A.’s monitoring of her calls over the past decade, promising that the actions had been halted and would not resume. But he refused to make the same promise to the leaders of Mexico and Brazil.

Administration officials say the White House has already taken over supervision of that program. “We’re not leaving it to Jim Clapper anymore,” said one official, referring to the director of national intelligence, who appears to have been the highest official to review the programs regularly.

[snip]

[National Security Council spokesperson Caitlin Hayden] added that the review was especially focused on “examining whether we have the appropriate posture when it comes to heads of state; how we coordinate with our closest allies and partners; and what further guiding principles or constraints might be appropriate for our efforts.”

It’s that James Clapper line that ought to be the tell, however: that folks within the Administration are boldly stating that James Clapper won’t be able to run amok anymore.

The same James Clapper, of course, on whom the White House imposed no consequences for lying to Congressional overseers.

Which brings me to my favorite detail, from the NYT:

One of the expected recommendations is that the White House conduct a regular review of those collection activities, the way covert action by the C.I.A. is reviewed annually.

Obama suggested last week he serves in no more than an advisory role for the Deep State, someone who can propose changes, but not someone who can order them. That an advisory committee has to tell the President that the NSA operates with less oversight than the CIA whose covert operations have systematically exceeded the claimed authority granted by the President says something.

I do fear this Review will pre-empt some of the most important legislative fixes.

But I also hope we’ll finally see heightened distance between the Deep State and the Executive that is overdue for reining it in.

Was DOJ Hiding a Section 215 Gun Registry from Congress?

/14 Comments/in , /by

Among other documents, ODNI released  on Monday all the Attorney General Reports on Section 215 use from 2005 to 2011 (2006200720082009201020112012).

This is the classified version of a report that also gets released in unclassified form as part of a larger report to Congress on FISA numbers (20052006200720082009201020112012; ODNI did not release the report covering 2012 because it lay outside the scope of ACLU’s FOIA). And the paragraph of each of these reports that lays out the following information remains redacted in all of them.

(3) the number of such orders either granted, modified, or denied for the production of each of the following:

(A) Library circulation records, library patron lists, book sales records, or book customer lists.

(B) Firearms sales records.

(C) Tax return records.

(D) Educational records.

(E) Medical records containing information that would identify a person.

Nevertheless, the reports show us two new things.

Screen shot 2013-11-22 at 8.52.29 AM

First, while we knew the number of modifications has gone up significantly in the last three years (we now know that many of the modifications in 2009 had to do with phone dragnet violations), the latest reports ODNI released say this:

The FISC modified the proposed orders submitted with forty-three such applications in 2010 (primarily requiring the Government to submit reports describing implementation of applicable minimization procedures).

The FISC modified the proposed orders submitted with 176 such applications in 2011 (requiring the Government to submit reports describing implementation of applicable minimization procedures).

Julian Sanchez had speculated that’s what was going on in a post (I can’t find the link right now) noting that NSL use had halved while Section 215 use had gone up. Remember, too, the government has not released a 2010 opinion on Section 215 that may explain why the FISC got much more involved in policing the government’s minimization.

Still, it is almost certain that the need to double check government minimization stems from bulk collections. If those bulk collections were also on a 90-day renewal cycle, then we might be looking at 44 bulk collection programs in 2011.

One more thing. As was reflected in the ACLU Vaughn Index, it appears DOJ never provided these reports to Congress starting with the report covering 2008. It did do so for the report covering 2011, but the report isn’t dated, so it’s not clear it was done in April 2012, when it should have been provided to Congress. Furthermore, that production was cc’ed to John Bates, which the tardy August 16, 2010 production of FISC opinions also was, which makes me wonder whether Bates had to force the Executive to fulfill the requirements in the PATRIOT Reauthorization (both these reports and the pre-2008 “significant constructions of law” requirement stems from the 2006 reauthorization). [4/19/14 correction: The “significant constructions of law” stems from the FISA Amendments Act]

Now, maybe DOJ was just being lazy in not fulfilling the clear legal requirement. But given that it seems to have had no problem fulfilling the requirement for unclassified numbers during the same period, I wonder whether DOJ just didn’t want to reveal that it was collecting on one or more of the specified categories, such as firearms sales records (though I’ve long wondered whether DOJ was also collecting DNA records).

Read more

If the Executive Had Followed Clear Minimization Requirements of PATRIOT, Dragnet Abuses Might Have Been Avoided

/13 Comments/in , /by

For 4 years, it has been clear that DOJ Inspector General Glenn Fine used his 2008 report on the FBI’s use of Section 215 to address how it had been used for what was then a secret program. For that reason, I want to look more closely at what he had to say about minimization.

Glenn Fine reveals how FBI minimization procedures are self-referential nonsense

As I noted, as part of a congressionally-mandated review completed in March 2008, DOJ’s Inspector General Glenn Fine reviewed whether DOJ had complied with PATRIOT Reauthorization’s requirement that the Attorney General craft minimization procedures to use with Section 215 collection.

He described how, in advance of a September 5, 2006 deadline, two parts of DOJ squabbled over what the minimization procedures should be.

Several months after enactment of the Reauthorization Act, the Office of Intelligence Policy and Review (OIPR) and the FBI — both of whom had been developing minimization procedures related to Section 215 orders — exchanged draft procedures. The drafts differed in fundamental respects, ranging from definitions to the scope of the procedures.

The fight seems to have been significantly fought between OIPR’s Counsel James Baker (who had a record of trying to get DOJ to follow the law) and FBI’s General Counsel Valerie Caproni (who got confirmed as a Federal Judge for NY this year literally at the same moment the Administration started releasing the most damning details on the dragnet).

Unresolved issues included the time period for retention of information, definitional issues of “U.S. person identifying information,” and whether to include procedures for addressing material received in response to, but beyond the scope of, the FISA Court order; uploading information into FBI databases; and handling large or sensitive data collections.

A couple of months would put this debate squarely in the time period when the first dragnet order would be signed (two months would be May 9; the first order was signed May 24).

And you can see how these issues would go squarely to the heart of whether or not the government could use Section 215 to authorize the dragnet. The dragnet introduces immediate retention issues, given that it authorizes collection on data not yet in existence; imagine if OIPR mandated an immediate search, with all non-responsive numbers to be destroyed. NSA itself treated phone numbers as “identifiers,” and yet this entire program fails to meet the most basic dissemination limits if you treat them as identifiers here. We know NSA had recurrent problem with receiving data that was beyond the scope, including credit card numbers and international data. Unloading this into the FBI database presents immense problems, given that the foreign intelligence value of a query is based on a algorithm, not more concrete evidence. And of course, Fine’s mention of the debate over “handling large or sensitive data collections” must implicate the dragnet, which is the quintessential large and sensitive data collection.

Almost the entirety of the detailed discussion of these issues is redacted.

Read more

In Which Ben Wittes Proves Ben Wittes Is NAKED

/12 Comments/in , /by

160 days ago, Jim Sensenbrenner released a letter to Eric Holder expressing concern about the way DOJ had interpreted Section 215. In it, he did some creative editing to hide that he had had an opportunity to learn about that interpretation before he voted to reauthorize the PATRIOT Act.

160 days ago, I was (I believe) the first person to point out that obfuscation.

In those 160 days, I have also documented the serial lies and obfuscations of people like Keith Alexander, James Clapper, Robert Mueller, Mike Rogers, Valerie Caproni, Dianne Feinstein, Raj De, and Robert Litt. (one, two, three, four, five, six, seven, eight, nine, ten, eleven, twelve, thirteen, fourteen, fifteen, sixteen, seventeen, eighteen, nineteen, twenty, twenty-one, twenty-two, twenty-three, twenty-four, twenty-five, twenty-six, twenty-seven, twenty-eight, twenty-nine, thirty, thirty-one, thirty-two, thirty-three; trust me, this is just a quick survey). The most recent of these lies came last week when Raj De and Robert Litt claimed Congress had been fully informed about the authorities they were voting on, a claim which the Executive Branch’s own record proves to be false.

In spite of the clear imbalance between the lies NSA critics have told and those NSA apologists have told, Ben Wittes has made it a bit of a hobby to use Sensenbrenner’s single (egregious) lie to try to discredit NSA critics (without, of course, pointing out the serial, at times even more egregious, lies NSA apologists were telling). Of late, Wittes has harangued that, because he told a lie 160 days ago, Sensenbrenner is operating in bad faith when he criticizes NSA’s programs now. (See also this post.)

I have never questioned the good faith of Senators Patrick Leahy, Ron Wyden, or Rand Paul. They are legislators with a perspective. That’s how Congress works.

Rep. James Sensenbrenner is a different matter.

Since the bulk metadata program broke, the former chairman of the House Judiciary Committee has been on a campaign of denunciation of both agency activity under the Patriot Act—the law he helped write. And he has been denouncing the administration for having misled him about how Section 215 is being used too. He has done so with a breathtaking dishonesty that puts him in a different category from those members who have a policy dispute with the administration. [my emphasis]

Mind you, Wittes did not examine the content of Sensenbrenner’s more recent claims. Had he done so, he might have realized that the record supports Sensenbrenner’s complaints, even if the messenger for those complaints might be less than perfect.

It ignored restrictions painstakingly crafted by lawmakers and assumed a plenary authority never imagined by Congress. Worse, the NSA has cloaked its operations behind such a thick cloud of secrecy that, even if our trust was restored, Congress and the American people would lack the ability to verify it.

Note, we’re still learning the full extent of how the Executive Branch blew off limits placed on the PATRIOT authorities.

Wittes might even have noted Sensenbrenner’s apparent commitment to do his own job better.

“I hope that we have learned our lesson and that oversight will be a lot more vigorous,” Sensenbrenner said.

Even ignoring Wittes’ remarkable double standard, in which he suggests Sensenbrenner’s one lie should disqualify him from speaking on this topic forever while Clapper and Alexander’s seeming addiction to lies apparently shouldn’t even be mentioned in polite company, a highly regarded expert recently laid out new evidence for why Sensenbrenner has good reason to be angry, regardless of his role in passing PATRIOT in 2001 or 2006 or 2010 or even 2011.

The expert?

Ben Wittes.

Read more

The Phone Dragnet Did Not (and May Still Not) Meet the PATRIOT Act’s Minimization Requirements

/3 Comments/in , /by

While a number of the changes to Section 215 passed just before the government started relying on it to create a database of all phone-based relationships in the United States watered down the law, one provision made the law stricter.

The 2006 Reauthorization required the Attorney General to establish minimization procedures for the data collected under the program.

(g) Minimization Procedures and Use of Information- Section 501 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861) is further amended by adding at the end the following new subsections:

(g) Minimization Procedures-

(1) IN GENERAL- Not later than 180 days after the date of the enactment of the USA PATRIOT Improvement and Reauthorization Act of 2005, the Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this title.

(2) DEFINED- In this section, the term `minimization procedures’ means–

(A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 101(e)(1), shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance; and

(C) notwithstanding subparagraphs (A) and (B), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes.

(h) Use of Information- Information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title concerning any United States person may be used and disclosed by Federal officers and employees without the consent of the United States person only in accordance with the minimization procedures adopted pursuant to subsection (g). No otherwise privileged information acquired from tangible things received by the Federal Bureau of Investigation in accordance with the provisions of this title shall lose its privileged character. No information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title may be used or disclosed by Federal officers or employees except for lawful purposes.’.

But from the very start, the FISA Court and the Administration set out to ignore this requirement. After all, well before anyone did any analysis about the foreign intelligence value of the phone dragnet data, the FBI disseminated all of it, by having the telecoms hand it over directly to the NSA. And phone numbers are US person identifiers (best demonstrated by NSA’s use of phone numbers as identifiers to conduct searches in other contexts).

Thus, before any Agency even touched the data, the phone dragnet scheme violated this provision by disseminating non-publicly available information about US person identifiers on every single American without their consent.

According to FISC’s original Section 215 phone dragnet order, the NSA only had to abide by the existing SID-18 minimization procedures.

[D]issemination of U.S. person information shall follow the standard NSA minimization procedures found in the Attorney General-approved guidelines (U.S. Signals Intelligence Directive 18). [link added]

And the FBI only applied the minimization procedures it used to fulfill the statute after the NSA had already run queries on it.

With respect to any information the FBI receives as a result of this Order (information that is passed or “tipped” to it by NSA), the FBI shall follow as minimization procedures the procedures set forth in The Attorney General’s Guidelines for FBI National Security Investigations and Foreign Intelligence Collection (October 31, 2003). [link added]

Even after this initial order, the Attorney General did not comply with the mandate to come up with minimization procedures specific to Section 215. Instead, then Attorney General Alberto Gonzales just adopted four sections of the National Security Investigations Guidelines.

In analysis included in a 2008 review of the FBI’s use of Section 215, DOJ Inspector General Glenn Fine deemed this measure to fall short of the statute’s requirements.

These interim minimization procedures use general hortatory language stating that all activities conducted in relation to national security investigations must be “carried out in conformity with the Constitution.” However, we believe this broad standard does not provide the specific guidance for minimization procedures that the Reauthorization Act appears to contemplate.

[snip]

[T]he Reauthorization Act required the Department to adopt “specific procedures” reasonably designed to “minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” We believe that the interim procedures do not adequately address this requirement, and we recommend that the Department continue its efforts to construct specific minimization procedures relating to Section 215 orders, rather than rely on general language in the Attorney General’s NSI Guidelines.

As I’ll show in a follow-up post, presumably in response to Fine’s report, Attorney General Michael Mukasey adopted new, arguably even more general guidelines to fulfill this requirement, the AG Guidelines for Domestic FBI Operations. (I strongly suspect the August 20, 2008 FISC opinion the government won’t release authorizes the language that would appear in those Guidelines).

But the implications of this have more immediate significance.

After all, the only known American who got busted based on a Section 215 tip, Basaaly Moalin, argues for a new trial tomorrow. And he was tipped based on dissemination that took place in 2007 — that is, before DOJ even tried to address these problematic minimization procedures. He was tipped based on dissemination that — under the letter of the PATRIOT Act — should never have happened.

Update: With regards to Moalin’s case, this seems pertinent.

As of early December 2007, the [Director of National Intelligence] working group [trying to harmonize defintions] had not defined “U.S. person identifying information.

This means that, at the time he was identified in the dragnet, the entire intelligence community was still fighting over whether phone numbers constituted US person identifying information entitled to additional protection.

Update: In an address to the EU Parliament, Jim Sensenbrenner accuses NSA of ignoring civil liberty protections in the PATRIOT Act.

“I firmly believe the Patriot Act saved lives by strengthening the ability of intelligence agencies to track and stop potential terrorists, but in the past few years, the National Security Agency has weakened, misconstrued and ignored the civil liberty protections we drafted into the law,” he said, adding that the NSA “ignored restrictions painstakingly crafted by lawmakers and assumed a plenary authority we never imagined.”

The Leahy-Sensenbrenner Language on Back Door Searches Improves But Doesn’t Eliminate the Back Door

/8 Comments/in , /by

As the top Intelligence Community lawyers have made clear, the IC maintains it can search US person data incidentally collected under Section 702 without any suspicion, as well as for the purposes of making algorithms, cracking encryption, and to protect property.

The Leahy-Sensenbrenner bill tries to rein in this problem. And its fix is far better than what we’ve got now. But it almost certainly won’t fix the underlying problem.

Here’s what the law would do to the “Limitations” section of Section 702. The underlined language is new.

(b) Limitations

(1) IN GENERAL.—An acquisition

(A) may not intentionally target any person known at the time of acquisition to be located in the United States;

(B) may not intentionally target a person reasonably believed to be located outside the United States if a significant purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States;

(C) may not intentionally target a United States person reasonably believed to be located outside the United States;

(D) may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States; and

(E) shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.

(2) CLARIFICATION ON PROHIBITION ON SEARCHING OF COLLECTIONS OF COMMUNICATIONS OF UNITED STATES PERSONS.—

(A) IN GENERAL.—Except as provided in subparagraph (B), no officer or employee of the United States may conduct a search of a collection of communications acquired under this section in an effort to find communications of a particular United States person (other than a corporation).

Read more

Leahy-Sensenbrenner Would Shut the Section 702 Cybersecurity Loophole

/4 Comments/in , /by

Section 702 Reporting HighlightI’m going to have a few posts on the Leahy-Sensenbrenner bill, which is the most likely way we’ll be able to rein in NSA spying. In addition to several sections stopping bulk collection, it has a section on collection of US person data under FISA Amendments Act (I’ll return to the back-door loophole later).

But I’m particularly interested in what it does with upstream collection. It basically adds a paragraph to section d of Section 702 that limits upstream collection to two uses: international terrorism or WMD proliferation.

(C) limit the acquisition of the contents of any communication to those communications—

(i) to which any party is a target of  the acquisition; or

(ii) that contain an account identifier of a target of an acquisition, only if such communications are acquired to protect against international terrorism or the international proliferation of weapons of mass destruction.;

And adds a definition for “account identifier” limiting it to identifiers of people.

(1) ACCOUNT IDENTIFIER.—The term ‘account identifier’ means a telephone or instrument number, other subscriber number, email address, or  username used to uniquely identify an account.

I believe the effect of this is to prevent NSA from using Section 702 to conduct cyberdefense in the US.

As I have noted, there are reasons to believe that NSA uses Section 702 for just 3 kinds of targets:

  • International terrorism
  • WMD proliferation
  • Cybersecurity

There are many reasons to believe one primary use of Section 702 for cybersecurity involves upstream collection targeted on actual pieces of code (that is, the identifier for a cyberattack, rather than the identifier of a user). As an example, the slide above, which I discuss in more detail here, explains that one of the biggest Section 702 successes involves preventing an attacker from exfiltrating 150 Gigs of data from a defense contractor. The success involved both PRISM and STORMBREW, the latter of which is upstream collection in the US.

In other words, the government has been conducting upstream collection within the US to search for malicious code (I’m not sure how they determine whether the code originated in a foreign country though given that they refuse to count domestic communications collected via upstream collection, I doubt they care).

So what these two sections of Leahy-Sensenbrenner would do is 1) limit the use of upstream collection to terrorists and proliferators, thereby prohibiting its use for cybersecurity, and 2) define “account identifier” to exclude something like malicious code.

There’s one more interesting aspect of this fix. Unlike many other sections of the bill, it doesn’t go into effect right away.

EFFECTIVE DATE.—The amendments made by subsections (a) and (b) shall take effect on the date that is 180 days after the date of the enactment of this Act.

The bill gives the Executive 6 months to find an alternative to this use of Section 702 — presumably, to pass a cybersecurity bill explicitly labeled as such.

Keith Alexander and others have long talked about the need to scan domestic traffic to protect against cyberattacks. But it appears — especially given the 6 month effective date on these changes — they’re already doing that, all in the name of foreign intelligence.