Posts

The Holder-Clapper Letter Ought to Make You Worry about Leahy’s USA Freedom

/10 Comments/in /by

As the press is reporting right now, James “Too Cute by Half” Clapper and Eric Holder have written Patrick Leahy a letter endorsing his version of the dragnet reform bill. Reports claim this shows that Clapper supports reform.

Consider me unimpressed.

To understand why, it helps to understand what this letter was once supposed to do. According to a Senate source who is skeptical this reform does enough, it was supposed to provide language that would endorse civil libertarians’ understanding of key terms of the bill. I’m not sure if the letter is still supposed to do that work — if it is not, that is a story unto itself. But the language in this letter doesn’t make any commitments on the key points of concern.

As an initial matter, I was told this letter would include language making it clear that the “connection chaining” language I’ve been so concerned about would limit contact chaining to actual calls made. The letter doesn’t address connection chaining at all. Huh. How about that?

Here’s what Clapper’s letter says about the prospective call detail record (CDR) collection:

The bill also provides a mechanism to obtain telephone metadata records in order to identify potential contacts of suspected terrorists inside the United States. The Intelligence Community believes that, based on communications providers’ existing practices in retaining metadata, the bill will retain the essential operational capabilities of the existing bulk telephone metadata program while eliminating bulk collection.

It’s good news the IC is not asking for data retention requirements — but you ought to ask why, given that the most important provider, Verizon, has told the Senate Intelligence Committee that it only keeps billing records — not CDRs — for 18 months.

Note, however, that Clapper doesn’t use CDR language here — he uses “metadata,” which is actually broader — potentially far broader — than CDRs as defined by the bill. We know, for example, that the IC considers location data metadata — and James Cole told Mark Warner they might ask for hybrid orders to get location data. We know from the ICREACH documents that the IC admits it uses a different definition of metadata than the FISA Court does (the IC’s definition of metadata not only includes content, but also substantive information about people). We know that providers store customer things-that-count-as-metadata on their clouds, indefinitely. Adopting metadata here, in short, may back off the otherwise limited definition of CDR, which is one of the bills laudable limiting factors.

The letter’s claim to end bulk collection does nothing to reflect that the IC’s definition of bulk — anything without a discriminator — has nothing to do with the common English definition of it; it certainly doesn’t promise to end the English language definition of bulk. Moreover, it only promises to limit bulk collection to the “greatest extent practicable.”

[T]he bill permits collection under Section 215 of the USA PATRIOT Act using a specific selection term that narrowly limits the scope of the tangible things sought to the greatest extent reasonably practicable, consistent with the purposes for seeking the tangible things. Recognizing that the terms enumerated in the statute may not always meet operational needs, the bill permits the use of other terms, provided there are court-approved minimization procedures that prohibit the dissemination and require the destruction within a reasonable period of time of any information that has not been determined to satisfy certain specific requirements.

That “reasonably practicable” language is a direct quote from the bill. It adds nothing, and given that Bob Litt refuses to limit FBI back door searches because it’s not practicable, what the IC means by practicable could very easily encompass gross privacy violations — ones that have already been approved by FISC! And remember–the IC can use corporate persons as selection terms.

Then the letter all but admits it will use selection terms that violate this principle, but points to the minimization procedures required by the law to rationalize that. As I’ve pointed out, there’s no reason to believe the minimization procedures will be any more stringent than what the FISC currently requires — and there’s at least some reason to suspect they might be weaker than current minimization procedures. (And remember, the retention requirements for the CDR authority almost certainly broadens permitted dissemination to foreign intelligence purpose, which might lead to a similar broadening of it elsewhere under the authority.)

The transparency paragraph includes this language.

the transparency provisions  in this bill … among other things, [] recognize the technical limitations on our ability to report certain types of information.

This is James Clapper saying quite clearly to anyone willing to listen that he sees this bill — which explicitly carves out FBI back door searches from any transparency reporting — as Congressional endorsement of the idea that we should never demand the number of FBI back door searches. This language, by itself, ought to make the bill toxic.

Congratulations NGOs. You’re backing the idea that the FBI should be able to use 702 and 12333 collected information in criminal contexts with zero oversight or accountability.

Finally, Clapper’s letter makes it clear that Leahy’s bill will do nothing to stop ex parte communication between the Executive and FISC. And he even points to John Bates’ ridiculous letter (huh, now we have a better sense of who put Bates up to that!) to warn he’ll carve out even more.

We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.

Especially after we learned Bates single-handedly rewrote PATRIOT last year to make it okay to spy on Americans for their protected speech, we should do nothing to accommodate Bates’ wishes, especially since he didn’t speak with the authority of his position. The FISC, as Bates envisions it, doesn’t resemble a real court at all.

In short, there’s one piece of good news in this letter — that the IC won’t ask for data retention requirements — and a whole lot of reason to be even more skeptical of the bill.

ICREACH and FBI’s PRTT Program

/3 Comments/in , /by

I’ll have a more substantive post about what we learn about NSA’s broader dragnet from the Intercept’s ICREACH story.

But for the moment I want to reiterate a point I made the other day. ICREACH is important not just because it makes NSA data available to CIA and FBI. But also because it makes CIA and FBI data available for the metadata analysis the NSA conducts.

The documents describe that to include things like clandestine intelligence and flight information.

But there’s one other program that ought to be of particular concern with regards to NSA’s programs. As I laid out here, FBI had a Pen Register/Trap and Trace “program” that shared information with the NSA at least until February 2012, several months after NSA had ended its PRTT Internet dragnet program.

The secrecy behind the FBI’s PRTT orders on behalf of NSA

PRTT1

Finally, there’s a series of entries on the classification guide for FISA programs leaked by Edward Snowden.

These entries show that FBI obtained counterterrorism information using PRTTs for NSA — which was considered Secret.

But that the FBI PR/TT program – which seems different than these individual orders — was considered TS/SI/NOFORN.

PRTT2

If you compare these entries with the rest of the classification guide, you see that this information — the fact that NSA gets PRTT information from FBI (in addition to information from Pen Registers, which seems to be treated differently at the Secret level)  – is treated with the same degree of secrecy as the actual targeting information or raw collected data on all other programs.

This is considered one of the most sensitive secrets in the whole FISA package.

PRTT3

Even minimized PRTT data is considered TS/SCI.

PRTT4

Now, it is true that this establishes an exact parallel with the BR FISA program (which the classification guide makes clear NSA obtained directly). So it may be attributable to the fact that the existence of the programs themselves was considered a highly sensitive secret.

So maybe that’s it. Maybe this just reflects paranoia about the way NSA was secretly relying on the PATRIOT Act to conduct massive dragnet programs.

Except there’s the date.

This classification guide was updated on February 7, 2012 — over a month after NSA shut down the PRTT program. Also, over a month after — according to Theresa Shea — the NSA destroyed all the data it had obtained under PRTT. (Note, her language seems to make clear that this was the NSA’s program, not the FBI’s.)

That is, over a month after the NSA ended its PRTT program and destroyed the data from it (at least according to sworn declarations before a court), the NSA’s classification guide referred to an FBI PRTT program that it considered one of its most sensitive secrets. And seemed to consider active.

I have no idea what this program entailed — and no one else has even picked up on this detail. It’s possible NSA’s Internet dragnet just moved under the FBI’s control. It’s possible (this is my current operative wildarseguess) that FBI’s PRTT program collects location data; the Bureau uses PRTT orders to get individualized location data, after all.

Whatever it is, though, the existence of ICREACH would make that data available to NSA in a form it could use to include it in contact chaining of metadata (which may be why it figures so prominently in NSA’s classification guide). And note: FBI’s minimization procedures are far more lenient than NSA’s, so whatever this data is, NSA may be able to do more with it given that FBI collected it.

And as with a number of other things, even the Pat Leahy version of USA Freedom would weaken protections for PRTT data.

USA Freedom Must Explicitly Require NSA and CIA to Comply with Law’s Minimization Procedures

/12 Comments/in /by

I know I’ve had a lot of mostly unenthusiastic things to say about even Pat Leahy’s version of the USA Freedom Act.

  • It explicitly exempts FBI from counting back door searches
  • It may not do anything to existing non-electronic communication bulk programs, because it probably permits the use of corporate persons as Specific Selection Terms
  • The “connection chaining” may permit expanded access to smart phone data
  • It retains USA Freedumber’s “foreign intelligence” retention language

Having read about half of last week’s Internet Dragnet document dump so far, I’m increasingly worried about two details I’ve already raised.

I suspect, unless the law explicitly imposes minimization procedures on NSA (and CIA, which reportedly operates the bulky Western Union dragnet), they will evade the bill’s most stringent minimization procedures.

As I noted in November and PCLOB noted in January, the business records provision was explicitly written for FBI, not other intelligence agencies. As a result, the language in it requiring minimization procedures did not — and still would not under Leahy Freedom (to say nothing of USA Freedumber) — require minimization procedures from Agencies beyond FBI. For example, unless I’m misreading how the law would be implemented, this is what would still be in place with regards to minimization procedures.

Applications have to lay out minimization procedures. But the law only requires they apply to FBI.

(D) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.

The judge reviews the minimization procedures in the application to make sure they comply with (g), and then includes an order they be followed in his order approving the application.

(1) Upon an application made pursuant to this section, if the judge finds that the application meets the requirements of subsections (a) and (b) and that the minimization procedures submitted in accordance with subsection (b)(2)(D) meet the definition of minimization procedures under subsection (g), the judge shall enter an ex parte order as requested, or as modified, approving the release of tangible things. Such order shall direct that minimization procedures adopted pursuant to subsection (g) be followed.

And as I’ve already noted, the entire section (g) devoted to minimization explicitly applies to just FBI.

The Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this subchapter.

What’s particularly crazy about this is that the clause was changed to take out deadlines imposed in the 2006 renewal. In other words, they changed this clause, but left in the limits for most minimization procedures to just FBI.

Read more

Leahy’s Freedom Act May Not Change Status Quo on Records Other than Call Records

/2 Comments/in /by

Update: According to the DOJ IG NSL Report released today, the rise in number of Section 215 orders stems from some Internet companies refusing to provide certain data via NSL; FBI has been using Section 215 instead. However they’re receiving it now, Internet companies, like telephone companies, should not be subject to bulk orders as they are explicitly exempted. 

WaPo’s MonkeysCage blog just posted a response I did to a debate between H.L. Pohlman and Gabe Rottman over whether Patrick Leahy’s USA Freedom includes a big “backdoor” way to get call records. The short version: the bill would prevent bulk — but not bulky — call record collection. But it may do nothing to end existing programs, such as the reported collection of Western Union records.

In the interest of showing my work, he’s a far more detailed version of that post.

Leahy’s Freedom still permits phone record collection under the existing authority

Pohlman argues correctly that the bill specifically permits the government to get phone records under the existing authority. So long as it does so in a manner different from the Call Detail Record newly created in the bill, it can continue to do so under the more lenient business records provision.

To wit: the text “carves out” the government’s authority to obtain telephone metadata from its more general authority to obtain “tangible things” under the PATRIOT Act’s so-called business records provision. This matters because only phone records that fit within the specific language of the “carve out” are subject to the above restrictions on the government’s collection authority.  Those restrictions apply only “in the case of an application for the production on a daily basis of call detail records created before, on, or after the date of the application relating to an authorized investigation . . . to protect against international terrorism.”

This means that if the government applies for a production order of phone records on a weekly basis, rather than on a “daily basis,” then it is falls outside the restrictions. If the application is for phone records created “before, on, [and] after” (instead of “or after”) the date of the application, ditto. If the investigation is not one of international terrorism, ditto.

However, neither Pohlman nor Rottman mention the one limitation that got added to USA Freedumber in Leahy’s version which should prohibit the kind of bulk access to phone records that currently goes on.

Leahy Freedom prohibits the existing program with limits on electronic service providers

The definition of Specific Selection Term “does not include a term that does not narrowly limit the scope of the tangible things … such as–… a term identifying an electronic communication service provider … when not used as part of a specific identifier … unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.”

In other words, the only way the NSA can demand all of Verizon’s call detail records, as they currently do, is if they’re investigating Verizon. They can certainly require Verizon and every other telecom to turn over calls two degrees away from, say, Julian Assange, as part of a counterintelligence investigation. But that language pertaining to electronic communication service provider would seem to prevent the NSA from getting everything from a particular provider, as they currently do.

So I think Rottman’s largely correct, though not for the reasons he lays out, that Leahy’s Freedom has closed the back door to continuing the comprehensive phone dragnet under current language.

But that doesn’t mean it has closed a bunch of other loopholes Rottman claims have been closed.

FISC has already dismissed PCLOB (CNSS) analysis on prospective collection 

For example, Rottman points to language in PCLOB’s report on Section 215 stating that the statutory language of Section 215 doesn’t support prospective collection. I happen to agree with PCLOB’s analysis, and made some of the same observations when the phone dragnet order was first released. More importantly, the Center for National Security Studies made the argument in an April amicus brief to the FISC. But in an opinion released with the most recent phone dragnet order, Judge James Zagel dismissed CNSS’ brief (though, in the manner of shitty FISC opinions, without actually engaging the issue).

In other words, while I absolutely agree with Rottman’s and PCLOB’s and CNSS’ point, FISC has already rejected that argument. Nothing about passage of the Leahy Freedom would change that analysis, as nothing in that part of the statute would change. FISC has already ruled that objections to the prospective use of Section 215 fail.

Minimization procedures may not even protect bulky business collection as well as status quo

Then Rottman mischaracterizes the limits added to specific selection term in the bill, and suggests the government wouldn’t bother with bulky collection because it would be costly.

The USA Freedom Act would require the government to present a phone number, name, account number or other specific search term before getting the records—an important protection that does not exist under current law. If government attorneys were to try to seek records based on a broader search term—say all Fedex tracking numbers on a given day—the government would have to subsequently go through all of the information collected, piece by piece, and destroy any irrelevant data. The costs imposed by this new process would create an incentive to use Section 215 judiciously.

As I pointed out in this post, those aren’t the terms permitted in Leahy Freedom. Rather, it permits the use of “person, account, address, or personal device, or another specific identifier.” Not a “name” but a “person,” which in contradistinction from the language in the CDR provision — which replaces “person” with “individual” — almost certainly is intended to include “corporate persons” among acceptable SSTs for traditional Section 215 production.

Like Fedex. Or Western Union, which several news outlets have reported turns over its records under Section 215 orders.

FISC already imposes minimization procedures on most of its orders

Rottman’s trust that minimization procedures will newly restrain bulky collection is even more misplaced. That’s because, since 2009, FISC has been imposing minimization procedures on Section 215 collection with increasing frequency; the practice grew in tandem with greatly expanded use of Section 215 for uses other than the phone dragnet.

While most of the minimization procedure orders in 2009 were likely known orders fixing the phone dragnet violations, the Attorney General reports covering 2010 and 2011 make it clear in those years FISC modified increasing percentages of orders by imposing minimization requirements and required a report on compliance with them

The FISC modified the proposed orders submitted with forty-three such applications in 2010 (primarily requiring the Government to submit reports describing implementation of applicable minimization procedures).

The FISC modified the proposed orders submitted with 176 such applications in 2011 (requiring the Government to submit reports describing implementation of applicable minimization procedures).

That means the FISC was already requiring minimization procedures for 176 orders in 2011, only 5 of which are known to be phone dragnet orders. Read more

A Better Reform than USA Freedom: Get Rid of the FISA Court

/6 Comments/in /by

As he did once before, John Bates has written a letter in the guise of raising concerns about the resources of the FISA Court (though in this case, not actually raising any such concerns) to provide his — or someone else’s — policy views on Patrick Leahy’s version of USA Freedom (see Steve Vladeck’s great post arguing that this letter presents solely Bates defending the executive; though I think Vladeck misreads claimed cooperation with the Administration on Leahy’s bill for assent to it). But also as his earlier letter did, this does nothing so much as make a compelling case to eliminate the FISC.

While Bates raises legitimate concerns about whether summaries of court opinions are better than redacted versions (he would prefer the most sensitive ones remain secret) and the constitutionality of the appeals process, his chief gripe arises from the increased independence Leahy’s bill gives a special advocate.

Bates maintains that by requiring the FISC special advocate to advocate for privacy or civil liberties would not further the interests of privacy or civil liberties.

That’s because actually requiring the advocate to advocate for something would put her in an adversarial position vis-a-vis the government. And that, Bates is sure, would lead the government to withhold information from the Court.

Introducing an adversarial special advocate in FISA proceedings creates the risk that representatives of the Executive Branch — who, as noted, have a heightened duty of candor in ex parte FISA court procedings — would be reluctant to disclose to the courts particularly sensitive factual information, or information detrimental to a case, because doing so would also disclose the information to an independent adversary.

Mind you, the public record shows the government already withholds crucial information, such as how many Americans get collected under upstream collection, as well as how the government is actually using back door searches and how prevalent they are, as well as the torture from which some of their evidence introduced at FISC derives, as well as that EFF had a protection order for data that might incorporate the Section 215 program. So the notion that ex parte proceedings currently give the FISC all the information it needs is farcical.

But Bates worries that requiring the government to expose all the information about its plans to an adversary might lead the government to forgo “potentially valuable intelligence-gathering activities under FISA.” That’s an admission that some of the government’s current programs could not have withstood even the classified scrutiny of someone not positioned as a partner in implementing all the possible intelligence gather activities. The FISC has become, Bates makes clear, the government’s partner in approving every possible collection program that might be valuable.

And all of this complaint is an admission from Bates that it never intended to provide the advocate, as described under USA Freedumber, all the information she needed to do her job.

Bates had already made that complaint in his last letter. In this one, he adds a new one: that because Leahy’s USA Freedom requires the special advocate to be involved in novel cases — and actually defines what novel means — she would be involved in too many.

Section 401 would seem to apply to a potentially large number of cases. The requirement to designate a special advocate would be triggered in the first instance in any matter involving a “novel or significant interpretation of the law.” That term is defined expansively to include, among other things, matters involving the “application … of settled law to novel … circumstances.” Because nearly every application involves distinct (i.e., “novel”) facts and circumstances, Section 401 could be read as applying in a broad swath of cases.

Bates’ former colleagues disagree on this point. James Robertson and James Carr have said the vast majority of what FISC judges approve are fairly simple warrants.

Both and his colleagues, however, may be right: that is, it may well be the FISC has now gotten to the point where each application represents an expansion or a new tweak of previous approvals. I would actually be shocked if the expanding number of Section 215 orders — accompanied as they have been by FISC-imposed minimization procedures — don’t represent such an expansion.

Given Deputy Attorney General James Coles’ confirmation of Zoe Lofgren and Mark Warner’s questions about what Section 215 may be used for — including credit card data, URL searches, and location data — this morphing use of 215 now likely provides the government access programmatically to things they previously needed individualized warrants for.

Even with the opinions and applications we’ve seen — most of which pre-date the significant 2010 expansion of 215-based programs — it becomes clear the FISC judges (or at least those in DC who review the more novel applications) have become a rubber stamp for programs that far surpass the language of the law and likely conflict with other laws. With the vast expansion of dragnets starting in 2004, the FISC has become a court of reasonableness generally, not reasonableness within the letter of the law as written by Congress. The series of plaintive and laughably weak FISC opinions since the exposure of the Section 215 program underscores this: exposed as having far exceeded the law and intent of the Section 215 program, the FISC was left trying to invent the law post hoc.

Bates has, even more than his earlier letter, made it clear that he, at least, believes the FISC is and should be a partner with the Executive, providing legal cover for novel new surveillance that may not fit the intent of Congress. I’d say, too, that even in the area of individualized warrants, it has presided over the redefinition of things like “agent of foreign power,” such that confused Muslim young men become legitimate targets for invasive surveillance that can never be checked in the context of criminal proceedings.

So let’s get rid of it!

It may be the case that in 1978 traditional Title III courts couldn’t handle the secrecy required by FISC proceedings. But they can and do now, routinely. There’s no reason judges throughout the country couldn’t be asked to weigh FISC probable cause as they currently weigh criminal probable cause; and having more judges do so might stay closer to the definition of foreign power as intended by Congress, and if it doesn’t (which given the rubber stamp of magistrates, might well happen), it would be more likely to be reviewed at the appellate level.

Similarly, the courts have and are proving able to deal with new applications, as their treatment of FBI’s request for nationwide warrants to hack makes clear. But they do so in deliberative fashion, actual weighing the language of the law, rather than just secretly approving an application that pretty clearly violates Congress’ intent.

Eliminating the FISC wouldn’t fix all the problems of out-of-control surveillance. Requiring notice for EO 12333 collection is another necessary step, as is actual prosecution for violations of surveillance law. But it seems that just eliminating the FISC would be a far better fix for the problems exposed by Snowden’s leaking than USA Freedom would be.

USA Freedom Does Not Rein in the Spies

/5 Comments/in , , /by

Honest. I started writing about this David Cole column asking, “Can Congress rein in the spies?” before John Brennan admitted that, contrary to his earlier assurances, his spooks actually had been spying on their Congressional overseers and also before President Obama announced that, nevertheless, he still has confidence in Brennan.

Cole’s column isn’t about the the Senate Intelligence Committee’s struggles to be able to document CIA torture, however. It’s about how Patrick Leahy introduced his version of USA Freedom Act “not a moment too soon.”

I don’t want to gripe with the column’s presentation of Leahy’s version of Freedom; with a few notable exceptions (one which I’ll get to), it accurately describes how Leahy’s bill improves on the bill the spies gutted in the House.

I first wanted to point to why Cole says Leahy’s bill comes not a moment too soon.

Leahy’s bill comes not a moment too soon. Two reports issued on Monday bring into full view the costs of a system that allows its government to conduct dragnet surveillance without specific suspicions of wrongdoing. In With Liberty to Monitor All, Human Rights Watch and the ACLU make a powerful case that mass surveillance has already had a devastating effect on journalists’ ability to monitor and report on national security measures, and on lawyers’ ability to represent victims of government overreaching. And the same day, the New America Foundation issued Surveillance Costs, a report noting the widespread economic harm to US tech companies that NSA surveillance has inflicted, as potential customers around the world take their business elsewhere.

Together, these reports make concrete the damaging effects of out-of-control surveillance, even to those with “nothing to hide.” Our democracy has long rested on a vibrant and vigorous press and open legal system. On matters of national security, journalists probably serve as a more important check on the executive than even the courts or Congress.

[snip]

And, it turns out, tech companies also need to be able to promise confidentiality. Customers of Internet services or cloud computing storage programs, for example, expect and need to be certain that their messages and stored data will be private. Snowden’s revelations that the NSA has been collecting vast amounts of computer data, and has exploited vulnerabilities in corporate encryption programs, have caused many to lose confidence in the security of American tech companies in particular.

Cole describes the great costs out-of-control surveillance imposes on journalists, lawyers, and cloud providers, and implies we cannot wait to reverse those costs.

Then he embraces a bill that would not protect journalists’ conversations with whistleblowers (Leahy’s Freedom still permits the traditional access of metadata for counterintelligence purposes as well as the Internet dragnet conducted overseas) or alleged terrorists, would not protect lawyers’ discussions with their clients (the known attorney-client protected collections happened under traditional FISA, EO 12333, and possibly Section 702, none of which get changed in this bill), and would expose American companies’ clouds even further to assisted government access under the new Call Detail Record provision.

Cole does admit the bill does not address Section 702; he doesn’t mention EO 12333 at all, even though both the HRW and NAF reports did.

Senator Leahy’s bill is not a cure-all. It is primarily addressed to the collection of data within the United States, and does little to reform Section 702, the statute that authorizes the PRISM program and allows the government to collect the content of electronic communications of noncitizens abroad, even if they are communicating with US citizens here. And it says nothing about the NSA’s deeply troubling practice of inserting vulnerabilities into encryption programs that can be exploited by any hacker. It won’t, therefore, solve all the problems that the HRW and New American Foundation reports identify. But it would mark an important and consequential first step.

But he doesn’t admit the bill does little to address the specific sources of the costs identified in the two reports. It’s not a minute too soon to address these costs, he says, but then embraces a bill that doesn’t really address the actual sources of the costs identified in the reports.

That is mostly besides the point of whether Leahy’s bill is a fair apples-to-oranges trade-off with the status quo as to represent an improvement — an answer to which I can’t yet give, given some of the obvious unanswered questions about the bill. It is, however, a testament to how some of its supporters are overselling this bill and with it anyone’s ability to rein in the intelligence community.

But it’s one testament to that that bugs me most about Cole’s column. As I noted, he does mention Leahy’s failure to do anything about Section 702. Nowhere in his discussion of 702, however, does he mention that it permits warrantless access to Americans’ content, one which FBI uses when conducting mere assessments of Americans. Which of course means Cole doesn’t mention the most inexcusable part of the bill — its exemption on already soft reporting requirements to provide the numbers for how many Americans get exposed to these back door searches.

I’m not a fancy Georgetown lawyer, but I strongly believe the back door searches — conducted as they are with no notice to anyone ultimately prosecuted based off such information — are illegal, and probably unconstitutional. When retired DC Circuit Court judge Patricia Wald raised these problems with the practice, Director of National Intelligence Counsel Bob Litt simply said it would be “impracticable” to add greater oversight to back door searches. And in spite of the fact that both the President’s Review Group and PCLOB advised significant controls on this practice (which implicates the costs identified in both the HRW and NAF reports), the version of USA Freedom Act crafted by the head of the Senate Judiciary Committee — the Committee that’s supposed to ensure the government follows the law — not only doesn’t rein in the practice, but it exempts the most egregious part of the practice from the transparency applauded by people like Cole, thereby tacitly endorsing the worst part of the practice.

And all that’s before you consider that the IC also conducts back door searches of EO 12333 collected information — as first reported by me, but recently largely confirmed by John Napier Tye. And before you consider the IC’s explicit threat — issued during the passage of the Protect America Act — that if they don’t like any regulation Congress passes, they’ll just move the program to EO 12333.

The point is, Congress can’t rein in the IC, and that’s only partly because (what I expect drives the Senate’s unwillingness to deal with back door searches) many members of Congress choose not to. The have not asserted their authority over the IC, up to and including insisting that the protections for US persons under FISA Amendments Act actually get delivered.

In response to the news that Brennan’s spies had been spying on its Senate overseers, Patrick Leahy (who of course got targeted during the original PATRIOT debate with a terrorist anthrax attack) issued a statement insisting on the importance of Congressional oversight.

Congressional oversight of the executive branch, without fear of interference or intimidation, is fundamental to our Nation’s founding principle of the separation of powers.

Yet his bill — which is definitely an improvement over USA Freedumber but not clearly, in my opinion, an improvement on the status quo — tacitly endorses the notion that FBI can conduct warrantless searches on US person communications without even having real basis for an investigation.

That’s not reining in the spies. That’s blessing them.

Did ACLU and EFF Just Help the NSA Get Inside Your Smart Phone?

/10 Comments/in /by

EFF ACLUThe ACLU and EFF normally do great work defending the Fourth Amendment. Both have fought the government’s expansive spying for years. Both have fought hard to require the government obtain a warrant before accessing your computer, cell phone, and location data.

But earlier this week, they may have taken action that directly undermines that good work.

On Wednesday, both civil liberties organizations joined in a letter supporting Patrick Leahy’s version of USA Freedom Act, calling it a necessary first step.

We support S. 2685 as an important first step toward necessary comprehensive surveillance reform. We urge the Senate and the House to pass it quickly, and without
making any amendments that would weaken the important changes described above.

ACLU’s Laura Murphy explained why ACLU signed onto the bill in a column at Politico, analogizing it to when, in 2010, ACLU signed onto a bill that lowered, but did not eliminate,  disparities in crack sentencing.

Reform advocates were at a crossroads. Maximalists urged opposition despite the fact the bill would, in a very real way, make life better for thousands of people and begin to reduce the severe racial and ethnic inequality in our prison system. Pragmatists, fearing that opposition to the bill would preclude any reform at all, urged support.

It was a painful compromise, but the ACLU ultimately supported the bill. It passed, astoundingly, with overwhelming support in both chambers.

And then something amazing happened. Conservative lawmakers, concerned about government waste, increasingly came to the table to support criminal justice reform. Liberals realized they could vote their conscience on criminal justice without accusations of being “soft on crime.” It has not been easy and there have been many steps backward, but in recent years, we’ve seen greater public opposition to mandatory minimum sentences and real movement on things like reducing penalties for low-level drug offenses.

The analogy is inapt. You don’t end crack disparities by increasing the number of coke dealers in jail. But Leahy’s USA Freedom Act almost certainly will increase the number of totally innocent Americans who will be subjected to the full brunt of NSA’s analytical authorities indefinitely.

That’s because by outsourcing to telecoms, NSA will actually increase the total percentage of Americans’ telephone records that get chained on; sources say it will be more “comprehensive” than the current dragnet and Deputy NSA Director Richard Ledgett agrees the “the actual universe of potential calls that could be queried against is [potentially] dramatically larger.” In addition, the telecoms are unlikely to be able to remove all the noisy numbers like pizza joints — as NSA currently claims to — meaning more people with completely accidental phone ties to suspects will get sucked in. And USA Freedom adopts a standard for data retention — foreign intelligence purpose — that has proven meaningless in the past, so once a person’s phone number gets turned over to the NSA, they’ll be fair game for further NSA spying, the really invasive stuff, indefinitely.

But that’s not the reason I find ACLU and EFF’s early support for USA Freedom so astounding.

I’m shocked ACLU and EFF are supporting this bill because they don’t know what the NSA will be permitted to do at the immunized telecoms. They have blindly signed onto a bill permitting “connection chaining” without first understanding what connection chaining entails.

As I have reported extensively, while every witness who has talked about the phone dragnet has talked about chaining on phone calls made — all the calls Anwar al-Awlaki made, all the calls those people made — the language describing this chaining process has actually been evolving. Dianne Feinstein’s Fake FISA Fix last fall allowed the NSA to chain on actual calls — as witnesses had described — but also on communications (not just calls) “to or from any selector reasonably linked to the selector.” A February modification and the last two dragnet orders permitted NSA to chain on identifiers “with a contact and/or connection” with the seed, making it clear that a “connection” is something different than a “contact.” The House bill USA Freedumber adopted the same language in a legislative report. Leahy’s bill adopts largely the same language for chaining.

(iii) provide that the Government may require the prompt production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;

Now, it’s possible that this language does nothing more than what NSA illegally did until 2009: chain on both the identifier itself, but also on identifiers it has determined to be the same person. Back in 2009, NSA referred to a separate database to determine these other identifiers. Though that’s unlikely, because the bill language suggests the telecoms will be identifying these direct connections.

It’s possible, too, that this language only permits the telecoms to find “burner” phones — a new phone someone adopts after having disposed of an earlier one — and chain on that too.

But it’s also possible that this language would permit precisely what AT&T does for DEA in its directly analogous Hemisphere program: conduct analysis using cell site data. The bill does not permit NSA to receive cell site data, but it does nothing to prohibit NSA from receiving phone numbers identified using cell site data. When Mark Warner asked about this, Ledgett did not answer, and James Cole admitted they could use these orders (with FISC approval) to get access to cell location.

It’s possible, too, that the telecoms will identify direct connections using other data we know NSA uses to identify connections in EO 12333 data, including phone book and calendar data.

The point is, nobody in the public knows what “connections” NSA will be asking its immunized telecom partners to make. And nothing in the bill or even the public record prohibits NSA from asking telecoms to use a range of smart phone information to conduct their analysis, so long as they only give NSA phone identifiers as a result.

In response to questions from Senators about what this means, Leahy’s office promised a letter from James Clapper’s office clarifying what “connections” means (No, I don’t remember the part of Schoolhouse Rock where those regulated by laws get to provide “clarifications” that don’t make it into the laws themselves). That letter was reported to be due on Tuesday, by close of business — several days ago. It hasn’t appeared yet.

I asked people at both EFF and ACLU about this problem. EFF admitted they don’t know what this language means. ACLU calls the language “ambiguous,” but based on nothing they were able to convey to me, insists getting smart phone data under the guise of connection chaining would be an abuse. ACLU also pointed to transparency provisions in the bill, claiming that would alert us if the NSA starting doing something funky with its connection language; that of course ignores that “connection chaining” is an already-approved process, meaning that existing processes won’t ever be need to be released. It also ignores that the Administration has withheld what is probably a directly relevant phone dragnet opinion from both ACLU and EFF in their dragnet FOIA.

I get Laura Murphy’s point about using USA Freedom to start the process of reform. But what I don’t understand is why you’d do that having absolutely no idea whether that “reform” codifies the kind of warrantless probable cause-free access to device data that ACLU and EFF have fought so hard to prevent elsewhere.

ACLU and EFF are supposed to be leaders in protecting the privacy of our devices, including smart phones. I worry with their embrace of this bill, they’re leading NSA right into our smart phones.

A Good Idea that May Backfire: FISCR Fast Track

/in /by

I’ve written several posts about Leahy’s USA Freedom already. To recap:

  • The bill is definitely an improvement off of USA Freedumber, though it retains “connection” chaining language I’m seriously concerned about
  • The bill permits the government to collect “bulky” collections in at least two ways: the use of IP addresses and non-individual persons (aka corporations)
  • The bill inexplicably exempts the FBI from reporting requirements on back door searches

My last new concern about the bill pertains to a measure that means well, but might backfire.

The bill includes language designed to provide for appeals of significant issues, first to the FISA Court of Review, and then to SCOTUS.

(j) REVIEW OF FISA COURT DECISIONS.—After issuing an order, a court established under subsection (a) shall certify for review to the court established under subsection (b) any question of law that the court determines warrants such review because of a need for uniformity or because consideration by the court established under subsection (b) would serve the interests of justice. Upon certification of a question of law under this paragraph, the court established under subsection (b) may give binding instructions or require the entire record to be sent up for decision of the entire matter in controversy.

(k) REVIEW OF FISA COURT OF REVIEW DECISIONS.—

(1) CERTIFICATION.—For any decision issued by the court of review established under subsection (b) approving, in whole or in part, an application by the Government under this Act, such court may certify at any time, including after a decision, a question of law to be reviewed by the Supreme Court of the United States.

(2) SPECIAL ADVOCATE BRIEFING.—Upon certification of an application under paragraph (1), the court of review established under subsection (b) may designate a special advocate to provide briefing as prescribed by the Supreme Court.

(3) REVIEW.—The Supreme Court may review any question of law certified under paragraph (1) by the court of review established under subsection (b) in the same manner as the Supreme Court reviews questions certified under section 1254(2) of title 28, United States Code.

That is, it provides a way for FISC to ask FISCR to review their work, and for FISCR to ask SCOTUS to review their work.

To some degree, the more eyes that look at these novel decisions, the better.

But neither the FISCR review nor the SCOTUS review requires even the Special Advocate. While FISCR has, in the past, permitted amici, they (and Yahoo, in the case where Yahoo appealed FISC’s 2007 recision on Protect America Act) were shooting in the dark. the new advocate, such as it exists, would be able to argue before FISCR if the court wanted it.

So to a significant extent that would result in the same people (the government and the Court’s permanent staff, on one side, and the unproven advocate on the other) arguing the same issue over and over. with the courts themselves choosing to have their own decisions certified by the higher courts.

With the potential result that you’d have appellate decisions or even a SCOTUS instruction without ever giving a real adversary a shot at the issue. If FISC responded to the phone dragnet question before the way they have since Snowden leaked details of it, they would have gotten it certified to confirm their authority.

One addition to Leahy’s bill could exacerbate that. His bill requires the FISC to consult with PCLOB on appointees as  Advocates. With today’s PCLOB, that’d be a good thing. But if Republicans win back the Senate — especially if Mitch McConnell retains his seat — you’d see another PCLOB member the likes of Elisabeth Collins Cook and Rachel Brand. Both are really smart. But both were architects of the surveillance regime while serving as DOJ Policy AAGs. Add a third of that ilk, and PCLOB could load up the Advocates corp with people like Steven Bradbury.

Moreover, for the foreseeable future, Justice John Roberts will be handpicking these judges, which doesn’t give me a lot of confidence.

I just think the Advocate system is unproven right now. It may work out, it may be gamed to reinforce the dysfunction of the court. And the record of the FISCR — especially Laurence Silberman’s efforts to rule FISA illegal in 2002 — give me no confidence this kind of self-appeal would do anything but sanction bad decisions.

Mind you, the Leahy bill also permits the government to go on denying aggrieved people of review of Section 215 collection, so it’s not clearly anyone else will get standing to challenge this program in particular.

But it seems like the FISC system is so dysfunctional, there’s no reason to pre-empt the possibility of real adversarial court function.

Update: Orin Kerr thinks this is unconstitutional.

Leahy USA Freedom’s Bulky Corporate Persons

/5 Comments/in /by

As I said in my post the other day, the definition of Specific Selection Term in the Leahy version of USA Freedom addresses almost all my concerns about bulk collection under USA Freedom Act.

But not all of them.

I have two concerns.

First, some background. The bill actually uses two definitions of “specific selection term.” The definition as it applies to traditional Section 215, PRTT, and NSL collection is,

(i) means a term that specifically identifies a person, account, address, or personal device, or another specific identifier, that is used by the Government to narrowly limit the scope of tangible things sought to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things; and [my emphasis]

It defines “address” this way:

ADDRESS.—The term ‘address’ means a physical address or electronic address, such as an electronic mail address, temporarily assigned network address, or Internet protocol address.

That’s my first concern. IP addresses can represent entire companies. And who knows what the NSA might consider “temporarily assigned network addresses”?

Then there’s the difference between that definition of “specific selection term” and the more narrow one used with the prospective contact chaining at telecoms, which is:

CALL DETAIL RECORD APPLICATIONS.—For purposes of an application submitted under subsection (b)(2)(C), the term ‘specific selection term’ means a term that specifically identifies an individual, account, or personal device. [my emphasis]

You’ll note the bill targets “individual” for its contact chaining, but “person” for the rest of Section 215 collection. The obvious reason to do that is if you’re collecting on an entire corporate person, like Western Union (which WSJ and NYT reported CIA uses Section 215 to collect on).

The bill does include limits on what kinds of corporate persons can be collected. The bill explicitly prohibits using electronic communication service providers and cloud providers as specific selection terms, unless they are being investigated.

(II) a term identifying an electronic communication service provider (as that term is defined in section 701) or a provider of remote computing service (as that term is defined  in section 2711 of title 18, United States Code), when not used as part of a specific identifier as described in clause (i), unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.

That still seems to leave a whole slew of corporate persons who can be the selection term for collection.

The bill limits that collection in another way, through minimization procedures.

‘(C) for orders in which the specific selection term does not specifically identify an individual, account, or personal device, procedures that prohibit the dissemination, and require the destruction within a reasonable time period (which time period shall be specified in the order), of any tangible thing or information therein that has not been determined to relate to a person who is—

(i) a subject of an authorized investigation;

(ii) a foreign power or a suspected agent of a foreign power;

(iii) reasonably likely to have information about the activities of—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation; or

(iv) in contact with or known to—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation,

unless the tangible thing or information therein indicates a threat of death or serious bodily harm to any person or is disseminated to another element of the intelligence community for the sole purpose of determining whether the tangible thing or information therein relates to a person who is described in clause (i), (ii), (iii),  or (iv)

This language is almost certainly not new — as CDT’s otherwise decent analysis suggests. We know the FISC has been modifying orders more and more in recent years. We don’t know — we have to rely on Congress, blindly — whether these minimization procedures are more strict or (likely, because other parts of this bill are) less restrictive than what the FISC itself has been imposing.

But even the existence of this language — and the differential use of “person” and “individual” — makes it clear the bill still permits the bulk collection of data. It just requires the agency in question to purge the data … sometime.

The question is whether this “agency protocol” — what Chief Justice John Roberts said was not enough to protect Americans’ privacy — is sufficient to protect Americans’ privacy.

I don’t think it is.

First, it doesn’t specify how long the NSA and FBI and CIA can keep and sort through these corporate records (or what methods it can use to do so, which may themselves be very invasive).

It also permits the retention of data that gets pretty attenuated from actual targets of investigation: agents of foreign powers that might have information on subjects of investigation and people “in contact with or known to” suspected agents associated with a subject of an investigation.

Known to?!?! Hell, Barack Obama is known to all those people. Is it okay to keep his data under these procedures?

Also remember that the government has secretly redefined “threat of death or serious bodily harm” to include “threats to property,” which could be Intellectual Property.

So CIA could (at least under this law — again, we have no idea what the actual FISC orders this is based off of) keep 5 years of Western Union money transfer data until it has contact chained 3 degrees out from the subject of an investigation or any new subjects of investigation it has identified in the interim.

In other words, probably no different and potentially more lenient than what it does now.

Leahy Freedom Act Exempts FBI from Counting Its Back Door Searches

/2 Comments/in /by

As I said in my post last night, Pat Leahy’s version of USA Freedom Act is a significant improvement over USA Freedumber, the watered down House version. But it includes language that no one I’ve met has been able to explain. I believe it may permit the NSA to have its immunized telecom providers contact chain on (at least) location, and possibly worse. Thus, it may well be everyone applauding the bill — including privacy NGOs — are applauding increased use of techniques like location spying even as judges around the country are deeming such spying unconstitutional. I strongly believe this bill may expand the universe of US persons who will be thrown into the corporate store indefinitely, to be subjected to the full brunt of NSA’s analytical might.

But that’s not the part of the bill that disturbs me the most. It’s this language:

‘(3) FEDERAL BUREAU OF INVESTIGATION.—

Subparagraphs (B)(iv), (B)(v), (D)(iii), (E)(iii), and (E)(iv) of paragraph (1) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

The language refers, in part,  to requirements that the government report to Congress:

(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—

(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and

(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;

These are back door searches on US person identifiers of Section 702 collected data — both content (iv) and metadata (v).

In other words, after having required the government to report how many back door searches of US person data it conducts, the bill then exempts the FBI.

The FBI — the one agency whose use of such data can actually result in a prosecution of the US person in question.

We already know the government has not provided all defendants caught using 702 data notice. And yet, having recognized the need to start counting how many Americans get caught in back door searches, Patrick Leahy has decided to exempt the agency that uses back door searches the most.

And if they’re not giving defendants notice (and they’re not), then this is an illegal use of Section 702.

There is no reason to exempt the FBI for this. On the contrary, if we’re going to count back door searches on US persons, the first place we should start counting is at FBI, where it likely matters most. But the Chair of the Senate Judiciary Committee has decided it’s a good idea to exempt precisely those back door searches from reporting requirements.