Posts

A Dragnet of emptywheel’s Most Important Posts on Surveillance, 2007 to 2017

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten this week.

To celebrate, the emptywheel team has been sharing some of our favorite work from the last decade. This is my massive dragnet of surveillance posts.

For years, we’ve done this content ad free, relying on donations and me doing freelance work for others to fund the stuff you read here. I would make far more if I worked for some free-standing outlet, but I wouldn’t be able to do the weedy, iterative work that I do here, which would amount to not being able to do my best work.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

2007

Whitehouse Reveals Smoking Gun of White House Claiming Not to Be Bound by Any Law

Just days after opening the new digs, I noticed Sheldon Whitehouse entering important details into the Senate record — notably, that John Yoo had pixie dusted EO 12333 to permit George Bush to authorize the Stellar Wind dragnet. In the ten years since, both parties worked to gradually expand spying on Americans under EO 12333, only to have Obama permit the sharing of raw EO 12333 data in its last days in office, completing the years long project of restoring Stellar Wind’s functionalities. This post, from 2016, analyzes a version of the underlying memo permitting the President to change EO 12333 without providing public notice he had done so.

2008

McConnell and Mukasey Tell Half Truths

In the wake of the Protect America Act, I started to track surveillance legislation as it was written, rather than figure out after the fact how the intelligence community snookered us. In this post, I examined the veto threats Mike McConnell and Michael Mukasey issued in response to some Russ Feingold amendments to the FISA Amendments Act and showed that the government intended to use that authority to access Americans’ communication via both what we now call back door searches and reverse targeting. “That is, one of the main purposes is to collect communications in the United States.”

9 years later, we’re still litigating this (though, since then FISC has permitted the NSA to collect entirely domestic communications under the 2014 exception).

2009

FISA + EO 12333 + [redacted] procedures = No Fourth Amendment

The Government Sez: We Don’t Have a Database of All Your Communication

After the FISCR opinion on what we now know to be the Yahoo challenge to Protect American Act first got declassified, I identified several issues that we now have much more visibility on. First, PAA permitted spying on Americans overseas under EO 12333. And it didn’t achieve particularity through the PAA, but instead through what we know to be targeting procedures, including contact chaining. Since then we’ve learned the role of SPCMA in this.

In addition, to avoid problems with back door searches, the government claimed it didn’t have a database of all our communication — a claim that, narrowly parsed might be true, but as to the intent of the question was deeply misleading. That claim is one of the reasons we’ve never had a real legal review of back door searches.

Bush’s Illegal Domestic Surveillance Program and Section 215

On PATRIOTs and JUSTICE: Feingold Aims for Justice

During the 2009 PATRIOT Act reauthorization, I continued to track what the government hated most as a way of understanding what Congress was really authorizing. I understood that Stellar Wind got replaced not just by PAA and FAA, but also by the PATRIOT authorities.

All of which is a very vague way to say we probably ought to be thinking of four programs–Bush’s illegal domestic surveillance program and the PAA/FAA program that replaced it, NSLs, Section 215 orders, and trap and trace devices–as one whole. As the authorities of one program got shut down by exposure or court rulings or internal dissent, it would migrate to another program. That might explain, for example, why Senators who opposed fishing expeditions in 2005 would come to embrace broadened use of Section 215 orders in 2009.

I guessed, for example, that the government was bulk collecting data and mining it to identify targets for surveillance.

We probably know what this is: the bulk collection and data mining of information to select targets under FISA. Feingold introduced a bajillion amendments that would have made data mining impossible, and each time Mike McConnell and Michael Mukasey would invent reasons why Feingold’s amendments would have dire consequences if they passed. And the legal information Feingold refers to is probably the way in which the Administration used EO 12333 and redacted procedures to authorize the use of data mining to select FISA targets.

Sadly, I allowed myself to get distracted by my parallel attempts to understand how the government used Section 215 to obtain TATP precursors. As more and more people confirmed that, I stopped pursuing the PATRIOT Act ties to 702 as aggressively.

2010

Throwing our PATRIOT at Assange

This may be controversial, given everything that has transpired since, but it is often forgotten what measures the US used against Wikileaks in 2010. The funding boycott is one thing (which is what led Wikileaks to embrace Bitcoin, which means it is now in great financial shape). But there’s a lot of reason to believe that the government used PATRIOT authorities to target not just Wikileaks, but its supporters and readers; this was one hint of that in real time.

2011

The March–and April or May–2004 Changes to the Illegal Wiretap Program

When the first iteration of the May 2004 Jack Goldsmith OLC memo first got released, I identified that there were multiple changes made and unpacked what some of them were. The observation that Goldsmith newly limited Stellar Wind to terrorist conversations is one another reporter would claim credit for “scooping” years later (and get the change wrong in the process). We’re now seeing the scope of targeting morph again, to include a range of domestic crimes.

Using Domestic Surveillance to Get Rapists to Spy for America

Something that is still not widely known about 702 and our other dragnets is how they are used to identify potential informants. This post, in which I note Ted Olson’s 2002 defense of using (traditional) FISA to find rapists whom FBI can then coerce to cooperate in investigations was the beginning of my focus on the topic.

2012

FISA Amendments Act: “Targeting” and “Querying” and “Searching” Are Different Things

During the 2012 702 reauthorization fight, Ron Wyden and Mark Udall tried to stop back door searches. They didn’t succeed, but their efforts to do so revealed that the government was doing so. Even back in 2012, Dianne Feinstein was using the same strategy the NSA currently uses — repeating the word “target” over and over — to deny the impact on Americans.

Sheldon Whitehouse Confirms FISA Amendments Act Permits Unwarranted Access to US Person Content

As part of the 2012 702 reauthorization, Sheldon Whitehouse said that requiring warrants to access the US person content collected incidentally would “kill the program.” I took that as confirmation of what Wyden was saying: the government was doing what we now call back door searches.

2013

20 Questions: Mike Rogers’ Vaunted Section 215 Briefings

After the Snowden leaks started, I spent a lot of time tracking bogus claims about oversight. After having pointed out that, contrary to Administration claims, Congress did not have the opportunity to be briefed on the phone dragnet before reauthorizing the PATRIOT Act in 2011, I then noted that in one of the only briefings available to non-HPSCI House members, FBI had lied by saying there had been no abuses of 215.

John Bates’ TWO Wiretapping Warnings: Why the Government Took Its Internet Dragnet Collection Overseas

Among the many posts I wrote on released FISA orders, this is among the most important (and least widely understood). It was a first glimpse into what now clearly appears to be 7 years of FISA violation by the PRTT Internet dragnet. It explains why they government moved much of that dragnet to SPCMA collection. And it laid out how John Bates used FISA clause 1809(a)(2) to force the government to destroy improperly collected data.

Federated Queries and EO 12333 FISC Workaround

In neither NSA nor FBI do the authorities work in isolation. That means you can conduct a query on federated databases and obtain redundant results in which the same data point might be obtained via two different authorities. For example, a call between Michigan and Yemen might be collected via bulk collection off a switch in or near Yemen (or any of the switches between there and the US), as well as in upstream collection from a switch entering the US (and all that’s assuming the American is not targeted). The NSA uses such redundancy to apply the optimal authority to a data point. With metadata, for example, it trained analysts to use SPCMA rather than PATRIOT authorities because they could disseminate it more easily and for more purposes. With content, NSA appears to default to PRISM where available, probably to bury the far more creative collection under EO 12333 for the same data, and also because that data comes in structured form.

Also not widely understood: the NSA can query across metadata types, returning both Internet and phone connection in the same query (which is probably all the more important now given how mobile phones collapse the distinction between telephony and Internet).

This post described how this worked with the metadata dragnets.

The Purpose(s) of the Dragnet, Revisited

The government likes to pretend it uses its dragnet only to find terrorists. But it does far more, as this analysis of some court filings lays out.

2014

The Corporate Store: Where NSA Goes to Shop Your Content and Your Lifestyle

There’s something poorly understood about the metadata dragnets NSA conducts. The contact-chaining isn’t the point. Rather, the contact-chaining serves as a kind of nomination process that puts individuals’ selectors, indefinitely, into the “corporate store,” where your identity can start attracting other related datapoints like a magnet. The contact-chaining is just a way of identifying which people are sufficiently interesting to submit them to that constant, ongoing data collection.

SPCMA: The Other NSA Dragnet Sucking In Americans

I’ve done a lot of work on SPCMA — the authorization that, starting in 2008, permitted the NSA to contact chain on and through Americans with EO 12333 data, which was one key building block to restoring access to EO 12333 analysis on Americans that had been partly ended by the hospital confrontation, and which is where much of the metadata analysis affecting Americans has long happened. This was my first comprehensive post on it.

The August 20, 2008 Correlations Opinion

A big part of both FBI and NSA’s surveillance involves correlating identities — basically, tracking all the known identities a person uses on telephony and the Internet (and financially, though we see fewer details of that), so as to be able to pull up all activities in one profile (what Bill Binney once called “dossiers”). It turns out the FISC opinion authorizing such correlations is among the documents the government still refuses to release under FOIA. Even as I was writing the post Snowden was explaining how it works with XKeyscore.

A Yahoo! Lesson for USA Freedom Act: Mission Creep

This is another post I refer back to constantly. It shows that, between the time Yahoo first discussed the kinds of information they’d have to hand over under PRISM in August 2007 and the time they got directives during their challenge, the kinds of information they were asked for expanded into all four of its business areas. This is concrete proof that it’s not just emails that Yahoo and other PRISM providers turn over — it’s also things like searches, location data, stored documents, photos, and cookies.

FISCR Used an Outdated Version of EO 12333 to Rule Protect America Act Legal

Confession: I have an entire chapter of the start of a book on the Yahoo challenge to PRISM. That’s because so much about it embodied the kind of dodgy practices the government has, at the most important times, used with the FISA Court. In this post, I showed that the documents that the government provided the FISCR hid the fact that the then-current versions of the documents had recently been modified. Using the active documents would have shown that Yahoo’s key argument — that the government could change the rules protecting Americans anytime, in secret — was correct.

2015

Is CISA the Upstream Cyber Certificate NSA Wanted But Didn’t Really Get?

Among the posts I wrote on CISA, I noted that because the main upstream 702 providers have a lot of federal business, they’ll “voluntarily” scan on any known cybersecurity signatures as part of protecting the federal government. Effectively, it gives the government the certificate it wanted, but without any of the FISA oversight or sharing restrictions. The government has repeatedly moved collection to new authorities when FISC proved too watchful of its practices.

The FISA Court’s Uncelebrated Good Points

Many civil libertarians are very critical of the FISC. Not me. In this post I point out that it has policed minimization procedures, conducted real First Amendment reviews, taken notice of magistrate decisions and, in some cases, adopted the highest common denominator, and limited dissemination.

How the Government Uses Location Data from Mobile Apps

Following up on a Ron Wyden breadcrumb, I figured out that the government — under both FISA and criminal law — obtain location data from mobile apps. While the government still has to adhere to the collection standard in any given jurisdiction, obtaining the data gives the government enhanced location data tied to social media, which can implicate associates of targets as well as the target himself.

The NSA (Said It) Ate Its Illegal Domestic Content Homework before Having to Turn It in to John Bates

I’m close to being able to show that even after John Bates reauthorized the Internet metadata dragnet in 2010, it remained out of compliance (meaning NSA was always violating FISA in obtaining Internet metadata from 2002 to 2011, with a brief lapse). That case was significantly bolstered when it became clear NSA hastily replaced the Internet dragnet with obtaining metadata from upstream collection after the October 2011 upstream opinion. NSA hid the evidence of problems on intake from its IG.

FBI Asks for at Least Eight Correlations with a Single NSL

As part of my ongoing effort to catalog the collection and impact of correlations, I showed that the NSL Nick Merrill started fighting in 2004 asked for eight different kinds of correlations before even asking for location data. Ultimately, it’s these correlations as much as any specific call records that the government appears to be obtaining with NSLs.

2016

What We Know about the Section 215 Phone Dragnet and Location Data

During the lead-up to the USA Freedom Debate, the government leaked stories about receiving a fraction of US phone records, reportedly because of location concerns. The leaks were ridiculously misleading, in part because they ignored that the US got redundant collection of many of exactly the same calls they were looking for from EO 12333 collection. Yet in spite of these leaks, the few figured out that the need to be able to force Verizon and other cell carriers to strip location data was a far bigger reason to pass USAF than anything Snowden had done. This post laid out what was known about location data and the phone dragnet.

While It Is Reauthorizing FISA Amendments Act, Congress Should Reform Section 704

When Congress passed FISA Amendments Act, it made a show of providing protections to Americans overseas. One authority, Section 703, was for spying on people overseas with help of US providers, and another was for spying on Americans overseas without that help. By May 2016, I had spent some time laying out that only the second, which has less FISC oversight, was used. And I was seeing problems with its use in reporting. So I suggested maybe Congress should look into that?

It turns out that at precisely that moment, NSA was wildly scrambling to get a hold on its 704 collection, having had an IG report earlier in the year showing they couldn’t audit it, find it all, or keep it within legal boundaries. This would be the source of the delay in the 702 reauthorization in 2016, which led to the prohibition on about searches.

The Yahoo Scan: On Facilities and FISA

The discussion last year of a scan the government asked Yahoo to do of all of its users was muddled because so few people, even within the privacy community, understand how broadly the NSA has interpreted the term “selector” or “facility” that it can target for collection. The confusion remains to this day, as some in the privacy community claim HPSCI’s use of facility based language in its 702 reauthorization bill reflects new practice. This post attempts to explain what we knew about the terms in 2016 (though the various 702 reauthorization bills have offered some new clarity about the distinctions between the language the government uses).

2017

Ron Wyden’s History of Bogus Excuses for Not Counting 702 US Person Collection

Ron Wyden has been asking for a count of how many Americans get swept up under 702 for years. The IC has been inventing bogus explanations for why they can’t do that for years. This post chronicles that process and explains why the debate is so important.

The Kelihos Pen Register: Codifying an Expansive Definition of DRAS?

When DOJ used its new Rule 41 hacking warrant against the Kelihos botnet this year, most of the attention focused on that first-known usage. But I was at least as interested in the accompanying Pen Register order, which I believe may serve to codify an expansion of the dialing, routing, addressing, and signaling information the government can obtain with a PRTT. A similar codification of an expansion exists in the HJC and Lee-Leahy bills reauthorizing 702.

The Problems with Rosemary Collyer’s Shitty Upstream 702 Opinion

The title speaks for itself. I don’t even consider Rosemary Collyer’s 2017 approval of 702 certificates her worst FISA opinion ever. But it is part of the reason why I consider her the worst FISC judge.

It Is False that Downstream 702 Collection Consists Only of To and From Communications

I pointed out a number of things not raised in a panel on 702, not least that the authorization of EO 12333 sharing this year probably replaces some of the “about” collection function. Most of all, though, I reminded that in spite of what often gets claimed, PRISM is far more than just communications to and from a target.

UNITEDRAKE and Hacking under FISA Orders

A document leaked by Shadow Brokers reveals a bit about how NSA uses hacking on FISA targets. Perhaps most alarmingly, the same tools that conduct such hacks can be used to impersonate a user. While that might be very useful for collection purposes, it also invites very serious abuse that might create a really nasty poisonous tree.

A Better Example of Article III FISA Oversight: Reaz Qadir Khan

In response to Glenn Gerstell’s claims that Article III courts have exercised oversight by approving FISA practices (though the reality on back door searches is not so cut and dry), I point to the case of Reaz Qadir Khan where, as Michael Mosman (who happens to serve on FISC) moved towards providing a CIPA review for surveillance techniques, Khan got a plea deal.

The NSA’s 5-Page Entirely Redacted Definition of Metadata

In 2010, John Bates redefined metadata. That five page entirely redacted definition became codified in 2011. Yet even as Congress moves to reauthorize 702, we don’t know what’s included in that definition (note: location would be included).

FISA and the Space-Time Continuum

This post talks about how NSA uses its various authorities to get around geographical and time restrictions on its spying.

The Senate Intelligence Committee 702 Bill Is a Domestic Spying Bill

This is one of the most important posts on FISA I’ve ever written. It explains how in 2014, to close an intelligence gap, the NSA got an exception to the rule it has to detask from a facility as soon as it identifies Americans using the facility. The government uses it to collect on Tor and, probably VPN, data. Because the government can keep entirely domestic communications that the DIRNSA has deemed evidence of a crime, the exception means that 702 has become a domestic spying authority for use with a broad range of crimes, not to mention anything the Attorney General deems a threat to national security.

“Hype:” How FBI Decided Searching 702 Content Was the Least Intrusive Means

In a response to a rare good faith defense of FBI’s back door searches, I pointed out that the FBI is obliged to consider the least intrusive means of investigation. Yet, even while it admits that accessing content like that obtained via 702 is extremely intrusive, it nevertheless uses the technique routinely at the assessment level.

Other Key Posts Threads

10 Years of emptywheel: Key Non-Surveillance Posts 2008-2010

10 Years of emptywheel: Key Non-Surveillance Posts 2011-2012

10 Years of emptywheel: Key Non-Surveillance Posts 2013-2015

10 Years of emptywheel: Key Non-Surveillance Posts 2016-2017

10 Years of emptywheel: Jim’s Dimestore

The Curious Timing of FBI’s Back Door Searches

The very first thing I remarked on when I read the Yahoo FISCR opinion when it was first released in 2009 was this passage.

The petitioner’s concern with incidental collections is overblown. It is settled beyond peradventure that incidental collections occurring as a result of constitutionally permissible acquisitions do not render those acquisitions unlawful.9 See, e.g., United States v. Kahn, 415 U.S. 143, 157-58 (1974); United States v. Schwartz, 535 F.2d 160, 164 (2d Cir. 1976). The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26 in original release; 30 in current release)

The government claimed to FISCR that it did not maintain a database of incidentally collected information from non-targeted US persons.

Barring some kind of neat parse, I didn’t buy the claim, not even in 2009.

Since then, we’ve found out that — barring some kind of neat parse — I was absolutely right. In fact, they are doing back door searches on this data, especially at FBI.

What I’m particularly intrigued by, now, is the timing.

FISCR said that in an opinion dated August 22, 2008 — over a month after the July 10, 2008 passage of the FISA Amendments Act. I have not yet found evidence of when the government said that to FISCR. It doesn’t appear in the unredacted part of their Jun 5, 2008 Merits brief (which cites Kahn but not Schwartz; see 49-50), though it might appear behind the redaction on 41. Of note, the April 25, 2008 FISC opinion doesn’t even mention the issue in its incidental collection discussion (starting at 95), though it does discuss amended certifications filed in February 2008.

So I’m guessing the government made that representation at the hearing in June, 2008.

We know, from John Bates’ rationale for authorizing NSA and CIA back door searches, such back door searches were first added to FBI minimization procedures in 2008.

When Bates approved back door searches in his October 3, 2011 opinion, he pointed to FBI’s earlier (and broader) authorities to justify approving it for NSA and CIA. While the mention of FBI is redacted here, at that point it was the only other agency whose minimization procedures had to be approved by FISC, and FBI is the agency that applies for traditional FISA warrants.

[redacted] contain an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information. See [redacted]. In granting [redacted] applications for electronic surveillance or physical search since 2008, including applications targeting United States persons and persons in the United States, the Court has found that the [redacted] meet the definitions of minimization procedures at 50 U.S.C. §§ 1801(h) and 1821(4). It follows that the substantially-similar querying provision found at Section 3(b)(5) of the amended NSA minimization procedures should not be problematic in a collection that is focused on non-United States persons located outside the United States and that, in aggregate, is less likely to result in the acquisition of nonpublic information regarding non-consenting United States persons.

So since 2008, FBI has had the ability to do back door searches on all the FISA-authorized data they get, including taps targeting US persons.

The FBI Minimization procedures submitted with the case all date to the 1990s, though a 2006 amendment changing how they logged the identities of US persons collected (note, in 2011, John Bates was bitching at FBI for having ignored an order to reissue all its minimization procedures with updates; I can see why he complained).

As described in the Government’s response of June 16, 2006, identities of U.S. persons that have not been logged are often maintained in FBI databases that contain unminimized information. The procedures now simply refer to “the identities” of U.S. persons, acknowledging that the FBI may not have previously logged such identities.

But there’s reason to believe the FBI minimization procedures — and this logging process — was changed in 2008, because a government document submitted in the Basaaly Moalin case — we know Moalin was wiretapped from December 2007 to April 2008, so during precisely the period of the Yahoo challenge, though he was not indicted until much later — referenced two sets of minimization procedures, seeming to reflect a change in minimization during the period of his surveillance (or perhaps during the period of surveillance of Aden Ayro, which is how Moalin is believed to have been identified).

That is, it all seems to have been happening in 2008.

The most charitable guess would be that explicit authorization for back door searches happened with the FAA, so before the FISCR ruling, but after the briefing.

Except in a letter to Russ Feingold during early debates  on the FAA, Mike Mukasey and Mike McConnell (the latter of whom was involved in this Yahoo fight) strongly shot down a Feingold amendment that would have required the government to segregate all communications not related to terrorism (and a few other things), and requiring a FISA warrant to access them.

The Mukasey-McConnell attack on segregation is most telling. They complain that the amendment makes a distinction between different kinds of foreign intelligence (one exception to the segregation requirement in the amendment is for “concerns international terrorist activities directed against the United States, or activities in preparation therefor”), even while they claim it would “diminish our ability swiftly to monitor a communication from a foreign terrorist overseas to a person in the United States.” In other words, the complain that one of the only exceptions is for communications relating terrorism, but then say this will prevent them from getting communications pertaining to terrorism.

Then it launches into a tirade that lacks any specifics:

It would have a devastating impact on foreign intelligence surveillance operations; it is unsound as a matter of policy; its provisions would be inordinately difficult to implement; and thus it is unacceptable.

As Feingold already pointed out, the government has segregated the information they collected under PAA–they’re already doing this. But to justify keeping US person information lumped in with foreign person information, they offer no affirmative reason to do so, but only say it’s too difficult and so they refuse to do it.

Even 5 years ago, the language about the “devastating impact” segregating non-terrorism data might have strongly suggested the entire point of this collection was to provide for back door searches.

But that letter was dated February 5, 2008, before the FISCR challenge had even begun. While not definitive, this seems to strongly suggest, at least, that the government planned — even if it hadn’t amended the FBI minimization procedures yet — to retain a database of incidentally data to search on, before the government told FISCR they did not.

Update: I forgot a very important detail. In a hearing this year, Ron Wyden revealed that NSA’s authority to do back door searches had been closed some time during the Bush Administration, before it was reopened by John “Bates stamp” Bates.

Let me start by talking about the fact that the House bill does not ban warrantless searches for Americans’ emails. And here, particularly, I want to get into this with you, Mr. Ledgett if I might. We’re talking of course about the backdoor search loophole, section 702 of the FISA statute. This allows NSA in effect to look through this giant pile of communications that are collected under 702 and deliberately conduct warrantless searches for the communications of individual Americans.  This loophole was closed during the Bush Administration, but it was reopened in 2011, and a few months ago the Director of National Intelligence acknowledged in a letter to me that the searches are ongoing today. [my emphasis]

When I noted that Wyden had said this, I guessed that the government had shut down back door searches in the transition from PAA to FAA, but that seems less likely, having begun to review these Yahoo documents, then that it got shut down in response to the hospital confrontation.

But it shows that more extensive back door searches had been in place before the government implied to the FISCR that they weren’t doing back door searches that they clearly were at least contemplating at that point. I’d really like to understand how the government believes they didn’t lie to the FISCR in that comment (though it wouldn’t be the last time they lied to courts about their databases of Americans).

New & Improved USA Freedumb Act, with Twice the Contractors Compensated

Somewhere Booz Allen Hamilton Vice Chairman (and former NSA Director) Mike McConnell just said, “Ka-Ching.”

As I noted, the initial manager’s amendment of HR 3361 (AKA USA Freedumb Act) added compensation language to Section 215 that didn’t originally exist.

(j) COMPENSATION.—The Government shall compensate, at the prevailing rate, a person for producing tangible things or providing information, facilities, or assistance in accordance with an order issued or an emergency production required under this section.

In this latest iteration, the compensation has been expanded beyond just the telecoms to anyone else who assists.

(j) COMPENSATION.—The Government shall compensate a person for reasonable expenses incurred for—

(1) producing tangible things or providing information, facilities, or assistance in accordance with an order issued with respect to an application described in subsection (b)(2)(C) or an emergency production under subsection (i) that, to comply with subsection (i)(1)(D), requires an application described in subsection (b)(2)(C); or

(2) otherwise providing technical assistance to the Government under this section or to implement the amendments made to this section by the USA FREEDOM Act.

There’s reason to believe that contractors (AKA Booz!) does some of the triage work on the data currently. So one solution to that problem might be to move those Booz contractors — with their access directly to the raw data of Americans — over to Verizon and AT&T.

Because why shouldn’t NSA contractors be in bed together, wallowing in all your raw data.

Glad to see this bill is improving Intelligence Contractors bottom line, even if it doesn’t improve the dragnet.

2008’s New and Improved EO 12333: Sharing SIGINT

As part of my ongoing focus on Executive Order 12333, I’ve been reviewing how the Bush Administration changed the EO when, shortly after the passage of the FISA Amendments Act, on July 30, 2008, they rolled out a new version of the order, with little consultation with Congress. Here’s the original version Ronald Reagan issued in 1981, here’s the EO making the changes, here’s how the new and improved version from 2008 reads with the changes.

While the most significant changes in the EO were — and were billed to be — the elaboration of the increased role for the Director of National Intelligence (who was then revolving door Booz executive Mike McConnell), there are actually several changes that affected NSA.

Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.

The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,

In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.

In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.

Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.

In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.

And a more subtle change goes even further. Section 2.5 of the EO delegates authority to the AG to “approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required if undertaken for law enforcement purposes.” In both the original and the revised EO, that delegation must be done within the scope of FISA (or FISA as amended, in the revision). But in 1981, FISA surveillance had to be “conducted in accordance with that Act [FISA], as well as this Order,” meaning that the limits on US person collection and dissemination from the EO applied, on top of any limits imposed by FISA. The 2008 EO dropped the last clause, meaning that such surveillance only has to comply with FISA, and not with other limits in the EO.

That’s significant because there are at least three things built into known FISA minimization procedures — the retention of US person data to protect property as well as life and body, the indefinite retention of encrypted communications, and the broader retention of “technical data base information” — that does not appear to be permitted under the EO’s more general guidelines but, with this provision, would be permitted (and, absent Edward Snowden, would also be hidden from public view in minimization procedures no one would ever get to see).

Read more

About that May 2007 FISC Opinion

Update, March 11: Docket 07-449 is not an Internet dragnet one (those all have a PR/TT preface). This is one of the bulk collection programs approved in early 2007.

The other day, I pointed to a passage from the October 3, 2011 John Bates opinion,

The Court has effectively concluded that certain communications containing a reference to a targeted selector are reasonably likely to contain foreign intelligence information, including communications between non-target accounts that contain the name of the targeted facility in the body of the message. See Docket No. 07-449, May 31, 2007 Primary Order at 12 (finding probable cause to believe that certain “about” communications were “themselves being sent and/or received by one of the targeted foreign powers”). Insofar as the discrete, wholly domestic “about” communications at issue here are communications between non-target accounts that contain the name of the targeted facility, the same conclusion applies to them.

And suggested the May 31, 2007 order in question was probably the Primary Order for the Internet Dragnet program.

Given the description, it likely was a primary order for the purportedly defunct Internet dragnet program; if so, it would represent the application of an opinion about metadata to collection including content.

Timewise, that might make sense. Colleen Kollar-Kotelly signed the first Pen Register/Trap & Trace order for Internet metadata on July 14, 2004. Accounting for some margin of error in reapplications and the 5 days earlier 90-day authorizations would be each year, a May 31 order 3 years after that first order is not far off what you’d expect.

But the description of the opinion — which pertains to messages identified because they contain information “about” a target — seems to refer to content, not metadata (though packets would blur this issue).

The Court has effectively concluded that certain communications containing a reference to a targeted selector are reasonably likely to contain foreign intelligence information, including communications between non-target accounts that contain the name of the targeted facility in the body of the message. See Docket No. 07-449, May 31, 2007 Primary Order at 12 (finding probable cause to believe that certain “about” communications were “themselves being sent and/or received by one of the targeted foreign powers”).

Moreover, this order would have been issued during the period when two FISC orders allowed the collection of content. And those orders — as the 2009 Draft NSA IG Report explains — formalized the claim that a targeted “facility” could consist of a switch carrying general traffic rather than a specific phone number or IP address.

Ultimately, DoJ decided to pursue a FISC order for content collection wherein the traditional FISA definition of a “facility” as a specific telephone number or email address was changed to encompass the gateway or cable head that foreign targets use for communications. Read more

Article II Is Article II: EO 12333 and Protect America Act, FISA Amendments Act, and FISC

I’m reading a very old SSCI hearing on FISA today — from May 1, 2007, when then Director of National Intelligence Mike McConnell initiated the push for the Protect America Act.

Given recent revelations that NSA continues to conduct some collection under EO 12333 — including the address books of people all over the world, including Americans — I thought this part of the hearing might amuse some of you.

SEN. FEINGOLD: I thank the witnesses for testifying today. Can each of you assure the American people that there is not — and this relates to what — the subject Senator Wyden was just discussing — that there is not and will not be any more surveillance in which the FISA process is side-stepped based on arguments that the president has independent authority under Article II or the authorization of the use of military force?

MR. McCONNELL: Sir, the president’s authority under Article II is – – are in the Constitution. So if the president chose to exercise Article II authority, that would be the president’s call. What we’re attempting to do here with this legislation is to put the process under appropriate law so that it’s conducted appropriately to do two things — protect privacy of Americans on one hand, and conduct foreign surveillance on the other.

SEN. FEINGOLD: My understanding of your answer to Senator Wyden’s last question was that there is no such activity going on at this point. In other words, whatever is happening is being done within the context of the FISA statute.

MR. McCONNELL: That’s correct.

SEN. FEINGOLD: Are there any plans to do any surveillance independent of the FISA statute relating to this subject?

MR. McCONNELL: None that — none that we are formulating or thinking about currently. But I’d just highlight, Article II is Article II, so in a different circumstance, I can’t speak for the president what he might decide.

SEN. FEINGOLD: Well, Mr. Director, Article II is Article II, and that’s all it is. Read more

The Irony of Booz Vice Chair Mike McConnell’s Timing

Please support this kind of weedy journalism

I’m in the process of going really deep in the weeds on this Section 215 stuff, just adjusting my earlier timelines.

Several of us have noted the curious timing of the discovery of the problems with Section 215 dragnet. November 2, 2008 was the stated high number of identifiers which the NSA could contact chain, at 27,090 (though when NSA started cleaning this stuff up they only audited back through November 1, 2008).

On December 10, 2008, two analysts (whom I wildarseguess suspect were actually FBI Agents) start doing searches on unapproved identifiers, doing 280 over the next month and a half.

On December 11 and 12, 2008, Reggie Walton wrote the first systematic opinion on this program and approved a new Primary Order.

On December 15, 2008, the NSA stopped one of its abusive alert system processes.

On January 9, 2009, NSA told folks at DOJ’s National Security Division about them.

By January 15, 2009, NSA had seemingly purged thousands of identifiers from its alert list, because on that day (five days before the inauguration) it had only 17,835, down from 27,090 two days before Obama was elected.

January 20, 2009: Obama took the oath as President, replacing George Bush.

That, of course, led to change at key positions. One which I find remarkably interesting, however was that of Mike McConnell, who had spent two years as Director of National Intelligence (just long enough to get immunity for those who did all this illegally under Cheney’s program). McConnell left on January 27, 2009, leading to a delay on (reported) DNI involvement in this until his replacement Dennis Blair came in on January 29. Blair was briefed on this on his second day in office, January 30, 2009.

I don’t know — because the documents don’t say (see, especially, Keith Alexander’s chart on page 25 of his declaration that is totally non-responsive about anyone in DNI who would have known about these problems)– how much the revolving Intelligence Contractor Exec McConnell knew about NSA’s extension of the illegal Cheney program, illegally, under the FISC sanctioned Section 215 order.

But remember: as Vice Chair of Booz, Mike McConnell was (sort of) Edward Snowden’s boss until the latter absconded with proof of these gross violations under McConnell’s tenure at DNI.

Among other things, this rough outline suggests this wasn’t so much a “discovery” of violations, it was an attempt to hide what at least some people knew were systematic and gross violations of the Section 215 program, just before Obama came in and replaced some of the top players.

But I do find it ironic that McConnell’s company, Booz, played its small part in making all this clear.

NSA Has a Database Problem

Back in 2009 when the government released what we now know is a FISA Court of Review decision ordering Yahoo to cooperate in PRISM, I questioned a passage of the decision that relied on the government’s claim that it doesn’t keep a database of incidentally collected conversations involving US persons.

In this post, I just want to point to a passage that deserves more scrutiny:

The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26)

To translate, if the government collects information from a US citizen (here or abroad), a legal permanent US resident, a predominantly US organization, or a US corporation in the course of collecting information on someone it is specifically targeting, it it claims it does not keep that in a database (I’ll come back and parse this in a second). In other words, if the government has a tap on your local falafel joint because suspected terrorists live off their falafels, and you happen to call in a take out order, it does not that have in a database.

There are reasons to doubt this claim.

In the rest of the post, I showed how a response from Michaels Mukasey and McConnell to Russ Feingold’s efforts to protect US person incidental collection during the FISA Amendments Act had made it clear having access to this incidentally collected data was part of the point, meaning the government’s reassurances to the FISCR must have been delicate dodges in one way or another. (Feingold’s Amendments would have prevented 3 years of Fourth Amendment violative collection, by the way.)

Did the court ask only about a database consisting entirely of incidentally collected information? Did they ask whether the government keeps incidentally collected information in its existing databases (that is, it doesn’t have a database devoted solely to incidental data, but neither does it pull the incidental data out of its existing database)? Or, as bmaz reminds me below but that I originally omitted, is the government having one or more contractors maintain such a database? Or is the government, rather, using an expansive definition of targeting, suggesting that anyone who buys falafels from the same place that suspected terrorist does then, in turn, becomes targeted?

McConnell and Mukasey’s objections to Feingold’s amendments make sense only in a situation in which all this information gets dumped into a database that is exposed to data mining. So it’s hard to resolve their objections with this claim–as described by the FISA Appeals Court.

Which is part of the reason I’m so intrigued by this passage of John Bates’ October 3, 2011 decision ruling some of NSA’s collection and retention practices violated the Fourth Amendment. In a footnote amending a passage explaining why the retention of entirely US person communications with the permissive minimization procedures the government had proposed is a problem, Bates points back to that earlier comment.

The Court of Review plaining limited its holding regarding incidental collection to the facts before it. See In re Directives at 30 (“On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.” (emphasis added). The dispute in In re Directives involved the acquisition by NSA of discrete to/from communications from an Internet Service Provider, not NSA’s upstream collection of Internet transactions. Accordingly, the Court of Review had occasion to consider NSA’s acquisition of MCTs (or even “about” communications, for that matter). Furthermore, the Court of Review noted that “[t]he government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary.” Id. Here, however, the government proposes measures that will allow NSA to retain non-target United States person information in its databases for at least five years.

Ultimately, Bates’ approval for the government to query on US person identifiers on existing incidentally collected Section 702 material (see pages 22-23) show that he hasn’t really thought through what happens to US person incidental collection; he actually has a shocking (arguably mis-) understanding of how permissive the existing minimization rules are, and therefore how invasive his authorization for searching on incidentally collected information will actually be.

But his complaint with the proposed minimization procedures shows what he believes they should be.

The measures proposed by the government for MCTs, however, largely dispense with the requirement of prompt disposition upon initial review by an analyst. Rather than attempting to identify and segregate information “not relevant to the authorized purpose of the acquisition” or to destroy such information promptly following acquisition, NSA’s proposed handling of MCTs tends to maximize the retention of such information, including information of or concerning United States persons with no direct connection to any target.

As Bates tells it, so long as he’s paying close attention to an issue, the government should ideally destroy any US person data it collects that is not relevant to the authorized purpose of the acquisition. (His suggestion to segregate it actually endorses Russ Feingold’s fix from 2008.)

But the minimization rules clearly allow the government to keep such data (after this opinion, they made an exception only for the multiple communication transactions in question, but not even for the other search identifiers involving entirely domestic communication so long as that’s the only communication in the packet).

All the government has to do, for the vast majority of the data it collects, is say it might have a foreign intelligence or crime or encryption or technical data or threat to property purpose, and it keeps it for 5 years.

In a database.

Back when the FISCR used this language, it allowed the government the dodge that, so long as it didn’t have a database dedicated to solely US person communications incidentally, it was all good. But the language Bates used should make all the US person information sitting in databases for 5 year periods (which Bates seems not to understand) problematic.

Not least, the phone dragnet database, which — after all — includes the records of 310 million people even while only 12 people’s data has proved useful in thwarting terrorist plots.

Update: Fixed the last sentence to describe what the Section 215 dragnet has yielded so far.

The Sabotage Attack on the Syrian Coalition

The NYT reportsadding to an earlier WaPo story — that hackers have attempted to sabotage a bunch of US energy companies.

A new wave of cyberattacks is striking American corporations, prompting warnings from federal officials, including a vague one issued last week by the Department of Homeland Security. This time, officials say, the attackers’ aim is not espionage but sabotage, and the source seems to be somewhere in the Middle East.

It ties these attacks to earlier attacks, claimed to have been launched by Iran, against ARAMCO and Qatar’s RasGas.

Two senior officials who have been briefed on the new intrusions say they were aimed largely at the administrative systems of about 10 major American energy firms, which they would not name. That is similar to what happened to Saudi Aramco, where a computer virus wiped data from office computers, but never succeeded in making the leap to the industrial control systems that run oil production.

[snip]

At Saudi Aramco, the virus replaced company data on thousands of computers with an image of a burning American flag. The attack prompted the defense secretary at the time, Leon E. Panetta, to warn of an impending “cyber 9/11” if the United States did not respond more efficiently to attacks. American officials have since concluded the attack and a subsequent one at RasGas, the Qatari energy company, were the work of Iranian hackers. Israeli officials, who follow Iran closely, said in interviews this month that they thought the attacks were the work of Iran’s new “cybercorps,” organized after the cyberattacks that affected their nuclear facilities.

Saudi Aramco said that while the attackers had attempted to penetrate its oil production systems, they had failed because the company maintained a separation between employees’ administrative computers and the computers used to control and monitor production. RasGas said the attack on its computers had failed for the same reason.

And while the adoption of earlier sabotage approach used with ARAMCO and RasGas infrastructure to US energy producers does not mean all members of the coalition to topple Bashar al-Assad have been attacked by an entity insinuated to be Iran (unless the European parters’ energy companies have been attacked and we just don’t know about it). But this attack does seem to be an assault on the coalition trying to undercut Iran by taking down its client regime in Syria.

Which has me wondering whether this is an Iranian attack — revenge, if you will, for StuxNet, serves the US right. Or if it’s an attack launched by a coalition, possibly including Russia.

I also wonder whether the point of the sabotage isn’t on the information side of the equation, rather than the operational one.

In other news, remember how former NSA head and all-around cyberwar profiteer Mike McConnell declared digital 9/11 warning based on the ARAMCO attack and some crude DNS attacks on banks here in the US? Guess who has become a player in Saudi (and Gulf generally) cybersecurity?

During this event, Booz Allen Hamilton leadership shared their insights on global cyber security practices and the importance of a cross-border cooperative approach to protecting critical infrastructure in the Gulf.

Commenting at the event, McConnell said, “The GCC states have become global hubs in finance. However, this growth introduces increased cyber security risks by threat actors who target this region for monetary or political gain. GCC states have already experienced significant cybercrime in the recent past, it is now more important than ever to ensure that these are not repeated.”

He also added, “Financial institutions are a prime target for cyber criminals, and as a result, they need to focus on staying ahead of cyber threats by developing the right human capital, developing appropriate training programmes and retaining the right skills and technology to properly access and protect corporate data.”

Booz Allen Hamilton was recently registered by the Kingdom of Saudi Arabia Ministry of Commerce and Industry to pursue business opportunities in the Kingdom in support of domestic economic diversification. The firm will provide services to government and commercial clients on critical issues related to the Kingdom’s development, most notably in the areas of cyber security, information technology, financial services and other selected infrastructure. [my emphasis]

I’m guessing BAH’s work in KSA has a lot to do with the expanded Technical Cooperation Agreement signed with the US in January, which added a cyber component onto the previous effort to create a 35,000 person security force Mohammed bin Nayef could use to protect the kingdom’s oil infrastructure.

So if you’re bummed that BAH gets to troll American networks with abandon, rest assured that it will now be doing so in Saudi Arabia, too.

Cyber-9/11 Warning!! … Screams Man Making Huge Profit Off Such Screams

The FT reports (and CNET repeats almost in its entirety) that former Director of National Intelligence Mike McConnell says we have had our 9/11 warning and we risk the cyber equivalent of a World Trade Center attack unless “urgent action” is taken.

A former US intelligence chief says the west has had its “9/11 warning” on cybersecurity and warns that unless urgent action is taken, the US faces “the cyber equivalent of the World Trade Center attack”.

According to John “Mike” McConnell, such an attack would bring the country’s banking system, power grid and other essential infrastructure to their knees.

Mind you, McConnell doesn’t appear to be talking about a real warning–the kind of intelligence that set George Tenet’s hair on fire in 2001. Rather, he says the recent attacks on Saudi Aramco and some banks’ internet interfaces constitutes that warning.

Sustained cyber attacks targeting the websites of a dozen major US banks including Wells Fargo, JPMorgan Chase and Bank of America, coupled with an earlier attack on Saudi Aramco, which erased data on two-thirds of the Saudi oil company’s corporate PCs, were examples of the growing threat.

McConnell apparently would have us believe that some crude DNS attacks on banks and an infiltrator’s attack on Saudi oil business (not production) computers is a hair on fire warning.

Leon Panetta made similarly unconvincing claims back in October.

Nevertheless, the FT presented McConnell’s warning without providing readers a few important details. First, here’s how they describe the background that qualifies McConnell to issue such warnings.

Mr McConnell, who served as director of the National Security Agency under President Bill Clinton and then as director of national intelligence under President George W. Bush and President Barack Obama, believes those corporate attacks should be treated as a further “wake-up call” to politicians and business leaders in the west.

Here’s the very important detail they left out.

Mike McConnell is Vice Chairman of Booz Allen Hamilton, where his primary roles include serving on the firm’s Leadership Team and leading Booz Allen’s rapidly expanding cyber business.

It is McConnell’s job to make the cyber threat seem as dangerous as possible so his employer can get rich by charging the government an arm and a leg to take “urgent action.” While I’m not sure where the emails are available anymore, one of the amusing features of the HB Gary emails liberated by Anonymous is Mike McConnelll licking his chops as he identified new purported threats to build business around.

More amusing still is this:

Mr McConnell said such an attack could see a country like Iran work with Russian criminals or Chinese hackers to target banks, the power grid and the computers that control routing and ticketing for planes and trains.

[snip]

Mr McConnell said he doubted whether Iran or a terrorist group could undertake such a devastating assault at the moment but added that it is only a matter of time before the sophisticated tools needed fall into the wrong hands.

The government (and, apparently McConnell himself) believes Iran launched the attacks on Aramco and the banks. But as McConnell suggests, Iran couldn’t carry out a real 9/11 cyber-attack by itself: it’d have to have the help of Russian criminals or Chinese hackers to pull off a really serious attack.

Because, you see, cyberattacks aren’t as easy as McConnell’s fear-mongering suggests.

But note the scenario he envisions: “the sophisticated tools” needed for a cyber attack would “fall into the wrong hands” and enable such an attack.

Mike McConnell was Director of National Intelligence from 2007 to 2009. During his tenure, the StuxNet project moved from intelligence-gathering to testing to implementation. It is inconceivable the DNI, the former head of NSA, and former executive of BAH would be out of the loop on that operation.

In other words, McConnell is almost certainly one of the people involved in the decision to unleash these sophisticated tools in the first place. And now he’s screaming about the dangers he unleashed for profit.

It’s a very neat system our Military Intelligence Industrial Complex has created.