Posts

How Many People Are Included in Contact Chaining with 27,090 Numbers?

I’ve decided that if I could have a nickel for every time I’ve said “I told the apologists so” as I’ve read these documents, I’d be Warren Buffett. But I don’t get a nickel for predicting the NSA is as bad as it is. So I could use your help to keep doing what I do.

One of the most stunning revelations from ODNI’s conference call with Officials Who Can’t Be Quoted Because They Might Be Lying is that only 11% of the numbers the NSA was comparing daily business record collections against should have been included.

Those numbers are presented in the government’s first response to Reggie Walton’s order for more information.

In short, the system was designed to compare both SIGINT and BR metadata against the identifiers on the alert list but only to permit alerts generated from RAS-approved identifiers to be used to conduct contact chaining [redacted] of the BR metadata. As a result, the majority of telephone identifiers compared against the incoming BR metadata in the rebuilt alert list were not RAS-approved. See id. at 4, 7-8. For example, as of January 15, 2009, the date of NSD’s first notice to the Court regarding this issue, only 1,935 of the 17,835 identifiers on the alert list were RAS-approved. (10-11)

This means that every day, the NSA was comparing names they thought maybe might could be terrorist numbers, as well as numbers they actually had reason to believe actually were, with all the phone records in the US to see if Americans were talking to these people. [Update: And to clarify, the 89% on the list who were “compared” to the daily business record take weren’t contact chained — NSA just checked to see if they should look further.]

As I said, per the Officials Who Can’t Be Quoted Because They Might Be Lying who gave today’s conference call, that’s as bad as it gets.

But it appears to get worse.

You see, as NSA was confessing all this to DOJ’s National Security Division, they were also cleaning up their lists (the January 15 numbers come from a week after NSD first got involved). And it appears that before they started their confessional process (in the days before Obama took over from George Bush), they had far more people on their list. And they were contact-chaining those numbers.

At the meeting on January 9, 2009, NSA and NSA also identified that the reports filed with the Court have incorrectly stated the number of identifiers on the alert list. Each report included the number of telephone identifiers purported on the alert list. See, e.g., NSA 120-Day Report to the FISC (Dec. 11, 2008), docket number BR 08-08 (Ex. B to the Government’s application in docket number BR 08-13), at 11 (“As of November 2, 2008, the last day of the reporting period herein, NSA had included a total of 27,090 telephone identifiers on the alert list . . . .”). In fact, NSA reports that these numbers did not reflect the total number of identifiers on the alert list; they actually represented the total number of identifiers included on the “station table” (NSA’s historical record of RAS determinations) as currently RAS-approved) (i.e., approved for contact chaining [redacted]

This appears to mean the NSA could (they don’t say whether they did) conduct chaining two or three degrees deep on all these potential maybe might could be terrorists.

If those 27,090 talked to 10 people in the US, and those 270,090 people in the US regularly talked to 40 people in the US, and those people talked to 40, then it would potentially incorporate 433 millio–oh wait! That’s more people than live in the US!

That is, there’s a potential that, by contact chaining that many people, this actually represented a comprehensive dragnet of all the networked relationships in the US until the days before Obama became President.

And they lied to Reggie Walton about it as they got their first real legal review of the program.

But honest, all this was really just unintentional.

Update: Later in the filing, the government admits they were doing more than 3 hops until early 2009.

Second, NSA is implementing software changes to its system that will limit to three the number of “hops” permitted from a RAS-approved seed identifier.

This means those 27,090 identifiers that were in use on November 1, 2008 (at which point it became clear Obama would win the election) could have been contact chained far deeper into American contacts. This makes it very likely that that “contact chaining” actually did include everyone in the US.

Shorter NSA: That We Discovered We Had No Fucking Clue How We Use Our Spying Is Proof Oversight Works

It’s fundraising week. Please donate if you can.

James Clapper’s office just released a bunch of documents pertaining to the Section 215 dragnet. It reveals a whole slew of violations which it attributes to this:

The compliance incidents discussed in these documents stemmed in large part from the complexity of the technology employed in connection with the bulk telephony metadata collection program, interaction of that technology with other NSA systems, and a lack of a shared understanding among various NSA components about how certain aspects of the complex architecture supporting the program functioned.  These gaps in understanding led, in turn, to unintentional misrepresentations in the way the collection was described to the FISC.  As discussed in the documents, there was no single cause of the incidents and, in fact, a number of successful oversight, management, and technology processes in place operated as designed and uncovered these matters.

More candidly it admits that no one at NSA understood how everything works. It appears they’re still not sure, as one Senior Official Who Refused to Back His Words admitted,

“I guess they have 300 people doing compliance at NSA.”

“I guess” is how they make us comfortable about their new compliance program.

Ultimately, this resulted in them running daily Section 215 collection on a bunch of numbers that–by their own admission–they did not have reasonable articulable suspicion had some tie to terrorism. When they got caught, that number consisted of roughly 10 out of 11 of the numbers they were searching on.

The rest of this post will be a working thread.

Update: Here is the Wyden/Udall statement. It strongly suggests that the other thing the government lied about — as referenced in John Bates’ October 3, 2011 opinion — was the Internet dragnet.

With the documents declassified and released this afternoon by the Director of National Intelligence, the public now has new information about the size and shape of that iceberg. Additional information about these violations was contained in other recently-released court opinions, though some significant information – particularly about violations pertaining to the bulk email records collection program – remains classified.

 

In addition to providing further information about how bulk phone records collection came under great FISA Court scrutiny due to serious and on-going compliance violations, these documents show that the court actually limited the NSA’s access to its bulk phone records database for much of 2009. The court required the NSA to seek case-by-case approval to access bulk phone records until these compliance violations were addressed. In our judgment, the fact that the FISA Court was able to handle these requests on an individual basis is further evidence that intelligence agencies can get all of the information they genuinely need without engaging in the dragnet surveillance of huge numbers of law-abiding Americans.


The original order required NSA to keep the dragnet on “a secure private network that NSA exclusively will operate.” Yet on the conference call, the Secret-Officials-Whose-Word-Can’t-Be-Trusted admitted that some of the violations involved people wandering into the data without knowing where they were. And an earlier violation made it clear in 2012 they found a chunk of this data that tech people had put on their own server.

The order also requires an interface with security limitations. Again, we know tech personnel access the data outside of this structure.

That order also only approves 7 people to approve queries. That number is now 22.

(9) We need to see a copy of the first couple of reports NSA gave to FISC with its reapplications to see how things got so out of control.

(10) This approval was signed by Malcolm Howard. Among other things he was in the White House during the Nixon-Ford transition period.


The original authorization for 215 was a hash. Reggie Walton got involved in 2008 and cleaned it up (though not convincingly) in this supplemental order. He relies, significantly, on the “any tangible thing” language passed in 2006. (2-3)


Keith Alexander’s Pizza Problem

We’re having a fundraiser this week. If you can help out, please do!

Shane Harris has a great piece on a bunch of people hanging Keith Alexander out to dry. It shows how Alexander has always grabbed for more data — at times not considering the legal basis for doing so — for ambitious, half-finished products that don’t yield results.

I’m particularly interested in this one:

When he ran INSCOM and was horning in on the NSA’s turf, Alexander was fond of building charts that showed how a suspected terrorist was connected to a much broader network of people via his communications or the contacts in his phone or email account.

“He had all these diagrams showing how this guy was connected to that guy and to that guy,” says a former NSA official who heard Alexander give briefings on the floor of the Information Dominance Center. “Some of my colleagues and I were skeptical. Later, we had a chance to review the information. It turns out that all [that] those guys were connected to were pizza shops.”

As I noted last month, the NSA’s primary order for the Section 215 program allows for technical personnel to access the data, in unaudited form, before the analysts get to it. They do so to identify “high volume identifiers” (and other “unwanted BR metadata”). As I said, I suspect they’re stripping the dataset of numbers that would otherwise distort contact chaining.

I suspect a lot of what these technical personnel are doing is stripping numbers — probably things like telemarketer numbers — that would otherwise distort the contact chaining. Unless terrorists’ American friends put themselves on the Do Not Call List, then telemarketers might connect them to every other American not on the list, thereby suggesting a bunch of harassed grannies in Dubuque are 2 degrees from Osama bin Laden.

I used telemarketers, but Alexander himself has used the example of the pizza joint in testimony.

In other words, it appears Alexander learned from his mistake at INSCOM that pizza joints do not actually represent a meaningful connection. His use of the example seems to suggest that NSA now strips pizza joints from their dataset.

But what if terrorists’ ties to a pizza joint are the most meaningful ones?
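The fan-out arithmetic in the 27,090-identifier post above and the high-volume-identifier stripping discussed here can be worked through together. This is an added example, not code from the original posts or from any NSA system: a hop-limited breadth-first search over constructed call records, run with and without one high-volume number. Every identifier, the degree threshold of 20 and all function names are assumptions made for illustration.

```python
from collections import deque

# Constructed call-detail records (caller, callee); every identifier is invented.
CALL_RECORDS = (
    [("seed", "alice"), ("seed", "bob"), ("seed", "pizza")]
    + [("pizza", f"cust{i}") for i in range(50)]        # the pizza shop's customers
    + [(f"cust{i}", f"friend{i}") for i in range(50)]   # one contact per customer
    + [("alice", "carol"), ("bob", "carol"), ("carol", "dave")]
)


def build_graph(call_records):
    """Undirected adjacency map: a call links both identifiers."""
    graph = {}
    for a, b in call_records:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def contact_chain(graph, seed, max_hops, excluded=frozenset()):
    """Return {identifier: hop distance} for everything within max_hops of seed.

    Identifiers in `excluded` are neither reported nor chained through,
    which models stripping them from the dataset before analysis.
    """
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue  # hop limit reached, do not expand further
        for peer in graph.get(node, ()):
            if peer in excluded or peer in dist:
                continue
            dist[peer] = dist[node] + 1
            queue.append(peer)
    return dist


def reach_by_hop(graph, seed, max_hops, excluded=frozenset()):
    """Cumulative count of identifiers swept in at 1, 2, ... max_hops."""
    dist = contact_chain(graph, seed, max_hops, excluded)
    return [sum(1 for d in dist.values() if 1 <= d <= h)
            for h in range(1, max_hops + 1)]


def high_volume_identifiers(graph, threshold):
    """Identifiers with at least `threshold` distinct contacts."""
    return {n for n, peers in graph.items() if len(peers) >= threshold}


def lost_by_stripping(graph, seed, max_hops, excluded):
    """Identifiers that drop out of the chain once `excluded` is stripped."""
    full = set(contact_chain(graph, seed, max_hops))
    stripped = set(contact_chain(graph, seed, max_hops, excluded))
    return full - stripped


def fanout_upper_bound(seeds, fanouts):
    """Worst-case reach if no contacts overlap: seeds times each hop's fan-out."""
    total = seeds
    for f in fanouts:
        total *= f
    return total


if __name__ == "__main__":
    g = build_graph(CALL_RECORDS)
    hubs = high_volume_identifiers(g, threshold=20)
    print("high-volume identifiers:", sorted(hubs))
    print("reach per hop, raw data:     ", reach_by_hop(g, "seed", 3))
    print("reach per hop, hubs stripped:", reach_by_hop(g, "seed", 3, hubs))
    print("dropped by stripping:", len(lost_by_stripping(g, "seed", 3, hubs)))
    # The post's scenario: 27,090 seeds, then 10, 40 and 40 contacts per hop.
    print("upper bound:", fanout_upper_bound(27090, [10, 40, 40]))
```

On this constructed graph one shared pizza number moves the three-hop set from 4 identifiers to 105, and stripping it also discards the seed's own direct link to that number.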


3 Tech Issues the Non-Technologist NSA Technical Committee Needs to Address

A number of people are asking why I’m so shocked that President Obama appointed no technologists for his NSA Review Committee.

Here are three issues that should be central to the Committee’s discussions that are, in significant part, technology questions. There are more. But for each of these questions, the discussion should not be whether the Intelligence Community thinks the current solution is the best or only one, but whether it is an appropriate choice given privacy implications and other concerns.

  • Whether the Intelligence Community can accomplish the goals of the Section 215 dragnet without collecting all US person metadata
  • Whether the NSA can avoid collecting Multiple Communication Transactions as part of upstream collection
  • How to oversee unaudited actions of technical personnel

These are just three really obvious issues that should be reviewed by the committee. And for all of them, it would be really useful for someone with the technical background to challenge NSA’s claims to be on the committee.

Whether the Intelligence Community can accomplish the goals of the Section 215 dragnet without collecting all US person metadata

One of the most contentious NSA practices — at least as far as most Americans go — is the collection of all US person phone metadata for the Section 215 dragnet. Yet even Keith Alexander has admitted — here in an exchange with Adam Schiff in a House Intelligence Committee hearing on June 18 — that it would be feasible to do it via other means, though perhaps not as easy.

REP. SCHIFF: General Alexander, I want to ask you — I raised this in closed session, but I’d like to raise it publicly as well — what are the prospects for changing the program such that, rather than the government acquiring the vast amounts of metadata, the telecommunications companies retain the metadata, and then only on those 300 or so occasions where it needs to be queried, you’re querying the telecommunications providers for whether they have those business records related to a reasonable, articulable suspicion of a foreign terrorist connection?


FISC Judges Should Threaten NSA with Criminal Prosecution More Often

This James Bamford description of NSA efforts to avoid criminal prosecution in a 1975 investigation convinced me to point to evidence that then FISA Chief Judge John Bates — who is normally fairly deferential to the Executive Branch — cowed the government with threats of criminal prosecution.

The story starts in the October 3, 2011 opinion. After having laid out how the government was collecting US person data from the switches, Bates noted that the government wanted to keep on doing so.

The government’s submissions make clear not only that the NSA has been acquiring Internet transactions since before the Court’s approval of the first Section 702 certification in 2008,15 but also that NSA seeks to continue the collection of Internet transactions.

Noting that this collection had been going on longer than the 3 years the government had been using Section 702 of the FISA Amendments Act to justify its collection likely references a time when the NSA — led by Keith Alexander as far back as 2005 — was collecting that US person information with no legal sanction whatsoever as part of Dick Cheney’s illegal program.

Then, in footnote 15, Bates notes that sharing such illegally collected information is a crime.

The government’s revelations regarding the scope of NSA’s upstream collection implicate 50 U.S.C. § 1809(a), which makes it a crime (1) to “engage[] in electronic surveillance under color of law except as authorized” by statute or (2) to “disclose[] or use[] information obtained under color of law by electronic surveillance, knowing or having reason to know that the information was obtained through electronic surveillance not authorized” by statute. See [redacted] (concluding that Section 1809(a)(2) precluded the Court from approving the government’s proposed use of, among other things, certain data acquired by NSA without statutory authority through its “upstream collection”). The Court will address Section 1809(a) and related issues in a separate order. [my emphasis]

Now, I’m particularly interested in the redacted text, because it appears some FISC judge has had to issue this threat in a past (still-redacted) opinion. That threat may have applied to this same upstream collection, but from the time before the government pointed to FAA to justify it (again, Alexander’s tenure would overlap into that illegal period).


As with Manning Leak, Snowden Leak Reveals DOD Doesn’t Protect Security

MSNBC has an update to the continuing saga of “Omigod the NSA has inadequate security.” It explains why the “thin client” system the NSA had (one source calls it 2003 technology) made it so easy for Edward Snowden to take what he wanted.

In a “thin client” system, each remote computer is essentially a glorified monitor, with most of the computing power in the central server. The individual computers tend to be assigned to specific individuals, and access for most users can be limited to specific types of files based on a user profile.

But Snowden was not most users.

[snip]

As a system administrator, Snowden was allowed to look at any file he wanted, and his actions were largely unaudited. “At certain levels, you are the audit,” said an intelligence official.

He was also able to access NSAnet, the agency’s intranet, without leaving any signature, said a person briefed on the postmortem of Snowden’s theft. He was essentially a “ghost user,” said the source, making it difficult to trace when he signed on or what files he accessed.

If he wanted, he would even have been able to pose as any other user with access to NSAnet, said the source.

The story goes on to note that being in Hawaii would have allowed Snowden to access Fort Meade’s computers well after most users were gone.

I’m particularly interested in the assertion that Snowden could pose as any other user with access to NSAnet.

Any other user. Presumably, that includes at least Cybercommander Keith Alexander’s aides.

In a world in which the NSA is increasingly an offensive organization, certain figures within NSA would be engaged in some very interesting communications and compartments, I’d imagine.

Ah well. The US won’t learn. They’ll continue to neglect these holes until someone publicly demonstrates their negligence, all the while leaving them open for whatever paid agents of foreign governments choose to exploit them.

Laura Poitras Chips at the Terrorism Lie

Laura Poitras has another piece in Spiegel laying out NSA’s spying on diplomats — this time focusing on how NSA acquired blueprints of the new EU building in NYC to facilitate tapping it all.

To a significant degree, Poitras lays out how the NSA does what other countries at least try to do as well. While the US has certain advantages in conducting such spying (like having the UN headquartered in NYC and dominating telecom infrastructure), in principle it is assumed spy agents will spy on senior people from other countries.

But a key point of Poitras’ piece is that top officials — up to and including President Obama — have led the American people to believe all this spying focuses only on terrorism. Indeed, she points to a line of the speech Obama gave a few weeks back that suggested terrorism was the only reason the government conducted this dragnet (this is the full quote — Poitras breaks up the quote into two; I think it is slightly more ambiguous but at the same time more assertive like this).

I think the main thing I want to emphasize is I don’t have an interest and the people at the NSA don’t have an interest in doing anything other than making sure that where we can prevent a terrorist attack, where we can get information ahead of time, that we’re able to carry out that critical task. We do not have an interest in doing anything other than that.

This was a response to a journalist’s question, not part of Obama’s prepared speech. Nevertheless, the President stood up publicly and claimed that the NSA does not “have an interest in doing anything other than … prevent[ing] a terrorist attack.”

That is a false statement.

Had Obama said preventing terrorism was one of several primary goals, the reported sole focus of the US person phone records dragnet, had he said that he and the NSA have other interests, it might be a fair comment. But it is not the case that the only interest of the NSA is to find advance intelligence on potential terrorist attacks.

And, as Poitras also points out, Obama made these comments in an effort to make people trust the dragnet. The comment came in direct response to a question about trust.

I wanted to ask you about your evolution on the surveillance issues. I mean, part of what you’re talking about today is restoring the public trust. And the public has seen you evolve from when you were in the U.S. Senate to now. And even as recently as June, you said that the process was such that people should be comfortable with it, and now you’re saying you’re making these reforms and people should be comfortable with those. So why should the public trust you on this issue, and why did you change your position multiple times?

And it came in a speech where Obama talked about trust a number of times, including offering his asinine dishwashing metaphor.

Q Can you understand, though, why some people might not trust what you’re saying right now about wanting to —

THE PRESIDENT: No, I can’t.

Q — that they should be comfortable with the process?

THE PRESIDENT: Well, the fact that I said that the programs are operating in a way that prevents abuse, that continues to be true, without the reforms. The question is how do I make the American people more comfortable.

If I tell Michelle that I did the dishes — now, granted, in the White House I don’t do the dishes that much — (laughter) — but back in the day — and she’s a little skeptical, well, I’d like her to trust me, but maybe I need to bring her back and show her the dishes and not just have her take my word for it.

And so the program is — I am comfortable that the program currently is not being abused. I’m comfortable that if the American people examined exactly what was taking place, how it was being used, what the safeguards were, that they would say, you know what, these folks are following the law and doing what they say they’re doing.

But it is absolutely true that with the expansion of technology — this is an area that’s moving very quickly — with the revelations that have depleted public trust, that if there are some additional things that we can do to build that trust back up, then we should do them. [my emphasis]

Obama suggests Snowden’s revelations — and not his, James Clapper’s, and Keith Alexander’s lies about the programs — have chipped away at trust. In a press conference in which Obama falsely claimed this was solely about terrorism.

If Obama and everyone else want to start rebuilding credibility, they need to stop lying, and get rid of the more substantive liars like Clapper and Alexander. But they also need to square with the American people about what this dragnet is for. Congress has repeatedly rejected internet-based surveillance to protect Hollywood IP and to socialize the private cybersecurity risk of corporate owners of critical infrastructure. Even Congress doesn’t approve the use of this technology for some applications.

And until the government stops pretending this is exclusively about terrorism, and stops pretending that terrorism is an existential threat or even the country’s greatest one, it will continue to lose credibility.

Keith Alexander’s Dinner Theater

A bunch of people have been discussing Stanford Professor Jennifer Granick’s account of a dinner she had with NSA Director and CyberCommander Keith Alexander. The main storyline describes how, three weeks ago, Lying Keith promised Granick that seeing the Primary Order for the Section 215 dragnet would make her more comfortable with the program.

It didn’t work out how Lying Keith might have liked.

I had a chance to read the Primary Order the next day, and rather than reassure, it raised substantial concerns.  First, it did not set forth any legal basis for the phone record collection, which Christopher Sprigman and I have argued is illegal.  Second, it confirmed that the FISA court does not monitor compliance with its limitations on the collection program, a problem that, according to a former FISA court judge, is endemic to NSA surveillance programs.

If that weren’t already enough, seeing the FISA Court order released earlier this week, with its revelation that — at least until 2009 — the safeguards on the dragnet program never functioned at all, really ruined Alexander’s efforts to make her feel better.

I remembered our conversation about the Primary Order yesterday while reading the newly declassified FISA court opinion that tangentially raised the phone records surveillance program.  According to the court in 2011, NSA was flagrantly disregarding the dictates of the Primary Order anyway:

[T]he Court concluded that its authorization of NSA’s bulk acquisition of telephone call detail records … in the so-called “big business records” matter “ha[d] been premised on a flawed depiction of how the NSA uses [the acquired] metadata” and that “[t]his misperception by the FISC existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government’s submissions and despite a government-devised and Court-mandated oversight regime.” … Contrary to the government’s repeated assurances, NSA had been routinely running queries of the metadata using querying terms that did not meet the required standard for querying.  The Court concluded that this requirement has been “so frequently and systemically violated that it can fairly be said that this critical element of the overall … regime has never functioned effectively.” (Footnote 14)

How does a good man sit across you from the dinner table and assure you the government is properly constrained, when in reality it lies and disregards even the most anemic purported safeguards?

Granick is far more polite than I am — because my conclusion here would be “a good man doesn’t spin you like this.”

But there’s one further bit of spin she doesn’t mention explicitly. Alexander — as he has done repeatedly since Snowden’s documents started leaking — pretended this was all about terrorism.

I have no doubt that Gen. Alexander loves this country as much as I do, or that his primary motivation is to protect our nation from terrorist attacks. “Never again,” he said over dinner.

[snip]

The General seemed convinced that if only I knew what he knew, I would agree with him. He urged me to visit Pakistan, so that I would better understand the dangers America faces.  I responded that one of my longest-standing friends has relatives there and visits regularly, maybe she would take me.  I did not miss his point, and he did not miss mine.

I’m not saying this isn’t, partly, about terrorism. But if that’s all he’s doing, Alexander can roll up his CyberCommand, all the programs targeting Iran, and more generalized cyberdefense: the things that, until these leaks, were considered more urgent issues. Once again, Alexander wants to use terror terror terror to justify a dragnet that (for the content side) targets far more broadly than just terror.

I asked Granick about this, and she said Alexander said “surprisingly little” about cybersecurity — perhaps just a comment about applying the rules of armed conflict to cyberwar.

As with his audience at BlackHat, Alexander here was talking to someone that Stanford considers an expert on cybercrime and cybersecurity. All differences of opinion about the phone dragnet aside, he should have spent his dinner with Granick discussing ways to accomplish the objectives of cybersecurity most effectively.

[A]s we go into cyber and look at–for cyber in the future, we’ve got to have this debate with our country. How are we going to protect the nation in cyberspace?

… Alexander claimed when speaking to a group that stood to get rich off of cybersecurity.

And yet, once again, when presented an opportunity to have that debate with one of the experts he needs to win over, Alexander cowered from the debate.

Both These Things Cannot Be True

Last Friday, NSA’s Compliance Director John DeLong assured journalists the violations NSA reported in 2012 were “minuscule.” (I noted that the report showed some of the most sensitive violations primarily get found through audits and therefore their discovery depends in part on how many people are auditing.)

Today, as part of a story describing that NSA still doesn’t know what Edward Snowden took from NSA, MSNBC quotes a source saying NSA has stinky audit capabilities.

Another said that the NSA has a poor audit capability, which is frustrating efforts to complete a damage assessment.

(We’ve long known this about NSA’s financial auditing function, and there have long been signs they couldn’t audit data either, but apparently MSNBC’s source agrees.)

For the past several months, various Intelligence officials have assured Congress and the public that the NSA keeps US person data very carefully guarded, so only authorized people can access it.

Today, MSNBC reports NSA had (has?) poor data compartmentalization.

NSA had poor data compartmentalization, said the sources, allowing Snowden, who was a system administrator, to roam freely across wide areas.

Again, there have long been signs that non-analysts had untracked access to very sensitive data. Multiple sources agree — and possibly not just non-analysts.

While I’m really sympathetic for the people who are reportedly “overwhelmed” trying to figure out what Snowden took, we’re seeing precisely the same thing we saw with Bradley Manning: that it takes a giant black eye for intelligence agencies to even admit to gaping holes in their security and oversight.

And in NSA’s case, it proves most of their reassurances to be false.

More Notice Problems in the 215 Dragnet White Paper

According to the 2009 Draft NSA IG Report, the telecoms asked for some kind of order for the telecom dragnet collection in 2005, just after the NYT revealed the illegal wiretap program.

After the New York Times article was published in December 2005, Mr. Potenza stated that one of the PSP providers expressed concern about providing telephone metadata to NSA under Presidential Authority without being compelled. Although OLC’s May 2004 opinion states that NSA collection of telephony metadata as business records under the Authorization was legally supportable, the provider preferred to be compelled to do so by a court order.

At least for the beginning of 2006, the government responded to these concerns with a letter from Alberto Gonzales.

On 24 January 2006, the Attorney General sent letters to COMPANIES A, B, and C, [AT&T, Verizon, and MCI] certifying under 18 U.S.C. 2511 (2)(a)(ii)(B) that “no warrant or court order was or is required by law for the assistance, that all statutory requirements have been met, and that the assistance has been and is required.

The court first signed an order authorizing the collection of phone metadata on May 24, 2006 — 76 days after Congress had passed the reauthorization of the PATRIOT Act with the new “relevant to” language.

The FISC signed the first Business Records Order on 24 May 2006. The order essentially gave NSA the same authority to collect bulk telephony metadata from business records that it had under the PSP. And, unlike the PRTT, there was no break in collection at transition.

But according to the March 2008 DOJ IG Report on Section 215 use, DOJ’s Office of Intelligence Policy and Review was briefing changes to at least some of the use of Section 215 that would be implemented by the reauthorization before PATRIOT was reauthorized.

OIPR determined that substantive amendments to the statute undermined the legal basis for which OIPR had received authorization [redacted] from the FISA Court. Therefore, OIPR decided not to request [redacted] pursuant to Section 215 until it re-briefed the issue for the FISA Court.24

24 OIPR first briefed the issue to the FISA Court in February 2006, prior to the Reauthorization Act.

The import of the new “relevant to” may well have been the substantive change in question; so this February briefing may have been the start of stripping “relevant to” of all meaning.

Ron Wyden seems to want the government to admit this first court authorization just approved dragnet collection already going on.

When he and 25 other Senators sent James Clapper some questions about Section 215, they asked how long the NSA was conducting dragnet collection under the PATRIOT Act (which remember also includes the PW/TT statute used for the Internet dragnet).

How long has the NSA used PATRIOT Act authorities to engage in bulk collection of Americans’ records? Was this collection under way when the law was reauthorized in 2006?

And Wyden called out Clapper when he refused to answer.

In addition, the intelligence community’s response fails to indicate when the PATRIOT Act was first used for bulk collection, or whether this collection was underway when the law was renewed in 2006.

Was the government using National Security Letters to collect this information between the NYT scoop and the FISC authorization, I wonder?

In any case, we know the government was collecting phone metadata going back years, we know the government was discussing changes instituted by PATRIOT reauthorization in February 2006, and we know the FISC approved using Section 215 for a phone dragnet in May 2006.

In an interview published yesterday, Ron Wyden (who had already been on the Senate Intelligence Committee for several years in 2006) revealed when he first learned about the phone dragnet.

You went from supporting the Patriot Act in 2001 to pushing relentlessly for its de-authorization. What was the tipping point?
My concerns obviously deepened when I first learned that the Patriot Act was being used to justify the bulk collection of Americans’ records, which was in late 2006 or early 2007.

In other words, the government didn’t get around to briefing all of the Intelligence Committee about this collection until months after it started, and possibly up to a year after they first briefed related issues to the FISC.

Here’s how the White Paper turns that unforgivable delay into a boast.

Moreover, in early 2007, the Department of Justice began providing all significant FISC pleadings and orders related to this program to the Senate and House Intelligence and Judiciary committees. By December 2008, all four committees had received the initial application and primary order authorizing the telephony metadata collection. Thereafter, all pleadings and orders reflecting significant legal developments regarding the program were produced to all four committees.

Translation: The Executive Branch stalled for an impermissibly long period of time after this dragnet started before briefing even the Intelligence Committee. And while we might blame the Bush Administration, remember that Keith Alexander was already running the dragnet by this period.

So not only didn’t the government tell Congress it was using PATRIOT to conduct dragnet collection of Internet metadata when it reauthorized it in 2006, but it didn’t even tell all members of SSCI until well after the phone dragnet moved under PATRIOT as well.