Hot Numbers and the 2009 Troubles

Starting in 2007, DOJ’s Inspector General Glenn Fine did a series of reports on the FBI’s use of National Security Letters and Exigent Letters. In response (and as the FBI tried to clean up the mess from its inappropriate use of those tools), in 2007 the government asked OLC for an interpretation of the Electronic Communications Privacy Act. That opinion, which was issued on November 8, 2008, ruled that ECPA barred telecom providers from responding to certain kinds of requests without legal process.

Finally, you have asked whether a provider, in answer to an oral request before service of an NSL, may tell the FBI whether a particular account exists. This information would be confined to whether a provider serves a particular subscriber or a particular phone number. We believe that ECPA ordinarily bars providers from complying with such requests.

In the last of his IG Reports on NSLs and Exigent Letters, Fine argued that that OLC opinion made two of FBI’s practices with exigent letters — “sneak peeks” and “hot numbers” — illegal.

[T]he Department’s Office of Legal Counsel concluded, and we agree, that the ECPA ordinarily bars communications service providers from telling the FBI, prior to service of legal process, whether a particular account exists. We also concluded that if that type of information falls within the ambit of “a record or other information pertaining to a subscriber to or customer of such service” under 18 USC 2702(a)(3), so does the existence of calling activity by particular hot telephone numbers, absent a qualifying emergency under 18 USC 2702(c)(4).

[snip]

Therefore, we believe that the practice of obtaining calling activity information about hot numbers in these matters without service of legal process violated the ECPA.

[snip]

We believe the FBI should carefully review the circumstances in which FBI personnel asked the on-site communications service providers [redacted] “hot numbers” to enable the Department to determine if the FBI obtained calling activity information under circumstances that trigger discovery or other obligations in any criminal investigations or prosecutions.

The “hot number” practice is functionally equivalent to the “alert list” the NSA used on the Section 215 dragnet database, in which it checked daily incoming calls to see if there had been any US contact with both approved and unapproved identifiers; if there was activity in both cases, it would spark further investigation.

The practice Fine focused on in this report was the requests FBI would get onsite telecom providers to fill without a subpoena. But at the same time Fine was working on that series of reports (the last one wasn’t issued until 2010) he was also working on a report on the FBI’s 2006 use of Section 215 (issued in March 2008), which included two classified appendices on bulk collection programs including (presumably) the phone dragnet from May until December 2006, and the 2009 Joint IG Report on the illegal wiretap program (which would have covered the dragnet program through May 2006).

We now know that both the pre-May 2006 dragnet program and the post-May 2006 dragnet program included a practice that, in the wake of that OLC opinion (and perhaps before), Fine would find required some legal attention (the Pen Register equivalent in a grand jury context might put the post-May 2006 practice in good stead; the 2008 opinion would seem to make the earlier use of alerts illegal, along with everything else).

Which may be why the government asked Judge Reggie Walton to consider whether the dragnet program complied with ECPA for his December 12, 2008 opinion.

That’s just a hypothesis (though December 2008 would have been the first dragnet application after the OLC memo).

But if it’s right, it makes the NSA’s “discovery” of the alert process the following month all the more ridiculous. The alert process had been in place for years. FBI was being scolded for an equivalent practice (that ended in 2006) within FBI. And yet NSA somehow didn’t think to tell Walton about it until he had ruled ECPA did not present a problem for the dragnet more generally.

These three programs — the illegal program and the exigent letters, which both became the early dragnet in 2006 — are all closely related. Once you read them in tandem, though, it makes NSA’s claims to ignorance completely incredible.

Which brings me back to a reminder I’ve made several times. In the wake of the 2009 discoveries, Pat Leahy tried to mandate a DOJ review of the ongoing Section 215 activity, an effort the Administration thwarted. Fine agreed to do one anyway … then left. His replacement, Michael Horowitz, keeps claiming he’s still working on that investigation (but only covering the activities through 2009). That investigation has been going on 1,191 days now.

Update: Another interesting timing detail. According to the White Paper, the Intelligence and Judiciary Committees had all received the initial application and Primary Order on the dragnet by December 2008. So did they wait until the Walton opinion? Or did they know the Judiciary Committees would get them as part of DOJ IG reports?

If by “New” IG Investigation You Mean 1,155 Days Old

Shane Harris reads the DOJ IG Report on its civil liberties related work and reports that it is investigating the use of Section 215 of the PATRIOT Act.

The Department of Justice Inspector General, which has issued several critical reports over the years about FBI surveillance, is again looking into the bureau’s use of powerful and secretive orders for information about Americans.

A new review is examining “any improper or illegal uses” of the FBI’s surveillance authorities under Section 215 of the Patriot Act. That’s the portion of the law that allows the government to collect Americans’ phone records en masse. And in what appears to be a first review of its kind, the IG will also look at the FBI’s use of pen register and trap-and-trace authority under the Foreign Intelligence Surveillance Act. These are the authorities that allow the bureau to track the metadata of communications made to and from phone numbers and email accounts.

Only this is not a new review. Now-retired DOJ IG Glenn Fine first laid out his plans for the investigation on June 15, 2010 in a letter to Pat Leahy. I reported on the April update on that investigation and the related back story here, 6 weeks ago.

By my math, that means this IG Investigation of abuses we know occurred in 2009 has been going on 1,155 days. And the investigation remains focused on abuses that happened 2 PATRIOT Act extensions ago, rather than what is going on with the program now.

DOJ’s IG, at least under Fine, was very good at rooting out problems with intelligence programs. But we have yet to hear much from his replacement, Michael Horowitz (who has been on the job for 16 months after a long delay in both nominating and confirming him), to indicate one way or another whether he’ll be as good as Fine.

We do know he’s taking his sweet time reviewing problems that happened 4 years ago.

On the Refusal to Exercise Oversight over Vast Surveillance Programs, Episode 117

The Joint IG Report on the illegal wiretap program left out all discussion of what happened to the Internet and (to a lesser extent) phone metadata collection that got moved into Pen Register/Trap&Trace and Section 215 collection, respectively, as described by the NSA Draft IG Report (see page 39 ff).

The transition of certain PSP-authorized activities to FISC orders is described in detail in Section 5 of the classified report and Chapter Five of the DOJ OIG Report. Further details regarding this transition are classified and therefore cannot be addressed in this unclassified report.

But the report did make it clear that Glenn Fine, then DOJ’s Inspector General, had recommended DOJ and other Intelligence Community agencies track whether these programs were useful in their new form.

As noted above, certain activities that were originally authorized as part of the PSP have subsequently been authorized under orders issued by the FISC. The DOJ OIG believes that DOJ and other IC agencies should continue to assess the value of information derived from such activities to the government’s counterterrorism efforts.

[snip]

Finally, the collection activities pursued under the PSP, and under FISA following the PSP’s transition to that authority, involved unprecedented collection activities. We believe the retention and use by IC organizations of information collected under the PSP and FISA should be carefully monitored.

The Joint IG Report came out in July 2009. The debate over extending the PATRIOT Act started in earnest in September 2009.

Yet not only wasn’t that review baked into the extension, but when Patrick Leahy tried to include additional oversight that would include, among other things,

  • Mandate further audits of some of these provisions, such as the use of pen registers
  • Give the Court oversight over the minimization procedures for the use of Section 215 and pen register and trap and trace devices
  • Require that Section 215 and pen registers only be granted if authorities can show that the requested information has ties to terrorism

Dianne Feinstein got Leahy to take much of that out in a substitute bill, and then Jeff Sessions, seemingly working on behalf of the Administration, gutted things further in the Senate markup. It was fairly clear then that the IC — if not the Administration personally — wanted to make sure this oversight did not get added to the PATRIOT Act.

And it didn’t.

The next year, Glenn Fine — who, of course, was the guy who recommended increased oversight in the first place — said he’d do the reviews anyway.

We intend to initiate another review examining the FBI’s use of NSLs and Section 215 orders for business records. Among other issues, our review will assess the FBI’s progress in responding to the OIG’s recommendations in the prior reports. In addition, we intend to examine the number of NSLs issued by the FBI from 2007 through 2009, and we will closely examine the automated system to generate and track NSLs that the FBI implemented to address the deficiencies identified in the OIG reports.

In addition, our review will cover the FBI’s use of Section 215 orders for business records. It will examine the number of Section 215 applications filed from 2007 through 2009, how the FBI is using the tool today, and describe any reported improper or illegal uses of the authority. Our review will also examine the progress the FBI has made in addressing recommendations contained our prior reports that the FBI draft and implement minimization procedures specifically for information collected under Section 215 authority.

We also intend to conduct a programmatic review of the FBI’s use of its pen register and trap and trace authority under the FISA. That part of the review will examine issues such as how the FBI uses the authority to collect information, what the FBI does with the information it collects, and whether there have been any improper or illegal uses of the authority either reported by the FBI or identified by the OIG. [my emphasis]

Writing in 2010, when both metadata collection programs were still ongoing under these authorities, this basically laid out a plan to review all the secret metadata collection hidden inside these authorities.

Fine wrote that in June; in November of that year, he announced his resignation, saying he wanted to pursue new professional challenges.

The Intelligence Community’s Willful Ignorance about Americans Caught in 702 Surveillance

Given the Intelligence Community’s reluctant and partial disclosures on the Section 702 (PRISM/FAA) collection, I want to return to a squabble from last fall, before Congress reauthorized FAA.

As you’ll recall, Ron Wyden tried to get the IC to disclose the number of Americans whose communication had been reviewed under Section 702. The IC dicked around long enough to ensure Wyden didn’t get an answer in time to make a political stink about it. When they finally gave him an answer, they said providing such a number would violate the privacy of Americans.

I defer to [the NSA Inspector General’s] conclusion that obtaining such an estimate was beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission. He further stated that his office and NSA leadership agreed that an IG review of the sort suggested would itself violate the privacy of U.S. persons.

Ultimately, this statement seemed to be as much about resource allocation as anything else — the NSA and IC IGs would need more staff to accomplish the task. (I must say, I do find it interesting the ICIG has time to investigate 375 leaks but not enough time to find out how many Americans are being spied on.)

But look at how closely the government is purportedly tracking US person data.

These procedures require that the acquisition of information is conducted, to the greatest extent reasonably feasible, to minimize the acquisition of information not relevant to the authorized foreign intelligence purpose.

Any inadvertently acquired communication of or concerning a U.S. person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime.

[snip]

Any information collected after a foreign target enters the U.S. –or prior to a discovery that any target erroneously believed to be foreign was in fact a U.S. person– must be promptly destroyed unless that information meets specific, limited criteria approved by the Foreign Intelligence Surveillance Court.

The dissemination of any information about U.S. persons is expressly prohibited unless it is necessary to understand foreign intelligence or assess its importance; is evidence of a crime; or indicates a threat of death or serious bodily harm.

Now, these passages ought to make people more worried about privacy than not. Stated clearly, it says the government believes it can collect and keep US person content if it deems that content “relevant” to the reason they collected the information.

Remember two things: this collection is not limited to use with terrorism; it can be used for espionage investigations, hacking, or any foreign intelligence purpose. And the government has already deemed every single one of our phone records to be “relevant” to an umbrella terror investigation, so the definition of relevance the government has developed in secret is unbelievably broad and permissive.

That collection — the people whose content is reviewed and deemed relevant and kept — is the universe of people Wyden wanted to count. And the government is making decisions about the relevance of them in secret, but not tracking the process by which they do so.

Note too that the government can disseminate US person communications if “it is necessary to understand foreign intelligence.” This is not news (which is why it is so appalling that people were fighting over whether the government could listen to US person calls or read their emails). It is part of traditional FISA, too. (It was using that excuse that John Bolton was learning about what his rivals were negotiating with the North Koreans.) But given how much more information an analyst can access both because she is accessing all Internet activity and not just phone, but also because more associated communications are sucked up with a target, it means many more US persons’ communications might be disseminated. It’s not clear, by the way, such dissemination would exclude privileged conversations between lawyers and clients, or discussions between journalists and sources.

And this second group of people — the ones whose communications are being circulated — are counted.

Though we’re not allowed to know what those numbers are.

Here’s what the DOJ Inspector General Michael Horowitz had to say about a statutorily required review of the 702 collection he recently completed (I think, but it’s not entirely clear, that Horowitz didn’t finish this review until after FAA was renewed last year — I know he didn’t finish it before the Judiciary and Intelligence Committees passed it out).

Inspector General Michael E. Horowitz of the United States Department of Justice Office of the Inspector General (OIG) recently issued a report examining the activities of the Federal Bureau of Investigation (FBI) under Section 702 of the Foreign Intelligence Surveillance Act Amendments Act of 2008 (Act). Section 702 authorizes the targeting of non-U.S. persons reasonably believed to be outside the United States for the purpose of acquiring foreign intelligence information. The Act required that the Inspector General conduct a review of the Department’s role in this process and, in conjunction with this review, the OIG reviewed the number of disseminated FBI intelligence reports containing a reference to a U.S. person identity, the number of U.S. person identities subsequently disseminated in response to requests for identities not referred to by name or title in the original reporting, the number of targets later determined to be located in the United States, and whether communications of such targets were reviewed. See 50 U.S.C. 1881a(l)(2)(B) and (C). The OIG also reviewed the FBI’s compliance with the targeting and minimization procedures required under the Act.

The final report has been issued and delivered to the relevant Congressional oversight and intelligence committees, as well as leadership offices. Because the report is classified, its contents cannot be disclosed to the public.

In other words, the DOJ IG counted — because the law required him to — the following:

  • The number of US person-related communications that got disseminated in a first dissemination of intelligence
  • The number of US persons whose identity was identified in a follow-up on an original dissemination
  • The number of targets originally believed to be foreign who end up being US persons (note, the NSA conveniently doesn’t explain what the specific criteria are that would allow the government to keep these communications … I wonder why?)

But it did not count how many US persons’ communications were reviewed but not disseminated, many of which may be retained under the relevance standard.

In general, when the government chooses not to count things, there’s a reason it doesn’t want to.