
Where Does the Bulk Collection Under NSLs Happen?

Back in January, I noted that both the President’s Review Group and those behind the Leahy-Sensenbrenner USA Freedom Act seemed very concerned that the government is using NSLs to conduct bulk collection (which is the term I used, based off the fact that both made parallel changes to Section 215 and NSL collection). Both required (recommended, in the case of PRG) that the government fix that by requiring that NSLs include language asserting that the particular information sought has a tie to the investigation in question, and by setting some limits on the amount of information collected.

Here’s how the PRG phrased it.

Recommendation 2 We recommend that statutes that authorize the issuance of National Security Letters should be amended to permit the issuance of National Security Letters only upon a judicial finding that:

(1) the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and

(2) like a subpoena, the order is reasonable in focus, scope, and breadth.

The thing is, because NSLs haven’t shown up in any troves of leaked documents, we don’t know why USA Freedom’s original backers and PRG are so concerned NSLs today collect data beyond reasonable breadth (though IG reports done years ago raised big concerns, many of them about whether FBI was meeting the legal standards required).

We don’t know what kind of bulk collection they’re engaging in.

Because FBI — not NSA — primarily uses NSLs, we don’t know what the problem is.

I raise this now because — in addition to having planned on writing this post since January — of questions about whether the HJC and HPSCI “reform” bills will really end what you and I (as distinct from the Intelligence Community) would consider bulk collection.

And NSL reporting — unlike that for Section 215 — provides some hints on where the bulk collection might be.

Here’s what the most recent FISA report to Congress says about (most) NSLs issued last year.

Requests Made for Certain Information Concerning Different United States Persons Pursuant to National Security Letter Authorities During Calendar Year 2013 (USA PATRIOT Improvement and Reauthorization Act of 2005, Pub. L. No. 109-177 (2006))

Pursuant to Section 118 of the USA PATRIOT Improvement and Reauthorization Act, Pub. L. 109-177 (2006), the Department of Justice provides Congress with annual reports regarding requests made by the Federal Bureau of Investigation (FBI) pursuant to the National Security Letter (NSL) authorities provided in 12 U.S.C. § 3414, 15 U.S.C. § 1681u, 15 U.S.C. § 1681v, 18 U.S.C § 2709, and 50 U.S.C. § 436.

In 2013, the FBI made 14,219 requests (excluding requests for subscriber information only) for information concerning United States persons. These sought information pertaining to 5,334 different United States persons.[2]

[2] In the course of compiling its National Security Letter statistics, the FBI may over-report the number of United States persons about whom it obtained information using National Security Letters. For example, NSLs that are issued concerning the same U.S. person and that include different spellings of the U.S. person’s name would be counted as separate U.S. persons, and NSLs issued under two different types of NSL authorities concerning the same U.S. person would be counted as two U.S. persons.

The report would seem to say that the 14,219 requests were based off requests about 5,334 US persons. That’s not really bulk collection, at least on its face! So where is the bulk collection PRG and USAF seem worried about?

It’s possible this report hides some bulk collection in a different Agency. The law requiring this report only requires DOJ to report on the number of requests DOJ made in the previous year.

 In April of each year, the Attorney General shall submit to Congress an aggregate report setting forth with respect to the preceding year the total number of requests made by the Department of Justice for information concerning different United States persons under–

(A) section 2709 of title 18, United States Code (to access certain communication service provider records), excluding the number of requests for subscriber information;

[the law goes on to list the other NSL provisions]

While DOJ’s report should cover both FBI and DEA, I suppose it’s possible that some other entities — not just NSA but also Treasury, NCTC, and CIA — are submitting NSLs themselves, particularly in the case of financial records (though I think Treasury doesn’t have to use NSLs to do this).

The other obvious place the language of the report hides bulk collection is in subscriber records. The law exempts subscriber information requests from the reporting pertaining to US persons. The FBI could be applying for what amount to phone books of all the subscribers of all the phone companies and Internet service providers in the United States and it wouldn’t show up in this report, even though those requests might pertain to hundreds of millions of US persons.

I assume to some extent it is doing this, because there must be a reason subscriber records were excluded from this law. And this would count as bulk collection even according to the Intelligence Community definition of the term.

Via the PRG, we can get a sense of how many such subscriber requests there are. It says FBI issued 21,000 NSLs in FY 2012.

FBI issued 21,000 NSLs in Fiscal Year 2012, primarily for subscriber information.

While the reporting period is different, DOJ reported that FBI obtained 15,229 NSLs in 2012. Which means the balance — so around 5,500 NSLs — would be for subscriber data. Even if only a significant fraction of those are for all of companies’ subscribers, that’s still a fairly comprehensive list of subscriber information across a broad range of providers.

Those 5,500 requests could each be 50 US persons or 120 million US persons; we don’t know. That would be pretty significant bulk collection. But not the same kind of privacy risk PRG seems to have in mind (and if that were the only problem, why change all 4 NSL statutes, as USA Freedom Act did and to the extent it makes a difference still does)?

Still, we know that even the other NSLs — the ones for which we have real data about how many US persons the NSLs “pertained to” — affected far more US persons. That’s because the Exigent Letters IG Report made it clear that two providers (one of these is AT&T, which did it routinely; see page 75ff) provided community of interest information — multiple hops of call records — in response to NSLs. In discovering that, DOJ’s IG complained that FBI was routinely getting information — the derivative call records — that it had not done a relevancy determination for, but it didn’t object across the board.

That concern about ensuring that records obtained via a national security request are “relevant” according to the plain meaning of the term sure seems quaint right now, doesn’t it?

But the potential that FBI is using NSLs to obtain derivative records off of the original selector would sure explain why PRG and Pat Leahy and others are concerned about NSLs (and what we would call — but IC wouldn’t — “bulk collection”).

I assume they can only do this with complicit providers (and I suspect this explains the rise of Section 215 orders with attached minimization requirements in recent years).

But if it happens in significant number at all, it would explain why Leahy and PRG consider it an equivalent problem to Section 215. Because it would mean FBI was using NSLs — not just with telecom and Internet records, but possibly with other things (though I don’t see how you could do this on credit reports) — to get data on associations several levels removed from the target of the NSL.

Here’s the immediate takeaway, though.

Aside from the phone book application (which is significant and I think would be curtailed given the HJC bill, unless FBI were to make requests of AT&T using “AT&T” as the selection term) and financial records (which I’m still thinking through), NSLs appear to include a great deal of “bulk” collection (that is, collection of innocent persons’ data based on association). But they appear to do so from specific identifiers.

And that will not be curtailed by the HJC bill, not at all. It is clear these requests for NSLs are already currently based off selectors — it shows in this reporting.

So at least for two uses of NSLs — credit reports and call details (but not subscriber records) — the House bill simply codifies the status quo.

Update: Here’s the financial records language on NSLs:

Financial institutions, and officers, employees, and agents thereof, shall comply with a request for a customer’s or entity’s financial records made pursuant to this subsection by the Federal Bureau of Investigation when the Director of the Federal Bureau of Investigation (or the Director’s designee in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director) certifies in writing to the financial institution that such records are sought for foreign counter intelligence purposes to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution of the United States.

It’s clearly intended to work for things that would be a selection term — “customer” or “entity” (which in this context would seem to be different from a customer!) — but I’m not sure it requires that the collection be based off the customer selection term.

Obama’s Legal Hacks

I have a piece over at The Week on the unusually credible denial the government issued on Friday, claiming they did not know of the Heartbleed vulnerability until earlier this month. In it, I note that Obama adopted a much lower bar for using software vulnerability than his hand-picked Review Group recommended in December. Most troubling, Obama admits he will use exploits for law enforcement, in addition to national security.

But the announcement’s discussion of the interagency review also made clear that the process will, sometimes, approve such a use — which means that the next Heartbleed could be exploited by the NSA. Furthermore, the standard the administration claims to have adopted — “a clear national security or law enforcement need” (italics mine) — is lower than the “urgent and significant national security priority” recommended by the Review Group.

In other words, in very clear language, the government has confessed that it does and will continue to keep secret Heartbleed-style vulnerabilities not just for national security purposes, but also for mere law enforcement.

The idea that the government might hack in the name of law enforcement is not new.

As WSJ reported last month, DOJ is trying to get the Judicial Conference to approve language allowing it to get warrants to hack in multiple districts at once.

The government’s push for rule changes sheds light on law enforcement’s use of remote hacking techniques, which are being deployed more frequently but have been protected behind a veil of secrecy for years.

In documents submitted by the government to the judicial system’s rule-making body this year, the government discussed using software to find suspected child pornographers who visited a U.S. site and concealed their identity using a strong anonymization tool called Tor.

The government’s hacking tools—such as sending an email embedded with code that installs spying software — resemble those used by criminal hackers. The government doesn’t describe these methods as hacking, preferring instead to use terms like “remote access” and “network investigative techniques.”

Right now, investigators who want to search property, including computers, generally need to get a warrant from a judge in the district where the property is located, according to federal court rules.

In a computer investigation, that might not be possible, because criminals can hide behind anonymizing technologies. In cases involving botnets—groups of hijacked computers—investigators might also want to search many machines at once without getting that many warrants.

Some judges have already granted warrants in cases when authorities don’t know where the machine is. But at least one judge has denied an application in part because of the current rules. The department also wants warrants to be allowed for multiple computers at the same time, as well as for searches of many related storage, email and social media accounts at once, as long as those accounts are accessed by the computer being searched.

I especially applaud the way WSJ highlighted DOJ’s complaints about Orin Kerr calling what they do hacking.

Even more timely, a team of computer security experts — Steve Bellovin, Matt Blaze, Sandy Clark, and Susan Landau — just published a paper arguing that legal hacking is a better means to conduct law enforcement collection than a CALEA-type solution. But they argue that the government can and must achieve this law enforcement objective without compromising the security of the network.

¶162 As we alluded to earlier, this is a clash of competing social goods between the security obtained by patching as quickly as possible and the security obtained by downloading the exploit to enable the wiretap to convict the criminal. Although there are no easy answers, we believe the answer is clear. In a world of great cybersecurity risk, where each day brings a new headline of the potential for attacks on critical infrastructure,239 where the Deputy Secretary of Defense says that thefts of intellectual property “may be the most significant cyberthreat that the United States will face over the long term,”240 public safety and national security are too critical to take risks and leave vulnerabilities unreported and unpatched. We believe that law enforcement should always err on the side of caution in deciding whether to refrain from informing a vendor of a vulnerability. Any policy short of full and immediate reporting is simply inadequate. “Report immediately” is the policy that any crime-prevention agency should have, even though such an approach will occasionally hamper an investigation.241

¶163 Note that a report immediately policy does not foreclose exploitation of the reported vulnerability by law enforcement. Vulnerabilities reported to vendors do not result in immediate patches; the time to patch varies with each vendor’s patch release schedule (once per month, or once every six weeks is common), but, since vendors often delay patches,242 the lifetime of a vulnerability is often much longer. Research shows that the average lifetime of a zero-day exploit is 312 days.243 Furthermore, users frequently do not patch their systems promptly, even when critical updates are available.24

¶164 Immediate reporting to the vendor of vulnerabilities considered critical will result in a shortened lifetime for particular operationalized exploits, but it will not prevent the use of operationalized exploits. Instead, it will create a situation in which law enforcement is both performing criminal investigations using the wiretaps enabled through the exploits, and crime prevention through reporting the exploits to the vendor. This is clearly a win/win situation.

[snip]

¶166 The tension between exploitation and reporting can be resolved if the government follows both paths, actively reporting and working to fix even those vulnerabilities that it uses to support wiretaps. As we noted, the reporting of vulnerabilities (to vendors and/or to the public) does not preclude exploiting them.247 Once a vulnerability is reported, there is always a lead time before a “patch” can be engineered, and a further lead time before this patch is deployed to and installed by future wiretap targets. Because there is an effectively infinite supply of vulnerabilities in software platforms,248 provided new vulnerabilities are found at a rate that exceeds the rate at which they are repaired, reporting vulnerabilities need not compromise the government’s ability to conduct exploits. By always reporting, the government investigative mission is not placed in conflict with its crime prevention mission. In fact, such a policy has the almost paradoxical effect that the more active the law enforcement exploitation activity becomes, the more zero-day vulnerabilities are reported to and repaired by vendors.

They go on to propose a legal regime that can provide clear guidance on which vulnerabilities should be reported, even analogizing the emergency period in which an agency can wiretap before getting a warrant.

But here’s the thing: NSA’s Bull Run program got reported in September, and since then the government has remained coy about whether it uses or even seeds vulnerabilities in software, even though anyone paying attention knew it does. It took claims that the government had been using the Heartbleed vulnerability for two years for the Administration to admit, tacitly, the earlier reports were correct.

The kind of legal regime Bellovin et al recommend requires that this law enforcement function operate within a legal — and therefore publicly acknowledged — framework, rather than piggybacking on the NSA’s executive authorities in secret.

While Friday’s admission is a start, and while it may be true that hacking presents a better solution to law enforcement needs than CALEA, these questions need to be openly discussed.

Otherwise, DOJ not only is hacking — in the dictionary definition Orin Kerr applied — but hacking in the reckless manner that DOJ prosecutes.

Goldilocks Porridge of NSA Reform

Since Obama’s speech on the dragnet, I’ve been skeptical the promise to obtain court review before conducting phone dragnet searches means anything. There’s nothing — not a thing — in the actual speech or the White House fact sheet accompanying it that distinguishes the allegedly new court review from the review that already exists.

The President has directed the Attorney General to work with the Foreign Intelligence Surveillance Court so that during this transition period, the database can be queried only after a judicial finding, or in a true emergency.

After all, the FISC quarterly approves which terror (and Iranian) groups NSA can target in the dragnet. That’s a judicial finding! Without more specificity, there’s no reason to believe this is any further review than already occurs.

In an off-the-record briefing before the speech (I didn’t listen in but saw a transcript), anonymous Senior Administration Officials did insist this meant an individualized review of each identifier to be queried (though there were no details about whether the court had to approve each query using that identifier; also, the SAOs indicated no limits would be put on using Section 215 to engage in bulk collection or querying of other items). Though one reason Executive Branch officials like to do off the record briefings is so their credibility can’t be challenged if their secret assurances prove to be hollow. And how would anyone prove these claims to be hollow, in any case, given that all of these reviews are secret?

That background is one reason I’m intrigued by Siobhan Gorman’s tick-tock of how the White House included this review as a very last minute sop to the Review Group, in response to pushback in a January 15 meeting.

Top White House officials, including National Security Adviser Susan Rice, met the afternoon of Jan. 15 with the members of the NSA review panel, which had issued an influential report a month earlier calling for an overhaul of key surveillance programs. The meeting turned tense, though not combative.

The panel had proposed a restructuring that would store telephone data outside the U.S. government and require NSA to obtain approval from the secret Foreign Intelligence Surveillance Court to conduct a search of the database. Currently, NSA searches are governed by an internal process.

White House officials told panel members at the meeting that they were inclined to move the phone data out of the NSA’s hands. But they didn’t mention judicial review of the searches.

The panel’s response was “that’s half” of their recommendation, according to a person close to the review panel. Some panel members interpreted the White House officials’ failure to mention judicial review as a sign that the recommendation wouldn’t be adopted, said several people familiar with the talks.

Appealing to the White House officials, panel members said that without judicial approval, “there’s no way you can restore trust” from the public, said a person familiar with the talks.

[snip]

White House officials appeared “rattled” by the pushback, the person said. “It caused them to regroup.”

The next day—the day before Mr. Obama’s speech—White House officials inserted a new section into the speech that required judicial approval of a search from the secret court, which oversees many of NSA’s surveillance programs.

But even that evening, White House officials were struggling with whether the president could singlehandedly impose such requirements on another branch of government. They sought late-night advice from the Justice Department on how to structure the rule, trying to make it more collaborative than compulsory, a U.S. official said.

Which is how, Gorman goes on, they came up with language that on its face doesn’t impose any new review.

But there are several things that don’t make sense with this story.

First, the NSA Review Group didn’t recommend this kind of individualized review for Section 215, though they did say the intent of the law was to permit the government to query providers on individual orders after getting FISC authorization, suggesting such review is implicit.

As originally envisioned when section 215 was enacted, the government can query the information directly from the relevant service providers after obtaining an order from the FISC.

 

They did recommend judicial review for National Security Letters (and Gorman’s story makes it clear this discussion was wrapped up in a discussion of the Review Group’s recommendations for NSLs). But the Review Group’s recommendations focused on ending bulk collection and moving whatever remained out of government hands. Obama outright rejected the first recommendation and punted the second to a Congress that won’t adopt it.

PCLOB, on the other hand, did recommend something much closer to individualized review for the transition period (though they recommended it come after queries were made).

(c) submit the NSA’s “reasonable articulable suspicion” determinations to the FISC for review after they have been approved by NSA and used to query the database;

Though their last meeting with the White House was on January 8, well before this last-minute addition.

In any case, this last-minute change is pitched — by someone described as a “person familiar with the intelligence-agency discussions” — as central to a Goldilocks “just right” solution that left both privacy advocates and the intelligence community placated.

The White House strategy appears to have muted major criticism, both from privacy advocates and intelligence officials.

While privacy advocates said they had wanted Mr. Obama to require more privacy safeguards, their primary message has been that the true effect of the overhauls can’t be known until they are implemented.

Among the spy agencies, there’s relief that Mr. Obama’s speech didn’t criticize the surveillance operations.

“Nobody lost, nobody won,” said one person familiar with the intelligence-agency discussions. “That’s the nature of our government.”

Except the privacy advocate view portrayed here (with no source) doesn’t resemble the view I’m hearing from privacy advocates, who are focusing on Congress and on more pressure. That is, at least the Goldilocks conclusion, that this represents a happy middle, seems to be IC propaganda, perhaps designed to hide how little has actually changed (and unless we can trust Administration officials who would not speak on the record, this last minute solution is useless). It takes a story that claims the Review Group recommendation was to provide judicial review — not to end bulk collection – and declares the Review Group got what they wanted.

They didn’t.

All of this in an article published in the news hole of a Friday night.

Obama’s Dragnet: Policeman of the Whole World

And don’t let anybody make you think that God chose America as his divine, messianic force to be a sort of policeman of the whole world. God has a way of standing before the nations with judgment, and it seems that I can hear God saying to America, “You’re too arrogant! And if you don’t change your ways, I will rise up and break the backbone of your power, and I’ll place it in the hands of a nation that doesn’t even know my name. Be still and know that I’m God.”

–Martin Luther King, “It’s A Dark Day In Our Nation”

As I noted the other day, in his speech on the dragnet, President Obama acknowledged that our unique technical surveillance capabilities demand more humility, not less.

But America’s capabilities are unique. And the power of new technologies means that there are fewer and fewer technical constraints on what we can do. That places a special obligation on us to ask tough questions about what we should do.

Yet that concern about our unique technical capabilities quickly transformed into exceptionalism — a concern about how distrust stemming from our dragnet hubris would corrode our “leadership” position in the world.

Instead, we have to make some important decisions about how to protect ourselves and sustain our leadership in the world, while upholding the civil liberties and privacy protections that our ideals – and our Constitution – require. We need to do so not only because it is right, but because the challenges posed by threats like terrorism, proliferation, and cyber-attacks are not going away any time soon, and for our intelligence community to be effective over the long haul, we must maintain the trust of the American people, and people around the world.

And that, in turn, became our role in protecting “our friends and allies as well.”

Our capabilities help protect not only our own nation, but our friends and allies as well. Our efforts will only be effective if ordinary citizens in other countries have confidence that the United States respects their privacy too. And the leaders of our close friends and allies deserve to know that if I want to learn what they think about an issue, I will pick up the phone and call them, rather than turning to surveillance. In other words, just as we balance security and privacy at home, our global leadership demands that we balance our security requirements against our need to maintain trust and cooperation among people and leaders around the world.

This includes protecting them not just from terrorism and hackers, but from crime — including the crime of violating US sanctions.

In terms of our bulk collection of signals intelligence, U.S. intelligence agencies will only use such data to meet specific security requirements: counter-intelligence; counter-terrorism; counter-proliferation; cyber-security; force protection for our troops and allies; and combating transnational crime, including sanctions evasion.

Of course, a number of countries (much of Latin America) object to the way we fight crime (drug cartels) in their countries. But our pursuit of our own national security has literally turned us into the world’s policeman. Which Obama repeats again — our leadership role requires us to use our dragnet to fight terrorists and crime.

We will appoint a senior official at the White House to implement the new privacy safeguards that I have announced today. I will devote the resources to centralize and improve the process we use to handle foreign requests for legal assistance, keeping our high standards for privacy while helping foreign partners fight crime and terrorism.

How ironic, how prescient, that King spoke of our arrogance breaking the backbone of our power. Not only does it threaten to break the ideological backbone of our hegemony — replacing our liberties with our policing — but it quite literally threatens to balkanize the communication backbone we’ve exploited to become that policeman.

President Obama seems to understand what a crisis this poses to our leadership. He does not, yet, understand that that leadership was not supposed to be policing the world.

Richard Clarke Alludes to the Real Costs of the Dragnet

New America Foundation did a study of 225 terrorist plots to try to discern the source of the investigation. There are numerous obvious flaws to the study — many of which stem from the government’s own efforts to obscure the sources of what they do, some of which stem from a lack of awareness about how the government responded to other tips by collecting more NSA intelligence, some of which stem from ignoring the dragnet that existed in illegal form before the FISC-approved one.

With those caveats, NAF finds what has been reported for months: only Basaaly Moalin’s provision of less than $10,000 to al-Shabaab stemmed from the phone dragnet.

Which provides the WaPo with another opportunity to report this as news. I’ll take it: any little bit helps!

WaPo and NAF also report what I reported 5 months ago: that the government delayed 2 months after identifying Moalin’s ties indirectly to Aden Ayro before wiretapping him. Remember, they say they need the dragnet to avoid delays in investigation.

Perhaps the most interesting part of WaPo’s report on this, though, is Richard Clarke’s comments. As a follow-up on the NSA Review Group’s comment on the risk to quality of life posed by the dragnet, Clarke claims the dragnet would still be too intrusive if it had contributed to every plot.

“Although we might be safer if the government had ready access to a massive storehouse of information about every detail of our lives, the impact of such a program on the quality of life and on individual freedom would simply be too great,” the group’s report said.

Said Clarke: “Even if NSA had solved every one of the [terrorist] cases based on” the phone collection, “we would still have proposed the changes.”

This is actually a fairly stunning comment (and not one, I suspect, Mike Morell, who is also quoted, would support). Even if the dragnet had identified every potential terrorist plot, Clarke says, it would still be too intrusive.

I think the dragnet is plenty intrusive — and I think plenty of the ways it infringes on privacy are those not accounted for in NAF’s analysis (such as the use of the dragnet to pick targets for informants or conduct back door searches). Still: to suggest the dragnet would not be worth every single one of these leads?

When FBI Director Jim Comey Ate 20 Journalists for Lunch, NSL Edition

Yesterday, charismatic FBI Director Jim Comey had what was alternately described as a “lunchtime interview” and a “roundtable” with a bunch of journalists. (See NYT, ABC, AFP, NPR, McClatchy, HuffPo, LAT, WSJ, Politico, AP)

Where he proceeded to eat them for lunch.

While he addressed many topics, it appears one of his key goals was to lobby to keep National Security Letter authority as is rather than adopt the NSA Review Group’s recommended changes.

Here’s how Politico described it (I don’t mean to pick on Josh Gerstein; his was one of the most thorough reports of what Comey said, even in spite of writing one of the single bylined stories; the outlets above all published some version of this story.)

“The national security letter is not only among the most highly regulated things the FBI does, but a very important building block tool of our national security investigations,” Comey said. “What worries me about their suggestion that we impose a judicial procedure on NSLs, is that it would actually make it harder for us to do national security investigations than bank fraud investigations.”

Comey said applying to a judge for a letter to track down an internet user who made a post indicating an interest in carrying out a terrorist bombing would take days or perhaps weeks, even if more judges were added to the court.

“Being able to do it in a reasonably expeditious way is really important to our investigations. So one of my worries about the proposal in the review group is it would add or introduce a delay,” he said. The director did say he believed there was merit to the review panel’s suggestion that such national security letters not come with a permanent bar on the recipient discussing the order with anyone other than legal counsel.

“We ought to be able to work something out that adopts a nondisclosure regime that is more acceptable to a broader array of folks than the one we have now,” he said.

Comey acknowledged that the FBI process for issuing such letters was too lax several years ago, but insisted it has since been fixed and is now rigorous and heavily audited. “No doubt the process for NSLs was broken in some ways six years ago or longer. It is not broken today. And so I don’t know why we would make natioanls [sic] security investigations harder in that respect than criminal investigations,” he said. He also said doing so would likely encourage his agents to go through prosecutors to get a grand jury subpoena instead—a process that doesn’t require the same number of approvals. [my emphasis]

Here’s the problem with this (aside from the hilarious claims that a program with no external oversight is the most “highly regulated” thing the FBI does, as bolded).

The journalists all, without an exception I’ve found, permitted Comey to misrepresent the Review Group’s two recommendations pertaining to National Security Letters (though HuffPo did include additional reporting noting that two of the Review Group members were Comey’s law professors and he thinks their emphasis is on gag orders preventing recipients from discussing the orders).

I described what the Review Group’s NSL recommendations were here (Julian Sanchez also did a good post).

But to understand why this is important enough for me to be an asshole over, it helps to see Review Group Recommendation 1, affecting the Section 215 dragnet, next to Review Group Recommendation 2, affecting NSLs.

Recommendation 1

We recommend that section 215 should be amended to authorize the Foreign Intelligence Surveillance Court to issue a section 215 order compelling a third party to disclose otherwise private information about particular individuals only if [it finds that

(1)] the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and

(2) like a subpoena, the order is reasonable in focus, scope, and breadth.

Recommendation 2

We recommend that statutes that authorize the issuance of National Security Letters should be amended to permit the issuance of National Security Letters only upon a judicial finding that:

(1) the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and

(2) like a subpoena, the order is reasonable in focus, scope, and breadth.

[punctuation and spacing altered in brackets]

That is, Recommendation 1 (affecting Section 215) and Recommendation 2 (affecting NSLs) are — in the clauses changing the standard of review to eliminate bulk collection — substantively exactly the same. And while the NSLs require judicial review to get to any enforceable standard of review — which is definitely one huge proposed change to the NSLs — viewed together like this, it is clear that at least as significant a goal of the Review Group is to end bulk collection under any authority.

Particularly when you consider Recommendation 3, which recommends real minimization procedures for NSLs.

The Review Group recommended judicial review of NSLs, sure. But it also recommended either preventing or (given the likelihood this has been going on) eliminating bulk collection.

And yet a room full of — in some cases — very good journalists allowed the FBI Director to criticize what they all reported as the Review Group’s recommendation that NSLs undergo judicial review without even mentioning he misrepresented the recommendation, addressing only a fraction of what the Review Group recommended.

The FBI (or NSA?)’s Bulk National Security Letters

Say, did you notice that the NSA Review Group, like the Leahy-Sensenbrenner bill before it, endorsed dramatic restrictions on National Security Letters?

Both efforts set out to address the most extreme privacy risks posed by — the perception was — the NSA, yet both would impose new rules on NSLs, which are primarily used by the FBI. And both efforts would attempt to at least limit (and therefore presumably end) any bulk collection with NSLs.

Leahy-Sensenbrenner provides specific changes to both the statute authorizing communications collection and the one authorizing financial data collection. In the case of toll records, the changes look like this:

Required Certification.— The Director of the Federal Bureau of Investigation, or his designee in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director may request the name, address, length of service, and local and long distance toll billing records of a person or entity if the Director (or his designee) certifies in writing to the wire or electronic communication service provider to which the request is made that—

(1) the name, address, length of service, and toll billing records sought are relevant and material to an authorized investigation to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the First Amendment to the Constitution of the United States; and

(2) there are reasonable grounds to believe that the name, address, length of service, and toll billing records sought pertain to—

(A) a foreign power or agent of a foreign power;

(B) the activities of a suspected agent of a foreign power who is the subject of such authorized investigation; or

(C) an individual in contact with, or known to, a suspected agent of a foreign power. [my emphasis]

In addition, Leahy-Sensenbrenner would make NSL gags harder to sustain.

The Review Group went even further with respect to the basic NSL requests. It recommended (as its 2nd and 3rd recommendations, stuck right in the middle of its Section 215 discussion!) not only limiting bulk collection with NSLs, but requiring judicial review and adding minimization procedures to them.

Recommendation 2 We recommend that statutes that authorize the issuance of National Security Letters should be amended to permit the issuance of National Security Letters only upon a judicial finding that:

(1) the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and

(2) like a subpoena, the order is reasonable in focus, scope, and breadth.

Recommendation 3 We recommend that all statutes authorizing the use of National Security Letters should be amended to require the use of the same oversight, minimization, retention, and dissemination standards that currently govern the use of section 215 orders. [my emphasis]

There are two possible reasons why Leahy-Sensenbrenner and the Review Group would offer such similar reforms. First, it’s possible they worry that limiting bulk collection on Section 215 without limiting it on NSLs would lead the government to use NSLs instead.

Far more likely, both would propose such reforms because they know NSLs had already been used for bulk collection. (We know DOJ used bulk NSLs in its efforts to fix its exigent letter problems, but that involved just 3 bulk orders, all 3 issued in 2006.)

Which would be alarming because — as the Review Group points out — in FY2012 (which extends from October 1, 2011 to September 30, 2012), the FBI issued 21,000 NSLs, “primarily for subscriber information.” DOJ’s reports to Congress reported 16,511 NSL requests in 2011 and 15,229 in 2012 that weren’t subscriber information only, so roughly 5,500 of that 21,000 were just subscriber information. But the FBI could very well be issuing bulk orders for both toll records and financial records.

That’s a lot of potential bulk orders.

And, as the Review Group makes clear in its list of reasons the NSLs are ripe for abuse, the FBI doesn’t treat this data with the same care that NSA purportedly treats the phone dragnet data.

[T]he oversight and minimization requirements governing the use of NSLs are much less rigorous than those imposed in the use of section 215 orders.

So data from potentially thousands of bulk orders, covering both toll and financial records, may be sitting on FBI’s servers, with few access, dissemination, and age-off restrictions.

No wonder the Review Group thinks the NSLs should be subject to the same kind of judicial scrutiny as the other laws repurposed for bulk collection.

There is one final—and important—issue about NSLs. For all the well-established reasons for requiring neutral and detached judges to decide when government investigators may invade an individual’s privacy, there is a strong argument that NSLs should not be issued by the FBI itself. Although administrative subpoenas are often issued by administrative agencies, foreign intelligence investigations are especially likely to implicate highly sensitive and personal information and to have potentially severe consequences for the individuals under investigation. We are unable to identify a principled reason why NSLs should be issued by FBI officials when section 215 orders and orders for pen register and trap-and-trace surveillance must be issued by the FISC.

Which is precisely the reason why the Administration is fighting this.

While the focus on reforms Obama may reject has centered on the phone dragnet collection, anonymous sources are also saying the government can’t accept the Review Group proposal for NSLs.

Civil liberties groups would like Obama to rein in the government’s use of so-called “national security letters,” which allow the FBI and other agencies to compel individuals and organizations to turn over business records without any independent or judicial review.

A senior administration official said no final decisions had been made yet, but some operational agencies have concerns about limiting the use of these letters because it would raise the bar for intelligence investigations above that for criminal ones.

Which is understandable, so long as you ignore the high likelihood these are bulk orders. But once you imagine how many Americans’ records this might include if any significant number of NSLs are bulk orders, then it seems utterly shocking no judge reviews the requests.

That’s presumably one of the reasons the Administration wants to rush through its recommendations before we think too hard about the implications of bulk NSL orders.

Sucky Assessments of the Phone Dragnet Reveal How Much They’re Keeping “Secret”

The assessments of the phone dragnet suck.

I don’t mean the assessments of the phone dragnet show the program sucks, though that may well be the case. I mean the assessments of the phone dragnet I’ve seen do a very poor job of assessing the value of it. Which serves to show how much of the larger dragnet remains, if not secret, still largely undiscussed.

To see what I mean, consider this post, from Just Security’s Ryan Goodman.

Insiders disagree about the phone dragnet value with outsiders

The strongest part of his post compares the seemingly contradictory assessments of the phone dragnet by two different members of the NSA Review Group: University of Chicago Professor Geoffrey Stone and Deputy Director of CIA Mike Morell.

Stone, based on what he learned from public sources and from the briefings the Group received, believes the program did not prevent any terrorist attacks. Morell, whose former agency receives Tippers from the program and even had direct access to query results until 2009 just like the FBI does and did (though no one talks about that), insists it has helped prevent terrorist attacks.

Goodman also notes that the Gang of Four immediately defended the phone dragnet after the Review Group released its results (actually, they object to more than the phone dragnet recommendation but don’t say what other recommendations they object to), but doesn’t note the terms they use to do so:

However, a number of recommendations in the report should not be adopted by Congress, starting with those based on the misleading conclusion that the NSA’s metadata program is ‘not essential to preventing attacks.’ Intelligence programs do not operate in isolation and terrorist attacks are not disrupted by the work of any one person or program. The NSA’s metadata program is a valuable analytical tool that assists intelligence personnel in their efforts to efficiently ‘connect the dots’ on emerging or current terrorist threats directed against Americans in the United States. The necessity of this program cannot be measured merely by the number of terrorist attacks disrupted, but must also take into account the extent to which it contributes to the overall efforts of intelligence professionals to quickly respond to, and prevent, rapidly emerging terrorist threats. [my emphasis]

In other words, Goodman presents evidence that the Gang of Four and a former top CIA official believe there are other reasons the phone dragnet is valuable, while someone relying on limited briefings evaluates the program based on its failure to stop any attack.

That ought to make Goodman ask what Morell and Dianne Feinstein know (or think they know) that Stone does not. It ought to make him engage seriously with their claim that the phone dragnet is doing something else beyond providing the single clues to prevent terrorist attacks.

One they’re not willing to talk about explicitly.

Assessments and the terrorist attack thwarted metric

Instead, Goodman assesses the phone dragnet solely on the basis of the public excuse offered over and over and over since the Guardian first published the Verizon order in June: to see which Americans are in contact with (alleged) terrorist associates so as to prevent an attack.

Goodman lectures program critics that identifying funders or members of terrorist groups might help find terrorists, too, and “peace of mind” might help dedicate resources most productively.

The key objective of course is to stop terrorist attacks against the US homeland and vital US interests abroad. An important distinction, however, is whether the intelligence generated by the program is:

(a) “direct”: timely information to foil a specific attack; or

(b) “indirect”: information that enables the government to degrade a terrorist group or decrease the general likelihood of attacks

Examples of the latter might include information on individuals who have joined or are funding a terrorist organization. Intelligence could help to identify and successfully prosecute such individuals, and hence disable them and deter others. The important point is that both types of information aid the overall goal of stopping terrorist attacks. That point appears to have been lost on some critics of the program. When the government cites the latter information yields, critics often consider such situations irrelevant or little to do with stopping attacks.

But Goodman imagines only those affirmatively supporting terrorism would help the government prevent terrorism, which is not necessarily the case.

Does the NSA’s network analysis even pick the right calls?

One thing missing from such assessments is the failures. Why didn’t, for example, Faisal Shahzad’s planning with the Pakistani Taliban identify him and his hawala before the attack? There are plausible explanations: he used good enough operational security such that he had no communications that could have been included in the dragnets, his TTP phone and Internet contacts were not among the services sucked up, or the turmoil in the phone and (especially) Internet dragnet in 2009 and 2010 led to gaps in the collection. Then there’s a far more serious one: that the methods NSA uses to identify numbers of interest may not work, and may instead only be identifying those whose doings with terror affiliates are relatively innocent, meaning they don’t use operational security (though note the US-based phone dragnets would use more sophisticated analysis only after data gets put in the corporate store, whereas data collected overseas might be immediately subject to it).

And those who, like Goodman, place great stock in the dragnet’s “peace of mind” metric need to assess not just the privacy invasion that might result, but the resources required to investigate all possible leads — which could have been upwards of 36,000 people in the Boston Marathon case.

That is, unless we have evidence that NSA’s means of picking the interesting phone contacts from the uninteresting ones works (and given the numbers involved, we probably don’t have that), then the dragnet may be as much a time suck as it is a key tool.

What about the other purposes the Intelligence Community has (quietly) admitted?

The other problem with assessments of the phone dragnet is they don’t even take the IC at its word in its other, quieter admissions of how it uses the dragnet (notably, in none of Stone’s five posts on the dragnet does he mention any of these — one, two, three, four, five — raising questions whether he ever learned or considered them). These uses include:

  • Corporate store
  • “Data integrity” analysis
  • Informants
  • Index

Corporate store: As the minimization procedures and a few FISC documents make clear, once the NSA has run a query, the results of that query are placed in a “corporate store,” a database of all previous query results.

The Obama as Civil Libertarian Propaganda Rolls Out

Remember back in May 2012, when Daniel Klaidman (and the NYT) rolled out stories about the White House imposing new order on the drone program? The initial roll-out stories adopted the new White House euphemism — Terrorist Attack Disruption Strikes or TADS — in lieu of the previously used “signature strike” or more accurate “untargeted drone strike.” But in stories masquerading as comprehensive, neither made any mention of the death of 16-year-old American citizen Abdulrahman al-Awlaki.

And remember back in February 2013, when Klaidman rolled out claims that John Brennan would not only change the drone targeting rules at CIA, but roll back the war on terror altogether? That article didn’t see any contradiction with treating Brennan’s claims as honest when trying to argue he approved signature strikes in Yemen yet admitting he had twice opposed them. Once again, a purportedly comprehensive article — even one focused on Yemen — didn’t mention Abdulrahman al-Awlaki.

And remember when, a month later, Klaidman proclaimed, “Exclusive: No More Drones for CIA”? I predicted then, based on the evidence of John Brennan’s formal statements to Congress and actions rather than credulously treated anonymous claims, it was wrong.

I was right.

Well, yesterday Klaidman was out with another big counterterrorism scoop, this one promising that “Obama’s Defining Fight” would be “how he will take on the NSA’s surveillance state in 2014.” It dedicates 2,200 words to supporting this proposition.

Throughout his presidency he has struggled, even agonized, over how to balance security and liberty in an age of terror.

[snip]

Obama’s willingness to go back and reform his own counterterrorism policies sometimes has led him to give up power or place it under tighter constraints, an unusual characteristic, given that most presidents try to enhance executive authority, especially in the national security arena. Obama, on the contrary, ordered a policy review toward the end of his first term that eventually placed greater restraints on his targeted killing program, resulting in fewer strikes.

His trajectory on surveillance fits the pattern. [my emphasis]

Klaidman apparently doesn’t see the contradiction with the conclusion of his tale.

Sometime in January, Obama plans to deliver a major speech laying out his own blueprint for surveillance reform.

That is, ultimately Obama plans his own “reform.” Which not only keeps the authority for “reform” in the Executive’s hands — protecting executive authority — but almost certainly stops short of the reasonable but by no means adequate changes proposed by his Review Group.

More importantly, in a story focusing on the reform proposals offered by his Review Group that Obama apparently may accept, Klaidman once again has one of his increasingly characteristic black holes in the middle of the story.

Klaidman reports on Obama’s openness to entertain his NSA Review Group’s recommendations. Yet he makes not one mention of the Group’s recommendation that Director of NSA and CyberCommand be split, and that a civilian lead the former organization. This is one of the most important structural reforms proposed by the Review Group.

Nor does Klaidman mention that Obama has already pre-empted that recommendation publicly after having learned of it, announcing that the position would remain joined and in military hands.

This, in an article that portrays Obama getting miffed at General Alexander (and credulously reports Alexander’s laughable, and in reality more limited, claim that no one knew that NSA hadn’t turned off deliberate features of the illegal dragnet after FISC excluded those features from the dragnet).

But behind the scenes, Obama was showing some irritation with the intelligence leadership that had pressed for these capabilities and repeatedly vouched for their value. One story that rocketed around the intelligence community involved a meeting between the president and NSA Director Keith Alexander. Alexander, who holds advanced degrees in physics and electronic warfare, was trying to explain certain aspects of one of the surveillance programs to Obama. As his highly technical and jargon-laden presentation rambled on, Obama was beginning to lose patience. When Alexander finished, the president thanked him and then icily asked if he could do it over again, “but this time in English.”

While it went unstated at the time, Obama may have felt frustrated that the complexity of the technology was overwhelming policymakers. Even Alexander had publicly conceded that no single person at the NSA had the wherewithal to understand the metadata program in all its dimensions.

Obama already made it clear that certain issues — as it happens, issues that might rein in the national security state — are not up for deliberation. And yet Klaidman makes no mention of that evidence refuting his central premise, even while pretending Obama will and has stood up to Alexander.

Don’t get me wrong. These tales from Klaidman are useful, because so few other reporters get this access. But given the black holes that persist at the center of Klaidman’s scoops, it’s advisable to take his factoids as potentially fictional details, floating completely independently of the narrative he places them in. Because his narratives increasingly have enormous holes precisely where the known evidence exists.

The NSA Review Group Ganders at Metadata

As you’ve no doubt heard, the NSA Review Group recommends real limits on the government’s access to metadata, preferring that it be left with the telecoms and only be retained 2 years, and also recommending a higher standard for accessing it.

Which is why I find this recommendation, to more closely watch high level security classification holders, so ironic.

The routine PCMP review would draw in data on an ongoing basis from commercially available data sources, such as on finances, court proceedings, and driving activity of the sort that is now available to credit scoring and auto insurance companies. Government-provided information might also be added to the data base, such as publicly available information about arrests and data about foreign travel now collected by Customs and Border Patrol.

Those with extremely high Access Scores might be asked to grant permission to the government for their review by a more intrusive Additional Monitoring Program, including random observation of the meta-data related to their personal, home telephone calls, e-mails, use of online social media, and web surfing. Auditing and verification of their Financial Disclosure Forms might also occur.

A data analytics program would be used to sift through the information provided by the Additional Monitoring Program on an ongoing basis to determine if there are correlations that indicate the advisability of some additional review.

It rationalizes this intrusiveness by pointing out that clearance jobs are privileges, not a right.

We recognize that such a program could be seen by some as an infringement on the privacy of federal employees and contractors who choose on a voluntary basis to work with highly sensitive information in order to defend our nation. But, employment in government jobs with access to special intelligence or special classified programs is not a right. Permission to occupy positions of great trust and responsibility is already granted with conditions, including degrees of loss of privacy.

And, apparently unlike the phone and Internet dragnet, it proposes to start with a pilot.

But I wonder if this metadata program would have the same problem the NSA’s dragnets do: they haven’t ever proven they work as planned.