Posts

Massie-Lofgren Would Shut Down ALL Back Door Searches under Section 702

There are two details about the Massie-Lofgren Amendmentwhich passed the house by a 293-123 vote last night — that are currently being missed. First, the bill would shut down all back door searches under Section 702.

Except as provided in subsection (b), none of the funds made available by this Act may be used by an officer or employee of the United States to query a collection of foreign intelligence information acquired under section 702 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1881a) using a United States person identifier.

That means it would apply to FBI, in addition to CIA and NSA (which is what some people are reporting).

That’s the other detail people are missing. According to the John Bates opinion in which he first authorized back door searches for NSA and CIA in 2011, a third agency, which another document says is the FBI, had had that authority going back to 2008. According to the same language, FBI also had the authority to conduct back door searches on traditional FISA taps, which they would retain under this amendment.

 

USA Freedumber Reverses John Bates’ Attempts at Oversight

I’ve written about this here and here, but I’m going to make one more effort at explaining why I believe HR 3361 (AKA USA Freedumber Act) will undo the paltry efforts John Bates made to rein in the NSA.

My argument is that with section 202 of HR 3361, the government is creating something new — Attorney General created “privacy procedures” — that serve to dramatically alter the concept of minimization procedures and in doing so undermining the authority of the FISA Court to limit illegal activities.

The government and NSA’s boosters have long argued that minimization procedures — limits on the collection, retention, and dissemination of US person data — play an affirmative role in protecting US person privacy even while the government “collects it all.” Significantly, they point the the FISA Court’s role in reviewing minimization procedures as a key part of oversight of these massive dragnets.

But they’ve always played a funny game with minimization procedures on the legally most problematic part of their dragnet, the Internet dragnet. And a last minute change to HR 3361 seems to codify that funny game.

Unlike the FISA authorization for content in motion, stored communication, and business record collection, the Pen Register/Trap and Trace provision (50 USC 1842) they used to collect Internet metadata collection includes no provision for minimization procedures. The original USA Freedom Act and the compromise bill added minimization procedures and gave FISC judges the authority to review compliance with them. But at the last minute, the intelligence community replaced that provision with “Privacy Procedures” over which only the Attorney General has sole authority.

SEC. 202. PRIVACY PROCEDURES.

(a) IN GENERAL.—Section 402 (50 U.S.C. 1842) is amended by adding at the end the following new sub-section:

‘(h) The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard nonpublicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect national security, include protections for the collection, retention, and use of information concerning United States persons.

Given the history of the PR/TT program, I believe this may (and may be designed to) permit the ongoing acquisition of illegal content.

DOJ argues FISC may only rubber stamp

Before we look at the history of minimization procedures under the FISC-authorized Internet dragnet, understand that even as the government asked the FISC to rubber stamp one of the only parts of the illegal wiretapping program DOJ saw fit to shut down, it also argued that FISC’s authority to do was very limited.

In Colleen Kollar-Kotelly’s July 2004 opinion, she made clear the government believed she could only review the presence of language in the application, not whether it complied with the law, including the “relevance” provision.

In the Government’s view, the Court’s exclusive function regarding this certification would be to verify that it contains the words required by § 1842(c)(2); the basis for a properly worded certification would be of no judicial concern. See Memorandum of Law and Fact at 28-34.

The Court has reviewed the Government’s arguments and authorities and does not find them persuasive.19

19 For example, the Government cites legislative history that “Congress intended to ‘authorize[] FISA judges to issue a pen register or trap and trace upon a certification that the information sought is relevant to'” an FBI investigation. Memorandum of Law and Fact at 30 (quoting S. Rep. No. 105-185, at 27 (1998). However, authorizing the Court to issue an order when a certification is made, and requiring it to do so without resolving doubts about the correctness of the certification are quite different. (26-27)

Six years later, the government was still arguing the FISC could only serve as a rubber stamp. John Bates’ 2010 opinion again had to deal with such a claim.

The Government again argues that the Court should conduct no substantive review of the certification of relevance. See Memorandum of Law at 29. This opinion follows Judge Kollar-Kotelly’s [redacted] Opinion in assuming, without conclusively deciding, that substantive review is warranted. (73 fn 58)

The government’s review that the FISC is no more than a rubber stamp is particularly interesting given the discussion over minimization procedures.

The government invites rubber stamp judges to modify minimization procedures 

Even in spite of DOJ’s view that the FISC should be no more than a rubber stamp on PRTT applications, they nevertheless invited the judges to review and modify minimization procedures submitted in light of the extent of the collection being approved.

Read more

If George Bush Can Close NSA’s Back Door Loophole, Why Can’t Barack Obama?

As per usual, there was a tidbit of news in Ron Wyden’s questions at yesterday’s hearing on the USA Freedumber.

He revealed that the back door loophole was closed during the Bush Administration.

Let me start by talking about the fact that the House bill does not ban warrantless searches for Americans’ emails. And here, particularly, I want to get into this with you, Mr. Ledgett if I might. We’re talking of course about the backdoor search loophole, section 702 of the FISA statute. This allows NSA in effect to look through this giant pile of communications that are collected under 702 and deliberately conduct warrantless searches for the communications of individual Americans.  This loophole was closed during the Bush Administration, but it was reopened in 2011, and a few months ago the Director of National Intelligence acknowledged in a letter to me that the searches are ongoing today. [my emphasis]

I’m not sure precisely what he’s talking about, though I assume either the transition from the illegal program to Protect America Act, or the transition from PAA to FISA Amendments Act, removed NSA’s ability to conduct back door searches. Reading between the redactions in John Bates’ October 3, 2011 opinion, FBI apparently has had the authority to do back door searches on both traditional FISA and warrantless collection from 2008, so from the beginning of FAA.

But from what Wyden said, the NSA had the ability to do back door searches, lost it, and now has it again.

I’d sure like to know more about what happened to lead people to believe NSA should have that authority taken away from it.

Why Is DOJ Hiding Three Phone Dragnet Orders in Plain Sight?

The ACLU and EFF FOIAs for Section 215 documents are drawing to a head. Later this week, EFF will have a court hearing in their suit. And last Friday, the government renewed its bid for summary judgment in the ACLU case.

Both suits pivot on whether the government’s past withholdings on Section 215 were in good faith. Both NGOs are arguing they weren’t, and therefore the government’s current claims — that none of the remaining information may be released — cannot be treated in good faith. (Indeed, the government likely released the previously sealed NSA declaration to substantiate its claim that it had to treat all documents tying NSA to the phone dragnet with a Glomar because of the way NSA and DOJ respectively redact classification mark … or something like that.)

But the government insists it is operating in good faith.

Instead, the ACLU speculates, despite the government’s declarations to the contrary, that there must be some non-exempt information contained in these documents that could be segregated and released. In an attempt to avoid well-established law requiring courts to defer to the government’s declarations, especially in the area of national security, the ACLU accuses the government of bad faith and baldly asserts that the government’s past assertions regarding segregability—made before the government’s discretionary declassification of substantial amounts of information regarding its activities pursuant to Section 215— “strip the government’s present justifications of the deference due to them in ordinary FOIA cases.” ACLU Br. at 25. The ACLU’s allegations are utterly unfounded. For the reasons set forth below, the government’s justifications for withholding the remaining documents are “logical and plausible,”

EFF and ACLU have focused closely on a August 20, 2008 FISC order describing a method to conduct queries; I have argued it probably describes how NSA makes correlations to track correlations.

The government is refusing to identify 3 orders it has already identified

But — unless I am badly mistaken, or unless the government mistakenly believes it has turned over some of these orders, which is possible! — I think there are three other documents being withheld (ones the government hasn’t even formally disclosed to EFF, even while pretending they’ve disclosed everything to EFF) that raise questions about the government’s good faith even more readily: the three remaining phone dragnet Primary Orders from 2009. All three have been publicly identified, yet the government is pretending they haven’t been. They are:

BR 09-09, issued on July 8, 2009. Not only was this Primary Order identified in paragraph 3 of the next Primary Order, but it was discussed extensively in the government’s filing accompanying the end-to-end report. In addition, the non-approval of one providers’ metadata  (I increasingly suspect Sprint is the provider) for that period is reflected in paragraph 1(a) of that next Primary Order.

BR 09-15, issued on October 30, 2009. The docket number and date are both identified on the first page of this supplemental order.

BR 09-19, issued on December 16, 2009. It is mentioned in paragraph 3 of the next Primary Order. The docket number and the date are also referred to in the documents pertaining to Sprint’s challenge recently released. (See paragraph 1 and paragraph 5 for the date.)

Thus, the existence of all three Primary Orders has been declassified, even while the government maintains it can’t identify them in the context of the FOIAs where they’ve already been declassified.

The government has segregated a great deal of the content of BR 09-09

The government’s withholding of BR 09-09 is particularly ridiculous, given how extensively the end-to-end motion details it. From that document, we learn:

  • Pages 5-7 approve a new group for querying. (see footnote 2)
  • Pages 9-10 require those accessing the dragnet be briefed on minimization procedures tied to the dragnet (see PDF 22); this is likely the language that appears in paragraph G of the subsequent order. This specifically includes technical personnel. (see PDF 49)
  • Pages 10-11 require weekly reporting on disseminations. (see PDF 23) This is likely the information that appears in paragraph H in the subsequent order.
  • Page 12 affirmatively authorizes the data integrity search to find “certain non user specific numbers and [redacted] identifiers for purposes of metadata reduction and management” (see footnote 19 and PDF 55)
  • Page 8 and 13-14 lay out new oversight roles, especially for DOJ’s National Security Division (see PDF 22); these are likely the requirements laid out in paragraphs M through R in subsequent orders. Those same pages also require DOJ to share the details of NSD’s meeting with NSA in new FISC applications. (see PDF 23)
  • BR 09-09 included the same reporting requirements as laid out in BR 09-01 and BR 09-06 (see PDF 5)
  • Pages 16 -17 also included these new reporting requirements: (see PDFs 6 and 29 – 30)
    • a full explanation of why the government has permitted dissemination outside NSA of U.S. person information in violation of the Court’s Orders in this matter;
    • a full explanation of the extent to which NSA has acquired call detail records of foreign-to-foreign communications from [redacted] pursuant to orders of the FISC, and whether the NSA’s storage, handling, and dissemination of information in those records, or derived therefrom, complied with the Court’s orders; and
    • either (i) a certification that any overproduced information, as described in footnote 11 of the government’s application [i.e. credit card information), has been destroyed, and that any such information acquired pursuant to this Order is being destroyed upon recognition; or (ii) a full explanation as to why it is not possible or otherwise feasible to destroy such information.
  • BR 09-09 specifically mentioned that NSA had generally been disseminating BR FISA data according to USSID 18 and not the more restrictive dissemination provisions of the Court’s Orders. (see footnote 12)
  • BF 09-09 approved Chief, Information Sharing Services, the Senior Operations Officer, the Signals Intelligence
    Directorate (So) Director, the Deputy Director of NSA, and the Director of NSA to authorize US person disseminations. (see footnote 22 and PDF 28)

Significant parts of at least 13 pages of the Primary Order (the next Primary Order is 19 pages long) have already been deemed segregable and released. Yet the government now appears to be arguing, while claiming it is operating in good faith, that none of these items would be segregable if released with the order itself!

Wildarse speculation about why the government is withholding these orders

Which raises the question of why. Why did the government withhold these 3 orders, alone among all the known regular Primary Orders from the period of EFF and ACLU’s FOIAs? (See this page for a summary of the known orders and the changes implemented in each.)

The reason may not be the same for all three orders. BR 09-09 deals with two sensitive issues — the purging of credit card information and tech personnel access — that seem to have been resolved with that order (at least until the credit card problems returned in March 2011).

But there are two things that all three orders might have in common.

First, BR 09-09 deals closely with dissemination problems — the ability of CIA and FBI to access NSA results directly, and the unfettered sharing of information within NSA. BR 09-15 lays out new dissemination rules, with the supplement in November showing NSA to still be in violation. So it’s likely all 3 orders deal with dissemination violations (and therefore with poison fruit of inappropriate dissemination that may still be in the legal system), and that the government is hiding one of the more significant aspects of the dragnet violations by withholding those orders.

I also think it’s possible the later two (potentially all three, but more likely the later two) orders combine the phone and Internet dragnets. That’s largely because of timing: A June 22, 2009 order — the first one to deal with the dissemination problems formally addressed in BR 09-09 — dealt with both dragnets. There is evidence the Internet dragnet data got shut down (or severely restricted) on October 30, 2009, the date of BR 09-15. And according to the 2010 John Bates Internet dragnet opinion, NSA applied to restart the dragnet in late 2009 (so around the time of BR 09-19). So I think it possible the later orders, especially, deal with both programs,  thereby revealing details about the legal problems with PRTT the government would like to keep suppressed. (Note, if BR 09-15 and BR 09-19 are being withheld because they shut down Internet production, it would mean all three orders shut down some production, as BR 09-09 shut down one provider’s telephone production.)

Another possibility has to do with the co-mingling of EO 12333 and Section 215 data. These three orders all deal with the fact that providers (at least Verizon, but potentially the other two as well) had included foreign-to-foreign phone records along with the production of their domestic ones.That’s the reason production from one provider got shut down in BR 09-09. And immediately after the other withheld records, the Primary Orders always included a footnote on what to do with EO 12333 data turned over pursuant to BR FISA orders (see footnote 7 and footnote 10 for examples). Also, starting in March 2009, the Orders all contain language specifically addressing Verizon. So we know the FISC was struggling to come up with a solution for the fact that NSA had co-mingled data obtainable under EO 12333 and data the telecoms received PATRIOT Act orders from. (I suspect this is why Sprint insisted on legal cover, ultimately demanding the legal authorization of the program with the December order.) So it may be that all these orders reveal too much about the EO 12333 dragnet — and potential additional violations — to be released.

Whatever the reason, there is already so much data in the public domain, especially on BR 09-09, it’s hard to believe withholding it is entirely good faith.

NSA’s Training Programs Are a Mess

OGC Questions
In addition to the way NSA claims to be operating under EO 12333 at times when it might be operating under some law passed by Congress, there’s another reason why Snowden’s question to NSA’s Office of General Counsel is worthwhile (though I doubt it’s why he asked).

NSA’s training programs — at least as released to ACLU and EFF under FOIA — are a horrible contradictory mess.

Two training programs closely related to the one he emailed in response to got released last year (though neither appears to be the training program in question): A “Core Intelligence Oversight Training” dating to sometime in 2009 or later, and this Office of General Counsel Powerpoint that is referred to as a Cryptological School Course, from which the image above was taken. (Side note: I repeat what I have said in the past: from a training methodology standpoint, these “training programs” are unbelievably shitty, which is particularly notable given that DOD does pay for a lot of state-of-the-art training programs on other topics.)

The Core Intelligence Oversight Training isn’t really training at all. It’s just a reproduction of the regulations in question. It includes:

  • The 2008 update of EO 12333, but with the original 1981 date attached
  • DOD 5240 1-R, dated 1982
  • NSA/CSS Policy 1-23, issued on March 11, 2004 (interesting date to update such a policy!), and revised twice, most recently May 29, 2009; it includes an Annex that serves as a classified annex to EO 12333 that is dated April 26, 1988
  • DTM 08-052, dated Jun 17, 2009; it cites EO 12333 “as amended” but doesn’t provide any amendment date

Several of these documents purport to implement or refer to FISA, but only the NSA/CSS Policy post-dates the detailed implementation of FISA Amendments Act (and it precedes key changes to the current minimization procedures tied to FISA).

And read together, these documents are utterly confusing.

My favorite is this part of DOD 5240, which would seem to contradict James “Too Cute by Half” Clapper’s definition of collection.

Collection. Information shall be considered as “collected” only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties. Thus, information volunteered to a DoD intelligence component by a cooperating source would be “collected” under this procedure when an employee of such component officially accepts, in some manner, such information for use within that component. Data acquired by electronic means is “collected” only when it has been processed into intelligible form.

But both its definition of electronic surveillance and its rules on collecting the content of Americans overseas were superseded by FAA’s requirement of an order to collect on US persons overseas (and no longer considers electronic surveillance overseas electronic surveillance).

Except as provided in paragraph C5.2.5., below, DoD intelligence components may conduct electronic surveillance against a United States person who is outside the United States for foreign intelligence and counterintelligence purposes only if the surveillance is approved by the Attorney General.

The “updated” documents don’t help either. Because NSA/CSS Policy 1-23 relies on the annex dating to 1988, it claims NSA can collect on the content of Americans with Attorney General approval for 90 days.

(4) with specific prior approval by the Attorney General based on a finding by the Attorney General that there is probable cause to believe the United States person is an agent of a foreign power and that the purpose of the interception or selection is to collect significant foreign intelligence. Such approvals shall be limited to a period of time not to exceed ninety days for individuals and one year for entities.

Remember, this is purportedly “training,” and yet I’m not clear how an NSA trainee would learn that collecting content on Americans overseas requires a FISA order.

Trainees could get that information from the 2009 Cryptological School Course, which properly defines electronic surveillance and lays out Section 703-5.

But even that training course is out of date. For example, it says NSA cannot use FAA authorities to target “anything/anyone in the US,” but upstream collection under 702 targets those using certain selectors as content in the US. And even the 2011 minimization procedures limiting upstream collection don’t require destruction of upstream communications in which all communicants are in the US.

This program also includes the oblique comment that searching in databases of raw data constitutes a “collection/targeting” activity.

To protect the privacy rights of U.S. citizens, Department of Justice has determined searches of these databases are a collection/targeting activity.

Which would seem to conflict with the definition of collection a trainee got from DOD 5240.

I realize experienced NSA professionals have a better idea of how these various regulations all fit together. And I realize some of this is controlled through access controls that ensure NSA people only access the most up-to-date rules.

But these documents are billed as training, about the core restrictions regarding their collection. And they are downright contradictory.

I don’t think that’s why Snowden asked the OGC the question he did. Though the response he got regarding precedence of the various agency directives — that “DOD and ODNI regulations are afforded similar precedence though subject matter or date could result in one having precedence over another” — would only exacerbate any confusion a trainee had.

But if the training program Snowden was using is anything like these documents, there’d be good reason to believe that inexperienced trainees were not getting a clear idea of what they were allowed to do with US person data.

Update: One more point about these training programs, especially the classified annex to EO 12333 that dates to 1988. This is a problem that both PCLOB and HPSCI have identified and tried to fix (though HPSCI did not include their bill language to do so in either the USA Freedumber or the unclassified parts of the Intelligence Authorization). This shows why it is important: because NSA people are being trained on materials that tell them they can collect US person data overseas without a FISA order.

Four Reasons USA Freedumber is Worse than the Status Quo

In the post-HR 3361 passage press conference yesterday, Jerry Nadler suggested the only reason civil libertarians oppose the bill is because it does not go far enough.

That is, at least in my case, false.

While I have concerns about unintended consequences of outsourcing holding the call data to the telecoms (see my skepticism that it ends bulk collection here and my concerns about high volume numbers here), there are a number of ways that USA Freedumber is worse than the status quo.

These are:

  • The move to telecoms codifies changes in the chaining process that will almost certainly expand the universe of data being analyzed
  • In three ways, the bill permits phone chaining for purposes outside of counterterrorism
  • The bill weakens minimization procedures on upstream collection imposed by John Bates, making it easier for the government to collect domestic content domestically
  • The bill guts the current controls on Pen Register authority, making it likely the government will resume its Internet dragnet

The NSA in your smart phone: Freedumber codifies changes to the chaining process

As I have described, the language in USA Freedumber makes it explicit that the government and its telecom partners can chain on connections as well as actual phone call contacts. While the new automatic search process approved by the FISA Court in 2012 included such chaining, by passing this bill Congress endorses this approach. Moreover, the government has never been able to start running such automatic queries; it appears they have to outsource to the telecoms to be able to do so (probably in part to make legal and technical use of location data). Thus, moving the phone chaining to the telecoms expands on the kinds of chaining that will be done with calls.

We don’t know all that that entails. At a minimum (and, assuming the standard of proof is rigorous, uncontroversially) the move will allow the government to track burner phones, the new cell phones targets adopt after getting rid of an old one.

It also surely involves location mapping. I say that, in part, because if they weren’t going to use location data, they wouldn’t have had to move to the telecoms. In addition, AT&T’s Hemisphere program uses location data, and it would be unrealistic to assume this program wouldn’t include at least all of what Hemisphere already does.

But beyond those two functions, your guess is as good as mine. While the chaining must produce a Call Detail Record at the interim step (which limits how far away from actual phone calls the analysis can get), it is at least conceivable the chaining could include any of a number of kinds of data available to the telecoms from smart phones, including things like calendars, address books, and email.

The fact that the telecoms and subsidiary contractors get immunity and compensation makes it more likely that this new chaining will be expansive, because natural sources of friction on telecom cooperation will have been removed.

Freedumber provides three ways for NSA to use the phone dragnet for purposes besides counterterrorism

As far as we know, the current dragnet may only be used for actual terrorist targets and Iran. But USA Freedumber would permit the government to use the phone dragnet to collect other data by:

  • Requiring only that selection terms be associated with a foreign power
  • Permitting the retention of data for foreign intelligence, not just counterterrorism, purposes
  • Allowing the use of emergency queries for non-terrorism uses

Freedumber permits searches on selection terms associated with foreign powers

On its face, USA Freedumber preserves this counterterrorism focus, requiring any records obtained to be “relevant to” an international terrorist investigation. Unfortunately, we now know that FISC has already blown up the meaning of “relevant to,” making all data effectively relevant.

The judicial approval of the specific selection term, however — the court review that should be an improvement over the status quo — is not that tie to terrorism, but evidence that the selection term is a foreign power or agent thereof.

Thus, the government could cite narcoterrorism, and use the chaining program to investigate Mexican drug cartels. The government could raise concerns that al Qaeda wants to hack our networks, and use chaining to investigate hackers with foreign ties. The government could allege Venezuela supports terrorism and investigate Venezuelan government sympathizers.

There are a whole range of scenarios in which the government could use this chaining program for purposes other than counterterrorism.

Freedumber permits the retention of any data that serves a foreign intelligence purpose

And once it gets that data, the government can keep it, so long as it claims (to itself, with uncertain oversight from the FISC) that the data has a foreign intelligence purpose.

At one level, this is a distinction without a difference from the language that USA Freedumb had used, which required the NSA to destroy the data after five years unless it was relevant to a terrorism investigation (which all data turned over to NSA would be, by definition). But the change in language serves as legislative approval that the use of the data received via this program can be used for other purposes.

That will likely have an impact on minimization procedures. Currently, the NSA needs a foreign intelligence purpose to access the corporate store, but can only disseminate data from it for counterterrorism purposes. I would imagine the changed language of the bill will lead the government to successfully argue that the minimization procedures permit the dissemination of US person data so long as it meets only this flimsy foreign intelligence purpose. In other words, US person data collected in chaining would be circulating around the government more freely.

Freedumber’s emergency queries do not require any tie to terrorism

As I noted, the revisions USA Freedumber made to USA Freedumb explicitly removed a requirement that emergency queries be tied to a terrorism investigation.

(A) reasonably determines that an emergency situation requires the production of tangible things to obtain information for an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to protect against international terrorism before an order authorizing such production can with due diligence be obtained;

That’s particularly troublesome, because even if the FISC rules the emergency claim (certified by the Attorney General) was not legally valid after the fact, not only does the government not have to get rid of that data, but the Attorney General (the one who originally authorized its collection) is the one in charge of making sure it doesn’t get used in a trial or similar proceeding.

In short, these three changes together permit the government to use the phone dragnet for a lot more uses than they currently can.

Freedumber invites the expansion of upstream collection

When John Bates declared aspects of upstream collection to be unconstitutional in 2011, he used the threat of referrals under 50 USC 1809(a) to require the government to provide additional protection both to entirely domestic communications that contained a specific selector, and to get rid of domestic communications that did not contain that specific selector at all. The government objected (and considered appealing), claiming that because it hadn’t really intended to collect this data, it should be able to keep it and use it. But ultimately, that threat (especially threats tied to the government’s use of this data for ongoing FISA orders) led the government to capitulate.

The changes in Freedumber basically allow the government to adopt its old “intentional” claim, reversing Bates’ restrictions. Read more

USA Freedumber Appears to Strengthen RuppRoge’s Affirmative Endorsement of an Internet Dragnet

Working on a detailed comparison of the difference between the USA Freedumb and USA Freedumber bills, one of the most alarming changes is the gutting of Pen Register minimization procedures. They took language not only adding minimization procedures to Pen Register orders,

(b) APPLICATION.—Section 402(c) (50 U.S.C. 1842(c)), as amended by section 201 of this Act, is further amended by adding at the end the following new paragraph:

(4) a statement of proposed minimization procedures.

(c) ORDER.—Section 402(d) (50 U.S.C. 1842(d)) is amended—

(1) in paragraph (1), by inserting ‘‘and that the proposed minimization procedures meet the definition of minimization procedures under this title’’

But permitting the court to review whether the government met those minimization procedures.

(h) At or before the end of the period of time for which the installation and use of a pen register or trap and trace device is approved under an order or an extension under this section, the judge may assess compliance with the minimization procedures by reviewing the circumstances under which information concerning United States persons was retained or disseminated.’

They even specified the government had to follow those minimization procedures!

USA Freedumber changed that by letting the Attorney General review what are are now called “privacy procedures.”

(h) The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard non-publicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect  national security, include protections for the collection, retention, and use of information concerning United States persons.

They limit the extent of these “privacy procedures” “to the extent practicable … with the need to protect national security.” That is, they don’t have to follow these “privacy procedures” if it’ll harm national security, and the change seems to show legislative intent to deprive the FISC of any review.

That’s alarming for a number of reasons:

  • From the very beginning of the Internet dragnet, the government claimed FISC had almost no authority over the approval process (much less compliance) on Pen Registers
  • This language comes right out of — but makes worse — the section of Mike Rogers’ RuppRoge bill that affirmatively approves the (re)creation of an Internet dragnet
  • There’s a curious entry in the NSA classification guide showing FBI conducting a PRTT program after the time NSA’s program got shut down

NSA versus FISC

According to a footnote in the 2010 John Bates opinion on the Internet dragnet, when the government first applied to Colleen Kollar-Kotelly for a FISC order to authorize the dragnet, they claimed she had no authority to do anything but rubber stamp the application.

2010 Bates Opinion footnote

We know that, having made that argument, the government got caught in violating the rules Kollar-Kotelly placed on the collection, but then continued to violate the rules for at least 5 more years, until 2009, when it got shut down for a while.

It would seem that the original language in USA Freedom Act would have clarified this issue, and made clear the FISC could exercise real oversight over any PRTT collection.

Adopting RuppRoge’s Internet Dragnet language

This language adopts the nomenclature from the HPSCI’s RuppRoge bill. (See page 18.)

But these “privacy procedures” seem qualitatively worse than the RuppRoge bill in several ways. RuppRoge provides loosey goosey judicial review of the privacy procedures. And it did not include the “extent practicable” language.

Given the background — given the fact that the government has already told the FISC it shouldn’t have real oversight over PRTT — this language seems to lay clear legislative intent that FISC should have no role whatsoever, especially not with minimization procedures (which, after all, is what they fought with the FISC over for at least  years).

The secrecy behind the FBI’s PRTT orders on behalf of NSA

PRTT1

Finally, there’s a series of entries on the classification guide for FISA programs leaked by Edward Snowden.

These entries show that FBI obtained counterterrorism information using PRTTs for NSA — which was considered Secret.

But that the FBI PR/TT program — which seems different than these individual orders — was considered TS/SI/NOFORN.

PRTT2

If you compare these entries with the rest of the classification guide, you see that this information — the fact that NSA gets PRTT information from FBI (in addition to information from Pen Registers, which seems to be treated differently at the Secret level)  — is treated with the same degree of secrecy as the actual targeting information or raw collected data on all other programs.

This is considered one of the most sensitive secrets in the whole FISA package.

PRTT3

Even minimized PRTT data is considered TS/SCI.

PRTT4

Now, it is true that this establishes an exact parallel with the BR FISA program (which the classification guide makes clear NSA obtained directly). So it may be attributable to the fact that the existence of the programs themselves was considered a highly sensitive secret.

So maybe that’s it. Maybe this just reflects paranoia about the way NSA was secretly relying on the PATRIOT Act to conduct massive dragnet programs.

Except there’s the date.

This classification guide was updated on February 7, 2012 — over a month after NSA shut down the PRTT program. Also, over a month after — according to Theresa Shea — the NSA destroyed all the data it had obtained under PRTT. (Note, her language seems to make clear that this was the NSA’s program, not the FBI’s.)

That is, over a month after the NSA ended its PRTT program and destroyed the data from it (at least according to sworn declarations before a court), the NSA’s classification guide referred to an FBI PRTT program that it considered one of its most sensitive secrets. And seemed to consider active.

If FBI had a PRTT program active in 2012 that was separate from the NSA PRTT program (I’m not sure that’s the case; it could be they just didn’t update this part of the classification guide), then is it still active? Has the Internet dragnet just moved to FBI?

If so, it’s no wonder why the Intelligence Community would want to guarantee that FISC had no review of it.

Update: Note, too, that the bill removes reporting requirements related to PRTT.

 

David Barron’s ECPA Memo

Last week, I laid out the amazing coinkydink that DOJ provided Sprint a bunch of FISA opinions — including the December 12, 2008 Reggie Walton opinion finding that the phone dragnet did not violate ECPA — on the same day, January 8, 2010, that OLC issued a memo finding that providers could voluntarily turn over phone records in some circumstances without violating ECPA.

Looking more closely at what we know about the opinion, I’m increasingly convinced it was not a coinkydink at all. I suspect that the memo not only addresses FBI’s exigent letter program, but also the non-Section 215 phone dragnet.

As a reminder, we first learned of this memo when, in January 2010, DOJ’s Inspector General issued a report on FBI’s practice of getting phone records from telecom provider employees cohabiting at FBI with little or no legal service. The report was fairly unique in that it was released in 3 versions: the public unclassified but heavily redacted version, a Secret version, and a Top Secret/SCI version. Given how closely parallel the onsite telecom provider program was with the phone dragnet, that always hinted the report may have touched on other issues.

Roughly a year after the IG Report came out, EFF FOIAed the memo (see page 30). Over the course of the FOIA litigation — the DC Circuit rejected their appeal for the memo in January — DOJ provided further detail about the memo.

Here’s how OLC Special Counsel Paul Colborn described the memo (starting at 25):

The document at issue in this case is a January 8, 2010 Memorandum for Valerie Caproni, General Counsel of the Federal Bureau of Investigation (the “FBI”), from David J. Barron, Acting Assistant Attorney General for the Office of Legal Counsel (the “Opinion”). The OLC Opinion was prepared in response to a November 27, 2009 opinion request from the FBI’s General Counsel and a supplemental request from Ms. Caproni dated December 11, 2009. These two requests were made in order to obtain OLC advice that would assist FBI’s evaluation of how it should respond to a draft Report by the Office of Inspector General at the Department of Justice (the “OIG”) in the course of a review by the OIG of the FBI’s use of certain investigatory procedures.In the context of preparing the Opinion, OLC, as is common, also sought and obtained the views of other interested agencies and components of the Department. OIG was aware that the FBI was seeking legal advice on the question from OLC, but it did not submit its views on the question.

The factual information contained in the FBI’s requests to OLC for legal advice concerned certain sensitive techniques used in the context of national security and law enforcement investigations — in particular, significant information about intelligence activities, sources, and methodology.

Later in his declaration, Colborn makes it clear the memo addressed not just FBI, but also other agencies.

The Opinion was requested by the FBI and reflects confidential communications to OLC from the FBI and other agencies. In providing the Opinion, OLC was serving an advisory role as legal counsel to the Executive Branch. In the context of the FBI’s evaluation of its procedures, the general counsel at the FBI sought OLC advice regarding the proper interpretation of the law with respect to information-gathering procedures employed by the FBI and other Executive Branch agencies. Having been requested to provide counsel on the law, OLC stood in a special relationship of trust with the FBI and other affected agencies.

And FBI Record/Information Dissemination Section Chief David Hardy’s declaration revealed that an Other Government Agency relied on the memo too. (starting at 46)

This information was not examined in isolation. Instead, each piece of information contained in the FBI’s letters of November 27, 2009 and December 11, 2009, and OLC’s memorandum of January 8, 2010, was evaluated with careful consideration given to the impact that disclosure of this information will have on other sensitive information contained elsewhere in the United States intelligence community’s files, including the secrecy of that other information.

[snip]

As part of its classification review of the OLC Memorandum, the FBI identified potential equities and interests of other government agencies (“OGAs”) with regard to the OLC memo. … FBI referred the OLC Memo for consultation with those OGAs. One OGA, which has requested non-attribution, affirmatively responded to our consultation and concurs in all of the classification markings.

Perhaps most remarkably, the government’s response to EFF’s appeal even seems to suggest that what we’ve always referred to as the Exigent Letters IG Report is not the Exigent Letters IG Report!

Comparing EFF’s claims (see pages 11-12) with the government’s response to those claims (see pages 17-18), the government appears to deny the following:

  • The Exigent Letters IG Report was the 3rd report in response to reporting requirements of the USA PATRIOT reauthorization
  • FBI responded to a draft of the IG Report by asserting a new legal theory defending the way it had obtained certain phone records in national security investigations, which resulted in the January 8, 2010 memo
  • The report didn’t describe the exception to the statute involved and IG Glenn Fine didn’t recommend referring the memo to Congress
  • In response to a Marisa Taylor FOIA, FBI indicated that USC 2511(2)(f) was the exception relied on by the FBI to say it didn’t need legal process to obtain voluntary disclosure of phone records

Along with these denials, the government reminded that the report “contained significant redactions to protect classified information and other sensitive information.” And with each denial (or non-response to EFF’s characterizations) it “respectfully refer[red] the Court to the January 2010 OIG report itself.”

The Exigent Letters IG Report is not what it seems, apparently.

With all that in mind, consider two more details. First, as David Kris (who was the Assistant Attorney General during this period) made clear in his paper on the phone (and Internet) dragnet, in addition to Section 215, the government obtained phone records from the telecoms under USC 2511(2)(f), the clause in question.

And look at how the chronology maps.

November 5, 2008: OLC releases opinion ruling sneak peak and hot number requests (among other things) impermissible under NSLs

December 12, 2008: Reggie Walton rules that the phone dragnet does not violate ECPA

Throughout 2009: DOJ confesses to multiple violations of Section 215 program, including:

  • An alert function that serves the same purpose as sneak peaks and also violates Section 215 minimization requirements
  • NSA treated Section 215 derived data with same procedures as EO 12333 data; that EO 12333 data included significant US person data
  • One provider’s (which I originally thought was Sprint, then believed was Verizon, but could still be Sprint) production got shut down because it included foreign-to-foreign data (the kind that, according to the OLC, could be obtained under USC 2511(2)(f)

Summer and Fall, 2009: Sprint meets with government to learn how Section 215 can be used to require delivery of “all” customer records

July 9, 2009: Sprint raises legal issues regarding the order it was under; Walton halts production from provider which had included foreign-to-foreign production

October 30, 2009: Still unreleased primary order BR 09-15

November 27, 2009: Valerie Caproni makes first request for opinion

December 11, 2009: Caproni supplements her request for a memo

December 16, 2009: Application and approval of BR 09-19

December 30, 2009: Sprint served with secondary order

January 7, 2010: Motion to unseal records

January 8, 2010: FISC declassifies earlier opinions; DOJ and Sprint jointly move to extend time when Sprint can challenge order; and OLC releases OLC opinion; FISC grants motion (John Bates approves all these motions)

January 11, 2010: DOJ moves (in a motion dated January 8) to amend secondary order to incorporate language on legality; this request is granted the following day (though we don’t get that order)

January 20, 2010: IG Report released, making existence of OLC memo public

This memo is looking less and less like a coinkydink after all, and more and more a legal justification for the provision of foreign-to-foreign records to accompany the Section 215 provision. And while FBI said it wasn’t going to rely on the memo, it’s not clear whether NSA said the same.

Golly. It’d sure be nice if we got to see that memo before David Barron got to be a lifetime appointed judge.

The Phone Dragnet Adopted “Selection Term” by 2013

As I laid out last week, I’m not convinced the term “specific selection term” is sufficiently narrowly defined to impose adequate limits to the “reformed” Section 215 (and NSL and PRTT) programs. Here’s how the House defined it:

SPECIFIC SELECTION TERM.—The term ‘specific selection term’ means a term used to uniquely describe a person, entity, or account.

That said, as I also noted, the motion to amend January’s primary order used the term to refer to the query term, which may suggest my concerns are unfounded.

I’ve looked further, and the amendment’s use of the term was not new in the phone dragnet.

In fact, the phrase used to refer to the query subject changed over the course of the dragnet. The first Primary Order authorized the search on “particular known phone numbers.” That usage continued until 2008, when Primary Order BR 08-08 introduced the term “particular known identifier.” A completely redacted footnote seems to have defined the term (and always has). Significantly, that was the first Primary Order after an August 20, 2008 opinion authorized some “specific intelligence method in the conduct of queries (term “searches”) of telephony metadata or call detail records obtained pursuant to the FISC’s orders under the BR FISA program.” I think it highly likely that opinion authorized the use of correlations between different identifiers believed to be associated with the same person. 

The September 3, 2009 Primary Order — the first one resuming some normality after the problems identified in 2009 — references a description of identifier in a declaration. And the redaction provides hints that the footnote describing the term lists several things that are included (though the footnote appears to be roughly the same size as others describing identifier).

Identifier Footnote

 

The Primary Orders revert back to the same footnote in all the orders that have been released (the government is still withholding 3 known Primary Orders from 2009). And that continued until at least June 22, 2011, the last Primary Order covered by the ACLU and EFF FOIAs.

But then in the first Primary Order after the 2011-2012 break (and all Primary Orders since), the language changes to “selection term,” which like its predecessor has a footnote apparently explaining the term — though the footnote is twice as long. Here’s what it looks like in the April 25, 2013 Primary Order:

Selection Term Footnote

 

The change in language is made not just to the subject of queries. There’s a paragraph in Primary Orders approving the use of individual FISA warrant targets for querying (see this post for an explanation) that reads,

[Identifiers/selection terms] that are currently the subject of electronic surveillance authorized by the Foreign Intelligence Surveillance Court (FISC) based on the FISC’s finding of probable cause to believe that they are used by agents of [redacted] including those used by U.S. persons, may be deemed approved for querying for the period of FISC-authorized electronic surveillance without review and approval by a designated approving official.

The change appears there too. That’s significant because it suggests a use that would be tied to targets about whom much more would be known, and in usages that would be primarily email addresses or other Internet identifiers, rather than just phone-based ones. I think that reflects a broader notion of correlation (and undermines the claim that a selection term is “unique,” as  it would tie the use of an identity authorized for Internet surveillance to a telephone metadata identifier used to query the dragnet).

Finally, the timing. While the big gap in released Primary Orders prevents us from figuring out when the NSA changed from “identifier” to “selection term,” it happened during the same time period when the automated query process was approved.

This may all seem like a really minor nit to pick.

But even after the language was changed to “selection term” on Primary Orders, top intelligence officials continued to use the term “identifier” to describe the process (see the PCLOB hearing on Section 215, for example). The common usage, it seems, remains “identifier,” though there must be some legal reason the NSA and DOJ use “selection term” with the FISC.

It also means there’s some meaning for selection term the FISA Court has already bought off on. It’s a description that takes 15 lines to explain, one the government maintains is still classified.

And we’re building an entire bill off a vague 17-word definition without first learning what that 15-line description entails.

 

Jim Sensenbrenner Seems to Endorse Two Times Two Hops

I’m working on a larger post about a theory I have about the Internet dragnet. But while working on that, I noticed that in 2009 the government admitted that it had used the Internet dragnet, like the phone dragnet, to contact chain on US emails that were connected with suspect emails, but which had not themselves found to be suspicious (or tied to a foreign power).

This practice involved an analyst running  query using as a seed “a U.S.-based e-mail account” thta had been in direct contact with a properly validated seed account, but had not itself been properly validated under the RAS approval process. [redacted] Response at 2-3. When he granted renewed authorization for bulk PR/TT surveillance on [redacted], Judge Walton ordered the government not to resume this practice without proper Court approval. See Docket No. PR/TT [redacted] Primary Order issued [redacted] at 10.

In its response, the government also described an automated means of querying, which it regarded as consistent with the applicable PR/TT orders. This form of querying involved the determination that an e-mail address satisfied the RAS standard, but for the lack of a connection to one of the Foreign Powers (e.g., there were sufficient indicia that the user of the e-mail address was involved in terrorist activities, but the user’s affiliation with a particular group was unknown).

[snip]

In the event that such an e-mail address was in contact with a RAS-approved seed-account on an NSA “Alert List,” that e-mail address would itself be used as a seed for automatic querying, on the theory that the requisite nexus to one of the Foreign Powers had been established.

Up until 2009, the government was blithely extending the chaining process by declaring US person targets new seeds and chaining from there.

I raise this because the NSA has been struggling, unsuccessfully, since 2009  to resume it’s alert function(s). It may be that’s one reason why NSA embraced outsourcing data retention to the telecoms.

And because, in effort to defeat a Zoe Lofgren amendment at least Wednesday’s markup of the Jim Sensenbrenner seemed to endorse this derivative hop process.

Lofgren’s amendment would have added language limiting upstream collection to that which involved the target of the acquisition.

Lofgren. Mr. Chairman, I believe that this amendment fixes a loophole that was created by the FISA court in its November 2011 decision that is now in the public arena. The amendment clarifies that the government can only use selectors to collect information to or from the target of an authorized investigation. Under the current law, as blessed by the FISA court, NSA is using 702 authority to collect communications that are to, from, or even about a foreign intelligence target so long as these communications are believed not to be wholly between U.S. persons. Now, the USA Freedom Act did not address this loophole, and actually the original PATRIOT Act did not either, this is a court-constructed document, but it allows false positives, and intentional use of vague about criteria could be used to lead to massive collection of U.S. persons’ communication. This amendment would prevent that adverse outcome by limiting the selectors to target and collect communications only when one of the parties to that communication is the target of an authorized investigation.

Sensenbrenner’s response was, at first, on point, claiming that the prohibition targeting that has reverse targeting as a purpose of the acquisition at all.

But then he went into this language about Section 215, a totally different part of FISA.

Sensenbrenner: Say there is a section 215 order that is aimed at a target, it goes two hops and on the second hop, there is a U.S. person who is not at the time of the second hop a target of an authorized investigation. What this amendment does is limits adding that person to a target of an authorized investigation and going the two hops from that. Now, a lot of these conspiracies are more than two hops. But I don’t think that if there is a reasonable suspicion that if it goes for more than two hops that we ought to preclude, finding out who those people are talking to in the furtherance of their plot.

In it, he seemed to say that NSA must be able to declare US person selection terms new RAS approved seeds without having enough evidence to declare them a target of an investigation. But in the process, he seemed to envision derivative seeds, the addition of new US person seeds off of existing contact chains.

Which sounds a lot like the old alert process that FISC ruled improper in 2009 (although this would presumably require a new FISC review).

My theory about the dragnet may explain a bit more about why Sensenbrenner seemed to offer such an inapt argument against Lofgren’s memo (and why Lofgren’s warnings that upstream collection can easily become the new dragnet).

But for the moment, note that Sensenbrenner at least seems to envision the 2 hops permitted by his bill could, in turn, become two more hops without any more reasonable basis for suspicion.