Why Has the Intelligence Community Missed So Many Digital Bales of Hay?

In a piece on the intelligence community’s increasing reliance on SIGINT, LAT reports that the share of the President’s daily brief that comes from SIGINT has increased from the 60% it stood at in 2000.

Determined to identify and track Al Qaeda terrorists and to prevent another attack after Sept. 11, 2001, the NSA set about vastly enlarging its ability to capture, store and exploit the ocean of texts, emails, videos and other electronic communications.

“They took on a new mission that required sifting vast amounts of data to find a few important signals,” said Stewart Baker, who was the NSA’s general counsel from 1992 to 1994 and held top Homeland Security Department jobs in the George W. Bush administration.

Today the NSA secretly siphons an almost unimaginable number of foreign government, corporate and private communications from the World Wide Web, according to the trove of classified material disclosed by Edward Snowden, the fugitive former NSA contractor. One document leaked last week revealed that NSA computers take in 500 million “communications connections” per month in Germany alone.

[snip]

About 60% of the president’s daily brief, the highly classified intelligence summary delivered to the White House each morning, was based as of 2000 on “signals intelligence,” or intercepted communications, according to a declassified NSA document from December of that year. The NSA portion has increased since then, former officials say.

“Over the last 10 years, because of the Internet gold mine, signals intelligence has become the primary vehicle for U.S. intelligence collection,” said James Lewis, director of the technology and public policy program at the nonpartisan Center for Strategic and International Studies in Washington.

WaPo’s original story on PRISM (which, remember, is just a computer interface making it easier for analysts to access data from just 9 companies) reported that 1 in 7 pieces of intelligence in the PDB derived from PRISM, or a total of 1,477 pieces of intelligence last year (10,339 pieces of intelligence in all the PDBs last year, then?).

An internal presentation of 41 briefing slides on PRISM, dated April 2013 and intended for senior analysts in the NSA’s Signals Intelligence Directorate, described the new tool as the most prolific contributor to the President’s Daily Brief, which cited PRISM data in 1,477 items last year. According to the slides and other supporting materials obtained by The Post, “NSA reporting increasingly relies on PRISM” as its leading source of raw material, accounting for nearly 1 in 7 intelligence reports.

Remember, this is all non-public information.

Back in 2011, however, the intelligence community failed to understand the Arab Spring that was breaking out in public fora for all the world to see (I once quipped that those who followed Democracy Now’s Sharif Kouddous on Twitter had a better understanding of what was going on than the CIA).

And as recently as this year’s confirmation hearing for John Brennan, he admitted that the CIA needed to better monitor public social networks.

BRENNAN: Well clearly, counterterrorism is going to be a priority area for the intelligence community and for CIA for many years to come. Just like weapons proliferation is as well. Those are enduring challenges. And since 9/11 the CIA has dedicated a lot of effort, and very successfully, they’ve done a tremendous job to mitigate that terrorist threat.

At the same time, though, they do have this responsibility on global coverage. And so, what I need to take a look at is whether or not there has been too much of an emphasis of the CT front. As good as it is, we have to make sure we’re not going to be surprised on the strategic front and some of these other areas, to make sure we’re dedicating the collection capabilities, the operations officers, the all-source analysts, social media, as you said, the — the so-called Arab Spring that swept through the Middle East. It didn’t lend itself to traditional types of — of intelligence collection.

There were things that were happening — happening in a — on a populist — in a populist way, that, you know, having somebody, you know, well positioned somewhere who can provide us information is not going to give us that insight, social media, other types of things. So I want to see if we can expand beyond the sodestra (ph) collection capabilities that have served us very well, and see what else we need to do in order to take into account the changing nature of the global environment right now, the changing nature of the communication systems that exist worldwide.

Though Brennan suggested that a focus on leaders rather than common people led to CIA’s blindness in this case (I’d add, a reliance on brokers like Egypt’s Omar Suleiman or Saudi Arabia’s Mohammed bin Nayef, who have an interest in depicting unrest in their countries as threats to friendly governments, distorts reality).

But whether the NSA or the CIA should have seen the revolts bubbling up in plain sight, both missed it because of all the secret stuff they remained focused on.

I’m not actually advocating for the CIA to start trolling Twitter more aggressively. Still, if the focus on secret stuff has led to blindness, we need to rethink our obsession with secret digital haystacks.

Researcher Exposes Government, Military Lies About Civilian Drone Deaths in Afghanistan

A tweet this morning by Daphne Eviatar alerted me to a very important article by Spencer Ackerman at his new home with the Guardian. Ackerman interviewed Dr. Larry Lewis, who is a research scientist at the Center for Naval Analyses but is also described by National Defense University as a Current Field Representative to the Joint Staff J7, Joint and Coalition Operational Analysis Division. In speaking with Ackerman, Lewis referred to a study he conducted with access to classified data, where his work had a remarkable finding:

Larry Lewis, a principal research scientist at the Center for Naval Analyses, a research group with close ties to the US military, studied air strikes in Afghanistan from mid-2010 to mid-2011, using classified military data on the strikes and the civilian casualties they caused. Lewis told the Guardian he found that the missile strikes conducted by remotely piloted aircraft, commonly known as drones, were 10 times more deadly to Afghan civilians than those performed by fighter jets.

Ackerman points out in the article that Lewis mentions some of this work in a recently published article in Prism, which is published by NDU (note: To make things clearer to folks reading Marcy’s work on Snowden, I will call the journal Prism and not PRISM, even though the Guardian is once again breaking the news and the journal uses all caps in its name). Although NDU doesn’t make it easy to find the most recent issue of Prism, I finally found a pdf of the entire latest issue here, where the article by Lewis and coauthor Sarah Holewinski (who is at the Center for Civilians in Conflict) can be found on pages 57 to 65.

Lewis and Holewinski open by framing the issue of protection of civilians as a lesson that the US military has to learn repeatedly:

Civilian casualties can risk the success of a combat mission. While not new, this is a lesson US defense forces have had to repeatedly relearn. Historically, civilian protection and efforts to address harm became priorities only when external pressures demanded attention. As the Pentagon reshapes its defenses and fighting force for the next decade, continuing this ad hoc pattern in the future is neither strategically smart nor ethically acceptable.

As Ackerman notes in the Guardian article, the Prism article makes mention of the finding regarding civilian drone casualties in Afghanistan outpacing those from conventional aerial attacks:

The assumption that UAS (Unmanned Aerial Systems) strikes are surgical in nature is also belied by research on recent combat operations in Afghanistan. There, UAS operations were statistically more likely to cause civilian casualties than were operations conducted by manned air platforms.

Lewis and Holewinski describe the impact of both failing to protect civilians and lying about operations in which civilians have died. After describing relatively well-known examples of drone strikes in Pakistan that included such horrors as a double-tap targeting rescuers, the strike on a jirga addressing mining issues that killed up to 40 civilians or deaths at a restaurant, Lewis and Holewinski move back to Afghanistan:

Independent investigations are not always correct in their assessment of civilian deaths; however, the inability of the U.S. to adequately investigate the outcome of its clandestine UAS strikes calls into question official denials of civilian harm. The U.S. has stated that these strikes kill only combatants; however, operations in Afghanistan are replete with examples where all the engaged individuals were believed to be combatants, but a later investigation found many or all were civilians misidentified as combatants.

The continued claims of lack of civilian deaths despite hard evidence to the contrary takes a huge toll both on US credibility and on what takes place in the war theater:

A growing body of research, including that conducted by this article’s authors, shows that civilian casualties (CIVCAS) and the mishandling of the aftermath can compel more people to work against U.S. interests. Indeed, America’s image has suffered for years under the weight of anger and dismay that a nation, which stands by the value of civilian protection in wartime, seemed indifferent to civilian suffering.

Sadly, this is a lesson that has not been learned by such luminaries as Barack Obama, Dianne Feinstein and John Brennan. As Ackerman points out:

While the drone strikes remain classified, several senior Obama administration officials and their congressional allies have described them as notable for their precision. John Brennan, now the CIA director responsible for the agency’s drones, said in 2012 they provide “targeted strikes against specific al-Qaida terrorists”. While defending the strikes as legal and “targeted”, Obama conceded in May that “US strikes have resulted in civilian casualties, a risk that exists in all wars”. Dianne Feinstein, the California Democrat who chairs the Senate intelligence committee, said in February that drones kill only “single digits” worth of civilians annually.

It does not appear that we have even gotten to a “least untruthful” official US accounting of the civilian casualty rates due to drones. In the meantime, our credibility will continue to suffer and our enemies will continue to accumulate.

Yahoo, the Law-Abiding Free Email Provider

[NSA presentation, PRISM collection dates, via Washington Post]

The FISA Court has officially agreed to declassify that Yahoo was the company that challenged a Protect Amendment Act order in 2007.

Once this PRISM slide was published, it was always pretty likely that Yahoo — or maybe Google — was the company in question. Yahoo started complying around the time the FISC decision was reached; Google joined in after the FISCR decision was unsealed.

Which leaves … Microsoft, which started cooperating before the law and then the FISA Court forced it to (though collection may not have begun until after PAA passed and, as Rayne has pointed out, Microsoft’s code was being exploited by the government for entirely different purposes in precisely that timeframe).

Now might be a good time to review what happened with the 7 companies the government asked to participate in an illegal wiretap program based solely on the President’s say-so. Per the 2009 NSA Draft IG Report, the companies are:

  • Telecoms A, B, and C (probably AT&T, Verizon, and — definitely– MCI, respectively, since they were the 3 telecoms working onsite at FBI’s direct access office under another program). These companies were approached by people from NSA’s Special Source Operations unit as soon as the program was approved, and they agreed to participate “voluntarily.” In 2003, MCI got cold feet and demanded a letter from John Ashcroft stating that the request was lawful, in which he “directed” them to comply with NSA’s requests.
  • Telecom E (Qwest). It was approached by SSO personnel in 2002, purportedly for collections related to the Olympics. After some discussion, Qwest’s General Counsel decided to not support the operation.
  • Internet Provider D (probably Microsoft). This company was approached by “NSA legal and operational personnel” (not SSO) in September 2002. In response, this company provided “minimal” support, spanning roughly from October 9, 2002 through just after September 11, 2003. No person at this company was ever cleared to store letters from the NSA.
  • Internet Provider F (probably Yahoo). This company was approached in October 2002 by NSA legal and operational personnel. In response to NSA’s request, Internet Provider F asked for a letter from Attorney General Ashcroft certifying the legality of the program. While in December 2002, NSA’s Commercial Technologies Group thought Internet Provider F was participating, NSA’s GC says they did not because of corporate liability concerns.
  • Private Sector Company G. This company was approached in April 2003 by NSA legal and operational personnel. This company’s GC said he or she wanted to consult outside counsel. NSA chose to drop the request. I have no idea what company this would be (CISCO?); any thoughts?

Here’s what these companies provided:

[table image: Screen shot 2013-06-29 at 3.33.46 PM]

This table tells us a great deal about the program–and also the legal problems behind it.

Internet provider D — the one of two that cooperated — only did so for 7 months in 2003, and only provided Internet content (probably primarily Hotmail emails), not metadata.

Which left the government to get the other Internet data off of AT&T and Verizon’s switches (we know C is MCI because February 2005 is when Verizon bought it, which explains why it started handing over Internet content and metadata then). As the IG Report explains,

A, B, and C provided access to the content of Al Qaeda and Al Qaeda-affiliate email from communication links they owned and operated.

[snip]

The last category of private sector assistance was access to Internet Protocol (IP) metadata associated with communications of al Qaeda (and affiliates) from data links owned or operated by COMPANIES A, B, and C.

In other words, Microsoft and Yahoo, the biggest free email providers, were not crazy about providing content (though one, probably Microsoft, did for a period). And they were completely unwilling to provide IP metadata.

So the government just went to AT&T and Verizon’s switches and took it there.


The Intelligence Community’s Willful Ignorance about Americans Caught in 702 Surveillance

Given the Intelligence Community’s reluctant and partial disclosures on the Section 702 (PRISM/FAA) collection, I want to return to a squabble from last fall, before Congress reauthorized FAA.

As you’ll recall, Ron Wyden tried to get the IC to disclose the number of Americans whose communication had been reviewed under Section 702. The IC dicked around long enough to ensure Wyden didn’t get an answer in time to make a political stink about it. When they finally gave him an answer, they said providing such a number would violate the privacy of Americans.

I defer to [the NSA Inspector General’s] conclusion that obtaining such an estimate was beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission. He further stated that his office and NSA leadership agreed that an IG review of the sort suggested would itself violate the privacy of U.S. persons.

Ultimately, this statement seemed to be as much about resource allocation as anything else — the NSA and IC IGs would need more staff to accomplish the task. (I must say, I do find it interesting the ICIG has time to investigate 375 leaks but not enough time to find out how many Americans are being spied on.)

But look at how closely the government is purportedly tracking US person data.

These procedures require that the acquisition of information is conducted, to the greatest extent reasonably feasible, to minimize the acquisition of information not relevant to the authorized foreign intelligence purpose.

Any inadvertently acquired communication of or concerning a U.S. person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime.

[snip]

Any information collected after a foreign target enters the U.S. –or prior to a discovery that any target erroneously believed to be foreign was in fact a U.S. person– must be promptly destroyed unless that information meets specific, limited criteria approved by the Foreign Intelligence Surveillance Court.

The dissemination of any information about U.S. persons is expressly prohibited unless it is necessary to understand foreign intelligence or assess its importance; is evidence of a crime; or indicates a threat of death or serious bodily harm.

Now, these passages ought to make people more worried about privacy than not. Stated clearly, it says the government believes it can collect and keep US person content if it deems that content “relevant” to the reason they collected the information.

Remember two things: this collection is not limited to use with terrorism; it can be used for espionage investigations, hacking, or any foreign intelligence purpose. And the government has already deemed every single one of our phone records to be “relevant” to an umbrella terror investigation, so the definition of relevance the government has developed in secret is unbelievably broad and permissive.

That collection — the people whose content is reviewed and deemed relevant and kept — is the universe of people Wyden wanted to count. And the government is making decisions about the relevance of them in secret, but not tracking the process by which they do so.

Note too that the government can disseminate US person communications if “it is necessary to understand foreign intelligence.” This is not news (which is why it is so appalling that people were fighting over whether the government could listen to US person calls or read their emails). It is part of traditional FISA, too. (It was using that excuse that John Bolton was learning about what his rivals were negotiating with the North Koreans.) But given how much more information an analyst can access both because she is accessing all Internet activity and not just phone, but also because more associated communications are sucked up with a target, it means many more US persons’ communications might be disseminated. It’s not clear, by the way, such dissemination would exclude privileged conversations between lawyers and clients, or discussions between journalists and sources.

And this second group of people — the ones whose communications are being circulated — are counted.

Though we’re not allowed to know what those numbers are.

Here’s what the DOJ Inspector General Michael Horowitz had to say about a statutorily required review of the 702 collection he recently completed (I think, but it’s not entirely clear, that Horowitz didn’t finish this review until after FAA was renewed last year — I know he didn’t finish it before the Judiciary and Intelligence Committees passed it out).

Inspector General Michael E. Horowitz of the United States Department of Justice Office of the Inspector General (OIG) recently issued a report examining the activities of the Federal Bureau of Investigation (FBI) under Section 702 of the Foreign Intelligence Surveillance Act Amendments Act of 2008 (Act). Section 702 authorizes the targeting of non-U.S. persons reasonably believed to be outside the United States for the purpose of acquiring foreign intelligence information. The Act required that the Inspector General conduct a review of the Department’s role in this process and, in conjunction with this review, the OIG reviewed the number of disseminated FBI intelligence reports containing a reference to a U.S. person identity, the number of U.S. person identities subsequently disseminated in response to requests for identities not referred to by name or title in the original reporting, the number of targets later determined to be located in the United States, and whether communications of such targets were reviewed. See 50 U.S.C. 1881a(l)(2)(B) and (C). The OIG also reviewed the FBI’s compliance with the targeting and minimization procedures required under the Act.

The final report has been issued and delivered to the relevant Congressional oversight and intelligence committees, as well as leadership offices. Because the report is classified, its contents cannot be disclosed to the public.

In other words, the DOJ IG counted — because the law required him to — the following:

  • The number of US person-related communications that got disseminated in a first dissemination of intelligence
  • The number of US persons whose identity was identified in a follow-up on an original dissemination
  • The number of targets originally believed to be foreign who end up being US persons (note, the NSA conveniently doesn’t explain what the specific criteria are that would allow the government to keep these communications … I wonder why?)

But it did not count how many US persons’ communications were reviewed but not disseminated, many of which may be retained under the relevance standard.

In general, when the government chooses not to count things, there’s a reason it doesn’t want to.

Minimization in the Age of Cyberwar

I’d like to compare the NSA talking point document released yesterday with a document Glenn Greenwald has or has seen, with respect to minimization under Section 702 (PRISM/FAA) collection. Remember, PRISM allows the government to access Internet communications with little review of individual targeting decisions, and any American communications accessed with that foreign target communication are also viewed.

The NSA document says US person communications can only be disseminated (this includes getting shared with FBI) if it is necessary to understand the communication, and evidence of crime, or indicates a threat of death.

The dissemination of any information about U.S. persons is expressly prohibited unless it is necessary to understand foreign intelligence or assess its importance; is evidence of a crime; or indicates a threat of death or serious bodily harm.

The Guardian document (which they did not publish) says US person communications — and note, these are entirely domestic communications — can be disseminated in two slightly different cases and a third unrelated one. The unrelated one permits US person communications to be disseminated if it contains “information necessary to understand or assess a communications security vulnerability.”

One typical example is a document submitted by the NSA in July 2009. In its first paragraph, it purports to set forth “minimization procedures” that “apply to the acquisition, retention, use, and dissemination of non-publicly available information concerning unconsenting United States persons that is acquired by targeting non-United States persons reasonably believed to be located outside the United States in accordance with section 702 of the Foreign Intelligence Surveillance Act of 1978, as amended.”

That document provides that “communications of or concerning United States persons that may be related to the authorized purpose of the acquisition may be forwarded to analytic personnel responsible for producing intelligence information from the collected data.” It also states that “such communications or information” – those from US citizens – “may be retained and disseminated” if it meets the guidelines set forth in the NSA’s procedures.

Those guidelines specifically address what the NSA does with what it calls “domestic communications”, defined as “communications in which the sender and all intended recipients are reasonably believed to be located in the United States at the time of acquisition”. The NSA expressly claims the right to store and even disseminate such domestic communication if: (1) “it is reasonably believed to contain significant foreign intelligence information”; (2) “the communication does not contain foreign intelligence information but is reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed”; or (3) “the communication is reasonably believed to contain technical data base information, as defined in Section 2(i), or information necessary to understand or assess a communications security vulnerability.” [my emphasis]

Now, this is not an apple to apple comparison. Indeed, this could very well be an apples to small rubber child’s ball comparison.

The NSA document purports to describe minimization as it occurs today. The Guardian one dates to July 2009, so may be out of date, for starters.

And by design, the NSA timeline focuses on terrorism examples because TERROR TERROR TERROR is very convincing to people who don’t want to think. Based on the mention of a “communications security vulnerability,” the Guardian one seems to be a 702 order describing minimization for a cybersecurity order.

If that’s true, though, it suggests two things. First, that hacking has been equated to terrorism as a crime adequate to disseminate US person communications with no warrant.

And this is where the difference in the standard on foreign intelligence gets interesting: the NSA document claims that only communications necessary to understand foreign intelligence merits dissemination. The Guardian document only need be “reasonably believed to contain significant foreign intelligence information” (though admittedly, that may be the language used in the first instance).

But again, this minimization order is 4 years old. The other day the WaPo suggested that the NSA has changed how they collect Internet metadata (which may be what that other clause “technical data base information, as defined in Section 2(i)” in the minimization order refers to). It may be they’re conducting their cybersecurity dragnet via other means, perhaps even as a way to maintain this lower standard of minimization.

The government is clearly planning to engage in far more intrusive collection in the name of cyberwar than described in discussions about Section 702 (and at the end of the hearing yesterday, Mike Rogers alluded to keeping the programs in place, with their permissive standards, for other reasons, which I took to mean cybersecurity). And that is bound to treat far more Americans as targets of foreign-type collection.

The Truth: The NSA Has Been Working on Domestic Spying for Ten-Plus Years

[graphic: Electronic Frontier Foundation via Flickr]


The yapping of national security conservatives, whether self-identified as Republicans or Democrats, obscures the truth when they denigrate Edward Snowden’s flight to Hong Kong and subsequent attempts at whistleblowing.

The truth is this:

•  Others before Snowden tried to go through so-called chain of command or proper channels to complain about the National Security Agency’s domestic spying, or to refuse the NSA’s efforts to co-opt them or their business. These efforts did not work.

•  They were obstructed, harassed, or punished for their efforts. It did not matter whether they were insiders or outsiders, whistleblowers or plaintiffs, the results were the same for:

•  William Binney,
•  Thomas Drake,
•  Mark Klein,
•  Thomas Tamm,
•  Russell Tice,
•  and J. Kirk Wiebe,
•  as well as Joseph Nacchio.

•  The effort to spy on Americans, violating their privacy and taking their communications content, has been underway since before the Bush administration. (Yes, you read that right: BEFORE the Bush administration.)

•  Three presidents have either failed to stop it or encouraged it (Yes, including Bill Clinton with regard to ECHELON).

•  The program has been growing in physical size for more than a decade.

One document in particular [PDF] described the challenge of the NSA, from which this excerpt is drawn:

Seeing Through the Blizzard to Utah: How Much Space Does Metadata Need

In the blizzard of half-truths, dissembling, and prevarications about the nature of the National Security Agency’s surveillance programs, it’s easy to lose sight of the obvious. In this case, the obvious is about one million square feet in size.

First, a few other large scale objects for comparison:

[photo: DeveloperTutorials.com]


Here’s Google’s data center in The Dalles, Oregon; note the size of cars in proportion to the size of the buildings on this campus. You’ll find cars are the best tool for estimating approximate physical scale of this and the following examples.

[photo: DataCenterKnowledge.com]


This is Apple’s data center in Maiden, North Carolina. Again, compare the automobiles against the building in the photo for scale.

[photo: DataCenterKnowledge.com]


Microsoft has a data center in Dublin, Ireland. It’s a little harder to estimate physical size in this photo. A key difference is the height of the facility, as if development was limited in footprint.

The CNET “Bombshell” and the Four Surveillance Programs

CNET is getting a lot of attention for its report that NSA, “has acknowledged in a new classified briefing that it does not need court authorization to listen to domestic phone calls.”

In general, I’m just going to outsource my analysis of what the exchange means to Julian Sanchez (I hope he doesn’t charge me as much as Mike McConnell’s Booz Allen Hamilton for outsourced analysis).

What seems more likely is that Nadler is saying analysts sifting through metadata have the discretion to determine (on the basis of what they’re seeing in the metadata) that a particular phone number or e-mail account satisfies the conditions of one of the broad authorizations for electronic surveillance under §702 of the FISA Amendments Act.

[snip]

The analyst must believe that one end of the communication is outside the United States, and flag that account or phone line for collection. Note that even if the real target is the domestic phone number, an analyst working from the metadatabase wouldn’t have a name, just a number.  That means there’s no “particular, known US person,” which ensures that the §702 ban on “reverse targeting” is, pretty much by definition, not violated.

None of that would be too surprising in principle: That’s the whole point of §702!

That is, what Nadler may have learned is that the same analysts who have access to the phone metadata may also have authority to issue directives to companies for phone content collection. If so, it would be entirely feasible for the same analyst to learn, via the metadata database, that a suspect phone number is in contact with the US and for her to submit a request for actual content to the providers, without having to first get a FISA order covering the US person callers directly. Since she was still “targeting” the original overseas phone number, she would be able to get the US person content without a specific order.

I just want to point to a part of this exchange that everyone is ignoring (but that I pointed out while live tweeting this).

Mueller: I’m not certain it’s the same–I’m not certain it’s an answer to the same question.

Mueller didn’t deny the NSA can get access to US person phone content without a warrant. He just suggested that Nadler might be conflating two different programs or questions.

And that’s one of the things to remember about this discussion. Among many other methods of shielding parts of the programs, the government is thus far discussing primarily the two programs identified by the Guardian: the phone metadata collection (which the WaPo reports is called MAINWAY) and the Internet content access (PRISM).

PRISM: The Difference between Orders and Directives

The AP has a story that lays out the architecture of how PRISM fits in with the rest of the government surveillance programs. The short version is, as much prior reporting supports, the government uses PRISM to target communications it has collected, as packets, from the telecom backbone. Like the Section 215 dragnet (and consistent with James Clapper’s metaphor that the dragnet serves as the Dewey Decimal system to direct the government where to find the conversations it wants) it seems to serve to tell the government where to look to get more content.

The story is most valuable, in my opinion, for the distinction it describes between orders — which courts approve — and directives — which courts don’t.

Every year, the attorney general and the director of national intelligence spell out in a classified document how the government plans to gather intelligence on foreigners overseas.

By law, the certification can be broad. The government isn’t required to identify specific targets or places.

A federal judge, in a secret order, approves the plan.

With that, the government can issue “directives” to Internet companies to turn over information.

While the court provides the government with broad authority to seize records, the directives themselves typically are specific, said one former associate general counsel at a major Internet company. They identify a specific target or groups of targets. Other company officials recall similar experiences.

I’ve seen some apologist reporting that conflates these two, suggesting that the courts approve individual targets.

The entire point of the FISA Amendments Act is to have the courts approve broader targeting.

As Russ Feingold warned four years ago, there is less oversight of how you get from orders to the procedures that make them compliant with the Constitution.

AP goes on to explain the danger to this scheme, though: there’s far less oversight over individual targets. Which can — and in 2009, at least, did — lead the NSA to take US person data.

A few months after Obama took office in 2009, the surveillance debate reignited in Congress because the NSA had crossed the line. Eavesdroppers, it turned out, had been using their warrantless wiretap authority to intercept far more emails and phone calls of Americans than they were supposed to.

Remember, this overcollection was self-reported by the Obama Administration at the time, not discovered by the FISA Court. Good for the Obama Administration, though we’re trusting them at their word that the overcollection was unintentional.

As part of a periodic review of the agency’s activities, the department “detected issues that raised concerns,” it said. [snip]

The overcollection problems appear to have been uncovered as part of a twice-annual certification that the Justice Department and the director of national intelligence are required to give to the Foreign Intelligence Surveillance Court on the protocols that the N.S.A. is using in wiretapping. That review, officials said, began in the waning days of the Bush administration and was continued by the Obama administration. It led intelligence officials to realize that the N.S.A. was improperly capturing information involving significant amounts of American traffic.

But that raises one of the problems with the program. The court oversight is removed from the specificity of the collection, and the law, by design, prevents the court from double-checking whether the government does at the directive level what it says it will do at the order level.

Trust us.

Russ Feingold: Yahoo Didn’t Get the Info Needed to Challenge the Constitutionality of PRISM

The NYT has a story that solves a question some of us have long been asking: Which company challenged a Protect America Act order in 2007, only to lose at the district and circuit level?

The answer: Yahoo.

The Yahoo ruling, from 2008, shows the company argued that the order violated its users’ Fourth Amendment rights against unreasonable searches and seizures. The court called that worry “overblown.”

But the NYT doesn’t explain something that Russ Feingold pointed out when the FISA Court of Review opinion was made public in 2009 (and therefore after implementation of the FISA Amendments Act): the government didn’t (and still didn’t, under the PAA’s successor, the FISA Amendments Act, Feingold seems to suggest) give Yahoo some of the most important information it needed to challenge the constitutionality of the program.

The decision placed the burden of proof on the company to identify problems related to the implementation of the law, information to which the company did not have access. The court upheld the constitutionality of the PAA, as applied, without the benefit of an effective adversarial process. The court concluded that “[t]he record supports the government. Notwithstanding the parade of horribles trotted out by the petitioner, it has presented no evidence of any actual harm, any egregious risk of error, or any broad potential for abuse in the circumstances of the instant case.” However, the company did not have access to all relevant information, including problems related to the implementation of the PAA. Senator Feingold, who has repeatedly raised concerns about the implementation of the PAA and its successor, the FISA Amendments Act (“FAA”), in classified communications with the Director of National Intelligence and the Attorney General, has stated that the court’s analysis would have been fundamentally altered had the company had access to this information and been able to bring it before the court.

In the absence of specific complaints from the company, the court relied on the good faith of the government. As the court concluded, “[w]ithout something more than a purely speculative set of imaginings, we cannot infer that the purpose of the directives (and, thus, of the surveillance) is other than their stated purpose… The petitioner suggests that, by placing discretion entirely in the hands of the Executive Branch without prior judicial involvement, the procedures cede to that Branch overly broad power that invites abuse. But this is little more than a lament about the risk that government officials will not operate in good faith.” One example of the court’s deference to the government concerns minimization procedures, which require the government to limit the dissemination of information about Americans that it collects in the course of its surveillance. Because the company did not raise concerns about minimization, the court “s[aw] no reason to question the adequacy of the minimization protocol.” And yet, the existence of adequate minimization procedures, as applied in this case, was central to the court’s constitutional analysis. [bold original, underline mine]

This post — which again, applies to PAA, though seems to be valid for the way the government has conducted FAA — explains why.

The court’s ruling makes it clear that PAA (and by association, FAA) by itself is not Constitutional. By itself, a PAA or FAA order lacks both probable cause and particularity.

The programs get probable cause from Executive Order 12333 (the one that John Yoo has been known to change without notice), from an Attorney General assertion that he has probable cause that the target of his surveillance is associated with a foreign power.

And the programs get particularity (which is mandated from a prior decision from the court, possibly the 2002 one on information sharing) from a set of procedures (the descriptor was redacted in the unsealed opinion, but particularly given what Feingold said, it’s likely these are the minimization procedures both PAA and FAA required the government to attest to) that give it particularity. The court decision makes it clear the government only submitted those — even in this case, even to a secret court — ex parte.

The petitioner’s arguments about particularity and prior judicial review are defeated by the way in which the statute has been applied. When combined with the PAA’s other protections, the [redacted] procedures and the procedures incorporated through the Executive Order are constitutionally sufficient compensation for any encroachments.

The [redacted] procedures [redacted] are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. [redacted] Although the PAA itself does not mandate a showing of particularity, see 50 USC 1805b(b), this pre-surveillance procedure strikes us as analogous to and in conformity with the particularity showing contemplated by Sealed Case.

In other words, even the court ruling makes it clear that Yahoo saw only generalized descriptions of these procedures that were critical to its finding the order itself (but not the PAA in isolation from them) was constitutional.

Incidentally, while Feingold suggests the company (Yahoo) had to rely on the government’s good faith, to a significant extent, so does the court. During both the PAA and FAA battles, the government successfully fought efforts to give the FISA Court authority to review the implementation of minimization procedures.

The NYT story suggests that the ruling which found the program violated the Fourth Amendment pertained to FAA.

Last year, the FISA court said the minimization rules were unconstitutional, and on Wednesday, ruled that it had no objection to sharing that opinion publicly. It is now up to a federal court.

I’m not positive that applies to FAA, as distinct from the 215 dragnet or the two working in tandem.

But other reporting on PRISM has made one thing clear: the providers are still operating in the dark. The WaPo reported from an Inspector General’s report (I wonder whether this is the one that was held up until after FAA renewal last year?) that they don’t even have visibility into individual queries, much less what happens to the data once the government has obtained it.

But because the program is so highly classified, only a few people at most at each company would legally be allowed to know about PRISM, let alone the details of its operations.

[snip]

According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process. [my emphasis]

This gets to the heart of the reason why Administration claims that “the Courts” have approved this program are false. In a signature case where an Internet provider challenged it — which ultimately led the other providers to concede they would have to comply — the government withheld some of the most important information pertaining to constitutionality from the plaintiff.

The government likes to claim this is constitutional, but that legal claim has always relied on preventing the providers and, to some extent, the FISA Court itself from seeing everything it was doing.