Posts

The Heroic IRS Agent Story Should Raise More Questions about Silk Road Investigation

/11 Comments/in , /by

“In these technical investigations, people think they are too good to do the stupid old-school stuff. But I’m like, ‘Well, that stuff still works.’ ”

The NYT got this and many other direct quotes from IRS agent Gary Alford for a complimentary profile of him that ran on Christmas day. According to the story, Alford IDed Ross Ulbricht as a possible suspect for the Dread Pirate Roberts — the operator of the Dark Web site Silk Road — in early June 2013, but it took until September for Alford to get the prosecutor and DEA and FBI Agents working the case to listen to him. The profile claims Alford’s tip was “crucial,” though a typo suggests NYT editors couldn’t decide whether it was the crucial tip or just crucial.

In his case, though, the information he had was the crucial [sic] to solving one of the most vexing criminal cases of the last few years.

On its face, the story (and Alford’s quote) suggests the FBI is so entranced with its hacking ability that it has neglected very, very basic investigative approaches like Google searches. Indeed, if the story is true, it serves as proof that encryption and anonymity don’t thwart FBI investigations as much as Jim Comey would like us to believe when he argues the Bureau needs to back door all our communications.

But I don’t think the story tells the complete truth about the Silk Road investigation. I say that, first of all, because of the timing of Alford’s efforts to get others to further investigate Ulbricht. As noted, the story describes Alford IDing Ulbricht as a potential suspect in early June 2013, after which he put Ulbricht’s name in a DEA database of potential suspects, which presumably should have alerted anyone else on the team that US citizen Ross Ulbricht was a potential suspect in the investigation.

Mr. Alford’s preferred tool was Google. He used the advanced search option to look for material posted within specific date ranges. That brought him, during the last weekend of May 2013, to a chat room posting made just before Silk Road had gone online, in early 2011, by someone with the screen name “altoid.”

“Has anyone seen Silk Road yet?” altoid asked. “It’s kind of like an anonymous Amazon.com.”

The early date of the posting suggested that altoid might have inside knowledge about Silk Road.

During the first weekend of June 2013, Mr. Alford went through everything altoid had written, the online equivalent of sifting through trash cans near the scene of a crime. Mr. Alford eventually turned up a message that altoid had apparently deleted — but that had been preserved in the response of another user.

In that post, altoid asked for some programming help and gave his email address: [email protected]. Doing a Google search for Ross Ulbricht, Mr. Alford found a young man from Texas who, just like Dread Pirate Roberts, admired the free-market economist Ludwig von Mises and the libertarian politician Ron Paul — the first of many striking parallels Mr. Alford discovered that weekend.

When Mr. Alford took his findings to his supervisors and failed to generate any interest, he initially assumed that other agents had already found Mr. Ulbricht and ruled him out.

But he continued accumulating evidence, which emboldened Mr. Alford to put Mr. Ulbricht’s name on the D.E.A. database of potential suspects, next to the aliases altoid and Dread Pirate Roberts.

At the same time, though, Mr. Alford realized that he was not being told by the prosecutors about other significant developments in the case — a reminder, to Mr. Alford, of the lower status that the I.R.S. had in the eyes of other agencies. And when Mr. Alford tried to get more resources to track down Mr. Ulbricht, he wasn’t able to get the surveillance and the subpoenas he wanted.

Alford went to the FBI and DOJ with Ulbricht’s ID in June 2013, but FBI and DOJ refused to issue even subpoenas, much less surveil Ulbricht.

But over the subsequent months, Alford continued to investigate. In “early September” he had a colleague do another search on Ulbricht, which revealed he had been interviewed by Homeland Security in July 2013 for obtaining fake IDs.

In early September, he asked a colleague to run another background check on Mr. Ulbricht, in case he had missed something.

The colleague typed in the name and immediately looked up from her computer: “Hey, there is a case on this guy from July.”

Agents with Homeland Security had seized a package with nine fake IDs at the Canadian border, addressed to Mr. Ulbricht’s apartment in San Francisco. When the agents visited the apartment in mid-July, Mr. Ulbricht answered the door, and the agents identified him as the face on the IDs, without having any idea of his potential links to Silk Road.

When Alford told prosecutor Serrin Turner of the connection (again, this is September 2013), the AUSA finally did his own search in yet another database, the story claims, only to discover Ulbricht lived in the immediate vicinity of where Dread Pirate Roberts was accessing Silk Road. And that led the Feds to bust Ulbricht.

I find the story — the claim that without Alford’s Google searches, FBI did not and would not have IDed Ulbricht — suspect for two reasons.

First, early June is the date that FBI Agent Christopher Tarbell’s declaration showed (but did not claim) FBI first hacked Silk Road. That early June date was itself suspect because Tarbell’s declaration really showed data from as early as February 2013 (which is, incidentally, when Alford was first assigned to the team). In other words, while it still seems likely FBI was always lying about when it hacked into Silk Road, the coincidence between when Alford says he went to DOJ and the FBI with Ulbricht’s ID and when the evidence they were willing to share with the defense claimed to have first gotten a lead on Silk Road is of interest. All the more so given that the FBI claimed it could legally hack the server because it did not yet know the server was run by an American, and so it treated the Iceland-based server as a foreigner for surveillance purposes.

One thing that means is that DOJ may not have wanted to file paperwork to surveil Ulbricht because admitting they had probable cause to suspect an American was running Silk Road would make their hack illegal (and/or would have required FBI to start treating Ulbricht as the primary target of the investigation; it seems FBI may have been trying to do something else with this investigation). By delaying the time when DOJ took notice of the fact that Silk Road was run by an American, they could continue to squat on Silk Road without explaining to a judge what they were doing there.

The other reason I find this so interesting is because several of the actions to which corrupt DEA agent Carl Force pled guilty — selling fake IDs and providing inside information — took place between June and September 2013, during the precise period when everyone was ignoring Alford’s evidence and the fact that he had entered Ulbricht’s name as a possible alias for the Dread Pirate Roberts into a DEA database. Of particular note, Force’s guilty plea only admitted to selling the fake IDs for 400 bitcoin, and provided comparatively few details about that action, but the original complaint against Force explained he had sold the IDs for 800 bitcoin but refunded Ulbricht 400 bitcoin because “the deal for the fraudulent identification documents allegedly fell through” [emphasis mine].

Were those fake IDs that Force sold Ulbricht the ones seized by Homeland Security and investigated in July 2013? Did the complaint say the deal “allegedly” fell through because it didn’t so much fall through as get thwarted? Did something — perhaps actions by Force — prevent other team members from tying that seizure to Ulbricht? Or did everyone know about it, but pretend not to, until Alford made them pay attention (perhaps with a communications trail that other Feds couldn’t suppress)? Was the ID sale part of the investigation, meant to ID Ulbricht’s identity and location, but Force covered it up?

In other words, given the record of Force’s actions, it seems more likely that at least some people on the investigative team already knew what Alford found in a Google search, but for both investigative (the illegal hack that FBI might have wanted to extend for other investigative reasons) and criminal (the money Force was making) reasons, no one wanted to admit that fact.

Now, I’m not questioning the truth of what Alford told the NYT. But even his story (which is corroborated by people “briefed on the investigation,” but only one person who actually attended any of the meetings for it; most of those people are silent about Alford’s claims) suggests there may be other explanations why no one acted on his tip, particularly given the fact that he appears to have been unable to do database searches himself and that they refused to do further investigation into Ulbricht. (I also wonder whether Alford’s role explains why the government had the IRS in San Francisco investigate Force and corrupt Secret Service Agent Shaun Bridges, rather than New York, where agents would have known these details.)

Indeed, I actually think this complimentary profile might have been a way for Alford to expose further cover-ups in the Silk Road investigation without seeming to do so for any but self-interested reasons. Bridges was sentenced on December 7. Ulbricht was originally supposed to have submitted his opening appellate brief — focusing on Fourth Amendment issues that may be implicated by these details — on December 11, but on December 2, the court extended that deadline until January 12.

I don’t know whether Ulbricht’s defense learned these details. I’m admittedly not familiar enough with the public record to know, though given the emphasis on Tarbell’s declaration as the explanation for how they discovered Ulbricht and the NYT’s assertion Alford’s role and the delay was “largely left out of the documents and proceedings that led to Mr. Ulbricht’s conviction and life sentence this year,” I don’t think it is public. But if they didn’t, then the fact that the investigative team went out of their way to avoid confirming Ulbricht’s readily accessible identity until at least three and probably seven months after they started hacking Silk Road, even while key team members were stealing money from the investigation, might provide important new details about the government’s actions.

And if Alford gets delayed credit for doing simple Google searches as a result, all the better!

A Remarkable Date for the Virgin Birth of the Silk Road Investigation

/2 Comments/in /by

As Wired first reported, there’s been an interesting exchange in the Silk Road prosecution. In September, the former FBI Agent who helped to bust accused Silk Road operator Ross Ulbricht, Christopher Tarbell, submitted a declaration explaining the genesis of the investigation by claiming the FBI got access to the Silk Road server because it became accessible via a non-Tor browser. In response, Ulbricht lawyer Joshua Horowitz submitted a declaration claiming Tarbell’s claims were implausible because the FBI wouldn’t have been able to get into Silk Road’s back end. The government responded by claiming that even if it did hack the website, it would not have been illegal.

Given that the SR Server was hosting a blatantly criminal website, it would have been reasonable for the FBI to “hack” into it in order to search it, as anysuch “hack” would simply have constituted a search of foreign property known to contain criminal evidence, for which a warrant was not necessary .

On Friday, Judge Katherine Forrest rejected Ulbricht’s efforts to throw out the evidence from the alleged hack, accepting the government’s argument that Ulbricht had no expectation of privacy on that server regardless of when and how the government accessed it.

The temporal problems with the government’s story

Most of the coverage on this exchange has focused on the technical claims. But just as interesting are the temporal claims. Horowitz summarizes that problem this way:

[S]everal critical files provided in discovery contain modification dates predating the first date Agent Tarbell claims Icelandic authorities imaged the Silk Road Server, thereby casting serious doubt on the chronology and methodology of his account;

The government claims that server was first imaged on July 23,2013.

As I’ll lay out below, Horowitz and Tarbell provide a lot of details suggesting something — perhaps the imaging of the server, perhaps something more — happened six weeks earlier.

But before we get there, consider the date: June 6, 2013.

June 6, 2013 was the day after the afternoon publication of the first Snowden leak, and the day before the Guardian made it clear their leak included cyberwar materials.

That is, the FBI claims to have officially “found” the Silk Road server at the same time the Snowden leaks started, even while they date their investigation to 6 weeks later.

The June 6 materials

FBI’s Tarbell is much vaguer about this timing than Ulbricht’s team is. As Tarbell tells it, on some unknown date in early June 2013, he and a colleague were sniffing Silk Road data when they discovered an IP not known to be tied to Tor.

In or about early June 2013, another member of CY-2 and I closely examined the traffic data being sent from the Silk Road website when we entered responses to the prompts contained in the Silk Road login interface.

That led them to look further, according to Tarbell. When he typed the IP into a non-Tor browser, he discovered it was leaking.

When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was “leaking” from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.

That led the government to ask Iceland, on June 12, to image the server. Iceland didn’t do so, according to the official narrative, until the next month.

The defense doesn’t buy this — in part, because Tarbell claims he didn’t adhere to forensics standard procedure by keeping copies of his packet sniffing.

Failure to preserve packet logs recorded while investigating the Silk Road servers would defy the most basic principles of forensic investigative techniques.

[snip]

[T]he government’s position is that former SA Tarbell conducted his investigation of Silk Road, and penetrated the Silk Road Server, without documenting his work in any way.

According to the government, the only record of Tarbell’s access to the server from this period is from access logs dated June 11.

[A]n excerpt of 19 lines from Nginx access logs, attached hereto as Exhibit 5, supposedly showing law enforcement access to the .49 server from a non-Tor IP address June 11, 2013, between 16:58:36 and 17:00:40. According to the Government, this is the only contemporaneous record of the actions described by the Tarbell Declaration at ¶¶ 7-8.9

Given that this bears a particular date, I find it all the more curious that Tarbell doesn’t date when he was doing the packet sniffing.

There are a number of other details that point back to that June 6 date. Perhaps most significant is that Iceland imaged a server Silk Road had earlier been using on June 6.

There are a total of 4 tarballs in the first item of discovery: home, var, all, and orange21 – all contained in .tar.gz files. The mtime for orange21.tar.gz is consistent with the July 23, 2013 image date. However, the other 3 tarballs have an mtime of June 6, 2013, as shown below22:

  • root 30720 Jun 6 2013 home.tar.gz
  • root 737095680 Jun 6 2013 var.tar.gz
  • root 1728276480 Jun 6 2013 all.tar.gz
  • root 22360048285 Jul 23 2013 orange21.tar.gz

The modification date of the tarballs is consistent with an imaging date of June 6, 2013, a full six weeks before the July 23, 2013, imaging of the .49 Server, a fact never mentioned in the Tarbell Declaration.

Though — as the defense points out — Tarbell didn’t mention that earlier imaging. He notes an earlier “lead” on the Silk Road server that resolved by May, and he notes that after Ulbricht’s arrest they obtained record of him noting leaks in the server.

5 After Ulbricht’s arrest, evidence was discovered on his computer reflecting that IP address leaks were a recurring problem for him. In a file containing a log Ulbricht kept of his actions in administering the Silk Road website, there are multiple entries discussing various leaks of IP addresses of servers involved in running the Silk Road website and the steps he took to remedy them.  For example, a March 25, 2013 entry states that the server had been “ddosd” – i.e., subjected to a distributed denial of service attack, involving flooding the server with traffic – which, Ulbricht concluded, meant “someone knew the real IP.” The entry further notes that it appeared someone had “discovered the IP via a leak” and that Ulbricht “migrated to a new server” as a result. A May 3, 2013 entry similarly states: “Leaked IP of webserver to public and had to redeploy/shred [the server].” Another entry, from May 26, 2013, states that, as a result of changes he made to the Silk Road discussion forum, he “leaked [the] ip [address of the forum server] twice” and had to change servers.

[snip]

7 Several months earlier, the FBI had developed a lead on a different server at the same Data Center in Iceland (“Server-1”), which resulted in an official request for similar assistance with respect to that server on February 28, 2013. See Ex. B. Due to delays in processing the request, Icelandic authorities did not produce traffic data for Server-1 to the FBI until May 2013. See Ex. A. By the time the FBI received the Server-1 traffic data, there was little activity on Server-1, indicating that it was no longer hosting a website. (As a result, the FBI did not request that Icelandic authorities proceed with imaging Server-1.) There was still some outbound Tor traffic flowing from Server-1, though, consistent with it being used as a Tor node; yet Server-1 was not included in the public list of Tor nodes, see supra n.4. Based on this fact, I believed, by the time of the June 12 Request, that the administrator of Silk Road was using Server-1 as a Tor “bridge” when connecting to the SR Server, as indicated in the June 12 Request. See Ex. A, at 1. (A Tor “bridge” is a private Tor node that can be used to access the Tor network, as opposed to using a
public Tor node that could be detected on one’s Internet traffic. See Tor: Bridges, available at http://torproject.org/docs/bridges.) To be clear, however, the traffic data obtained for Server-1 did not reflect any connection to, or otherwise lead to the identification of, the Subject IP Address. The Subject IP Address was independently identified solely by the means described above – i.e., by examining the traffic data sent back from the Silk Road website when we interacted with its user login interface.

The two other details that point to June 6 may not actually exonerate Ulbricht. Silk Road’s live-ssl config file was altered on June 7, which is the earliest date for the site configuration provided in discovery (though page 23 has some additional dates).

The mtime for the live-ssl configuration file provided in Item 1 of discovery is June 7, 2013, and the phpmyadmin configuration is July 6, 2013.8

8 Since Item 1 is the oldest image provided in discovery the defense does not have site configuration data prior to June 7, 2013.

And, as Horowitz reiterates, the earliest date for which the defense was provided discovery of a server imaging was June 6.

According to the government, the earliest image was captured June 6, 2013, and the latest in November 2013.

From a technical stand point, I’m not sure what to make of this.

A remarkable coincidence

It’s clear, however, that FBI was tracking Silk Road well before June, and for some reason decided to make June the official start date (and, perhaps more significantly, official discovery start date; they’ve refused earlier discovery because it won’ t be used in trial) of their investigation. At the same time, it seems that Ulbricht’s defense seems reluctant to explain why they’re asking for earlier discovery; perhaps that’s because they’d have to admit Ulbricht was aware of probes of the website before then. Forrest rejected their argument because Ulbricht refused to submit a declaration that this was his server.

But I am rather struck by the timing. As I said, the first Edward Snowden story — the June 5, 2013 Verizon release that could have no tie to the Silk Road investigation and, the next day, the WaPo and Guardian PRISM releases (there were very late Google and Facebook requests that seem like parallel construction, but since Ulbricht is a US citizen, his communications should not have been available via PRISM) — was roughly the day before the day Iceland imaged the other server.

I asked both Glenn Greenwald and Bart Gellman, and it seems the earliest the government could have had official notice of that story may have been late on June 4 though probably June 5 (things get funny with the Guardian, apparently, because of Greenwich Mean Time). A more relevant leak to the Silk Road investigation was the President’s Policy Directive on cyberwar — which Guardian published on June 7 (they may not have warned the government until that morning however).

So it may all be one big coincidence — that the government created a virgin birth for the Silk Road investigation that happened to be the same day that a torrent of leaks on the NSA and GCHQ started, ultimately revealing things like the government’s targeting of the Tor network (just days after Ulbricht was arrested on October 2, 2013).

But it certainly seems possible that those investigating Silk Road felt the need to begin to roll up the investigation as that torrent of leaks started, perhaps worrying that the methods they (or GCHQ) were using might be exposed before they had collected the evidence.

Update: A few more points about this. My suspicion is that, if there is a tie between the Snowden leaks and the Silk Road investigation, it stems from the government’s recognition that some of the methods it used to find Ulbricht would become known through Snowden’s leaks, so it moved to establish an alternate means of discovery before Ulbricht might learn of those actual methods. As one example, recall that subsequent to Snowden’s leaks about XKeyscore, Jacob Appelbaum got information showing XKeyscore tracks those who use Tor. While there are a number of things it seems Ulbricht’s lawyers believe were parallel constructed (unnamed “law enforcement officers” got warrants for his Gmail and Facebook accounts in September), they most aggressively fought the use of a Title III Pen Register to track IP addresses personally associated with Ulbricht, also in September. It seems that would have been available via other means, especially XKeyscore, especially since by encrypting communication Ulbricht’s communications could be retained indefinitely under NSA’s minimization procedures.

Additionally, the language the government used to refuse information on a range of law enforcement and spying agencies sure sounds like they clean teamed this investigation.

The Government also objects to the unbounded definition of the term “government” set forth in the September 17 Requests. Specifically, the requests ask the prosecution to search for information within “not only the United States Attorney’s Office for the Southern District of New York, but also the Offices in all other Districts, any and all government entities and law enforcement agencies, including but not limited to the Federal Bureau of Investigation, Central Intelligence Agency, Drug Enforcement Administration, Immigration and Customs Enforcement Homeland Security Investigations, National Security Agency, and any foreign government and/or intelligence agencies, particularly those with which the U.S. has a cooperative intelligence gathering relationship, i.e., Government Communications Headquarters (“GCHQ”), the British counterpart to the NSA.”

Even in the Brady context, the law is clear that a prosecutor has a duty to learn only of “evidence known to . . . others acting on the government’s behalf in the case.”

The government is not denying they had other means to identify Ulbricht (nor is it denying that it worked with partners like GCHQ on this). Rather, it is just claiming that the FBI officers involved in this prosecution didn’t see those methods.

Is the Government Hiding FISC’s “Erroneous” 215 Opinion Until After Basaaly Moalin’s Hearing for a New Trial?

/4 Comments/in , /by

As I mentioned in this post, the government is due to turn over the remaining documents in the ACLU FOIA for Section 215 documents on November 18. Among the documents it may release is a February 24, 2006 FISC opinion. This may be the only comprehensive opinion written to authorize the Section 215 dragnet … and if it’s not, no comprehensive opinion authorized the opinion until August 29, 2013.

In short, that release will answer a lot of questions about what former Assistant Attorney General David Kris suggests may have been an erroneous decision authorizing the entire phone dragnet. We’ll learn more November 18.

But that won’t help Basaaly Moalin, who on Wednesday, November 13, will argue he should have a new trial in light of disclosures that the government only started wiretapping him after being tipped by the Section 215 dragnet. If the Judge in his case, Jeffrey Miller, decides he doesn’t merit a new trial, then he will be sentenced on November 18. And then, later that same day, the government will release what could be evidence that the very foundations of the Section 215 dragnet that caught Moalin are “erroneous.”

That seems to be the way things have gone for Moalin since June 18, when the government pushback on the Snowden leaks first led Moalin to learn his entire prosecution rested on the Section 215 dragnet, and since August 28, when Moalin first started pushing for a delay in sentencing so he could push for a new trial.

Back in July, the ACLU demanded the government turn over all responsive documents by August 12. That would have brought the release of all documents a month before Moalin’s then-scheduled sentencing. Instead, the government asked to have until September 15, the day before the date scheduled for his sentencing. That request would have been almost two weeks after the 60 day extension James Clapper asked for on July 5, 2013.

On August 16, Judge Pauley set up this production schedule.

The Government will review the Foreign Intelligence Surveillance Court (FISC) Opinions at issue and release any segreable information not exempt under FOIA by September 10, 2013. The Government will review a second tranche of documents and release any segreable information not exempt under FOIA by October 10, 2013. The Government will review the remaining documents at issue, excluding the FISC orders in the final row of the Government’s Vaughn index, and release any segreable information not exempt under FOIA by 10/31/2013. The parties will submit a status report to the Court by 11/8/2013.

The October 10 and 31 dates got pushed back because of the shut-down (which, of course, was not DOJ’s fault).

But the results has been to limit the argument Moalin should be able to make. In the Motion for a new trial (submitted on September 5), for example, Moalin’s team relies on the October 3, 2011 John Bates opinion (released on August 21) rather than the slew of documents showing systemic problems with the very program that tipped Moalin admitted in 2009 (released September 10). The government even taunts them about it in their Response.

Defendants’ reliance on an October 3, 2011 FISC Opinion is misplaced. The opinion documented the FISC’s judicial review of the Government’s Certifications of Collection and Interception pursuant to Section 702 of FISA and is hence irrelevant here were Section 702 is not at issue.

Of course. But the only reason the defendants weren’t able to make the very same argument — that the NSA had almost no meaningful controls over the querying they were doing of the Section 215 dragnet — and make it with collection closer to the time when the dragnet tipped Moalin is because ODNI sat on the Section 215 disclosures until after Moalin submitted his motion.

Of particular concern is the delay in revealing details of contact chaining (and that at the time Moalin was tipped, it was possible to chain a fourth hop in). The defense clearly focused on the government’s admission that Moalin had been indirectly in contact with Aden Ayro. That’s a point the government almost entirely ignored in their response. Add in that the government is still largely hiding how it uses the phone dragnet to find burner phones (and the evidence the government used Moalin’s calls with Ayro to find the warlords new phone after he had ditched an old one), and the defense was only given delayed access to some of the details that might best undermine the case that such indirect contacts might constitute probable cause for a FISA warrant.

The defense integrated some of the revelations about the 2009 disclosures in their reply, submitted October 10. That left unavailable the documents released on October 28, some of which showed the government in violation of FISA Amendment’s Act’s requirement to provide all significant FISC opinions on the topic at hand to the Intelligence and Judiciary Committees. Those documents would also present additional challenges to the legitimacy of the two reauthorizations of the dragnet since 2006.

Now, maybe this is just coincidental, that the one person who might challenge his conviction through the use of Section 215 would be prevented from using documents that might show the program itself is “erroneous.”

But as people like Dianne Feinstein squawk that the program is “legal,” they’d be well advised to consider the remarkable way that Moalin was deprived of the documents that might allow a challenge to the law as erroneous from the very start.

What Does the Government Consider “Protected” First Amendment Activities?

/13 Comments/in , /by

[youtube]GDFIVVmXE-g[/youtube]

The other day, AP’s Matt Lee called out State Department spokesperson Jen Psaki’s suggestion that Edward Snowden is not entitled to free speech.

QUESTION: Okay. Then I just don’t understand. I think this is an incredibly slippery slope that you’re going down here, that the U.S. Government is going down here, if you are coming up and saying to us that you’re trying to prevent an American citizen – albeit one who has been accused of serious crimes – from exercising his right to free speech. You don’t agree with that?

MS. PSAKI: I believe that what I’ve conveyed most proactively here is our concern about those who helped facilitate this event —

QUESTION: Yes.

MS. PSAKI: — and make it into a propaganda platform.

QUESTION: Right. And —

QUESTION: Or a public asylum —

QUESTION: — the propaganda platform aside, free speech covers propaganda. Last time I checked, it covers a lot of things. And I don’t see, unless he’s somehow violated U.S. law by speaking at this – at the Russian – the transit line at the Russian airport, I don’t see why you would be disappointed in the Russians for, one, facilitating it, but also, apparently from what it sounds like, tried to discourage them from – tried to discourage this – them from allowing this event to take place in the – to take place at all.

MS. PSAKI: Well, Matt, this isn’t happening, clearly, because we wouldn’t be talking about it, in a vacuum. And this is an individual, as we all know, who has been accused of felony crimes in the United States. We have expressed strongly our desire to have him returned —

QUESTION: I understand.

MS. PSAKI: — to face those charges. This is all applicable context to these circumstances.

QUESTION: But as you have also said, he is a U.S. citizen.

MS. PSAKI: He is, yes.

QUESTION: He remains a U.S. citizen, and he enjoys certain rights as a U.S. citizen. One of those rights, from your point of view, is that he has the right to come back and face trial for the crimes he’s committed. But the rights that you’re not talking about are his right to free speech, his right to talk with whoever he wants to, freedom to assemble. I don’t understand why those rights are – why you ignore those and simply say that he has – that he’s welcome to come back to the United States to exercise his right to be tried by a jury of his peers. Why is that the only right that he gets, according to this Administration? [my emphasis]

As it happens, I read it about the same time i read this passage, from the government’s opposition to Basaaly Saeed Moalin’s challenge to the FISA-derived evidence against him (see this post for more background).

Moalin claims he was fargeted for FISC-authorized surveillance in violation of FISA’s stipulation that no United States person may be considered a foreign power or an agent of a foreign power solely on the basis of activities protected by the First Amendment. Docket No 92 at 18-19 (citing 50 U.S.C. §§ 1805(a)(2)(A), 1824(a)(2)(A)). Although protected First Amendment activities canot form the sole basis for FISC-authorized electronic surveillance or physical search, not all speech-related activities fall within the protection of the First Amendment. See infra at 70.

That is, when faced with limitations on surveillance based on First Amendment activities, the government claimed that not all speech is protected.

(Note, I’m not certain because the page numbers listed in this unclassified motion are to the pagination of the classified motion, but I believe that reference to speech that is not protected is redacted.)

That’s important because of the narrative the government presented in this motion (which is different from what Sean Joyce presented to the House Intelligence Committee — I believe both narratives are in fact badly misleading).

In the materials presented in this case, the government suggests FISA-authorized surveillance on Moalin’s calls with al-Shabaab warlord Aden Ayrow started, out of the blue, in December 2007, several months before al-Shabaab was listed as a Foreign Terrorist Organization. I’m not aware of any evidence it presents that precedes these calls. Yet these early calls show no evidence of criminal behavior.

Thus, the evidence suggests that merely calling someone considered a terrorist but whose group was not yet officially designated as such by the government makes one an agent of a foreign power.

Read more

The 8-FISA Judge 11-Docket Spying Authorization to Identify Less than $10,000 to Al-Shabaab

/8 Comments/in , /by

In a hearing last month, FBI Deputy Director Sean Joyce described a case in which the phone metadata database helped catch terrorists. (after 1:07)

Lastly, the FBI had opened an investigation shortly after 9/11. We did not have enough information, nor did we find links to terrorism, so we shortly thereafter closed the investigation. However, the NSA, using the business record FISA, tipped us off that this individual had indirect contacts with a known terrorist overseas. We were able to reopen this investigation, identify additional individuals through legal process, and were able to disrupt this terrorist activity.

While he didn’t name it, subsequent discussions of the case made it clear he meant Basaaly Saeed Moalin, a Somali-American convicted with three others in February for sending less than $10,000 to al-Shabaab (altogether Moalin was charged with sending $17,000 to Somalia, the balance of it to non-Shabaab figures the government claims are also terrorists).

Moalin’s lawyer Joshua Dratel unsuccessfully challenged the government’s use of material derived from FISA (the judge’s opinion rejecting the challenge has never been released). Yet even with that challenge, Dratel was never informed of the use of Section 215 in the case.

All that said, the government’s opposition to his challenge is utterly fascinating, even with huge chunks redacted. I’m going to do a weedy post on it shortly. But for now, I want to point to three indicia that reveal how much more complex this surveillance was than Joyce described to the House Intelligence Committee.

First, as part of the introduction, the government provided an (entirely redacted) Overview of the FISA Collection at Issue. While we have no idea how long that passage is, the government needed 9 footnotes to explain the collection (they are also entirely redacted). Similarly, a section arguing “The FISA Applications Established Probable Cause” has the following structure and footnotes (the content is entirely redacted):

[footnote to general material]

1.

a.

2.

a. [6 footnotes]

b.

i. [2 footnotes]

ii.

iii. [1 footnote]

iv. [2 footnotes]

v. [3 footnotes]

Now it may be that section 1 here pertains to physical collection, and section 2 pertains to electronic collection (both were used, though I suspect the physical collection was metaphorical in some way). But even there, there seem to be at least 6 and possibly far more orders involved, with two types of collection — perhaps one pertaining to bulk 702-style collection (most of the intercepts happened under Protect America Act) and the other to the use of Section 215.

Then, as part of a discussion about the minimization requirements tied to the application(s) involved, the government revealed 8 different FISC judges signed off on orders pertaining to the collection.

In order to fulfill the statutory requirements discussed above, the Attorney General has adopted standard minimization procedures for FISC-authorized electronic surveilance and physical search that are on file with the FISC and that are incorporated by reference into every relevant FISA application that is submitted to the FISC. As a result, the eight FISC judges who issued the orders authorizing the FISA collections at issue in this case found that the applicable standard minimization procedures met FISA’s statutory requirements. The FISC orders in the dockets at issue directed the Governent to follow the approved minimization procedures in conducting the FISA collection. [my emphasis]

But it appears this surveillance involved even more than 8 orders. In a section claiming that this surveillance is not complex, the government cited 11 sealed exhibits that include the dockets at issue.

There is nothing extraordinary about this case that would prompt the Court to be the first to order the disclosure of highly sensitive and classified FISA materials. Disclosure is not necessar for the Court to determine the legality of the collection. Here, the FISA dockets – at Sealed Exhibits 16-26 – are well-organized and easily reviewable by the Court in camera and ex parte. The Index of Materials in the Government’s Sealed Exhibit and this memorandum serve as a road map through the issues presented for the Court’s in camera and ex parte determination. The FISA materials contain ample information from which the Court can make an accurate determination of the legality of the FISA collection; indeed, they are “relatively straightforward and not complex.” [my emphasis]

15 footnotes addressing probable cause approved by 8 judges over 11 different dockets.

This is not a simple check of the phone database. (I’ll explain what I think actually happened with the surveillance we know about in a future post.)

Now, some of this clearly invokes the iterative approval of programmatic orders as described by Eric Lichtblau and the WSJ. The May 2006 opinion authorizing the use of Section 215 to collect phone records for every American surely is one of the authorizations cited. That opinion may rely on the 2004 one that authorized the use of Pen Register/Trap and Trace to collect all the Internet metadata in the country. I suspect there may be several orders authorizing collection on al-Shabaab and/or Somalia generally — one that precedes Protect America Act, one that collects under PAA, and probably one that collects under FISA Amendments Act (the key conversations took place in late 2007 through much of 2008). I suspect, too, there’s an order governing collection of all signals off some switch. Then there may be traditional FISA warrants to collect on Moalin and his co-conspirator Mohamud Abdi Yusuf (the other co-conspirators appear not to have been targets of collection).

Still, that only gets you to 8 dockets, even assuming they used a new one for Somalia each time.

“Relatively straightforward … not complex,” the government said, in arguing the defendant shouldn’t get a look at this jerry-rigged system of surveillance. And we still can’t see the logic Judge Jeffrey Miller used to agree with them.