
USA Freedumb Act: The Timing

A number of people have expressed appreciation for this analysis: if you find this useful, please consider donating to support my work. 

I’m going to do a series of more finished posts on the “compromised” version of Jim Sensenbrenner’s USA Freedom Act, which I hereby dub the USA Freedumb Act (thanks to Fake John Schindler for the suggestion), because so many of the reforms have been gutted. Here’s the initially proposed bill. Here’s my working thread on USA Freedumb.

You will hear a great many respectable people making positive comments about this bill, comments they normally would not make. That’s because of the carefully crafted timing.

As you recall, Mike Rogers originally got the House Parliamentarian to rule that the bill could go through the House Intelligence Committee. And his bill, which I affectionately call “RuppRoge” after Rogers and Dutch Ruppersberger and Scooby Doo’s “Rut Roh” phrase, is genuinely shitty. Not only does it put the NSA onsite at providers and extend call records collection beyond terrorism applications, but it also extends such collection beyond call records generally. It is likely an attempt to get the US back into the Internet dragnet business. Shitty bill.

That said, in key ways RuppRoge is very similar to USA Freedumb. Both “limit” bulk collection by limiting collection to selectors (Freedumb does so across the board, including for NSLs, whereas RuppRoge does so for sensitive Business Records, call records, and Internet metadata). Both propose a similarly (IMO) flimsy FISC advocate. Both propose laughably weak FISC transparency measures. Both will include compensation and immunity for providers they don’t currently have.

Aside from three areas where RuppRoge is better — it forces agencies to update their EO 12333 proposals, doesn’t extend the PATRIOT Act, and provides a (not very useful) way to challenge certificates, all the way up to SCOTUS — and three where it is far worse — it develops more Insider Threat measures, it applies for uses beyond terrorism and beyond call records, and doesn’t include new (but now circumscribed) IG reporting  — they’re not all that different. [Correction: USA Freedumb ALSO applies beyond terrorism.]

They’re differently shitty, but both are pretty shitty.

The reason why otherwise respectable people are welcoming the shitty Freedumb bill, however, is that it gives the House Judiciary Committee — with a number of real reformers on it — first pass on this bill. It’s a jurisdictional issue. It puts the jurisdiction for surveillance bills back where it belongs, at the Judiciary Committee.

Oh, by the way, one of the more extensive (in terms of text) real changes in Freedumb is it finally includes the House Judiciary Committee, along with the House and Senate Intelligence Committees and Senate Judiciary Committee, among the committees that get certain kinds of reporting. Jurisdiction. (No, I can’t explain to you why it wasn’t included in the first place in 2008, and no, I can’t explain why that detail is not better known.) It gives everyone on HJC a tiny reason to support the bill, because they’ll finally get the reporting they should have gotten in 2008.

The House Intelligence Committee will consider RuppRoge the day after HJC considers Freedumb, Thursday. Which has elicited hasty (overly hasty, IMO) statements of support for Freedumb, as a way to head off the shitty RuppRoge.

Effectively, the National Security State has managed to put two differently shitty bills before Congress and forced reformers to choose. Freedumb is the better (as in less horrible) bill, and it might get better in Committee. But it’s not a runaway call. And the haste has prevented anyone from really figuring out what a central change to both programs means, which limits collection to selectors, which could be defined in very broad terms (and about which — you’ll have to take my word for now — the NSA has lied in public comments).

One more timing issue that I suspect explains the sudden activity surrounding “reform.” The Privacy and Civil Liberties Oversight Board is due to release a report on Section 702 in the next month or so (its comment period for the report closed on April 11). Given the comments of David Medine, James Dempsey, and Patricia Wald at hearings, I strongly suspect PCLOB will recommend reforms — at least — to back door searches, and possibly to upstream collection. Both are items which were gutted as USA Freedom became Freedumb. (In addition, two aspects that would have expanded PCLOB’s authorities — giving it a role in picking the FISC advocate and giving it subpoena power — have been removed.) So in the same way that President Obama rushed to reaffirm NSA’s unified structure, in which the Information Assurance Division and Cybercommand functions are unified with the more general NSA spying function, before his handpicked Review Group recommended they be split, this seems to be a rush to pre-empt any recommendations PCLOB makes.

Ultimately, these two shitty bills are destined to be merged in conference anyway, and reformers seem to have given up 75% of the field before we get started.

Which means just about the only “reform” we’ll get are actually tactical fixes to help the Security State deal with legal and technical issues they’ve been struggling with.

The USA Freedumb Act has become — with DiFi’s Fake FISA Fix and RuppRoge before it — the third fake reform since Edward Snowden’s leaks first got published. Wearing down the reformers seems to be working.

More Clarity and Lack Thereof in the Obama Dragnet Reform

A Senior Administration Official has clarified two remaining questions I had about the President’s plan to reform the dragnet.

First and very importantly, the conference call left unclear (and most subsequent reporting often didn’t directly address) whether Obama’s plan would apply just to counterterrorism purposes (as the current phone dragnet does) or more broadly (as the House Intelligence Committee RuppRoge proposal does). But SAO is clear: Obama’s plan focuses on specific terrorist groups.

The existing program only allows for queries of numbers associated with specified terrorist groups. Our operational focus is to make sure we preserve that counterterrorism authority in any new legislation. We will continue consulting with Congress on these issues.

This, then, is another way in which the President’s plan is significantly better than the RuppRoge plan — that it sets out to only cover CT, whereas RuppRoge sets out to cover foreign intelligence purposes broadly. Though that “consult with Congress” bit seems to allow the possibility that the White House will move towards broader use for the query system.

I also wondered — particularly given Verizon’s quick statement arguing it should not have to perform analysis for the government — who would do the data integrity analysis required to narrow the query results to those genuinely in contact with a selector, rather than ordering from the same pizza joint. Here, SAO was less clear, in part, punting the issue to Congress and “stakeholders” like Verizon.

Under the President’s proposal, the government would seek court orders compelling the companies to provide technical assistance to ensure the information can be queried, to run the queries, and to give the records back to the government in a usable format and on a timely basis. As additional questions arise with respect to the proposal, we look forward to working through them with Congress and relevant stakeholders to craft legislation that embodies the key attributes of this new approach. [my emphasis]

As a reminder, here’s Verizon General Counsel Randal Milch’s full statement:

This week Congressmen Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) released the “End Bulk Collection Act of 2014”, which would end bulk collection of data related to electronic communications. The White House also announced that it is proposing an approach to end bulk collection. We applaud these proposals to end Section 215 bulk collection, but feel that it is critical to get the details of this important effort right. So at this early point in the process, we propose this basic principle that should guide the effort: the reformed collection process should not require companies to store data for longer than, or in formats that differ from, what they already do for business purposes. If Verizon receives a valid request for business records, we will respond in a timely way, but companies should not be required to create, analyze or retain records for reasons other than business purposes. [my emphasis]

Verizon — probably the most important provider for this to work (because AT&T already gives the government what it wants and because it’s got the most upside growth) — doesn’t want to be forced to change the format in which they keep their data, and it doesn’t want to do analysis. But this response seems to say it wants to receive sound query results from Verizon, which would require that analysis first.

RuppRoge, as you’ll recall, offers NSA assistance (presumably including Booz NSA contractors working onsite at Verizon) to providers to do this work. As written, the White House proposal does not.

While this is an obscure issue (I may be the only one writing on it!), it has a direct impact on how many completely innocent Americans get sucked into the NSA and subjected to the full range of its analytical tools. And it seems to be a key point of disagreement between the White House and perhaps the most important telecom provider.

Happy Birthday to Me, Mike Rogers Edition

I’m going to level with you all. Today is my birthday.

And in honor of my birthday, apparently, two of my nemeses will shift their careers. At 3PM, Keith Alexander retires as Director of the NSA.

And in an entirely unexpected announcement, Congressman Mike Rogers announced he will not run for reelection this year.

Happy Birthday to me — and by extension, to all of you!

Now, Mike Rogers’ excuse for retiring — that he’s been offered a national radio show on Cumulus Radio — doesn’t make sense. Less than a year ago, when he decided not to run for Carl Levin’s seat, he said he felt he could still do a lot of good in the House. A key part of that, though, was that unlike other House Committees, the Republicans don’t term limit the Intelligence Committee Chair position (the Democrats don’t term limit anything). So a key reason Rogers gave was that he’d remain HPSCI Chair.

So I can’t help but wonder whether his departure has something to do with his Chairmanship of the Intelligence Community (the original announcement last night from The Hill was that he was resigning the Chairmanship, with the even more horrible Mike Pompeo to take his place, with no mention of him retiring from Congress).

And I honestly wonder whether Rogers got caught revealing information so sensitive that he was told, by the Intelligence Community, to take a hike. Remember that after Richard Shelby leaked news that the NSA had overheard warnings of the 9/11 attack before it happened, he not only stepped down as Ranking Member (he had been Chair) of the Senate Intelligence Committee, he left the Committee entirely. No one ever said that was the reason, but I’ve long assumed that’s what happens when you step over the line of acceptable leaking as a Gang of Four member — you quietly walk away at the end of the term.

Pete Hoekstra leaked very damaging information in his last term as House Intel Chair — that we had a real-time intercept on Anwar al-Awlaki — though he had already announced he was leaving the House to run for Governor.

Mind you, most of the high volume of classified information Mike Rogers leaks, he does so with the blessing of the Intelligence Committee, as Gang of Four members are increasingly expected to serve as cut-outs for the Intelligence Community. Plus, much of what he “leaks” is in fact disinformation. Still, there are a number of stories that reveal NSA intercepts, many placed with conservative journalists, that could very easily have come from him. Some of them have been deemed more immediately damaging than all of Snowden’s leaks. Rogers would be legally protected under the Speech and Debate Clause, but there’d be good reason to remove him from his sensitive position, if he had been discovered to be the source for those stories.

If that happened, I can imagine that facing the prospect of staying in the House without his powerful Intelligence gavel might persuade Rogers he’d rather froth up wingnuts for war on AM radio than while away with much less power in the House. Also, if he compromised intelligence, it’d explain why he’s not moving on to a sinecure with an Intelligence Contractor, as had been floated at different times in the last year or so.

Meanwhile, Rogers’ departure opens up a pretty decent opportunity for Democrats in a district they were otherwise (inexplicably) not going to seriously contest. The Clerk who married the first same sex couple last weekend, Barb Byrum, is among the potential Democratic candidates.

Anyway, at 3PM I shall raise a toast to the departure of Keith Alexander. And hope for better things in MI’s 8th CD.

The Reason Obama Capitulated on the (Phone) Dragnet

This will be a bit of a contrary take on what I believe to be the reasons for President Obama’s capitulation on the dragnet, announcing support today for a plan to outsource the first query in the dragnetting process to the telecoms.

It goes back to the claims — rolled out in February — that the NSA has only been getting 20 to 30% of the call data in the US. Those reports were always silent or sketchy on several items:

  • The claims were always silent that they applied only to Section 215, and did not account for the vast amount of data, including US person cell data, collected under EO 12333.
  • The claims were sketchy about the timing of the claim, especially in light of known collection of cell data in 2010 and 2011, showing that at that point NSA had no legal restrictions on accepting such data.
  • The claims were silent about why, in both sworn court declarations and statements to Congress, Administration officials said the collection (sometimes modified by Section 215, often, especially in court declarations, not) was comprehensive.

Here’s what I think lies behind those claims.

We know that as recently as September 1, 2011, the NSA believed it had the legal authority to collect cell location data under Section 215, because they were doing just that. Congress apparently did not respond well to learning, belatedly, that the government was collecting location data in a secret interpretation of a secret interpretation. Nevertheless, it appears the government still believed it had that authority — though was reevaluating it — on January 31, 2012, when Ron Wyden asked James Clapper about it — invoking the “secret law” we know to be Section 215 — during his yearly grilling of Clapper in the Global Threat hearing.

Wyden: Director Clapper, as you know the Supreme Court ruled last week that it was unconstitutional for federal agents to attach a GPS tracking device to an individual’s car and monitor their movements 24/7 without a warrant. Because the Chair was being very gracious, I want to do this briefly. Can you tell me as of now what you believe this means for the intelligence community, number 1, and 2, would you be willing to commit this morning to giving me an unclassified response with respect to what you believe the law authorizes. This goes to the point that you and I have talked, Sir, about in the past, the question of secret law, I strongly feel that the laws and their interpretations must be public. And then of course the important work that all of you’re doing we very often have to keep that classified in order to protect secrets and the well-being of your capable staff. So just two parts, 1, what you think the law means as of now, and will you commit to giving me an unclassified answer on the point of what you believe the law actually authorizes.

Clapper: Sir, the judgment rendered was, as you stated, was in a law enforcement context. We are now examining, and the lawyers are, what are the potential implications for intelligence, you know, foreign or domestic. So, that reading is of great interest to us. And I’m sure we can share it with you. [looks around for confirmation] One more point I need to make, though. In all of this, we will–we have and will continue to abide by the Fourth Amendment. [my emphasis]

Unsurprisingly, as far as I know, Clapper never gave Wyden an unclassified answer.

Nevertheless, since then the government has come to believe it cannot accept cell data under Section 215. Perhaps in 2012 as part of the review Clapper said was ongoing, the government decided the Jones decision made their collection of the cell location of every cell phone in the US illegal or at least problematic. Maybe, in one of the 7 Primary orders DOJ is still withholding from 2011 to 2013, the FISC decided Jones made it illegal to accept data that included cell location. It may be that a February 24, 2013 FISC opinion — not a primary order but one that significantly reinterpreted Section 215 — did so. Certainly, by July 19, 2013, when Claire Eagan prohibited it explicitly in a primary order, it became illegal for the government to accept cell location data.

That much is clear, though: until at least 2011, DOJ believed accepting cell location under Section 215 was legal. At least by July 19, 2013, FISC made it clear that would not be legal.

That, I believe, is where the problems accepting cell phone data as part of Section 215 come from (though this doesn’t affect EO 12333 data at all, and NSA surely still gets much of what it wants via EO 12333). Theresa Shea has explicitly said in sworn declarations that the NSA only gets existing business records. As William Ockham and Mindrayge have helped me understand, unless a telecom makes its own daily record of all the calls carried on its network — which we know AT&T does in the Hemisphere program, funded by the White House Drug Czar — then the business records the phone company will have are its SS7 routing records. And that’s going to include cell phone records. And those include location data for cell phones.

Now, it may be that the telecoms chose not to scan out this information for the government. It may be that after the program got exposed they chose to do the bare minimum, and the cell restrictions allowed them to limit what they turned over (something similar may have happened with VOIP calls carried across their networks). It may be that Verizon and even AT&T chose to only provide that kind of data via EO 12333 programs that, because they are voluntary, get paid at a much higher rate. In any case, I have very little doubt that NSA got the phone records from Verizon, just not via Section 215.

But I’m increasingly sure the conflict between Section 215’s limit to existing business records and the limits imposed on Section 215 via whatever means was the source of the “problem” that led NSA to only get 30% of phone records [via the Section 215 program, which is different than saying they only got 30% of all records from US calls].

And a key feature of both the President’s sketchy program…

  • the companies would be compelled by court order to provide technical assistance to ensure that the records can be queried and that results are transmitted to the government in a usable format and in a timely manner.

And the RuppRoge Fake Fix…

(h)(1)(A) immediately provide the Government with records, whether existing or created in the future, in the format specified by the Government

[snip]

(h)(2) The Government may provide any information, facilities, or assistance necessary to aid an electronic communications service provider in complying with a directive issued pursuant to paragraph (1).

Is that the government gets to dictate what format they get records in here, which they couldn’t do under Section 215. That means, among other things, they can dictate that the telecoms strip out any location data before it gets to NSA, meaning NSA would remain compliant with whatever secret orders have made the collection of cell location in bulk illegal.

Remember, too, that both of these programs will have an alert feature. In spite of getting an alert system to replace the one deemed illegal in 2009 approved on November 8, 2012, the government has not yet gotten that alert function working for what are described as technical reasons.

The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes. Accordingly, this amendment to the Primary Order authorizes the use of this automated query process for development and testing purposes only. No query results from such testing shall be made available for analytic purposes. Use of this automated query process for analytical purposes requires further order of this Court.

It’s possible that, simply doing the alert on exclusively legally authorized data (as opposed to data mixing EO 12333 and FISC data) solves the technical problems that had stymied NSA from rolling out the alert system they have been trying to replace for 5 years. It’s possible that because NSA was getting its comprehensive coverage of US calls via different authorities, it could not comply with the FISC’s legal limits on the alert system. But we know there will be an alert function if either of these bills are passed.

The point is, here, too, outsourcing the initial query process solves a legal-technical problem the government has been struggling with for years.

The Obama plan is an improvement over the status quo (though I do have grave concerns about its applicability in non-terrorist contexts, and my concerns about what the government does with the data of tens to hundreds of thousands of innocent Americans remain).

But don’t be fooled. Obama’s doing this as much because it’s the easiest way to solve legal and technical problems that have long existed because the government chose to apply a law that was entirely inapt to the function they wanted to use it for.

Shockers! A more privacy protective solution also happens to provide the best technical and legal solution to the problem at hand.

Update: Forgot to add that, assuming I’m right, this will be a pressure point that Members of Congress will know about but we won’t get to talk about. That is, a significant subset of Congress will know that unless they do something drastic, like threatening legal penalties or specifically defunding any dragnetting, the Executive will continue to do this one way or another, whether it’s under a hybrid of Section 215 and EO 12333 collection, or under this new program. That is, it will be a selling point to people like Adam Schiff (who advocated taking the call records out of government hands but who has also backed these proposals) that this could bring all US intelligence collection under the oversight of the FISC (it won’t, really, especially without a very strong exclusivity provision that prohibits using other means, which the Administration will refuse because it would make a lot of what it does overseas illegal). This is the same tension that won the support of moderates during the FISA Amendments Act, a hope to resolve real separation of powers concerns with an imperfect law. So long as the Leahy-Sensenbrenner supporters remain firm on their demands for more reforms, we may be able to make this a less imperfect law. But understand that some members of Congress will view passing this law as a way to impose oversight over a practice (the EO 12333 collection of US phone records) that has none.

Update: Verizon has released this telling statement.

This week Congressmen Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) released the “End Bulk Collection Act of 2014”, which would end bulk collection of data related to electronic communications. The White House also announced that it is proposing an approach to end bulk collection. We applaud these proposals to end Section 215 bulk collection, but feel that it is critical to get the details of this important effort right. So at this early point in the process, we propose this basic principle that should guide the effort: the reformed collection process should not require companies to store data for longer than, or in formats that differ from, what they already do for business purposes. If Verizon receives a valid request for business records, we will respond in a timely way, but companies should not be required to create, analyze or retain records for reasons other than business purposes. [my emphasis]

It’s telling, first of all, because Verizon still doesn’t want to have to fuss with anything but their business records. That says it has been unwilling to do so, in the past, which, in my schema, totally explains why the government couldn’t get Verizon cell records using Section 215. (I have wondered whether this was a newfound complaint, since they got exposed whereas AT&T did not; and even in spite of Randal Milch’s denial, I still do wonder whether the Verizon-Vodafone split hasn’t freed them of some data compliance obligations.)

Just as importantly, Verizon doesn’t want to analyze any of this data. As I have pointed out, someone is going to have to do high volume number analysis, because otherwise the number of US person records turned over will be inappropriately large but small enough it will be a significant privacy violation to do it at that point (for some things, it requires access to the raw data).

I’m unclear whether the RuppRoge Fake Fix plan of offering assistance (that is, having NSA onsite) fixes this, because NSA could do this analysis at Verizon.

The RuppRoge Fake Dragnet Fix, As Introduced: Does It Include Keith Alexander’s Quid Pro Quo?

This post is going to be a general review on the contents of the actual records collection part of the RuppRoge Fake Dragnet Fix, which starts on page 15, though I confess I’m particularly interested in what other uses — besides the phone dragnet — it will be put to.

First, note that this bill applies to “electronic communication service providers,” not telecoms. In addition, it uses neither the language of Toll Records from National Security Letters nor Dialing, Addressing, Routing, or Signalling from Pen Registers. Instead, it uses “records created as a result of communications of an individual or facility.” Also remember that FISC has, in the past, interpreted “facility” to mean “entire telecom switch.” This language might permit a lot of things, but I suspect that one of them is another attempt to end run content collection restrictions on Internet metadata — the same problem behind the hospital confrontation and the Internet dragnet shutdown in 2009. I look forward to legal analysis on whether this successfully provides an out.

The facility language is also troubling in association with the foreign power language of the bill (which already is a vast expansion beyond the terrorism-only targeting of the phone dragnet). Because you could have a telecom switch in contact with a suspected agent of a foreign power and still get a great deal of data, much of it on innocent people. The limitation (at b1B) to querying with “specific identifiers or selection terms” then becomes far less meaningful.

Then add two details from section h, covering the directives the government gives the providers. The government requires the data in the format they want. Section 215 required existing business records, which may have provided providers a way to be obstinate about how they delivered the data (and this may have led to the government’s problems with the cell phone data). But it also says this (in the paragraph providing for compensation I wrote about here):

The Government may provide any information, facilities, or assistance necessary to aid an electronic communications service provider in complying with a directive

Remember, one month ago, Keith Alexander said he’d be willing to trade a phone dragnet fix for what amounts to the ability to partner with industry on cybersecurity. The limits on this bill to electronic communication service providers means it’s not precisely what Alexander wanted (I understand him to want that kind of broad partnership across industries). Still, the endorsement of the government basically going to camp out at a provider makes me wonder if there isn’t some of that. Note, that also may answer my question about when and where NSA would conduct the pizza joint analysis, which would mean there’d still be NSA techs (or contractors) rifling through raw data, but they’d be doing it at the telecoms’ location.

The First Amendment restriction appears more limited than it is in the Section 215 context, though I suspect RuppRoge simply reflects the reality of what NSA is doing now. Both say you can’t investigate an American solely for First Amendment views, but RuppRoge says you can’t get the information for an investigation of an American. Given that RuppRoge eliminates any requirement that this collection be tied to an investigation, it would make it very easy to query a US person selector based on First Amendment issues in the guise of collecting information for another reason. But again, I suspect that’s what the NSA is doing in practice in any case.

Note, too, that RuppRoge borrows the “significant purpose” language from FISA, meaning the government can have a domestic law enforcement goal to getting these records.

RuppRoge then lays out an elaborate certification/directive system that is (as I guessed) modeled on the FISA Amendments Act, but written to be even more Byzantine in the bill. It works the same, though: the Attorney General and the Director of National Intelligence submit broad certifications to the FISC, which reviews whether they comply with the general requirements in the bill. It can also get emergency orders (though for some reason here, as elsewhere, RuppRoge have decided to invent new words from the standard ones), though the language is less about emergency and more about timely acquisition of data. Ultimately, there is judicial review, after the fact, except that like FAA, the review is programmatic, not identifier specific. Significantly, the records the government has to keep only need to comply with selection procedures (which are the new name for targeting procedures) “at the time the directive was issued,” which would seem to eliminate any need to detask over a year if you discover the target isn’t actually in contact with an agent of a foreign power. Also, in the clause permitting the FISC to order data be destroyed if the directives were improper, the description talks about halting production of “records,” but destruction of “information.” That might be more protective (including the destruction of reports based on data) or it might not (requiring only the finished reports be destroyed). Interestingly, this section includes no language affirmatively permitting alert systems, though RuppRoge have made it clear that’s what they intend with the year long certifications. In addition, those year long certifications might be used in conjunction with a year long PRISM order to first search a provider for metadata, then immediately task on content (which would be useful in a cybersecurity context).

The bill also changed the language of minimization procedures, which they call “civil liberties and privacy protection procedures.” Interestingly, the procedures differ from the standard in Section 215, including both a generalized privacy protection and one limiting receipt and dissemination of “records associated with a specific person.” These might actually be more protective than those in Section 215, or they might not, given that the identifying information (at b1D) excludes things like phone number or email which clearly identify a specific person, but get no protection (this identifying information hearkens back, at least in part, to debates about whether the dragnet minimization procedures complied with requirement for them in law on this point). In other words, it may provide people more protection, but given the NSA’s claim that they can’t get identity from a phone number, they likely don’t consider that data to be protected at all.

I can’t help believing much of this bill was written with cases like Lavabit and the presumed Credo NSL challenges in mind, as it uses language disdainful of legal challenges.

If the judge determines that such petition consists of claims, defenses, or other legal contentions that are not warranted by existing law or consists of a frivolous argument for extending, modifying, or reversing existing law or for establishing new law, the judge shall immediately deny such petition and affirm the directive or any part of the directive that is the subject of the such petition and order the recipient to comply with the directive or any part of it.

This seems to completely rule out any constitutional challenge to this law from providers.  Though the bill even allows for emergency acquisition while FISC is reviewing a certification, suggesting RuppRoge don’t want the FISC to make any through either. So if this bill were to pass, you can be sure it will remain in place indefinitely.

RuppRoge Fake Dragnet Fix Requires Intel Community to Update 30 Year Old EO 12333 Procedures

One good aspect of the RuppRoge Fake Dragnet Fix is its measure requiring all elements of the Intelligence Community to comply with the EO that governs them.

At issue is this clause in EO 12333 requiring that any element of the Intelligence Community collecting data on US persons have Attorney General approved procedures for handling that data.

2.3 Collection of information. Elements of the Intelligence Community are authorized to collect, retain, or disseminate information concerning United States persons only in accordance with procedures established by the head of the Intelligence Community element concerned or by the head of a department containing such element and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order, after consultation with the Director.

This is something PCLOB asked Eric Holder and James Clapper to make sure got done back in August. In their letter, they disclosed some agencies in the IC have been stalling on these updates for almost 3 decades.

The Privacy and Civil Liberties Oversight Board just sent a letter to Eric Holder and James Clapper requesting that they have all the Intelligence Committee agencies update what are minimization procedures (though the letter doesn’t call them that), “to take into account new developments including technological developments.”

As you know, Executive Order 12333 establishes the overall framework for the conduct of intelligence activities by U.S. intelligence agencies. Under section 2.3 of the Executive Order, intelligence agencies can only collect, retain, and disseminate information about U.S. persons if the information fits within one of the enumerated categories under the Order and if it is permitted under that agency’s implementing guidelines approved by the Attorney General after consultation with the Director of National Intelligence.

The Privacy and Civil Liberties Oversight Board has learned that key procedures that form the guidelines to protect “information concerning United States person” have not comprehensively been updated, in some cases in almost three decades, despite dramatic changes in information use and technology. [my update]

In other words, these procedures haven’t been updated, in some cases, since not long after Ronald Reagan issued this EO in 1981.

RuppRoge aims to require the IC elements to comply.

(1) REQUIREMENT FOR IMMEDIATE REVIEW.–Each head of an element of the intelligence community that has not obtained the approval of the Attorney General for the procedures, in their entirety, required by section 2.3 of Executive Order 12333 (50 U.S.C. 3001 note) within 5 years prior to the date of the enactment of the End Bulk Collection Act of 2014, shall initiate, not later than 180 days after such enactment, a review of the procedures for such element.

Mind you, asking agencies to initiate a review 6 months after passage of a bill to update procedures that are 30 years old isn’t exactly lighting a fire under IC arse. But then, the delay probably stems from some agencies hoarding agency records on US persons that are even older than the EO.

A Key Part of RuppRoge’s Fake Dragnet Fix Reform: Pay the Telecoms

Here’s an interesting “reform” in RuppRoge’s Fake Dragnet Fix. It pays the telecoms.

COMPENSATION AND ASSISTANCE.–The Government shall compensate, at the prevailing rate, an electronic communications service provider for providing records in accordance with directives issued pursuant to [their bill].

Section 215 does not include such a payment provision. And while the first two phone dragnet orders included provision for such payments, that was probably illegal.

Don’t get me wrong. I’m sure the government has found some way to pay the telecoms, either through added payments for AT&T’s Hemisphere program or gifts in kind. (Though given the timing of DOJ’s suit against Sprint for over-billing, I do wonder whether the government is retaliating for something.) Telecoms don’t spy for free, so I’m sure they’ve been getting paid, illegally, for the last 8 years of dragnet spying they’ve been doing.

But the lack of such provision in Section 215 should have limited the scope of the dragnet. It should have required that requests be so narrow no telecom was going to send big bills to the government every month. And it presumably made the telecoms (well, except for AT&T, which never met a spying request it didn’t love) less willing to interpret orders from the government expansively.

The inclusion of such a compensation clause in the RuppRoge “reform” makes it even more likely this dragnet will expand with the now well-oiled willingness of the telecoms to go above and beyond the letter of the request.

Which is presumably just how the NSA wants it to be.

RuppRogers Fake Dragnet Fix Would End (?) Bulk Firearm Record Collection, But Not Bulk Credit Card Record Collection

I’m just beginning to go through the House Intelligence Fake Dragnet Fix bill — what I will henceforth call the RuppRogers Fake Dragnet Fix.

It does have some improvements — the kind of bones you throw into legislation to entice members of Congress to back what is in fact a broad expansion of surveillance.

One of those is a prohibition on the use of FISA (presumably including Section 215) to engage in bulk collection of certain kinds of records:

Notwithstanding any other provision of law, the Federal Government may not acquire under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) library circulation records, library patron lists, book sales records, book customer lists, firearm sales records, tax return records, education records, or medical records containing information that would identify a person without the use of specific identifiers or selection terms.

I find this interesting, for one, because it is yet another piece of evidence that suggests the government has been using Section 215 (and National Security Letters, probably) to make its own firearm registry, in defiance of congressional intent.

But I also find it instructive to compare this list:

  • Some but not all library and book records
  • Firearm sales records
  • Tax return (but not other tax) records
  • Education records
  • Some but not all medical records

With the list laid out in this letter from Ron Wyden and Mark Udall and others.

  • Credit card purchases
  • Pharmacy records
  • Library records
  • Firearm sales records
  • Financial information
  • Book and movie purchase records

I would assume from the difference that NSA was unwilling to give up certain kinds of bulk collection, notably credit card and non-tax return financial records.

I think the use of Section 215 to collect gun records is patently illegal, even though I might support a gun registry if passed legislatively. But if we’re going to roll back that collection, let’s roll back the bulk financial record collection as well.

Former Professional Journalist Suggests NYT Shouldn’t Pay Its Journalists

I’m working on a more substantive response to this Ben Wittes post claiming that the NYT’s latest Snowden story doesn’t mean the NSA spies on lawyers.

But I wanted to note how it begins.

Unless the public is really tiring of matters Snowden, the New York Times’s latest is going to stir up the hornet’s nest. “Spying by N.S.A. Ally Entangled U.S. Law Firm,” blares the headline of the story by reporter James Risen and freelancer Laura Poitras—from whom the Times (which insists it never pays for information) sometimes procures Snowden-leaked documents and to whom it gives a byline when it does so. [my emphasis]

The apparent subtext here is that the NYT is paying Laura Poitras not to do journalism on a story she has covered in depth for the last 8 months, but instead for access to documents in her possession (or to use Mike Rogers’ formulation, Poitras is fencing stolen property).

The comment is odd not just because Wittes has not (as far as I know) complained that the NYT also got (or may have in this case — I frankly don’t claim to know these arrangements) Snowden documents directly from the Guardian in a necessary attempt to bypass the UK’s crackdown on press freedom.

Odder still, according to Wittes’ Brookings bio, he worked as a professional journalist for at least a decade, both as a WaPo staffer and as an independent contributor.

Between 1997 and 2006, he served as an editorial writer for The Washington Post specializing in legal affairs. Before joining the editorial page staff of The Washington Post, Wittes covered the Justice Department and federal regulatory agencies as a reporter and news editor at Legal Times. His writing has also appeared in a wide range of journals and magazines including The Atlantic, Slate, The New Republic, The Wilson Quarterly, The Weekly Standard, Policy Review, and First Things.

Therefore I assume he is familiar with the tradition in journalism that when someone reports — even (especially) for a major newspaper as a freelancer — one gets paid.

Except he seems to want to make an exception just in this one case so as to insinuate certain things about Poitras’ reporting.

I do hope all of Wittes’ reporter friends remind him that their profession is still … a profession, and that equating professional journalism with crime sort of puts a damper on the whole freedom of the press thing, not to mention their claim that they should be compensated for their labor.

Disclosure: Obviously, with my affiliation with First Look Media, I do have a tie with Poitras (though not with this story). As an EW post, however, this post has no tie to First Look, and I have talked to neither Poitras nor anyone else at First Look before writing it.

Update: Wittes explains himself at length here (though the *@^$&*# hackers have brought Lawfare down again). It seems Wittes is nostalgic for the time when newspapers and the government had such a cozy relationship the NYT could lie us into catastrophic war in the service of the government.

I confess that I’m troubled by the power dynamics at work—for reasons that I’m sure will not endear me to my Twitter critics: I believe in institutional media. I believe in editors. And while I also deeply believe in the proliferation of voices that new media has enabled, I don’t like it that Greenwald, Gellman, and Poitras have such enormous leverage against big media organizations which I expect to make responsible publishing decisions. Put simply, I am uncomfortable with the unaccountable power that this arrangement gives people like Poitras over organizations like the New York Times.

The Drone Assassinate Americans Overseas That Want to Kill Americans Overseas Plan

Kimberly Dozier reports — based primarily on 4 US Officials (AKA members of Congress or their staffers) and one Senior Administration Official probably located near DOJ — that the Obama Administration is trying to decide whether to drone kill another American citizen with no due process again.

She obviously got the story because Mike Rogers wants to suggest Obama’s increased caution of late — including his decision to shift drones from CIA to DOD control — has impeded this opportunity to off an American with no due process.

And many people discussing the story suggest this case follows the example of Anwar al-Awlaki.

But it appears not to, in at least one very important respect.

According to Dozier’s description, this person is not targeting Americans in the US; he is targeting Americans overseas (given her descriptions, I’m guessing he’s targeting Americans in Afghanistan from Pakistan, though it’s possible he’s in North Africa).

An American citizen who is a member of al-Qaida is actively planning attacks against Americans overseas, U.S. officials say, and the Obama administration is wrestling with whether to kill him with a drone strike and how to do so legally under its new stricter targeting policy issued last year.

[snip]

Four U.S. officials said the American suspected terrorist is in a country that refuses U.S. military action on its soil and that has proved unable to go after him. And President Barack Obama’s new policy says American suspected terrorists overseas can only be killed by the military, not the CIA, creating a policy conundrum for the White House.

Two of the officials described the man as an al-Qaida facilitator who has been directly responsible for deadly attacks against U.S. citizens overseas and who continues to plan attacks against them that would use improvised explosive devices.

But one U.S. official said the Defense Department was divided over whether the man is dangerous enough to merit the potential domestic fallout of killing an American without charging him with a crime or trying him, and the potential international fallout of such an operation in a country that has been resistant to U.S. action.

Another of the U.S. officials said the Pentagon did ultimately decide to recommend lethal action.

The officials said the suspected terrorist is well-guarded and in a fairly remote location, so any unilateral attempt by U.S. troops to capture him would be risky and even more politically explosive than a U.S. missile strike.

Say what you will about the quality of the evidence against Awlaki, the government at least claimed he was behind the UndieBomb and Toner Cartridge attacks, both targeted at American civilians in the US.

Even in the case of Kamal Derwish (whom we killed in 2002 under our prior “sitting next to a baddie” standard), we believed he was training people domestically.

By all appearances, this person is targeting US service members. And if they’re anywhere but Afghanistan (though I suspect they are in Afghanistan, especially given the reference to IEDs), they’re operating with a somewhat dubious claim to legally approved military actions.

No US citizen has the right to join the other side in a war, which (if this is Afghanistan/Pakistan) seems to be what has happened. But using a drone to target an American operating in a sovereign country we pretend not to be at war with because he is targeting military targets is a different legal case than the one against Awlaki.

Sure, Awlaki started us down a slippery slope. But we appear to have slid further down that slope.