Posts

Surveillance Reform Can No Longer Ignore EO 12333

Yesterday, a bunch of civil liberties groups issued a letter calling for FISA 702 reform as part of the Section 215 reauthorization this year. I agree that the reauthorization this year should address the problems with 702 that weren’t addressed last year, though even on FISA, the letter doesn’t go far enough. DOJ IG will soon issue a report partly addressing the Carter Page FISA application, and that will provide an opportunity to push to make reforms to traditional (individual) FISA, such as making it clear that some defendants must get to review the underlying affidavit. Similarly, it doesn’t make sense reforming Section 215’s subpoena function without, at the same time, reforming the subpoena authority that DEA uses for a similar dragnet that undergoes far less oversight, particularly given that Bill Barr is the guy who first authorized that DEA dragnet in his first go-around as authoritarian Attorney General.

But it’s also the case that the surveillance community could — and arguably has an opportunity to — address EO 12333 as well.

The Executive branch has been exploiting the tension between EO 12333 (foreign surveillance that, because it is “foreign,” is conducted under the exclusive authority of Article II) and FISA (“domestic” surveillance overseen by the FISA court) since Dick Cheney launched Stellar Wind on bogus claims the collection on foreign targets in the US amounted to “foreign” surveillance. From 2004 to 2008, Congress moved parts of that under FISA. But at several points since, the government has reacted to FISA restrictions by moving their surveillance under EO 12333, most notably when it moved much of its collection of Internet metadata under EO 12333 in 2012.

Unfortunately, most of the surveillance community and reporters covering such issues have been woefully unaware of even the limited public disclosures on EO 12333 surveillance (which for a time was branded as SPCMA). That made activism around Section 215 far less effective, as few people understood that Section 215 data was and remains just a small part of a larger, duplicative dragnet, and a lot of the claims made about the need for USA Freedom Act didn’t account for precisely what role the Section 215 dragnet played in the larger whole.

As one of its last acts, the Obama Administration institutionalized EO 12333 sharing across intelligence agencies, formalizing what Dick Cheney had been aiming for all along, just before Donald Trump took over.  At least as soon as that happened, the FBI (and other agencies, including but not limited to CIA) obtained a source of content that paralleled (and like the metadata dragnet, surely is significantly duplicative with) Section 702 collection.

That means the Section 702 opinion released last week discusses querying methods that may also be applied, in the same systems, to EO 12333 data. Indeed, one aspect of the querying procedures FBI finally adopted — that queries limited “such that it cannot retrieve unminimized section 702-acquired information” — is the kind of setting that NSA used to re-run queries that returned FISA information so as to return, instead, only EO 12333 data that could be shared under different rules with less oversight. Furthermore, the regime set up under EO 12333, which already includes squishy language about queries “for the purpose of targeting” a US person (suggesting other purposes are permissible), has the same kind of internal approval process that the government wanted to adopt with 702.

If FBI is querying both 702 and EO 12333 raw content in the same queries, it means the standards laid out by James Boasberg in his opinion should apply. Notably, Boasberg wrote at some length about what constituted “reasonable” procedures to govern querying, and under a balancing analysis, found that the procedures in place did not comply with the Fourth Amendment.

Whether the balance of interests ultimately tips in favor of finding the procedures to be inconsistent with the Fourth Amendment is a close question. Reasonableness under the Fourth Amendment does not require perfection. See In Re Directives, 551 F.3d at J 015 (“the fact that there is some potential for error is not a sufficient reason to invalidate” surveillances as unreasonable under the Fourth Amendment). Nonetheless, if “the protections that are in place for individual privacy interests are … insufficient to alleviate the risks of government error and abuse, the scales will tip toward a finding of unconstitutionality.” kl at 1012. Here, there are demonstrated risks of serious error and abuse, and the Court has found the government’s procedures do not sufficiently guard against that risk, for reasons explained above in the discussion of statutory minimization requirements.

By contrast, under the EO 12333 procedures, the only reasonableness review takes place when NSA decides whether to share its SIGINT, which doesn’t include risk of error and abuse.

Reasonableness. Whether approving the request is reasonable in light of all the circumstances known at the time of the evaluation of the request, including but not limited to:

[snip]

e. (U) The likelihood that sensitive U.S. person information (USPI) will be found in the information and, if known, the amount of such information;

f. (U) The potential for substantial harm, embarrassment, inconvenience, or unfairness to U.S. persons if the USPI is improperly used or disclosed;

And that’s with the additional minimization procedures under 702 that are stronger than the dissemination rules under the EO 12333 rules.

There are limits to this. Boasberg based his Fourth Amendment review in statutory considerations, statute that doesn’t yet exist with 12333. He did not determine that the act of querying, by itself, warranted Fourth Amendment protection (though the amici pushed him to do so).

But that shouldn’t stop Congress from requiring that FBI adhere to the same practices of querying with EO 12333 collected data as it does with Section 702 collected data, which would in turn limit the value, to FBI, of engaging in surveillance arbitrage by doing things under EO 12333 that it couldn’t do under 702.

How Twelve Years of Warning and Six Years of Plodding Reform Finally Forced FBI to Do Minimal FISA Oversight

Earlier this week, the government released the reauthorization package for the 2018 Section 702 certificates of FISA. With the release, they disclosed significant legal fights about the way FBI was doing queries on raw data, what we often call “back door searches.” Those fights are, rightly, being portrayed as Fourth Amendment abuses. But they are, also, the result of the FISA Court finally discovering in 2018, after 11 years, that back door searches work like some of us have been saying they do all along, a discovery that came about because of procedural changes in the interim.

As such, I think this is wrong to consider “FISA abuse” (and I say that as someone who was very likely personally affected by the practices in question). It was, instead, a case where the court discovered that FBI using 702 as it had been permitted to use it by FISC was a violation of the Fourth Amendment.

As such, this package reflects a number of things:

  • A condemnation of how the government has been using 702 (and its predecessor PAA) for 12 years
  • A (partial — but thus far by far the most significant one) success of the new oversight mechanisms put in place post-Snowden
  • An opportunity to reform FISA — and FBI — more systematically

This post will explain what happened from a FISA standpoint. A follow-up post will explain why this should lead to questions about FBI practices more generally.

The background

This opinion came about because every year the government must obtain new certificates for its 702 collection, the collection “targeted” at foreigners overseas that is, nevertheless, designed to collect content on how those foreigners are interacting with Americans. Last we had public data, there were three certificates: counterterrorism, counterproliferation, and “foreign government,” which is a too-broadly scoped counterintelligence function. As part of that yearly process, the government must get FISC approval to any changes to its certificates, which are a package of rules on how they will use Section 702. In addition, the court conducts a general review of all the violations reported over the previous year.

Originally, those certificates included proposed targeting (governing who you can target) and minimization (governing what you can do once you start collecting) procedures; last year was the first year the agencies were required to submit querying procedures governing the way agencies (to include NSA, CIA, National Counterterrorism Center, and FBI) access raw data using US person identifiers. The submission of those new querying procedures are what led to the court’s discovery that FBI’s practices violated the Fourth Amendment.

In the years leading up to the 2018 certification, the following happened:

  • In 2013, Edward Snowden’s leaks made it clear that those of us raising concerns about Section 702 minimization since 2007 were correct
  • In 2014, the Privacy and Civil Liberties Oversight Board (which had become operational for the first time in its existence almost simultaneously with Snowden’s leaks) recommended that CIA and FBI have to explain why they were querying US person content in raw data
  • In 2015, Congress passed the USA Freedom Act, the most successful reform of which reflected Congress’ intent that the FISA Court start consulting amicus curiae when considering novel legal questions
  • In 2015, amicus Amy Jeffress (who admitted she didn’t know much about 702 when first consulted) raised questions about how queries were conducted, only to have the court make minimal changes to current practice — in part, by not considering what an FBI assessment was
  • In the 2017 opinion authorizing that year’s 702 package, Rosemary Collyer approved an expansion of back door searches without — as Congress intended — appointing an amicus to help her understand the ways the legal solution the government implemented didn’t do what she believed it did; that brought some (though not nearly enough) attention to whether FISC was fulfilling the intent of Congress on amici
  • In the 2017 Reauthorization (which was actually approved in early 2018), Congress newly required agencies accessing raw data to submit querying procedures along with their targeting and minimization procedures in the annual certification process, effectively codifying the record-keeping suggestion PCLOB had made over two years earlier

When reviewing the reauthorization application submitted in March 2018, Judge James Boasberg considered that new 2017 requirement a novel legal question, so appointed Jonathan Cederbaum and Amy Jeffress, the latter of whom also added John Cella, to the amicus team. By appointing those amici to review the querying procedures, Boasberg operationalized five years of reforms, which led him to discover that practices that had been in place for over a decade violated the Fourth Amendment.

When the agencies submitted their querying procedures in March 2018, all of them except FBI complied with the demand to track and explain the foreign intelligence purpose for US person queries separately. FBI, by contrast, said they already kept records of all their queries, covering both US persons and non-US persons, so they didn’t have to make a change. One justification it offered for not keeping US person-specific records as required by the law is that Congress exempted it from the reporting requirements it imposed on other agencies in 2015, even though FBI admitted that it was supposed to keep queries not just for the public reports from which they argued they were exempted, but also for the periodical reviews that DOJ and ODNI make of its queries for oversight purposes. FBI Director Christopher Wray then submitted a supplemental declaration, offering not to fix the technical limitations they built into their repositories, but arguing that complying with the law via other means would have adverse consequences, such as diverting investigative resources. Amici Cedarbaum and Amy Jeffress challenged that interpretation, and Judge James Boasberg agreed.

The FBI’s querying violations

It didn’t help FBI that in the months leading up to this dispute, FBI had reported six major violations to FISC involving US person queries. While the description of those are heavily redacted, they appear to be:

  • March 24-27, 2017: The querying of 70K facilities “associated with” persons who had access to the FBI’s facilities and systems. FBI General Counsel (then run by Jim Baker, who had had these fights in the past) warned against the query, but FBI did it anyway, though did not access the communications. This was likely either a leak or a counterintelligence investigation and appears to have been discovered in a review of existing Insider Threat queries.
  • December 1, 2017: FBI conducted queries on 6,800 social security numbers.
  • December 7-11, 2017, the same entity at FBI also queried 1,600 queries on certain identifiers, though claimed they didn’t mean to access raw data.
  • February 5 and 23, 2018: FBI did approximately 30 queries of potential sources.
  • February 21, 2018: FBI did 45 queries on people being vetted as sources.
  • Before April 13, 2018: an unspecified FBI unit queried FISA acquired metadata using 57,000 identifiers of people who work in some place.

Note, these queries all took place under Trump, and most of them took place under Trump’s hand-picked FBI Director. Contrary to what some Trump apologists have said about this opinion, it is not about Obama abuse (though it reflects practices that likely occurred under him and George Bush, as well).

These violations made it clear that Congress’ mandate for better record-keeping was merited. Boasberg also used them to prove that existing procedures did not prevent minimization procedure violations because they had not in these instances.

As he was reviewing the violations, Boasberg discovered problems in the oversight of 702 that I had noted before, based off my review of heavily redacted Semiannual Reports (which means they should have been readily apparent to everyone who had direct access to the unredacted reports). For example, Judge Boasberg noted how few of FBI’s queries actually get reviewed during oversight reviews (something I’ve pointed out repeatedly, and which 702 boosters have never acknowledged the public proof of).

As noted above, in 2017 the FBI conducted over three million queries of FISA-acquired information on just one system, [redacted]. See Supplemental FBI Declaration at 6. In contrast, during 2017 NSD conducted oversight of approximately 63,000 queries in [redacted] and 274,000 queries in an FBI system [redacted]. See Gov’t Response at 36.

Personnel from the Office of Intelligence (OI) within the Department of Justice’s National Security Division (NSD) visit about half of the FBI’s field offices for oversight purposes in a given year. Id at 35 & n 42. Moreover OI understandably devotes more resources to offices that use FISA authorities more frequently, so those offices [redacted] are visited annually, id at 35 n. 42, which necessitates that some other offices go for periods of two years or more between oversight visits. The intervals of time between oversight visits at a given location may contribute to lengthy delays in detecting querying violations and reporting them to the FISC. See, e.g., Jan. 18, 2019, Notice [redacted] had been conducting improper queries in a training context since 2011, but the practice was not discovered until 2017).

He also noted that the records on such queries don’t require contemporaneous explanation from the Agent making the query, meaning any review of them will not find problems.

The FBI does not even record whether a query is intended to return foreign-intelligence information or evidence of crime. See July 13, 2018, Proposed Tr. at 14 (DOJ personnel “try to figure out” from FBI query records which queries were run for evidence of crime purposes). DOJ personnel ask the relevant FBI personnel to recall and articulate the bases for selected queries. Sometimes the FBI personnel report they cannot remember. See July 9, 2018, Notice.

Again, I noted this in the past.

In short, as Boasberg was considering Wray’s claim that the FBI didn’t need the record-keeping mandated by Congress, he was discovering that, in fact, FBI needs better oversight of 702 (something that should have been clear to everyone involved, but no one ever listens to my warnings).

FISC rules the querying procedures do not comply with the law or Fourth Amendment

In response to Boasberg’s demand, FBI made several efforts to provide solutions that were not really solutions.

The FBI’s first response to FISC’s objections was to require General Counsel approval before accessing the result of any “bulk” queries like the query that affected 70K people — what it calls “categorical batch queries.”

Queries that are in fact reasonably likely to return foreign-intelligence information are responsive the government’s need to obtain and produce foreign-intelligence information, and ultimately to disseminate such information when warranted. For that reason, queries that comply with the querying standard comport with § 1801 (h), even insofar as they result in the examination of the contents of private communications to or from U.S. persons. On the other hand, queries that lack a sufficient basis are not reasonably related to foreign intelligence needs and any resulting intrusion on U.S. persons’ privacy lacks any justification recognized by§ 1801 (h)(l). Because the FBI procedures, as implemented, have involved a large number of unjustified queries conducted to retrieve information about U.S. persons, they are not reasonably designed, in light of the purpose and technique of Section 702 acquisitions, to minimize the retention and prohibit the dissemination of private U.S. person information.

But Boasberg was unimpressed with that because the people who’d need to consult with counsel would be the most likely not to know they did need to do so.

He also objected to FBI’s attempt to give itself permission to use such queries at the preliminary investigation phase (before then, FBI was doing queries at the assessment stage).

The FBI may open a preliminary investigation with even less of a factual predicate: “on the basis of information or an allegation indicating the existence of a circumstance” described in paragraph a. orb. above. Id. § II.B.4.a.i at 21 (emphasis added). A query using identifiers for persons known to have had contact with any subject of a full or preliminary investigation would not require attorney approval under § IV.A.3, regardless of the factual basis for opening the investigation or how it has progressed since then.

Boasberg’s Fourth Amendment analysis was fairly cautious. Whereas amici pushed for him to treat the queries as separate Fourth Amendment events, on top of the acquisition (which would have had broad ramifications both within FISA practice and outside of it), he instead interpreted the new language in 702 to expand the statutory protection under queries, without finding queries of already collected data a separate Fourth Amendment event.

Similarly, both Boasberg and the amici ultimately didn’t push for a written national security justification in advance of an actual FISA search. Rather, they argued FBI had to formulate such a justification before accessing the query returns (in reality, many of these queries are automated, so it’d be practically impossible to do justifications before the fact).

Boasberg nevertheless required the FBI to at least require foreign intelligence justifications for queries before an FBI employee accessed the results of queries.

The FBI was not happy. Having been told they have to comply with the clear letter of the law, they appealed to the FISA Court of Review, adding apparently new arguments that fulfilling the requirement would not help oversight and that the criminal search requirements were proof that Congress didn’t intend them to comply with the other requirements of the law. Like Boasberg before them, FISCR (in a per curium opinion from the three FISCR judges, José Cabranes, Richard Tallman, and David Sentelle) found that FBI really did need to comply with the clear letter of the law.

The FBI chose not to appeal from there (for reasons that go beyond this dispute, I suspect, as I’ll show in a follow-up). So by sometime in December, they will start tracking their backdoor searches.

FBI tried, but failed, to avoid implementing a tool that will help us learn what we’ve been asking

Here’s the remarkable thing about this. Something like this has been coming for two years, and FBI is only now beginning to comply with the requirement. That’s probably not surprising. Neither the Director of National Intelligence (which treated its intelligence oversight of FBI differently than it did CIA or NSA) nor Congress had demanded that FBI, which can have the most direct impact on someone’s life, adhere to the same standards of oversight that CIA and NSA (and an increasing number of other agencies) do.

Nevertheless, 12 years after this system was first moved under FISA (notably, two key Trump players, White House Associate Counsel John Eisenberg and National Security Division AAG John Demers were involved in the original passage), we’re only now going to start getting real information about the impact on Americans, both in qualitative and quantitative terms. For the first time,

  • We will learn how many queries are done (the FISC opinion revealed that just one FBI system handles 3.1 million queries a year, though that covers both US and non US person queries)
  • We will learn that there are more hits on US persons than previously portrayed, which leads to those US persons to being investigated for national security or — worse — coerced to become national security informants
  • We will learn (even more than we already learned from the two reported queries that this pertained to vetting informants) the degree to which back door searches serve not to find people who are implicated in national security crimes, but instead, people who might be coerced to help the FBI find people who are involved in national security crimes
  • We will learn that the oversight has been inadequate
  • We will finally be able to measure disproportionate impact on Chinese-American, Arab, Iranian, South Asian, and Muslim communities
  • DOJ will be forced to give far more defendants 702 notice

Irrespective of whether back door searches are themselves a Fourth Amendment violation (which we will only now obtain the data to discuss), the other thing this opinion shows is that for twelve years, FISA boosters have been dismissing the concerns those of us who follow closely have raised (and there are multiple other topics not addressed here). And now, after more than a decade, after a big fight from FBI, we’re finally beginning to put the measures in place to show that those concerns were merited all along.

FISC Makes Far Better Amicus Choices Than I Expected

I’ve long been skeptical about the potential efficacy of the amicus provision in USA Freedom Act, especially because the government can always withhold information.

But the FISC (and FISCR’s, they make clear) choices for potential amici is far better than I expected.

Screen Shot 2015-11-25 at 2.09.12 PM

Laura Donohue, besides being an important voice on surveillance reform, is one of the few people who has as weedy an understanding of the details of the surveillance programs as I do. Plus, unlike me, she can argue the legal aspects of it with authority.

Marc Zwillinger has represented at least one corporation — Yahoo, in its 2007-8 challenge to Protect American Act — before FISC already (as well as an industry push for the right to provide more transparency numbers), and is currently representing Apple in an EDNY discussion about back doors. He even has experience not receiving notice of unclassified details necessary to his arguments before FISC!! At a PCLOB hearing on this topic, he and others predicted he’d likely be among those picked. Voila!

John Cline is probably best known to readers of this blog for the representation he gave Scooter Libby. But he did so because he has represented a wide range of defendants dealing with classified information — he’s one of the best on such issues. That perspective is one that even most (though not all) judges on the FISC lack, and I’m impressed they would let someone have vision on both processes.

Jonathan Cedarbaum was acting head at OLC for a while, though mostly worked on domestic policy issues. Though I think he did work on some cybersecurity issues. The closest tie I know of to counterterrorism came in his role on the Boumedienne case, for which he was targeted by right wingers while at DOJ.

I’m perhaps least thrilled about Amy Jeffress (whose father also represented Scooter Libby) on the panel. She has a ton of experience on all kinds of national security cases — but overwhelmingly as a prosecutor. She almost got the Assistant Attorney for National Security job until it was given to John Carlin. While a top advisor to Eric Holder, she likely saw some things that might get debated at FISC (in the same way Rachel Brand and Elisabeth Collins Cook were involved in things at DOJ during the Bush Administration that PCLOB has reviewed), which might lead her to be more invested in the government outcome than I’d like. But from everything I know she’s a very good lawyer.

All in all, a far better collection of lawyers than I expected, and any of them is a better choice than Preston Burton.

 

One Acting OLC Head Replaces Another

Charlie Savage reports that Acting OLC head David Barron is returning to spend more time with his law students at Harvard, to be replaced by Jonathan Cedarbaum. Unlike several of the legal jobs that have turned over under this Administration, this one doesn’t appear to be tied to a fight over counter-terrorism policy.

David J. Barron, the acting head of the Justice Department’s powerful Office of Legal Counsel, will step down next month and be replaced by one of his current deputies, Jonathan G. Cedarbaum, the department said Thursday.

Mr. Barron has run the office, which advises the president and executive branch whether proposed actions would be lawful, since January 2009. He is returning to Harvard Law School, which limits tenured professors to two years of leave, and he said in an interview that wants to move back to Massachusetts before the start of the school year because he has three young children.

And so we move on to yet another Acting head of the OLC that has been in place since the last Senate-confirmed head of the OLC–Jack Goldsmith–left six years ago.

Savage notes that Cedarbaum is one of the lawyers Liz “BabyDick” Cheney targeted in a witch hunt of all the Obama Administration lawyers who had ever represented a Gitmo detainee.

Mr. Barron’s replacement, Mr. Cedarbaum, came to public attention earlier this year after Fox News named him as one of several Justice Department lawyers who had previously advocated for detainees.[snip]

At a partner at the WilmerHale law firm, he was one of several lawyers whose name appeared on a Supreme Court brief in a case involving six Algerian detainees who had been arrested in Bosnia, and who were seeking a right to a habeas-corpus hearing.

Which means both the Acting Solicitor General, Neal Katyal, and the Acting Assistant Attorney General for OLC are among those who defended our legal system by representing detainees. (Of course, Eric Holder himself represented some terrorist supporters, but the board of Chiquita are a bunch of rich white Republican terrorist supporters who don’t offend BabyDick in the least.)