Posts

DOJ Refuses to Explain How Executive Gets Away with Serial Lies to the FISA Court

USA Today’s Brad Heath asked DOJ a very good question: why haven’t the Executive Branch’s serial lies to the FISA Court ever been referred to Office of Professional Responsibility?

I’ve talked to a former OPR attorney who says the office
would ordinarily review a case in which a judge used that type of language, and that it should have
at least opened an inquiry into these.

Over the past several days, DOJ’s Brian Fallon has been stupendously prickish about Heath’s questions based on his assertion that Heath is biased in his belief that such gross misrepresentations would normally merit some kind of sanction.

I have an answer from OPR, and a FISC judge. I am not providing it to you because all you will do is seek to write around it because you are biased in favor of the idea that an inquiry should have been launched. So I will save what I have for another outlet after you publish.

[snip]

You are not actually open-minded to the idea of not writing the story. You are running it regardless. I have information that undercuts your premise, and would provide it if I thought you were able to be convinced that your story is off base. Instead, I think that to provide it to you would just allow you to cover your bases, and factor it into a story you still plan to write. So I prefer to hold onto the information and use it after the fact, with a different outlet that is more objective about whether an OPR inquiry was appropriate.

I’ve lost count of the number of times someone in the Executive Branch complains that no one comes to them to get their view on NSA-related questions.

But apparently this is what goes on. If you don’t come in with the Executive Branch’s bias, then they refuse to provide you any information.

I really look forward to seeing which journalist DOJ seems to believe will bring “balance” to this issue.

Update: Heath has published his story.

The Justice Department’s internal ethics watchdog says it never investigated repeated complaints by federal judges that the government had misled them about the NSA’s secret surveillance of Americans’ phone calls and Internet communications.

The Justice Department’s Office of Professional Responsibility routinely probes judges’ allegations that the department’s lawyers may have violated ethics rules that prohibit attorneys from misleading courts. Still, OPR said in response to a Freedom of Information Act request by USA TODAY that it had no record of ever having investigated — or even being made aware of — the scathing and, at the time, classified, critiques from the Foreign Intelligence Surveillance Court between 2009 and 2011.

DOJ insists, however, that 5 years of lying to judges is just the way things are supposed to work.

Justice spokesman Brian Fallon said in a statement Thursday that the department’s lawyers “did exactly what they should have done. The court’s opinions and facts demonstrate that the department attorneys’ representation before the court met the highest professional standards.”

Fallon continued spinning for other journalists.

Of course, if DOJ were going to investigate lawyers — as opposed to Keith Alexander or similar — for misconduct and lies, Lisa Monaco, who headed the National Security Division from 2010 until earlier this year. But she’s at the White House now, so off limits for any accountability.

Share this entry

Any Bets FBI Was Already Searching US Person Data?

If you want to support our work reporting news the WaPo will report as news in two months, please donate!

In the department of news that got reported here two months ago, the WaPo is reporting on FISC’s approval to let the government search through incidentally collected information. Its news hook is that the 2011 move reversed an earlier 2008 ban that the government had asked for.

The court in 2008 imposed a wholesale ban on such searches at the government’s request, said Alex Joel, civil liberties protection officer at the Office of the Director of National Intelligence (ODNI). The government included this restriction “to remain consistent with NSA policies and procedures that NSA applied to other authorized collection activities,” he said.

But in 2011, to more rapidly and effectively identify relevant foreign intelligence communications, “we did ask the court” to lift the ban, ODNI general counsel Robert S. Litt said in an interview. “We wanted to be able to do it,” he said, referring to the searching of Americans’ communications without a warrant.

It may well be that the NSA was prohibited from searching on incidentally collected information, but not all parts of the government were. In his October 3, 2011 FISC opinion, John Bates pointed to some other minimization procedures allowing such searches to justify his approval for NSA to do so.

This relaxation of the querying rules does not alter the Court’s prior conclusion that NSA minimization procedures meet the statutory definition of minimization procedures. [2 lines redacted] contain an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information. See [redacted] In granting [redacted] applications for electronic surveillance or physical search since 2008, including applications targeting United States persons and persons in the United States, the Court has found that the [redacted] meet the definition of minimization procedures at 50 U.S.C. §§ 1801 (h) and 1821(4). It follows that the substantially similar querying provision found at Section 3(b)(5) of the amended NSA minimization procedures should not be problematic in a collection that is focused on non-United States persons located outside the United States and that, in the aggregate, is less likely to result in the acquisition of nonpublic information regarding non-consenting United States persons.

We already had reason to believe other agencies do this, because when the Senate Intelligence Committee discussed it, they described the intelligence community generally wanting such searches.

Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession. [my emphasis]

Bates’ mention of targeting US persons strongly suggests FBI was the agency in question (though the CIA may as well). (If this practice weren’t already permitted, I would bet it got approved in the aftermath of the Nidal Hasan attack, which might explain why so many more Americans who had communicated with Anwar al-Awlaki or Samir Khan were caught in stings after that point.)

So did Ronald Litt and Alex Joel tell Ellen Nakashima this to hide a much more intrusive practice at FBI (which they also oversee)?

Share this entry

3 Tech Issues the Non-Technologist NSA Technical Committee Needs to Address

A number of people are asking why I’m so shocked that President Obama appointed no technologists for his NSA Review Committee.

Here are three issues that should be central to the Committee’s discussions that are, in significant part, technology questions. There are more. But for each of these questions, the discussion should not be whether the Intelligence Community thinks the current solution is the best or only one, but whether it is an appropriate choice given privacy implications and other concerns.

  • Whether the Intelligence Community can accomplish the goals of the Section 215 dragnet without collecting all US person metadata
  • Whether the NSA can avoid collecting Multiple Communication Transactions as part of upstream collection
  • How to oversee unaudited actions of technical personnel

There are just three really obvious issues that should be reviewed by the committee. And for all of them, it would be really useful for someone with the technical background to challenge NSA’s claims to be on the committee.

Whether the Intelligence Community can accomplish the goals of the Section 215 dragnet without collecting all US person metadata

One of the most contentious NSA practices — at least as far as most Americans go — is the collection of all US person phone metadata for the Section 215 dragnet. Yet even Keith Alexander has admitted — here in an exchange with Adam Schiff in a House Intelligence Committee hearing on June 18 — that it would be feasible to do it via other means, though perhaps not as easy.

REP. SCHIFF: General Alexander, I want to ask you — I raised this in closed session, but I’d like to raise it publicly as well — what are the prospects for changing the program such that, rather than the government acquiring the vast amounts of metadata, the telecommunications companies retain the metadata, and then only on those 300 or so occasions where it needs to be queried, you’re querying the telecommunications providers for whether they have those business records related to a reasonable, articulable suspicion of a foreign terrorist connection?

Read more

Share this entry

FISC Judges Should Threaten NSA with Criminal Prosecution More Often

This James Bamford description of NSA efforts to avoid criminal prosecution in a 1975 investigation convinced me to point to evidence that then FISA Chief Judge John Bates — who is normally fairly deferential to the Executive Branch — cowed the government with threats of criminal prosecution.

The story starts in the October 3, 2011 opinion. After having laid out how the government was collecting US person data from the switches, Bates noted that the government wanted to keep on doing so.

The government’s submissions make clear not only that the NSA has been acquiring Internet transactions since before the Court’s approval of the first Section 702 certification in 2008,15 but also that NSA seeks to continue the collection of Internet transactions.

Noting that this collection had been going on longer than the 3 years the government had been using Section 702 of the FISA Amendments Act to justify its collection likely references a time when the NSA — led by Keith Alexander as far back as 2005 — was collecting that US person information with no legal sanction whatsoever as part of Dick Cheney’s illegal program.

Then, in footnote 15, Bates notes that sharing such illegally collected information is a crime.

The government’s revelations regarding the scope of NSA’s upstream collection implicate 50 U.S.C. § 1809(a), which makes it a crime (1) to “engage[] in electronic surveillance under color of law except as authorized” by statute or (2) to “disclose[] or use[] information obtained under color of law by electronic surveillance, knowing or having reason to know that the information was obtained through electronic surveillance not authorized” by statute. See [redacted] (concluding that Section 1809(a)(2) precluded the Court from approving the government’s proposed use of, among other things, certain data acquired by NSA without statutory authority through its “upstream collection”). The Court will address Section 1809(a) and related issues in a separate order. [my emphasis]

Now, I’m particularly interested in the redacted text, because it appears some FISC judge has had to issue this threat in a past (still-redacted) opinion. That threat may have applied to this same upstream collection, but from the time before the government pointed to FAA to justify it (again, Alexander’s tenure would overlap into that illegal period).

Read more

Share this entry

How the NCTC Gets Its NSA Data

I’m working on a more substantive post on the Section 702 Semiannual Compliance Assessment released last week as part of the I Con dump.

But for the moment, I want to point to a passage that begins to answer a question I asked two months ago: how does the data from NSA’s programs get to the National Counterterrorism Center, which then crunches that data and sends it out to other parts of government.

A footnote of the Assessment notes,

The other agency involved in implementing Section 702 is the National Counterterrorism Center (NCTC), which has a limited role, as reflected in the recently approved “Minimization Procedures Used by NCTC in connection with Information Acquired by the FBI pursuant to Section 702 of FISA, as amended.” Under these limited minimization procedures, NCTC is not authorized to receive unminimized Section 702 data. Rather, these procedures recognize that, in light of NCTC’s statutory counterterrorism role and mission, NCTC has been provided access to certain FBI systems containing minimized Section 702 information, and prescribe how NCTC is to treat that information. For example, because NCTC is not a law enforcement agency, it may not receive disseminations of Section 702 information that is evidence of a crime, but which has no foreign intelligence value; accordingly, NCTC’s minimization procedures require in situations in which NCTC personnel discover purely law enforcement information with no foreign intelligence value in the course of reviewing minimized foreign intelligence information that the NCTC personnel either purge that information (if the information has been ingested into NCTC systems) or not use, retain, or disseminate the information (if the information has been viewed in FBI systems). No incidents of noncompliance with the NCTC minimization procedures were identified during this reporting period. The joint oversight team will be assessing NCTC’s compliance with its minimization procedures in the next reporting period.

This passage has some good news, and some bad news.

The good news is that NCTC gets no unminimized collection, which CIA and FBI do. We have no idea what FBI’s minimization procedures  (which does the minimization before NCTC gets it) look like — though elsewhere this Assessment makes it clear that most initial distributions of data from FBI come with US person identity hidden. But at least most US person data will be protected when NCTC gets it.

The bad news is that this is a recent development. It probably post-dates 2011, as John Bates makes no mention of NCTC’s minimization procedures in his October 3, 2011. And the reference to the compliance team reviewing this in the next Assessment (which would cover December 2012 through May 2013) suggests the minimization procedures may be very recent. What has happened with this data in the past?

And explain to me how, if NCTC “may not” receive that US person data that has been referred to FBI because it is evidence of a non-terrorist crime, its minimization procedures explain what to do if they happen to discover such data in their possession. Perhaps the problem is in processing that takes place at FBI (in that such information isn’t adequately segregated), not at NCTC?

Remember, much of the analysis that happens at NCTC can affect US person’s lives, but (unlike much of FBI’s work) doesn’t get reviewed by a court. The data that gets to them might well be particularly sensitive.

Share this entry

The Google/Yahoo Problem: Fruit of the Poison MCT?

OK, this will be my last post (at least today) to attempt to understand why some Internet providers incurred so many costs associated with the response to the FISA Court’s October 3, 2011 decision that the government had improperly collected US person data as part of Multiple Communication Transactions.

For the moment, I’m going to bracket the question of whether Google and Yahoo are included in upstream providers (though I think it more likely for Google than Yahoo). Footnote 3 in the October 3 opinion seems to distinguish upstream collection from collection from Internet service providers. Though note the entirely redacted sentence in that footnote that may modify that easy distinction.

But let’s consider how the violative data might be used. We know from the conference call the I Cons had the other day (you can listen along here) that this is primarily about getting email inboxes.

An intelligence official who would not be identified publicly described the problem to reporters during a conference call on Wednesday.

“If you have a webmail email account, like Gmail or Hotmail, you know that if you open up your email program, you will get a screenshot of some number of emails that are sitting in your inbox, the official said.

“Those are all transmitted across the internet as one communication. For technological reasons, the NSA was not capable of breaking those down, and still is not capable, of breaking those down into their individual [email] components.”

If one of those emails contained a reference to a foreign person believed to be outside the US – in the subject line, the sender or the recipient, for instance – then the NSA would collect the entire screenshot “that’s popping up on your screen at the time,” the official continued.

Now, whether or not this collection comes from the telecoms or the Internet companies themselves, it effectively serves as an index of Internet communications deemed interesting based on the participants or because the email talks about an approved selector.

But it may be that this upstream collection serves primarily to identify which content the government wants to collect.

In his November 30, 2011 opinion, Bates emphasized (see page 10) the limits on what analysts could do with properly segregated upstream MCTs in the future.

An analyst seeking to use (e.g., in a FISA application, in an intelligence report, or in a Section 702 targeting decision) a discrete communication within an Internet transaction that contains multiple discrete communications must document each of the determinations. [my emphasis]

Then, the September 25, 2012 opinion describes how, using threats that he would declare the previous collection a crime under 1809(a)(2), which prohibits the “disclosure” of any information collected illegally, Judge John Bates got the government purge that previous collection and any reports generated from it.

The government informed the Court in October 2011 that although the amended NSA procedures do not by their terms apply to information acquired before October 31, NSA would apply portions of the procedures to the past upstream collection, including certain limitations on the use or disclosure of such information.

That effort, according to Bates, did not begin until “late in 2011.”

But here’s the thing: the government would have “disclosed” this information to email providers if it had used any of the violative MCTs to target emails in their custody — the Section 702 targeting decisions Bates was explicitly concerned about.

So presumably, once Bates made it clear he considered 1809 violations real problems in November 2011, the government would have had to modify any certifications authorizing collection on email addresses identified through the violative upstream collection (regardless of source).

I don’t yet understand why, in adjusting to a series of modified certifications, the providers would incur millions of dollars of costs. But I think expunging poison fruit targeting orders from the certifications would have taken some time and multiple changed certifications.

Update: Footnote 24 in the October 3, 2011 opinion provides more clarity on whether PRISM collection includes MCTs; it doesn’t.

In addition to its upstream collection, NSA acquires discrete Internet communications from Internet service providers such as [redacted] Aug. 16 Submission at 2; Aug. 30 Submission at 11; see also Sept. 7 2011 Hearing Tr. at 75-77. NSA refers to this non-upstream collection as its “PRISM collection.” Aug. 30 Submission at 11. The Court understands that NSA does not acquire Internet transactions” through its PRISM collection. See Aug Submission at 1.

Share this entry

NSA Has a Database Problem

Back in 2009 when the government released what we now know is a FISA Court of Review decision ordering Yahoo to cooperate in PRISM, I questioned a passage of the decision that relied on the government’s claim that it doesn’t keep a database of incidentally collected conversations involving US persons.

In this post, I just want to point to a passage that deserves more scrutiny:

The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26)

To translate, if the government collects information from a US citizen (here or abroad), a legal permanent US resident, a predominantly US organization, or a US corporation in the course of collecting information on someone it is specifically targeting, it it claims it does not keep that in a database (I’ll come back and parse this in a second). In other words, if the government has a tap on your local falafel joint because suspected terrorists live off their falafels, and you happen to call in a take out order, it does not that have in a database.

There are reasons to doubt this claim.

In the rest of the post, I showed how a response from Michaels Mukasey and McConnell to Russ Feingold’s efforts to protect US person incidental collection during the FISA Amendments Act had made it clear having access to this incidentally collected data was part of the point, meaning the government’s reassurances to the FISCR must have been delicate dodges in one way or another. (Feingold’s Amendments would have prevented 3 years of Fourth Amendment violative collection, by the way.)

Did the court ask only about a database consisting entirely of incidentally collected information? Did they ask whether the government keeps incidentally collected information in its existing databases (that is, it doesn’t have a database devoted solely to incidental data, but neither does it pull the incidental data out of its existing database)? Or, as bmaz reminds me below but that I originally omitted, is the government having one or more contractors maintain such a database? Or is the government, rather, using an expansive definition of targeting, suggesting that anyone who buys falafels from the same place that suspected terrorist does then, in turn, becomes targeted?

McConnell and Mukasey’s objections to Feingold’s amendments make sense only in a situation in which all this information gets dumped into a database that is exposed to data mining. So it’s hard to resolve their objections with this claim–as described by the FISA Appeals Court.

Which is part of the reason I’m so intrigued by this passage of John Bates’ October 3, 2011 decision ruling some of NSA’s collection and retention practices violated the Fourth Amendment. In a footnote amending a passage explaining why the retention of entirely US person communications with the permissive minimization procedures the government had proposed is a problem, Bates points back to that earlier comment.

The Court of Review plaining limited its holding regarding incidental collection to the facts before it. See In re Directives at 30 (“On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.” (emphasis added). The dispute in In re Directives involved the acquisition by NSA of discrete to/from communications from an Internet Service Provider, not NSA’s upstream collection of Internet transactions. Accordingly, the Court of Review had occasion to consider NSA’s acquisition of MCTs (or even “about” communications, for that matter). Furthermore, the Court of Review noted that “[t]he government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary.” Id. Here, however, the government proposes measures that will allow NSA to retain non-target United States person information in its databases for at least five years.

Ultimately, Bates’ approval for the government to query on US person identifiers on existing incidentally collected Section 702 material (see pages 22-23) show that he hasn’t really thought through what happens to US person incidental collection; he actually has a shocking (arguably mis-) understanding of how permissive the existing minimization rules are, and therefore how invasive his authorization for searching on incidentally collected information will actually be.

But his complaint with the proposed minimization procedures shows what he believes they should be.

The measures proposed by the government for MCTs, however, largely dispense with the requirement of prompt disposition upon initial review by an analyst. Rather than attempting to identify and segregate information “not relevant to the authorized purpose of the acquisition” or to destroy such information promptly following acquisition, NSA’s proposed handling of MCTs tends to maximize the retention of such information, including information of or concerning United States persons with no direct connection to any target.

As Bates tells it, so long as he’s paying close attention to an issue, the government should ideally destroy any US person data it collects that is not relevant to the authorized purpose of the acquisition. (His suggestion to segregate it actually endorses Russ Feingold’s fix from 2008.)

But the minimization rules clearly allow the government to keep such data (after this opinion, they made an exception only for the multiple communication transactions in question, but not even for the other search identifiers involving entirely domestic communication so long as that’s the only communication in the packet).

All the government has to do, for the vast majority of the data it collects, is say it might have a foreign intelligence or crime or encryption or technical data or threat to property purpose, and it keeps it for 5 years.

In a database.

Back when the FISCR used this language, it allowed the government the dodge that, so long as it didn’t have a database dedicated to solely US person communications incidentally, it was all good. But the language Bates used should make all the US person information sitting in databases for 5 year periods (which Bates seems not to understand) problematic.

Not least, the phone dragnet database, which — after all — includes the records of 310 million people even while only 12 people’s data has proved useful in thwarting terrorist plots.

Update: Fixed the last sentence to describe what the Section 215 dragnet has yielded so far.

Share this entry

NSA’s “Presumption of Regularity”

As you’ve probably heard, the most striking part of the October 3, 2011 FISA opinion finding NSA’s collection violated the Fourth Amendment is Footnote 14.

The Court is troubled that the government’s revelations regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program.

In March, 2009, the Court concluded that its authorization of NSA’s bulk acquisition of telephone call detail records from [redacted] in the so-called “big business records” matter “ha[d] been premised on a flawed description of how the NSA uses [the acquired] metadata,” and that “[t]his misperception by the FISC existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government’s submissions, and despite a government-devised and Court-mandated oversight regime.” Docket [redacted] Contrary to the governent’s repeated assurances, NSA had been routinely running queries of the metadata using querying terms that did not meet the required standard for querying. The Court concluded that this requirement had been “so frequently and systematically violated that it can fairly be said that this critical element of the overall … regime has never functioned effectively.” Id.

Two more entirely redacted substantial misrepresentations follow.

Footnote 32 reveals how, after NSA did a review of the communications the FISC ultimately found to violate the Fourth Amendment, the FISC caught it in downplaying the number of affected communications. After it sent the NSA back to new analysis, the problem grew from 2,000 to 10,000 a year to 48,000 to 56,000 a year. I guess the FISC found, like I have, that you can’t trust the biggest math organization in the world to do basic math.

Yet in spite of the fact that this opinion lists three substantial misrepresentations the NSA had made in recent history and caught the NSA in bad math, here’s how it decided it could trust the government’s assurances that it didn’t use this abusive communication to target non-targeted people.

Therefore, the Court has no reason to believe that NSA, by acquiring the Internet transactions containing multiple communications, is targeting anyone other than the user of the selected tasked selector. See United States v. Chemical Found., Inc., 272 U.S. 1, 14-15 (1926) (“The presumption of regularity supports the official acts of public officers, and, in the absence of clear evidence to the contrary, courts presume that they have properly discharged their official duties.”).

I’m not surprised FISC invoked this (especially not surprised that John Bates, who can be very deferential, did). It is the law.

But (as the case of Adnan Latif showed) we keep extending the presumption of regularity to the government in spite of abundant evidence we shouldn’t.

Share this entry

Exploitation and High Value Interrogation Group

Quick quiz:

What was the first count that Umar Farouk Abdulmutallab — the UndieBomber — was found guilty of?

Read more

Share this entry

Targeted Killing Timeline

A timeline!

I’ve been working on this timeline for almost nine months, trying to pull together the known dates about strikes against Americans, the evidence supporting the strike against Anwar al-Awlaki, the legal cases surrounding both targeted killing and torture, to which targeted killing is linked via the Memorandum of Notification, and Congressional efforts to exercise oversight.

September 17, 2001: George Bush signs Memorandum of Notification (henceforth, Gloves Come Off MON) authorizing a range of counterterrorism techniques, including torture and targeted killing.

September 18, 2001: Congress passes the Authorization to Use Military Force.

November 3, 2002: US citizen Kamal Derwish killed in drone purportedly targeting Abu Ali al-Harithi.

Late 2008: Ruben Shumpert reported killed in Somalia.

June 24, 2009: Leon Panetta gets briefed on assassination squad program.

June 26, 2009: HPSCI passes a funding authorization report expanding the Gang of Eight briefings.

July 8, 2009: The Administration responds with an insulting appeal to a “fundamental compact” between Congress and the President on intelligence matters.

July 8, 2009: Silvestre Reyes announces CIA lied to Congress.

October 26, 2009: British High Court first orders British government to release language on Binyam Mohamed’s treatment.

October 28, 2009: FBI kills Imam Luqman Asmeen Abdullah during Dearborn, MI arrest raid.

October 29, 2009: Hearing on declassifying mention of Gloves Come Off MON before Judge Alvin Hellerstein; in it, Hellerstein reveals NSA James Jones has submitted declaration to keep mention of MON secret.

November 5, 2009: Nidal Hasan attacks Fort Hood, killing 13.

December 24, 2009: JSOC tries but fails to hit Anwar al-Awlaki. On that day, the IC did not yet believe him to be operational.

December 25, 2009: With Umar Farouk Abdulmutallab attack, FBI develops full understanding of Awlaki’s operational goals.

January 2, 2010: In conversation with David Petraeus, Yemeni President Ali Abdullah Saleh http://www.cablegatesearch.net/cable.php?id=10SANAA4“>speaks as if Awlaki, whom he refers to as a cleric, not an AQAP member, was a designated target of December 24 attack.

Read more

Share this entry