
Wyden and Udall: They’re Blowing Smoke about Phone and Other Bulk Record Safety

When I wrote about the letter from Ron Wyden, Mark Udall, and 24 other Senators to James Clapper a month ago, I focused on the specter that Section 215 would be used to collect gun records (in response to which, the NRA let its political guns drop from flaccid fingers).

Given yesterday’s response from Wyden and Udall to Clapper’s response, I should have focused on this passage:

Senior officials have noted that there are rules in place governing which government personnel are allowed to review the bulk phone records data and when. Rules of this sort, if they are effectively enforced, can mitigate the privacy impact of this large-scale data collection, if they do not erase it entirely. Furthermore, over its history the intelligence community has sometimes failed to keep sensitive information secure from those who would misuse it, and even if these rules are well-intentioned they will not eliminate all opportunities for abuse.

In response to that passage, Clapper spent one paragraph talking about when the government can access this data and another describing the oversight over it, including,

Implementation of the program is regularly reviewed not only by NSA, but by outside lawyers from the Department of Justice and by my office, as well as by Inspectors General. The Executive Branch reports all compliance incidents on to the FISC.

Later, in response to a question specifically about violations, Clapper wrote,

Since the telephony metadata collection program under section 215 was initiated, there have been a number of compliance problems that have been previously identified and detailed in reports to the Court and briefings to Congress as a result of Department of Justice reviews and internal NSA oversight. However, there have been no findings of any intentional or bad-faith violations.

These problems generally involved human error or highly sophisticated technology issues related to NSA’s compliance with particular aspects of the Court’s orders. As required, those matters, including details and appropriate internal remedial actions, are reported to the NSA’s Inspector General, the Department of Justice, the Office of the Director of National Intelligence, the FISC and in reports provided to Congress and other oversight organizations.

To which Wyden and Udall insisted,

Their [in context, probably meaning NSA’s, though they did not specify] violations of the rules for handling and accessing bulk phone information are more troubling than have been acknowledged and the American people deserve to know more details.

Now, there are a couple of different things going on here.

First, as Wyden and Udall also note, Clapper didn’t answer their question, “How long has the NSA used the PATRIOT Act authorities to engage in bulk collection of Americans’ records? Was this collection underway when the law was reauthorized in 2006?” Clapper instead answered how long NSA was using Section 215 to get telephony metadata, answering May 2006. But we know that collection was briefed before passage of the PATRIOT reauthorization, and it appears the government used a kluged hybrid order to get it from at least the time the illegal program was revealed in 2005 until the reauthorization passed.  So this earlier use may implicate earlier violations.

Nevertheless, what Clapper claims to be human error seems to be something more, the querying of records pertaining to phone numbers that aren’t clearly terrorists (or Iranians).

And given the revelation the government has gone three hops deep into this data, the reference to “highly sophisticated technology issues” suggests more sophisticated data mining than a game of half-Bacon.

Finally, one more thing. In the debate over the Amash-Conyers amendment the other day, House Intelligence Chair Mike Rogers also boasted of the controls that — according to Wyden and Udall — have proven insufficient. But in the process of boasting, he admitted other agencies have less effective oversight than the NSA.

It is that those who know it best support the program because we spend as much time on this to get it right, to make sure the oversight is right. No other program has the legislative branch, the judicial branch, and the executive branch doing the oversight of a program like this. If we had this in the other agencies, we would not have problems. [my emphasis]

When Wyden and Udall asked this question originally, they asked specifically, “Have there been any violations of the court orders permitting this bulk collection, or of the rules governing access to these records?” While most of their questions specified NSA, that one didn’t. The FBI, not NSA, is the primary user of Section 215, though it shares its counterterrorism (and counterespionage) data with the National Counterterrorism Center.

And even Mike Rogers appears to believe “the other agencies” have problems with this kind of data.

All of which seems to suggest there have been serious problems with the NSA’s use of the phone record dragnet. But there have been even more serious problems with bulk records on other subjects as used by other agencies.

What will John Brennan do, Suspend his operations?

Brennan with Torture

These with a thousand small deliberations

Protract the profit of their chilled delirium,

Excite the membrane, when the sense has cooled,

With pungent sauces, multiply variety

In a wilderness of mirrors. What will the spider do,

Suspend its operations, will the weevil

Delay?

–T.S. Eliot, Gerontion

This image — captioned, “President Barack Obama talks with CIA Director John Brennan, center, and Chief of Staff Denis McDonough in a West Wing hallway of the White House, May 10, 2013” — may officially be my new favorite official White House photograph.

I first learned of it when Katherine Hawkins pointed to this MuckRock FOIA request, which noted that the document in Brennan’s hand was titled, “The Central Intelligence Agency’s Response to The Senate Select Committee on Intelligence Study of the CIA’s Detention and Interrogation Program.”

In other words, John Brennan was speaking to Obama and the Chief of Staff about CIA’s complaints about the SSCI Torture Report on May 10. And White House photographer Pete Souza had framed the event amidst reflections and dark lighting that would make even James Jesus Angleton weep.

I’m fond of the photo, too, for what it shows.

As you recall, SSCI’s torture report was completed last December. CIA was initially supposed to respond to SSCI about the report by February 15, but that got held up, in part, because of Brennan’s confirmation, during which he appeared to avoid reading the report to avoid saying anything about it before being confirmed. Almost immediately after Brennan was confirmed, the CIA started leaking about how much they didn’t like it (even while claiming they still hadn’t finished reviewing the document). It turns out those leaks were factually incorrect. On April 11, Brennan was still stalling about the content of the review and completely ignoring any possibility it would be released publicly (though he had spoken with Dianne Feinstein and Saxby Chambliss earlier that week about it). On May 1, Mark Udall got shrill, advising the President he could “excise the demons” of torture by releasing the report. On May 7, CIA was still compiling its “defiant” response to the report; National Security Council Spokesperson Caitlin Hayden told me the White House was still reviewing the document. Also on May 7, a collection of human rights organizations called on the White House to appoint someone to oversee the release of the report.

3 days later, Brennan was in the White House with a report on CIA’s complaints about the report, all written up.

But here’s the thing: that meeting was May 10. It was almost 7 weeks later before Brennan would present that report (again with leaks about how inaccurate millions of CIA cables are) — in the company of Joe Biden — to Dianne Feinstein and Saxby Chambliss (though there were reports that they ended up discussing other issues instead).

CIA has had its complaints all typed up for over two months now. And the only sign of any discussion about declassifying the report that describes how many lies CIA told about this program is Feinstein’s request to Jim Comey in his confirmation hearing that he would read it, which by itself seems a concession that we all won’t get to.

So did the White House decide not to release the report two months ago and just never tell us all?

In These Times We Can’t Blindly Trust Government to Respect Freedom of Association

One of my friends, who works in a strategic role at American Federation of Teachers, is Iranian-American. I asked him a few weeks ago whom he called in Iran; if I remember correctly (I’ve been asking a lot of Iranian-Americans whom they call in Iran) he said it was mostly his grandmother, who’s not a member of the Republican Guard or even close. Still, according to the statement that Dianne Feinstein had confirmed by NSA Director Keith Alexander, calls “related to Iran” are fair game for queries of the dragnet database of all Americans’ phone metadata.

Chances are slim that my friend’s calls to his grandmother are among the 300 identifiers the NSA queried last year, unless (as is possible) they monitored all calls to Iran. But nothing in the program seems to prohibit it, particularly given the government’s absurdly broad definitions of “related to” for issues of surveillance and its bizarre adoption of a terrorist program to surveil another nation-state. And if someone chose to query on my friend’s calls to his grandmother, using the two-degrees-of-separation query they have used in the past would give the government — not always the best friend of teachers unions — a pretty interesting picture of whom the AFT was partnering with and what it had planned.

In other words, nothing in the law or the known minimization rules of the Business Records provision would seem to protect some of the AFT’s organizational secrets just because they happen to employ someone whose grandmother is in Iran. That’s not the only obvious way labor discussions might come under scrutiny; Colombian human rights organizers with tangential ties to FARC are just one other example.

When I read labor organizer Louis Nayman’s “defense of PRISM,” it became clear he’s not aware of many details of the programs he defended. Just as an example, Nayman misstated this claim:

According to NSA officials, the surveillance in question has prevented at least 50 planned terror attacks against Americans, including bombings of the New York City subway system and the New York Stock Exchange. While such assertions from government officials are difficult to verify independently, the lack of attacks during the long stretch between 9/11 and the Boston Marathon bombings speaks for itself.

Keith Alexander didn’t say NSA’s use of Section 702 and Section 215 have thwarted 50 planned attacks against Americans; those 50 were in the US and overseas. He said only around 10 of those plots were in the United States. That works out to be less than 20% of the attacks thwarted in the US just between January 2009 and October 2012 (though these programs have existed for a much longer period of time, so the percentage must be even lower). And there are problems with three of the four cases publicly claimed by the government — from false positives and more important tips in the Najibullah Zazi case, missing details of the belated arrest of David Headley, to bogus claims that Khalid Ouazzani ever planned to attack NYSE. The sole story that has stood up to scrutiny is some guys who tried to send less than $10,000 to al-Shabaab.

While that doesn’t mean the NSA surveillance programs played no role, it does mean that the government’s assertions of efficacy (at least as it pertains to terrorism) have proven to be overblown.

Yet from that, Nayman concludes these programs have “been effective in keeping us safe” (given Nayman’s conflation of US and overseas, I wonder how families of the 166 Indians Headley had a hand in killing feel about that) and defends giving the government legal access (whether they’ve used it or not) to — among other things — metadata identifying the strategic partners of labor unions with little question.

And details about the success of the program are not the only statements made by top National Security officials that have proven inaccurate or overblown. That’s why Nayman would be far better off relying on Mark Udall and Ron Wyden as sources for whether or not the government can read US person emails without probable cause than misstating what HBO Director David Simon has said (Simon said that entirely domestic communications require probable cause, which is generally but not always true). And not just because the Senators are actually read into these programs. After the Senators noted that Keith Alexander had “portray[ed] protections for Americans’ privacy as being significantly stronger than they actually are” — specifically as it relates to what the government can do with US person communications collected “incidentally” to a target — Alexander withdrew his claims.

Nayman says, “As people who believe in government, we cannot simply assume that officials are abusing their lawfully granted responsibility and authority to defend our people from violence and harm.” I would respond that neither should we simply assume they’re not abusing their authority, particularly given evidence those officials have repeatedly misled us in the past.

Nayman then admits, “We should do all we can to assure proper oversight any time a surveillance program of any size and scope is launched.” But a big part of the problem with these programs is that the government has either not implemented or refused such oversight. Some holes in the oversight of the program are:

  • NSA has not said whether queries of the metadata dragnet database are electronically recorded; both SWIFT and a similar phone metadata program queries have been either sometimes or always oral, making them impossible to audit

Wyden and Udall: As with Torture, Intelligence Committee Lies about Efficacy

Mark Udall and Ron Wyden have persistently repeated one of the findings from the Senate Intelligence Committee torture report: the CIA gave inaccurate information about the program, and it wasn’t very effective.

So it’s unsurprising that they would go beyond their past questions whether the Section 215 dragnet of US person call records is effective to make it clear they had pushed for the Internet metadata program to be ended because it, too, is ineffective.

We are quite familiar with the bulk email records collection program that operated under the USA Patriot Act and has now been confirmed by senior intelligence officials. We were very concerned about this program’s impact on Americans’ civil liberties and privacy rights, and we spent a significant portion of 2011 pressing intelligence officials to provide evidence of its effectiveness. They were unable to do so, and the program was shut down that year.

[snip]

Intelligence officials have noted that the bulk email records program was discussed with both Congress and the Foreign Intelligence Surveillance Court. In our judgment it is also important to note that intelligence agencies made statements to both Congress and the Court that significantly exaggerated this program’s effectiveness. This experience demonstrates to us that intelligence agencies’ assessments of the usefulness of particular collection programs – even significant ones – are not always accurate. This experience has also led us to be skeptical of claims about the value of the bulk phone records collection program in particular.

We believe that the broader lesson here is that even though intelligence officials may be well-intentioned, assertions from intelligence agencies about the value and effectiveness of particular programs should not simply be accepted at face value by policymakers or oversight bodies any more than statements about the usefulness of other government programs should be taken at face value when they are made by other government officials. It is up to Congress, the courts and the public to ask the tough questions and press even experienced intelligence officials to back their assertions up with actual evidence, rather than simply deferring to these officials’ conclusions without challenging them.

We look forward to continuing the debate about the effectiveness of the ongoing Patriot Act phone records collection program in the days and weeks ahead.

This is actually what the Inspectors General have implied: that it’s not clear these programs are effective.

So why are we collecting dragnets of American communications for no good reason?

On the Meanings of “Dishonor” and “Hack”

The former NSA IG (and current affiliate of the Chertoff Group profiteers, though he didn’t disclose that financial interest) Joel Brenner has taken to the pages of Lawfare to suggest anyone trying to force some truth out of top Intelligence Community officials is dishonorable.

On March 12 of this year, Senator Ron Wyden asked James Clapper, the director of national intelligence, whether the National Security Agency gathers “any type of data at all on millions or hundreds of millions of Americans.”

“No, sir,” replied the director, visibly annoyed. “Not wittingly.”

Wyden is a member of the Senate Select Committee on Intelligence and had long known about the court-approved metadata program that has since become public knowledge. He knew Clapper’s answer was incorrect. But Wyden, like Clapper, was also under an oath not to divulge the story. In posing this question, he knew Clapper would have to breach his oath of secrecy, lie, prevaricate, or decline to reply except in executive session—a tactic that would implicitly have divulged the secret. The committee chairman, Senator Diane Feinstein, may have known what Wyden had in mind. In opening the hearing she reminded senators it would be followed by a closed session and said,  “I’ll ask that members refrain from asking questions here that have classified answers.” Not dissuaded, Wyden sandbagged he [sic] director.

This was a vicious tactic, regardless of what you think of the later Snowden disclosures. Wyden learned nothing, the public learned nothing, and an honest and unusually forthright public servant has had his credibility trashed.

Brenner of course doesn’t mention that Clapper had had warning of this question, so should have provided a better non-answer. Later in his post, he understates how revealing telephone metadata can be (and of course doesn’t mention it can also include location). He even misstates how often the phone metadata collection has been queried (it was queried on 300 selectors, not “accessed only 300 times”).

But the really hackish part of his argument is in pretending this whole exchange started on March 12.

It didn’t. It started over a year ago and continued through last week when Keith Alexander had to withdraw a “fact sheet” purporting to lay out the “Section 702 protections” Americans enjoy (see below for links to these exchanges).

The exchange didn’t start out very well, with two Inspectors General working to ensure that Wyden and Mark Udall would not get their unclassified non-answer about how many Americans are surveilled under Section 702’s back door until after the Intelligence Committee marked up the bill.

But perhaps the signature exchange was this October 10, 2012 Wyden letter (with 3 other Senators) to Keith Alexander and Alexander’s November 5, 2012 response.

On July 27, 2012, Alexander put on a jeans-and-t-shirt costume and went to DefCon to suck up to hackers. After giving a schmaltzy speech including lines like, “we can protect the networks and have civil liberties and privacy,” DefCon founder Jeff Moss asked Alexander about recent Bill Binney allegations that the NSA was collecting communications of all Americans. Wired reported the exchange here.

It was this exchange — Keith Alexander’s choice to make unclassified statements to a bunch of hackers he was trying to suck up to — that underlies Wyden’s question. And Wyden explicitly invoked Alexander’s comments in his March 12 question to Clapper.

In Wyden’s letter, he quoted this, from Alexander.

We may, incidentally, in targeting a bad guy hit on somebody from a good guy, because there’s a discussion there. We have requirements from the FISA Court and the Attorney General to minimize that, which means nobody else can see it unless there’s a crime that’s been committed.

Wyden then noted,

We believe that this statement incorrectly characterized the minimization requirements that apply to the NSA’s FISA Amendments Act collection, and portrays privacy protections for Americans’ communications as being stronger than they actually are.

This is almost precisely the exchange that occurred last week, when Wyden and Udall had to correct Alexander’s public lies about Section 702 protections again. 8 months later and Alexander is reverting to the same lies about protections for US Persons.

In the letter, Wyden quoted from Alexander again,

You also stated, in response to the same question, that “…the story that we have millions or hundreds of millions of dossiers on people is absolutely false.” We are not entirely clear what the term “dossier” means in this context, so we would appreciate it if you would clarify this remark.

And asked,

Are you certain that the number of American communications collected is not “millions or hundreds of millions”? If so, then clearly you must have some ability to estimate the scale of this number, at least some range in which you believe it falls. If this is the case, how large could this number possibly be? How small could it possibly be?

Does the NSA collect any type of data at all on “millions or hundreds of millions of Americans”?

This last question was precisely the question Wyden asked Clapper 5 months later on March 12 (Alexander’s response in November didn’t even acknowledge this question — he just blew it off entirely).

As Wyden emphasized, Alexander is the one who chose to make misleading assertions in unclassified form, opening up the door for demands for an unclassified response.

Since you made your remarks in an unclassified forum, we would appreciate an unclassified response to these questions, so that your remarks can be properly understood by Congress and the public, and not interpreted in a misleading way.

In other words, Brenner presents the context of Wyden’s question to Clapper completely wrong. He pretends this exchange was about one cleared person setting up another cleared person to answer a question. But Brenner ignores (Wyden’s clear invocation of it notwithstanding) that this exchange started when a cleared person, General Alexander, chose to lie to the public.

And now that we’ve seen the minimization standards, we know just how egregious a lie Alexander told to the hackers at DefCon. It’s bad enough that Alexander didn’t admit that anything that might possibly have a foreign intelligence purpose could be kept and, potentially, disseminated, a fact that would affect all Americans’ communications.

But Alexander was talking to high level hackers, probably the group of civilians who encrypt their online communications more than any other.

And Alexander knows that the NSA keeps encrypted communications indefinitely, and with his say-so, can keep them even if they’re known to be entirely domestic communications.

In other words, in speaking to the group of American civilians whose communications probably get the least protections from NSA (aside from the encryption they themselves give it), Alexander suggested their communications would only be captured if they were talking to bad guys. But the NSA defines “those who encrypt their communications” as bad guys by default.

He was trying to suck up to the hackers, even as he lied about the degree to which NSA defines most of them as bad guys.

Brenner gets all upset about his colleagues being “forced” to lie in public. But that’s not what’s going on here: James Clapper and, especially, Keith Alexander are choosing to lie to the public.

And if it is vicious for an intelligence overseer to call IC officials on willful lies to the public, then we’ve got a very basic problem with democracy.

Shorter Mark Udall: Why Can’t John Brennan “Honor the Oath”?

Still reading the NSA IG Report, so I’ll just quote right from Mark Udall’s release:

As a member of the Senate Intelligence Committee, I am concerned to see news reports about the CIA’s response to the Committee’s Study of the CIA’s Detention and Interrogation Program before the information was provided to the committee. Committee members have not yet seen this response, which we have been expecting for nearly six months.

The American people’s trust in intelligence agencies requires transparency and strong congressional oversight. This latest leak–the latest incident in a long string of leaks from unnamed intelligence officials who purport to be familiar with the Committee’s Study and the CIA’s official response to it–is wholly unacceptable. Even as these reports emerged today and over the past several months, the CIA and the White House have repeatedly rejected requests to discuss the Committee’s report with Members or Committee staff.

The continual leaks of inaccurate information from unnamed intelligence officials are embarrassing to the agency and have only hardened my resolve to declassify the full Committee Study, which is based on a review of more than six million pages of CIA records, comprises more than 6,000 pages in length and includes more than 35,000 footnotes. The report is based on CIA records including internal memoranda, cables, emails, as well as transcripts of interviews and Intelligence Committee hearings. The Study is fact-based, and I believe, indisputable.

I am confident the American people will agree once they have the opportunity to read the Study, as well as the CIA’s official response, that this program was a failure and a tragic moment in America’s history. The only way to correct the inaccurate information in the public record on this program is through the sunlight of declassification.

The other thing that leaked in the last day, in addition to CIA’s claim that millions of its reports are inaccurate, is this news:

CIA Director John Brennan is launching a new campaign aimed at pressuring CIA officers to keep the intelligence agency’s secrets secret, after a series of leaks to the media.

In a memo to the CIA workforce this week, Brennan says the “Honor the Oath,” campaign is intended to “reinforce our corporate culture of secrecy” through education and training.

Some leadership on “our corporate culture of secrecy” Brennan is showing, huh?

Keith Alexander’s Secret Lie: Retention and Distribution of Domestic Encrypted and Hacking Communications?

As I noted in my last two posts, Keith Alexander has admitted that the classified lie Mark Udall and Ron Wyden accused him of telling “could have more precisely described the requirements of collection under FISA Amendments Act.”

He then goes on to repeat the many claims about Section 702, which are different forms of saying that it may not collect information on someone knowingly in the US.

Which leads me to suspect that the lie Udall and Wyden described is that the program can retain and distribute domestic communications, which are defined as “communications in which the sender and all intended recipients are reasonably believed to be located in the United States at the time of acquisition.”

The minimization procedures actually describe four kinds of domestic communications that can be distributed with written NSA Director determination. Three of those — significant foreign intelligence information, evidence of a crime imminently being committed, and threat of serious harm to life or property — were generally known. But there is a fourth which I think is probably a huge collection:

Section 5(3)

The communication is reasonably believed to contain technical data base information, as defined in Section 2(i), or information necessary to understand or assess a communications security vulnerability. Such communication may be provided to the FBI and/or disseminated to other elements of the United States Government. Such communications may be returned for a period sufficient to allow a thorough exploitation and to permit access to data that are, or are reasonably believed likely to become, relevant to a current or future foreign intelligence requirement. Sufficient duration may vary with the nature of the exploitation.

a. In the context of a cryptanalytic effort, maintenance of technical data bases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any time period during which encrypted material is subject to, or of use in, cryptanalysis.

b. In the case of communications that are not enciphered or otherwise thought to contain secret meaning, sufficient duration is five years unless the Signal Intelligence Director, NSA, determines in writing that retention for a longer period is required to respond to authorized foreign intelligence or counterintelligence requirements,

Technical data base information, according to the definitions, “means information retained for cryptanalytic, traffic analytic, or signal exploitation purposes.”

In other words, hacking.

Encrypted communications and evidence of hacking have secretly been included in a law purportedly about foreign intelligence collection. And they can keep that information as long as it takes, exempting it from normal minimization requirements.

To be clear, the government still has to get the communication believing (according to its 51% rule) that it has one foreign component. But if Keith Alexander says so, NSA can keep it, forever, even after it finds out it is a domestic communication.

Update: Here’s the July 2012 letter to Clapper. Here’s Clapper’s August 2012 response — the good bits of which are all classified.

NSA’s Querying of US Person Data, Take Two

Update: Alexander’s office has conceded Udall and Wyden’s point about the classified inaccuracy. It also notes:

With respect to the second point raised in your 24 June 2013 letter, the fact sheet did not imply nor was it intended to imply “that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.”

He then cites two letters from James Clapper’s office which I don’t believe have been published.

Joshua Foust tries to refute this post and in doing so proves once again he doesn’t understand the meaning of “target” under Section 702.

Out of courtesy to him, I’m going to rewrite this post to help him understand it. The issue is not whether the US can “target” a US person without a warrant. They can’t. The issue is what the US does with US person data they collect incidentally off a legal target (which must be a foreigner overseas collected for a legitimate intelligence purpose).

At issue is this sentence in the Mark Udall/Ron Wyden letter to Keith Alexander.

Separately, this same fact sheet states that under Section 702, “Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime.” We believe that this statement is somewhat misleading, in that it implies that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.

The passage says that the claim, “any inadvertently acquired communication of or concerning a US person must be promptly destroyed” is “somewhat misleading,” for two reasons:

  1. It implies that the NSA has the ability to determine how many American communications it has collected under section 702
  2. It implies that the law does not allow the NSA to deliberately search for the records of particular Americans

Now, before I get into bullet point 2, which is the one in question, note that this entire passage is talking about “inadvertently acquired communication of or concerning a US person.” This is not information on someone who has been targeted. It discusses what happens to information collected along with the communications of those who’ve been targeted (say, by emailing the target). Therefore, this entire passage is irrelevant to the issue of what happens with the targeted person’s communication. The Udall/Wyden claim is not about targeting in the least; it is about incidental collection.

Okay, bullet point 2: Udall and Wyden claim that Alexander’s fact sheet is misleading because it implies the law does not allow the NSA to deliberately search for the records of particular Americans. They could be wrong, but their claim is that it is misleading for Alexander to suggest that the law does not allow the NSA to deliberately search for the records of particular Americans. That means they believe the law does allow the NSA to deliberately search for the records of particular Americans, otherwise they wouldn’t think his statement was misleading.

Now, if it were just Udall and Wyden making this claim, it’d be a he-said/he-said. But  pointed out that this claim is not new at all. It’s not even one limited to Udall and Wyden. In the FAA report released by Dianne Feinstein last year, it said,

Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession.

First, the report describes a debate the committee had:

The Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained.

The committee debated two things:

  1. Whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited.
  2. Whether querying information collected under Section 702 to find communications of a particular United States person should be more robustly constrained.

Bullet point 1 makes it clear they were debating whether they should prohibit this activity. If they had to consider that, it means that it is not prohibited (which is precisely what Udall and Wyden say–that the law allows it). Bullet point 2 says they also considered whether they should “more robustly constrain” it, which suggests (though does not prove) that it is going on now, otherwise there’d be nothing to constrain.

The IC IGs won’t tell us how much of this goes on–they claim they have no way of counting it, which ought to alarm you, because it says they’re not actually tracking it via some kind of auditing function.

I defer to his conclusion that obtaining such an estimate was beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission. He further stated that his office and NSA leadership agreed that an IG review of the sort suggested would itself violate the privacy of U.S. persons.

Now, as I already laid out, what we’re talking about is not targeting a US person–focusing collection on that person. What we’re talking about is what you can do with the US person data collected “incidentally” along with the communications of that targeted person. That information–as the minimization guidelines describe–is lawfully collected. The big question is what you can do with it once you have collected it, and in many but not all cases there are restrictions against circulating that information before you’ve hidden the identity of the US person in question.

The last part of the passage from the SSCI says,

With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession.

Again, some amount of US person data is collected under Section 702 along with the data of the targeted person (if it weren’t, they wouldn’t need minimization procedures). It is lawfully collected. The question is what you’re allowed to do with it. And as part of the debate the committee had about whether they were going to “prohibit” or “more robustly constrain” the querying of US person data that was lawfully collected as incidental data, SSCI describes the Intelligence Community (which includes, in part, the NSA, the CIA, and the FBI) providing several reasons why it might need to conduct queries of this data. And the committee agreed that these reasons were “legitimate foreign intelligence needs.”

The minimization procedures from 2009, at least, require destruction of US person data if it is “clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information).” (3(b)(1)) What is not immediately destroyed may be kept for up to 5 years. But it only destroys the stuff that is “clearly not relevant,” not data that might be relevant to the purpose of the investigation.

Now, while the language is not exact, the SSCI report’s description of data that serves a “legitimate foreign intelligence need” surely includes “foreign intelligence information.” This is kind of backwards (which may be part of the complaint from Udall and Wyden), but unless the information is clearly not relevant — and the intelligence community says some of this data has legitimate intelligence purposes — then it is retained. This is probably why Udall and Wyden think Alexander’s “must be promptly destroyed” is misleading, because if the IC thinks they might need to query it because it would serve a legitimate foreign intelligence purpose, then it is not destroyed.

So who makes this decision whether to keep the data? “NSA analyst(s) will determine whether it … is reasonably believed to contain foreign intelligence information.” (3(b)(4)) The NSA, not FBI or CIA.

And this data cannot just be retained. It can also be “forwarded to analytic personnel responsible for producing intelligence information from the collected data.” (3(b)(2))

Now, in most cases, that information must be anonymized (which is what Kurt Eichenwald discusses here, which Foust cites). But it has always been the case there are exceptions to that rule. Some exceptions are if:

  • The Director of NSA specifically determines, in writing, that the communication is reasonably believed to contain significant foreign intelligence information. (5(1)) In that case the information goes to the FBI. [Update: This distribution is permitted with domestic communication–that is, US to US person.]
  • A recipient requiring the identity of such person for the performance of official duties needs the identity of the United States person to understand foreign intelligence information or assess its importance. (6(b)(2)) This sometimes, but not always, happens after an initial distribution.

There are actually a slew more exceptions but these two should suffice. Again, these rules on distribution (except as they affect technical data base information, which might be relevant here, but not necessary) are not new with FAA. They’ve long been in place.

Again, this is all about what happens to incidentally collected data, not the data of the person actually targeted. Which is why these two passages are irrelevant to the entire point (the second of which Foust thought I was leaving out because it hurt my point).

As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause.

[snip]

The Department of Justice and Intelligence Community reaffirmed that any queries made of Section 702 data will be conducted in strict compliance with applicable guidelines and procedures and do not provide a means to circumvent the general requirement to obtain a court order before targeting a U.S. person under FISA.

What they say is that the government is prohibited from targeting a US person without a warrant and that any other things done with incidentally collected data must be conducted in strict compliance with applicable guidelines, which are the minimization procedures I just reviewed (though again, those are from 2009 so they may have changed somewhat). The passage very clearly envisions making queries of the data and very clearly considers such queries to be distinct from the targeting of a US person.

And the minimization procedures make it clear that if data is not “clearly not foreign intelligence,” (that is, if it might be foreign intelligence, as this queried data is, according to the IC) then it is retained, at least through the initial (NSA-conducted) review. Where it can be queried, so long as the other minimization procedures are met.

One final thing. Foust is actually wrong when he suggests the IC asked for new authority (in any case, the only conclusion would be that they got it). Rather, in both the SSCI and the Senate Judiciary Committee, Senators tried to limit this authority. In SJC, Mike Lee, Dick Durbin, and Chris Coons submitted an amendment to (among other things) prohibit,

the searching of the contents of communications acquired under this section [702] in an effort to find communications of a particular United States person…

…Except with an emergency authorization.

Dianne Feinstein fought the amendment by arguing such a prohibition would have made it harder to find Nidal Hasan (whom we didn’t find anyway, and whose communications with Anwar al-Awlaki may well have been traditional FISA collection). But at one level that makes sense.

Sheldon Whitehouse said that such a restriction would “kill this program.”

I may not like what Whitehouse stated. But I do trust his judgement about how central to this program is access to US person communications.

That doesn’t say how much of this stuff goes on (though it does seem to suggest it does). But it does say we ought to at least track it.

Confirmed: NSA Does Search Section 702 Data for Particular US Person Data

Update: To help Joshua Foust understand this topic, I did a second, really basic version of this post here. So if you’re fairly new to all this stuff, you might start there and then come back.

Update: Alexander’s office has conceded Udall and Wyden’s point about the classified inaccuracy. It also notes:

With respect to the second point raised in your 24 June 2013 letter, the fact sheet did not imply nor was it intended to imply “that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.”

He then cites two letters from James Clapper’s office which I don’t believe have been published.

I’ve seen some people complaining that Ron Wyden and Mark Udall didn’t explicitly describe what Keith Alexander’s lies were in the NSA handout on Section 702 collection (note, as of 1PM, NSA has taken down their handout from their server). I’m okay with them leaving big breadcrumbs instead, not least because until we fix intelligence oversight, we’re going to need people like them who manage to stay on the committees but lay these signposts.

That said, I think people are underestimating how big of a signpost they did leave. Consider this, from their letter:

Separately, this same fact sheet states that under Section 702, “Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime.” We believe that this statement is somewhat misleading, in that it implies that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans. [my emphasis]

Last year’s SSCI report on extending the FISA Amendments Act strongly implied that the government interpreted the law to mean it could search for records of particular Americans.

During the Committee’s consideration of this legislation, several Senators expressed a desire to quantify the extent of incidental collection under Section 702. I share this desire. However, the Committee has been repeatedly advised by the ODNI that due to the nature of the collection and the limits of the technology involved, it is not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under Section 702 authority. Senators Ron Wyden and Mark Udall have requested a review by the Inspector General of the NSA and the Inspector General of the Intelligence Community to determine whether it is feasible to estimate this number. The Inspectors General are conducting that review now, thus making an amendment on this subject unnecessary.

Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession. [my emphasis]

This passage made it clear that the Intelligence Community had demanded the ability to search on US person data already collected. Wyden and Udall’s letter makes that even more clear.

And the minimization procedures leaked last week support this (though note, these date to 2009 and might have been ruled to violate the Fourth Amendment since, though I suspect they haven’t).

They make it clear that US person communications will be retained if they contain foreign intelligence information (a term not defined in the procedures), including those they collected because (they claim) they’re unable to filter it out.

3(b)

(1) Personnel will exercise reasonable judgment in determining whether information acquired must be minimized and will destroy inadvertently acquired communications of or concerning a United States person at the earliest practicable point in the processing cycle at which such communication can be identified either: as clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information)

[snip]

The communications that may be retained include electronic communications acquired because of limitations on NSA’s ability to filter communications.

(2) Communications of or concerning United States persons that may be related to the authorized purpose of the acquisition may be forwarded to analytic personnel responsible for producing intelligence information from the collected data.

The procedures make it clear that, with authorization from the NSA Director, even communications entirely between US persons may be retained (see section 5) if they are of significant intelligence value. Communications showing a communications security vulnerability may also be retained (this permission, related to cybersecurity, was not made public in the NSA handout).

And here’s perhaps the most interesting way of keeping US person data.

6(c)

(1) NSA may provide to the Central Intelligence Agency (CIA) unminimized communications acquired pursuant to section 702 of the Act. CIA will identify to NSA targets for which NSA may provide unminimized communications to CIA. CIA will process any such unminimized communications received from NSA in accordance with CIA minimization procedures …

(2) NSA may provide to the FBI unminimized communications acquired pursuant to section 702 of the Act. FBI will identify to NSA targets for which NSA may provide unminimized communications to the FBI. FBI will process any such unminimized communications received from NSA in accordance with FBI minimization procedures …

This is a kind of collection that Pat Leahy seems to believe escapes review by current Inspector General reviews of the program, as he tried to mandate such reviews in last year’s reauthorization.

The minimization procedures also appear to support Julian Sanchez’ guesstimate of how they could pull up US person contacts, since a phone number or unique name are not explicitly included among the identifiers that would constitute IDing a US person.

Now, all that doesn’t specifically address the other lie Wyden and Udall invoked, which they say “portrays protections for Americans’ privacy as being significantly stronger than they actually are.” But I think the points I’ve laid out above — particularly the cybersecurity collection that is entirely unmentioned in the 702 sheet — probably lay out the gist of Alexander’s lies.

The government has spent the entire time since these documents were revealed trying to lie to Americans about whether their contacts with foreigners can be retained and read. And those lies keep getting exposed.

Wyden & Udall to Alexander: Why Do You People Keep Lying?

According to a letter Ron Wyden and Mark Udall sent Keith Alexander, the NSA is still lying publicly. At issue are two inaccuracies in the information sheet the NSA released about Section 702 implementation.

We were disappointed to see that this fact sheet contains an inaccurate statement about how the section 702 authority has been interpreted by the US government. In our judgment this inaccuracy is significant, as it portrays protections for Americans’ privacy as being significantly stronger than they actually are.

While I’m not certain what inaccuracy they’re talking about here, I suspect it has to do with the US person contact info collected along with targets. Even a comparison of the minimization order and the NSA’s claims makes it clear US person communication can be swept up more easily than they claim.

Then there’s this complaint, which explicitly objects to the suggestion that the government manages to purge US person data, which of course they also claim they don’t track.

Separately, this same fact sheet states that under Section 702, “Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime.” We believe that this statement is somewhat misleading, in that it implies that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans. In fact, the intelligence community has told us repeatedly that it is “not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under the authority” of the FISA Amendments Act.

They make it clear the claim this information gets purged is false.