Posts

About HR 3361, the NSA Surveillance Efficiency Act, AKA USA Freedom Act

The House Intelligence Committee passed a bill out of its committee Thursday, HR 3361, that will reportedly solve a problem (or problems) the NSA has been struggling with since 2009. The bill will now move to the full House for a vote.

The public — and surely a great majority of members of Congress — have no idea precisely what problem this bill will solve is: planted leaks suggest it has to do with difficulties dealing with cell phone records, perhaps because they include location data. If that is part of the problem, then it’s a fairly recent development, perhaps arising after US v. Jones raised new concerns about the legality of collecting location data without a warrant. There’s also the presumably-related issue of an automated query function; NSA has been struggling to resume that function since its alert function got shut down as a legal violation in 2009. The ability to tie multiple identities from the same person together as NSA runs those alerts may be a related issue.

The bill has not been reported as a fix for NSA’s long-term legal and technical struggles (though LAT’s Ken Dilanian has asked why civil liberties groups are so happy about this given that it will expose more data to NSA collection). Rather, it has been called the USA Freedom Act and reported as a reform of the phone dragnet program, a successful effort to “end” “bulk collection.”

The bill does have the critically important effect of ending the government’s practice of collecting and storing some significant portion of all US call records, beyond whatever US person call records it collects overseas. That, by itself, is the equivalent of defusing a nuclear bomb. It is a very important improvement on the status quo.

It remains entirely unclear — and unexamined, as far as I can tell — whether the bill will increase or decrease the number of entirely innocent Americans who will be subjected to the full range of NSA’s analytical tradecraft because they got swept up based on the guilt by association principle behind contact-chaining, or whether the bill will actually expose more kinds of US person records to the scrutiny of the NSA.

The bill the press is calling USA Freedom Act may also — though we don’t know this either — have the salutary benefit of changing the way the NSA currently collects data under other Section 215, Pen Register, and NSL collection efforts.  The bill requires that all Section 215 (both call record and otherwise), Pen Register, and NSL queries be based on a specific selection term that remains vaguely defined (a definition the House Intelligence Committee considered eliminating before Thursday’s hearing). But it remains unclear how much that rule — even ignoring questions about the definition — will limit any current practices. At Wednesday’s hearing Bob Goodlatte said the bill “preserves the individual use of Section 215 under the existing relevancy standard for all business records,” and at least for several NSL authorities, the new “restrictions” almost certainly present no change (and another NSL authority, the Right to Financial Privacy Act, uses the same “entity” language the bill definition does, suggesting it is unlikely to change either). Plus, at least according to DOJ’s public claims and court filings, it ended the bulk domestic collection under PRTT in 2011. So the language “ending” “bulk collection” may do no more than make it harder for FBI to construct its own phone books of phone company and ISP subscribers using NSLs, if it does even that.

What the bill doesn’t do — because this part of the bill was stripped as part of the compromise — is provide the Intelligence Community’s oversight committees detailed reports of what kind of records the government obtains under Section 215 (and for what agencies), and how many Americans are subject to all the FISA authorities, including Section 215. That is, the compromise eliminated the one thing that could measure whether the bill really did “end” “bulk collection” as you or I would understand it. In its stead, the bill largely codifies an existing reporting agreement that AT&T has already demonstrated to be completely deceptive. In Wednesday’s hearing, Zoe Lofgren called provider reporting “the canary in the coal mine” the committee would rely on to understand what collection occurred.

So this bill that “ends” “bulk collection” still prevents us, or even the oversight committees working in our name, from learning whether it does so.

It does, however, have some interesting features, given its other purpose of solving one or more challenges facing the NSA.

The first of those is immunity.

No cause of action shall lie in any court against a person who produces tangible things or provides information, facilities, or technical assistance pursuant to an  order issued or an emergency production required under this section. 

This is another part of the bill the underlying reasons for which the public, and probably much of Congress, doesn’t understand. At one level, it seems to immunize the process that may have telecoms playing a role the NSA previously did, analyzing the data; it may also pertain to providing NSA access to the telecoms’ physical facilities. But given the background to the move to telecoms — NSA’s legal-technical problems dealing with cell phone data because it ties to location — it is possible the immunity gives the telecoms protection if they use but don’t turn over data they have already, such as location data or even Internet metadata, to perform the interim analysis.

Consider how the bill describes the call record query process.

[T]he Government  may require the production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using the results of the production under subclause (I) as the basis for production;

So a 2-hop query goes from a “specific selection term” to “the results of the production” to the “call detail record” handed over to the government. While the definition of call detail records clearly prohibits the final production to the government of either content or cell location, nothing in this process description prevents the telecoms from using such things (most Internet metadata is legally content to the telecoms) in that interim hop; indeed, the “results of the production under subclause (I)” available to the telecoms almost certainly would include some of this information, particularly for smart phones. We know the Hemisphere program (the AT&T-specific program for the DEA) uses cell location in its analysis. Remember, too, how NSA is gobbling up smart phone data (including things like address books) in overseas programs; this may permit analysis of similar data — if not collection of it — domestically.  So at the very least, this scheme seems to give the NSA access to cell location and possibly a whole lot more data for analysis they otherwise couldn’t get (which David Sanger’s sources confirm).

And consider two more details from Wednesday’s House Judiciary hearing. At it, Lofgren repeated a list of business records the government might obtain under Section 215 she got Deputy Attorney General James Cole to confirm at an earlier hearing. It includes:

  • ATM photos
  • location where phone calls made
  • credit card transactions
  • cookies
  • Internet searches
  • pictures captured by CCTV cameras

So long as the word “entity” in the definition of specific selection term remains undefined, so long as FISC precedents permit the tapping of entire circuits in the name of collecting on an entity, the government may still be able to collect massive amounts of this data, not actually targeted at a suspect but rather something defined as an entity (in both the existing 215 program and the new call records one the bill retains the “relevant to” language that has been blown up beyond meaning).

Finally, consider what happened with Lofgren’s last attempted amendment. After having submitted a number of other failed amendments, Lofgren submitted an amendment to fix what she called an inadvertent error in the manager’s amendment specifically prohibiting the collection of content under Section 215.

I believe this amendment fixes — at least I hope — an error that was created in the manager’s amendment that I cannot believe was intended. As you know we have specified that the content is not included in business records. This amendment clarifies that business records do not include the content of communication. We specify that in the new section about call detail records, but but the specification that content was not included somehow got dropped out of the business records section. It was included in your original bill but it didn’t make it into the manager’s amendment. I think this amendment clarifies the ambiguity that could be created and I hope it was not intentional.

This is a problem I pointed out here.

Almost without missing a beat after she introduced this, Jim Sensenbrenner recessed the hearing, citing votes. While there were, in fact, votes, Luis Pierluisi (who cast the decisive vote in favor of an amendment to redefine counterintelligence) and possibly Lofgren got a lecture at the break about how any such amendments might blow up the deal the Committee had with Mike Rogers and HPSCI. After the break, Lofgren withdrew the amendment, expressing hope it could be treated as a clerical fix.

That purported error was not fixed before HPSCI (which explicitly permitted the collection of content under its bill) voted out the bill.

Perhaps it will be “fixed” before it comes to the floor.

But if it doesn’t, it may expand (or, given Lofgren’s stated concerns about what records Section 215 might cover, sustain) the use of Section 215 to collect content, not just metadata. Imagine the possibility this gets yoked to expanded analysis at telecoms under the new CDR program?

We don’t know. This bill has gotten past two committees of Congress (we didn’t get to see any of the debate at HPSCI) without these details becoming clear. But the questions raised by this bill when you consider it as the fix to one or more problems the NSA has been struggling with, it does raise real questions.

Again, I don’t want to make light of the one thing we know this bill will do — take a database showing all phone-based relationships in the country out of NSA’s hands. That eliminates an intolerably risky program. That is an important fix.

But that shouldn’t lead us to ignore the potential expansion of spying that may come with this bill.