Posts

If Section 215 Lapsed, Would the Government Finally Accede to ECPA Reform?

/1 Comment/in , /by

Now that the Section 215 Sunset draws nearer, the debate over what reformers should do has shifted away from whether USA Freedom Act is adequate reform to whether it is wise to push for Section 215 to sunset.

That debate, repeatedly, has focused almost entirely on the phone dragnet that Section 215 authorizes. It seems most of the people engaging in this debate or reporting on it are unaware or uninterested in what the other roughly 175 Section 215 orders authorized last year did (just 5 orders authorized the phone dragnet).

But if Section 215 sunsets in June, those other 175 orders will be affected too (though thus far it looks like FISC is approving fewer 215 orders than they did last year). Yet the government won’t tell us what those 175 orders do.

We know — or suspect — some of what these other orders do. NYT and WSJ reported on a Western Union dragnet that would probably amount to 4-5 orders a year (and would have been unaffected and hidden in transparency reporting under USA Freedom Act).

The FBI has previously confirmed that it used Section 215 to collect records of explosives precursors — things like large quantities of acetone, hydrogen peroxide, fertilizer, and (probably now) pressure cookers; given that the Presidential Review Group consulted with ATF on its review of Section 215, it’s likely these are programmatic collection. (If the government told us it was, we might then be able to ask why these materials couldn’t be handled the same way Sudafed is handled, too, which might force the government to tie it more closely to actual threats.) This too would have been unaffected by USAF.

The government also probably uses Section 215 to collect hotel records (which is what it was originally designed for, though not in the bulk it is probably accomplished). This use of Section 215 will likely be reinforced if and when SCOTUS affirms the collection of hotel records in Los Angeles v. Patel.

But the majority of those 175 Section 215 orders, we now know, are for some kind of Internet records that may or may not relate to cyber investigations, depending on whether you think FBI talks out of its arse when trying to keep authorities, but which they almost certainly collect in sufficient bulk that FISC imposed minimization procedures on FBI.

Which brings me to my argument that reauthorizing Section 215 will forestall any ECPA reform.

We know most Section 215 orders are for Internet records because someone reliable — DOJ’s Inspector General in last year’s report on National Security Letters — told us that a collection of Internet companies successfully challenged FBI’s use of NSLs to collect this stuff after DOJ published an opinion on ECPA in 2008.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

That report went on to explain that FBI considered fixing this problem by amending the definition for toll records in Section 2709, but then bagged that plan and just moved all this collection to Section 215, which takes longer.

In the absence of a legislative amendment to Section 2709, [2.5 lines redacted]. [Deputy General Counsel of FBI’s National Security Law Branch] Siegel told us that the process of generating and approving a Section 215 application is similar to the NSL process for the agents and supervisors in the field, but then the applications undergo a review process in NSLB and the Department’s National Security Division, which submits the application to the Foreign Intelligence Surveillance Court (FISA Court). According to Siegel, a request that at one time could be accomplished with an NSL in a matter of hours if necessary, now takes about 30-40 days to accomplish with a standard Section 215 application.

In addition to increasing the time it takes to obtain transactional records, Section 215 requests, unlike NSL requests, require the involvement of FBI Headquarters, NSD, and the FISA Court. Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.

The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.

The government is, according to the report, going through all sorts of hoop-jumping on these records rather than working with Congress to pass ECPA reform.

Why?

That’s not all the Report told us. Even earlier than that problem, in 2007, the IG identified other uncertainties about what the FBI should be obtaining with an NSL, and FBI actually put together a proposal to Congress. The proposed definition included both financial information and what could be construed as location data in toll records. That bill has never been passed.

But while Internet companies have shown reluctance to let the FBI secretly expand the meaning of toll record, two telecoms have not (a third, which I suspect is Verizon, backed out of closer cooperation on NSLs in 2009, and presumably a fourth, which probably is T-Mobile, was never a part of it).

And here’s what happened to the kinds of records FBI has been obtaining (almost certainly from AT&T) in the interim:

Screen Shot 2015-03-19 at 5.15.23 PM

 

FBI is collecting 7 kinds of things from (probably) AT&T that the Inspector General doesn’t think fits under ECPA.

Now, I’m not sure precisely why ECPA reform has gone nowhere in the last 8 years, but all this redaction suggests one reason is the government doesn’t want to be bound by a traditional definition of toll record, so much so it’s willing to put up with the aggravation of getting Section 215 orders for (what may be the same kind of) information from Internet companies in order to not be bound by limits on its telecom (or at least AT&T) NSLs.

Don’t get me wrong. I’d rather have the Internet stuff be under Section 215 orders, where it will be treated with some kind of minimization (the FBI is still completely ignoring the 2006 language in Section 215 requiring it to adopt minimization procedures for that section, but FISC has stepped into the void and imposed some itself).

But ultimately what’s going on — in addition to the adoption of a dragnet approach for phone records (that might have been deemed a violation of 18 USC 2302-3 if litigated with an adversary) and financial records (that might have been deemed a violation of 12 USC 3401-3422 if litigated with an adversary), is that the government is also, apparently, far exceeding the common understanding of NSLs without going back to Congress to get them to amend the law (and this goes well beyond communities of interest — two or maybe three hop collection under an NSL — which isn’t entirely redacted in this report).

It may be moot anyway. I actually wonder whether Internet companies will use the immunity of CISA, if and when it passes, to turn whatever they’re turning over without a Section 215 order.

And it’s not like Pat Leahy and Mike Lee have been successful in their efforts to get ECPA reform that protects electronic communications passed. ECPA isn’t happening anyway.

But maybe it might, if Section 215 were to lapse and the government were forced to stop kluging all the programs that have never really been approved by Congress in the first place into Section 215.

FBI Now Holding Up Michael Horowitz’ Investigation into the DEA

/7 Comments/in /by

Man, at some point Congress is going to have to declare the FBI legally contemptuous and throw them in jail.

They continue to refuse to cooperate with DOJ’s Inspector General, as they have been for basically 5 years. But in Michael Horowitz’ latest complaint to Congress, he adds a new spin: FBI is not only obstructing his investigation of the FBI’s management impaired surveillance, now FBI is obstructing his investigation of DEA’s management impaired surveillance.

I first reported on DOJ IG’s investigation into DEA’s dragnet databases last April. At that point, the only dragnet we knew about was Hemisphere, which DEA uses to obtain years of phone records as well as location data and other details, before it them parallel constructs that data out of a defendant’s reach.

But since then, we’ve learned of what the government claims to be another database — that used to identify Shantia Hassanshahi in an Iranian sanctions case. After some delay, the government revealed that this was another dragnet, including just international calls. It claims that this database was suspended in September 2013 (around the time Hemisphere became public) and that it is no longer obtaining bulk records for it.

According to the latest installment of Michael Horowitz’ complaints about FBI obstruction, he tried to obtain records on the DEA databases on November 20, 2014 (of note, during the period when the government was still refusing to tell even Judge Rudolph Contreras what the database implicating Hassanshahi was). FBI slow-walked production, but promised to provide everything to Horowitz by February 13, 2015. FBI has decided it has to keep reviewing the emails in question to see if there is grand jury, Title III electronic surveillance, and Fair Credit Reporting Act materials, which are the same categories of stuff FBI has refused in the past. So Horowitz is pointing to the language tied to DOJ’s appropriations for FY 2015 which (basically) defunded FBI obstruction.

Only FBI continues to obstruct.

There’s one more question about this. As noted, this investigation is supposed to be about DEA’s databases. We’ve already seen that FBI uses Hemisphere (when I asked FBI for comment in advance of this February 4, 2014 article on FBI obstinance, Hemisphere was the one thing they refused all comment on). And obviously, FBI access another DEA database to go after Hassanshahi.

So that may be the only reason why Horowitz needs the FBI’s cooperation to investigate the DEA’s dragnets.

Plus, assuming FBI is parallel constructing these dragnets just like DEA is, I can understand why they’d want to withhold grand jury information, which would make that clear.

Still, I can’t help but wonder — as I have in the past — whether these dragnets are all connected, a constantly moving shell game.

That might explain why FBI is so intent on obstructing Horowitz again.

Does the FBI STILL Have an Identity Crisis?

/2 Comments/in /by

I’ve finished up my working threads on the NSA, CIA, and FBI Section 702 minimization procedures. And they suggest that FBI has an identity crisis. Or rather, an inability to describe what it means by “identification of a US person” in unclassified form.

Both the NSA and CIA minimization procedures have some form of this definitional paragraph (this one is NSA’s):

Identification of a United States person means (1) the name, unique title, or address of a United States person; or (2) other personal identifiers of a United States person when appearing in the context of activities conducted by that person or activities conducted by others that are related to that person. A reference to a product by brand name, or manufacturer’s name or the use of a name in a descriptive sense, e.g., “Monroe Doctrine,” is not an identification of a United States person.

Even though the FBI minimization procedures have a (briefer than NSA and CIA’s) definitional section and gets into when someone counts as US person from a geographical standpoint, it doesn’t have the equivalent paragraph on what they consider US person identifying information, which is central to minimization procedures.

Now, I might assume that this is just an oversight, something FBI forgot to incorporate as it was writing its own 702 minimization procedures incorporating what NSA has done.

Except that we know the FBI has suffered from this same kind of identity crisis in the past, in an analogous situation. As Glenn Fine described in the 2008 Inspector General Report on Section 215 (the one the successor for which has been stalled for declassification review for over 6 months), the FBI never got around to (and almost certainly still hasn’t gotten around to, except under modifications from the FISA Court) complying with Section 215’s requirement that it adopt minimization procedures specific to Section 215.

One holdup was disagreement over what constituted US person identifying information.

Unresolved issues included the time period for retention of information, definitional issues of “U.S. person identifying information,” and whether to include procedures for addressing material received in response to, but beyond the scope of, the FISA Court order; uploading information into FBI databases; and handling large or sensitive data collections.

(Note, there’s very good reason to believe FBI is still having all these problems, not least because several of them showed up in Michael Horowitz’ NSL IG Report last year.)

One problem Fine pointed out is that the AG Guidelines adopted in lieu of real minimization procedures don’t provide any guidance on when US identifying information is necessary to share.

When we asked how an agent would determine, for example, whether the disclosure of U.S. person identifying information is necessary to understand foreign intelligence or assess its importance, the FBI General Counsel stated that the determination must be made on a case-by-case basis.

While NSA’s 702 SMPs do lay out cases when FBI can and cannot share US person identifying information (those are, in some ways, less permissive than CIA’s sharing guidelines, if you ignore the entire criminal application and FBI’s passive voice when it comes to handling “sensitive” collections), if the guidelines for what counts as PII are not clear — or if they’re expansive enough to exempt (for example) Internet handles such as “emptywheel” that would clearly count as PII under NSA and CIA’s SMPs, then it would mean far more information on Americans can be shared in unminimized form.

And remember, FBI’s sharing rules are already far more lenient than NSA’s, especially with regards to sharing with state, local, and other law enforcement partners.

Call me crazy. But given the FBI’s past problems defining precisely this thing, I suspect they’re still refusing to do so.

DOJ IG Michael Horowitz Points Out How Premature 215 Reauthorization Would Be. Again.

/in /by

Back in November, I pointed out how batshit crazy it was to rush to pass USA Freedom Act — legislation purporting to provide new transparency requirements and requiring new IG Reports — when a report that was pending for 1,616 days was being held up in declassification review.

Today, in a report on the most significant challenges faced by the government, the IG explains what happened to the review: it is caught up in declassification review.

Ongoing OIG work, such as our reviews of the Department’s requests for and use of business records under Section 215 of the USA PATRIOT Reauthorization Act and the Department’s use of pen register and trap-and-trace devices under the Foreign Intelligence Surveillance Act (FISA), also address privacy concerns implicated by the use of national security authorities to collect data.  Although the OIG completed both of these reviews months ago, and we have provided classified briefings to Congress regarding them, we have been unable to release the classified reports to Congress or non-classified reports to the public because the classification review being conducted by the intelligence community, which includes the FBI, is still ongoing.

This is craziness! Congress is actively legislating on this topic … tomorrow! There’s also the matter of the secret FBI PRTT program, that I strongly suspect is a location dragnet, which this report likely covers.

But the IC is suppressing a report that has been in the works for over 4 years with a slow declassification review?

My common sense observation that we should not pass new legislation on Section 215 without benefitting from an independent review of what really happened back in 2009 (and to a lesser degree, what was going on now, and what has been going on with PRTT) was met with a remarkable din of crickets.

Today, DOJ Inspector General Michael Horowitz made the same point again.

Department of Justice Inspector General Michael E. Horowitz today issued a classified report entitled, The Federal Bureau of Investigation’s Use of Section 215 Orders:  Assessment of Progress in Implementing Recommendations and Examination of Use in 2007 through 2009.  The Department of Justice (DOJ) Office of the Inspector General (OIG) provided a final draft of the report to the Intelligence Community in June 2014 for a classification review, but the OIG has not been informed of when that review will be completed.  We have therefore provided today’s classified report, with certain information redacted, to the relevant Congressional oversight and intelligence committees, as well as to DOJ leadership offices.  We will issue a public, unclassified version of the report, with any necessary redactions, at the conclusion of a separate and final classification review currently being conducted by the FBI.

If anyone is counting (well, I am) that review has now been pending for 1,701 days.

Um, hello??? How can the IC be considered a good faith partner in passing dragnet reform, including requirements for IG review, if by stalling for over 6 months on declassification it can make such IG review useless?

What the Reporting on the Re-Released DOJ IG Report on Section 215 Missed about FBI’s Misuse of Terrorism Tools

/3 Comments/in /by

I’ve been meaning to return to coverage of the re-release of the DOJ IG Reports on Section 215 liberated by Charlie Savage just before Christmas. I’ve been seeing a lot of focus on posts like this which “report” that FBI used NSLs to get data the FISA Court would not approve under Section 215 for First Amendment reasons. Such a focus drives me batshit for 3 reasons:

  • It is not news that the FBI used an NSL to get data the FISC deemed improper under the First Amendment
  • There are actual, current problems with NSL practice to be more concerned about
  • In addition, the FBI has been sitting on a current Section 215 IG Report

It is not news that the FBI used an NSL to get data the FISC deemed improper under the First Amendment

As I noted (and as most outlets seem to have missed) these two reports are re-releases of old DOJ IG reports, part of a series of re-released reports in response to a Charlie Savage lawsuit. And while this release is not quite so bad as the previous release — in which FBI actually reclassified previously public words!  — there’s still very little that’s new. In addition to the phone dragnet appendix we’ve all been waiting for (which I wrote about here), the most significant newly released material pertains to how FBI shares Section 215 information with foreign governments (including the declassification of descriptions of that use, as on page 27, 29). The most interesting new material may be a reference on page 20 that reveals OIPR only temporarily stopped using combination orders in 2006 after the passage of the PATRIOT Reauthorization. This suggests they may have resumed using them to get location data, as I laid out here(and as clearly admitted by James Cole here).

But that’s, for the most part, it. There are only words here or there that are newly released.

Not only was the NSL-replacing-a-215-request not new, but there were congressional hearings on it when the report initially got released.

Indeed if you compare this passage from the original 2008 release:

Screen Shot 2015-01-03 at 11.12.50 AM,

With the same passage from the re-release:

Screen Shot 2015-01-03 at 11.13.05 AM

 

You can see that the revelation about the use of an NSL where the court had already rejected a Section 215 order has not changed (there are a few new words revealed elsewhere).

Read more

In Response to NYT Lawsuit, FBI Reclassifies 26 Words

/2 Comments/in , /by

Last week, a number of people hailed the further declassification of DOJ Inspector General’s Report on FBI’s use of Exigent Letters.

That enthusiasm is misplaced, however. What too few people noticed is the thankless work Charlie Savage did to identify what was newly declassified. He had FOIAed the IG Report, which is what set off the declassification review.

In fact, FBI redacted three things that had previously been visible. On page 55/PDF 68, it redacted the title, “Diagram 2.1: Calling Circle or “Community of Interest.” On page 105/PDF 118 they redacted language indicating they use a certain kind of “language” to order what are probably also communities of interest. Finally, on page 207/PDF 220, FBI newly redacted the title, “Chart 4.3 Records for 10 Telephone Numbers Uploaded to FBI Databases With the Longest Periods of Overcollection.”

So the NYT sued the FBI to declassify language that should be declassified, given everything we’ve learned about related programs subsequent to the Snowden leaks, and FBI responded by trying to pretend we don’t know they were getting (and still get, per DOJ IG’s most recently report) call chains from telecoms.

To be fair, FBI did declassify some new stuff. That includes:

  • Roughly 44 uses of some form of the word “search”
  • Roughly 33 uses of some form of “target”
  • Roughly 24 references to years, either 2004 or 2005
  • The names of 3 of a number of journalists whose records had been improperly collected and details of the collection

About the  most interesting declassification was a citation to a Carrie Johnson story, published well over a year before the IG Report came out, describing the collection on those 3 journalists. The IG Report invoked this language in the story…

Mueller called the top editors at The Washington Post and the New York Times to express regret that agents had not followed proper procedures when they sought telephone records under a process that allowed them to bypass grand jury review in emergency cases.

… as evidence to support a footnote, which (except for the reference to Johnson’s article) had been unclassified, explaining,

In addition to the letter, Director Mueller called the editors of the two newspapers to express regret that the FBI agents had not followed proper procedures when they sought the reporters’ telephone records.

That is, they had classified reference to a published news article as S/NF! (Though I suppose it is possible that the fact they were hiding is that Glenn Fine had to read the WaPo to figure out what happened here, because Mueller wasn’t speaking directly to him.)

Congratulations to Carrie Johnson who I guess now classifies as a state secret!

I asked the Savage (and through him, NYT’s lawyer, David McCraw) how the NYT felt about FBI classifying, rather than declassifying language in response to his suit, and he suggested NYT expects DOJ to pay them for their time. “We have incurred no outside counsel fees and anticipate that the government will be required to pay us for the time spent by in-house counsel.”

Still, I think Savage (and FOIA requesters generally) should get finder’s fees every time the government newly classifies stuff years later … impose some kind of fine for stupid overclassification.

Update: Corrected timing on Johnson story which came out in August 2008, so 17 months before the IG Report.

Even as Congress Prepares to Legislate, Intelligence Community Stalling on Section 215 IG Report

/4 Comments/in /by

I’ve been covering the DOJ Inspector General’s billion-day old review of Section 215.

  • June 2010: Then DOJ IG Glenn Fine lays out investigation
  • June 2013: Transition to Michael Horowitz stalls PATRIOT investigation
  • August 2013: The investigation has been ongoing
  • September 2013: Pat Leahy calls for an IC IG investigation into 215 and 702; IC IG Charles McCullough declines
  • December 2013: Horowitz states current investigation limited by AG/DNI declassification of earlier reports
  • April 2014: The Section 215 review has a baby!

If my calculation is correct, that report has been pending for 1,616 days.

Today, in a report on the most significant challenges faced by the government, the IG explains what happened to the review: it is caught up in declassification review.

Ongoing OIG work, such as our reviews of the Department’s requests for and use of business records under Section 215 of the USA PATRIOT Reauthorization Act and the Department’s use of pen register and trap-and-trace devices under the Foreign Intelligence Surveillance Act (FISA), also address privacy concerns implicated by the use of national security authorities to collect data.  Although the OIG completed both of these reviews months ago, and we have provided classified briefings to Congress regarding them, we have been unable to release the classified reports to Congress or non-classified reports to the public because the classification review being conducted by the intelligence community, which includes the FBI, is still ongoing.

This is craziness! Congress is actively legislating on this topic … tomorrow! There’s also the matter of the secret FBI PRTT program, that I strongly suspect is a location dragnet, which this report likely covers.

But the IC is suppressing a report that has been in the works for over 4 years with a slow declassification review?

Update: From Glenn Fine’s original letter scoping out the review, here’s some of what it includes.

It will examine the number of Section 215 applications filed from 2007 through 2009, how the FBI is using the tool today, and describe any reported improper or illegal uses of the authority. Our review also will examine the progress the FBI has made in addressing recommendations contained in our prior reports that the FBI draft and implement minimization procedures specifically for information collected under Section 215 authority.

We also intend to conduct a programmatic review of the FBI’s use of its pen register and trap and trace authority under the FISA. That part of the review will examine issues such as how the FBI uses the authority to collect information, what the FBI does with the information it collects, and whether there have been any improper or illegal uses of the authority either reported by the FBI or identified by the OIG.

In addition to identifying any improper uses of these authorities (the report should provide some sense of how rigorous the First Amendment review is), it will certainly lay out how FBI has refused to implement minimization procedures are required by law and recommended in DOJ IG’s last Section 215 report (we know this to be the case because the FISC is imposing minimization procedures itself, and requiring compliance reviews).

All that would be rather important to know before extending Section 215 for another 3 years.

Jim Comey Lied When He Claimed FBI Needs a Judge to Read Your Email

/13 Comments/in /by

I believe that Americans should be deeply skeptical of government power. You cannot trust people in power. The founders knew that. That’s why they divided power among three branches, to set interest against interest. — FBI Director Jim Comey

As part of a piece on James Risen’s stories, 60 Minutes did an interview with Jim Comey. It rehearsed his role in running up hospital steps in 2004 to prevent Andy Card from getting an ill John Ashcroft to rubber stamp illegal surveillance — without mentioning that Comey and the other hospital heroes promptly got the same program authorized by bullying the FISA Court. Trevor Timm called out this aspect of 60 Minutes’ report here.

CBS also permitted Comey to engage in Apple encryption fear-mongering without challenge. CNN, to its credit, called Comey on his misrepresentations here.

But perhaps Comey’s biggest stretcher came when Scott Pelley asked him whether FBI engages in surveillance without a court order.

Scott Pelley: There is no surveillance without court order?

James Comey: By the FBI? No. We don’t do electronic surveillance without a court order.

Scott Pelley: You know that some people are going to roll their eyes when they hear that?

James Comey: Yeah, but we cannot read your emails or listen to your calls without going to a federal judge, making a showing of probable cause that you are a terrorist, an agent of a foreign power, or a serious criminal of some sort, and get permission for a limited period of time to intercept those communications. It is an extremely burdensome process. And I like it that way.

Comey was admittedly careful to caveat his answer, stating that FBI does not engage in “electronic surveillance” without a court order. That probably excludes FBI’s use of National Security Letters. Though as DOJ’s Inspector General has made clear, FBI uses NSLs for a number of things — including communities of interest, obtaining one or possibly two degree collection of phone records, as well as a bunch of other things that remain redacted — that the NSL law didn’t envision. Indeed, FBI’s NSL requests have gotten so exotic that some Internet companies started to refuse — successfully — in 2009 to comply with the requests, forcing FBI to use Section 215 orders instead.

But the second part of that exchange — Comey’s claim that “we cannot read your emails without going to a federal judge” is egregiously false.

As both ODNI and PCLOB have made clear, FBI can and does query incidentally collected data obtained under Section 702 (PRISM) — that is, it accesses email content — without a warrant. Alarmingly, it does so at the assessment level, before FBI even has any real evidence of wrong-doing.

Second, whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702–acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts.

That’s not conducting electronic surveillance — because FBI gets the email after the electronic surveillance has already occurred. But that does entail warrantless access of US person content, and does so without any review by a judge. Indeed, with Section 702 collection, a judge never even reviews the foreign targets, much less the US incidental collection accessed by the FBI.

Now I get that Jim Comey is a terrifically charismatic guy, with great PR instincts. But still, 60 Minutes is supposed to be a journalism show. Why, when Comey was telling 60 Minutes straight out they should not trust the government, did they let him make so many bogus claims?

Working Thread: NSL IG Report

/4 Comments/in /by

I give up. I’m going to have to do a working thread on the IG Report on FBI’s use of NSLs. Here goes. References are to page numbers, not PDF numbers (PDF numbers are page+15).

ix: The report noted that NSL numbers dropped off what they had been 2007 to 2009. It speculates that may have been because of heightened scrutiny. I wonder it wasn’t because they were misusing the phone and Internet dragnet programs and getting the information that way. In 2009, after which the NSL numbers grew again, Reggie Walton shut that option down.

x: About half of NSLs during this period were used to investigate USPs.

x: “certain Internet providers refused to provide electronic communication transactional records in response to ECPA NSLs.”

xii: They’re hiding the current status of permitting the use of NSLs to get journo contacts. Which would seem to confirm they are doing so.

xiii: They’re also hiding the status of the OLC memo they used to say they could get phone records voluntarily (see this post for why). They don’t hide things very well.

2: It just makes me nuts we’re only now reviewing NSL use from 2009. Know what has happened in the interim, for example? A key player in this stuff, Valerie Caproni, has become a lifetime appointed judge.

11: Report  notes that FBI tends to always use “overproduction” whether or not it was unauthorized or simply too broad.

17: Footnote 35 seems to suggest they have exceptions to the mandatory reporting requirements. What could go wrong?

39: So as recently as 2009, the tracking system did not alert OGC of manual NSLs in some percentage of the cases.

57 The numbers reported to Congress are off from the numbers shown to IG by as much as 2,800.

58: Love footnote 73, which aims to explain why the NSL numbers reported to Congress are significantly lower than those reported to OIG.

After reviewing the draft of this report, the FBI told the OIG for the first time that the NSL data provided to Congress would almost never match the NSL data provided to the OIG because the NSL data provided to Congress includes NSLs issued from case files marked “sensitive,” whereas the NSL data provided to the OIG does not. According to the FBI, the unit that provided NSL data to the OIG does not have access to the case files marked “sensitive” and was therefore unable to provide complete NSL data to the OIG. The assertion that the FBI provided more NSL data to Congress than to the OIG does not explain the disparities we found in this review, however, because the disparities we found reflected that the FBI reported fewer NSL requests to Congress than the aggregate totals.

The FBI just gives up on 100% accuracy in its NSL numbers.

After reviewing the draft of this report, the FBI told the OIG that while 100 percent accuracy can be a helpful goal, attempting to obtain 100 percent accuracy in the NSL subsystem would create an undue burden without providing corresponding benefits. The FBI also stated that it has taken steps to minimize error to the greatest extent possible.

59: On the discrepancies, OIG points out the obvious:

[T]he total number of manually generated NSLs that the FBI inspectors identified is relatively small compared to the total number of 30,442 NSL requests issued by the FBI that year. What remains unknown, however is, whether the FBI inspectors identified all the manually identified generally NSLs issued by the FBI or whether a significant number remains unaccounted for and unreported.

61: The database tracking 2007 requests — a year where there were discrepancies for 215 orders too — “is retired and unavailable.”

62: The report doesn’t have subscriber only data, which I suspect is obtained in bulk.

63: There is a significant change in the make-up of what FBI is getting in 2009, from subscriber records and toll and financial records in 2008 to toll records, then subscriber and electronic communication records in 2009. I strongly suspect that says some of the 214 and 215 collection moved to NSLs.

71: Apparently it was the release of an earlier OLC memo that led at least 2 Internet companies to refuse NSLs.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electornic communication transactional records because that term does not appear in subsection (b).

Read more

The Majority of 215 Orders Come from Internet Companies that Refuse NSLs

/2 Comments/in /by

According to the new DOJ IG report on FBI’s use of NSLs, there are some Internet companies that have been refusing NSLs for some data since 2009 (this discussion appears on pages 71- 73).

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

For a number of reasons I wonder whether this pertains to Internet searches, rather than email communication.

In any case, because the Internet companies have apparently been successful at refusing these NSLs (there’s zero discussion in the unredacted section of court challenges, but they must have happened), FBI has been getting Section 215 orders instead. As a result, the bulk of the Section 215 orders in recent years have been for these kinds of Internet transaction records.

In the absence of a legislative amendment to Section 2709, [2.5 lines redacted]. [Deputy General Counsel of FBI’s National Security Law Branch] Siegel told us that the process of generating and approving a Section 215 application is similar to the NSL process for the agents and supervisors in the field, but then the applications undergo a review process in NSLB and the Department’s National Security Division, which submits the application to the Foreign Intelligence Surveillance Court (FISA Court). According to Siegel, a request that at one time could be accomplished with an NSL in a matter of hours if necessary, now takes about 30-40 days to accomplish with a standard Section 215 application.

In addition to increasing the time it takes to obtain transactional records, Section 215 requests, unlike NSL requests, require the involvement of FBI Headquarters, NSD, and the FISA Court. Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.

The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.

We asked whether the disagreement and uncertainty over electronic communication transactional records has negatively affected national security investigations. An Assistant General Counsel in NSLB told us that the additional time it takes to obtain transactional records through a Section 215 application slows down national security investigations, all of which he said are time-sensitive. He said that an investigative subject can cease activities or move out of the country within the time-frame now necessary to obtain a FISA order. [my emphasis]

And bizarrely, the IG report doesn’t discuss the pending USA Freedom legislation — not even what appears retrospectively like HPSCI’s effort to turn this kind of production into programmatic orders.

There’s still a lot I don’t get from this discussion. But the explanation that the explosion of 215 orders (remember — with their attached minimization procedures) since 2009 stems from a couple of Internet companies sure is interesting.

Update: Page 124 reveals what the Administration wanted ECPA to include.

The proposed amendment would authorize the FBI to obtain name, address, local and long distance connection records (or sessions times and durations), length and types of service, telephone or instrument number (or other subscriber number or identity, including any temporarily assigned network address), means and source of payment (including credit card or bank account number), and records identifying the origin, routing, or destination of electronic communications.