
CISA Moves: A Summary

This afternoon, Aaron Richard Burr moved the Cyber Intelligence Sharing Act forward by introducing a manager’s amendment that has limited privacy tweaks (permitting a scrub at DHS and limiting the use of CISA information to cyber crimes that nevertheless include preventing threats to property), with a bunch of bigger privacy fix amendments, plus a Tom Cotton one and a horrible Sheldon Whitehouse one called as non-germane amendments requiring 60 votes.

Other than that, Burr, Dianne Feinstein, and Ron Wyden spoke on the bill.

Burr did some significant goalpost moving. Whereas in the past, he had suggested that CISA might have prevented the Office of Public Management hack, today he suggested CISA would limit how much data got stolen in a series of hacks. His claim is still false (in almost all the hacks he discussed, the attack vector was already known, but knowing it did nothing to prevent the continued hack).

Burr also likened this bill to a neighborhood watch, where everyone in the neighborhood looks out for the entire neighborhood. He neglected to mention that that neighborhood watch would also include that nosy granny type who reports every brown person in the neighborhood, and features self-defense just like George Zimmerman’s neighborhood watch concept does. Worse, Burr suggested that those not participating in his neighborhood watch had no protection, effectively suggesting that some of the best companies on securing themselves — like Google — were not protecting customers. Burr even suggested he didn’t know anything about the companies that oppose the bill, which is funny, because Twitter opposes the bill, and Burr has a Twitter account.

Feinstein was worse. She mentioned the OPM hack and then really suggested that a series of other hacks — including both the Sony hack and the DDOS attacks on online banking sites that stole no data! — were worse than the OPM hack.

Yes, the Vice Chair of SSCI really did say that the OPM hack was less serious than a bunch of other hacks that didn’t affect the national security of this country. Which, if I were one of the 21 million people whose security clearance data had been compromised, would make me very very furious.

DiFi also used language that made it clear she doesn’t really understand how the information sharing portal works. She said something like, “Once cyber information enters the portal it will move at machine speed to other federal agencies,” as if a conveyor belt will carry information from DHS to FBI.

Wyden mostly pointed out that this bill doesn’t protect privacy. But he did call out Burr on his goalpost moving on whether the bill would prevent (his old claim) or just limit the damage of (his new one) attacks that it wouldn’t affect at all.

Wyden did, however, object to unanimous consent because Whitehouse’s crappy amendment was being given a vote, which led Burr to complain that Wyden wasn’t going to hold this up.

Finally, Burr came back on the floor, not only to bad mouth companies that oppose this bill again (and insist it was voluntary so they shouldn’t care) but also to do what I thought even he wouldn’t do: suggest we need to pass CISA because a 13 year old stoner hacked the CIA Director.

Our Definitions of National Security Crimes Are Fucked

I realized something the other day.

For the purposes of hacking, a theater (or at least any mall it was attached to) might count as critical infrastructure that would deem it a National Security target, just as Sony Pictures was deemed critical infrastructure for sanction and retaliation purposes after it got hacked.

But if a mentally ill misogynist with a public track record of supporting right wing hate shoots up a movie showing, it would not be considered a national security target. Given his death, DOJ won’t be faced with the challenge of naming John Russell Houser’s crime, but they would have even less ability to punish Houser for his motivation and ties to other haters than they had with Dylann Roof.

DOJ had no such problem with Joseph Buddenberg and Nicole Kissane, who got charged with terrorism (under the Animal Enterprise Terrorism Act) yesterday because they freed some minks. And a bobcat.

So shooting African Americans worshipping in church is not terrorism, but freeing a bobcat is.

Meanwhile, most of the 204 mass shootings — averaging one a day — that happened this year have passed unremarked.

I laid out some of the problems with the disparity between Muslim terrorism and white supremacist terrorism (to say nothing of bobcat-freeing “terrorism”) the other day.

“This should in no way signify that this particular murder or any federal crime is of any lesser significance” [than terrorism], Loretta Lynch claimed while announcing the Hate Crime charges against Roof

Except it is, by all appearances.

When asked, Lynch refused to comment on how DOJ is allocating resources, but reporting on the increase in terrorism analysts since 9/11 suggests the FBI has dedicated large amounts of new resources to fighting Islamic terrorism, domestically and abroad. In addition, there are a number of spying tools that are tied solely to international terrorism — but DOJ has managed to define, in secret, domestic terrorism espoused by Muslims in the U.S. as international terrorism. That means FBI has far more tools to dedicate to finding tweets posted by Muslims, and fewer to find the manifesto Roof wrote speaking of having “the bravery to take it to the real world” against blacks and even Jews.

Perhaps most importantly, because of vastly expanded post-9/11 information sharing, local law enforcement offices have been deputized in the hunt for Muslim terrorists, receiving intelligence obtained through those additional spying tools and sharing tips back up with the FBI. By contrast, as one after another confrontation makes clear — most recently the video of a white Texas trooper escalating a traffic stop with African American woman Sandra Bland that ultimately ended in her death, purportedly by suicide — too many white local cops tend to prey on African Americans themselves rather than the police who target African Americans for their race.

[snip]

Finally, the FBI has an incentive to call Roof’s attack something different, as it makes a big deal of its success in preventing “terrorist” attacks. If the Charleston attack was terrorism, it means FBI missed a terrorist plotting while tracking a bunch of Muslims who might not have acted without FBI incitement. That would be all the worse as the FBI might have stopped Roof during the background check conducted before he bought the murder weapon, if not for some confusion on a prior charge.

[snip]

I’m certainly not saying we should expand the already over-broad domestic dragnet to include white supremacists espousing ugly speech (but neither should hateful speech from Muslims be sufficient for a material support for terrorism charge, as it currently is). Yet as one after another white cop kills or leads to the death of unarmed African Americans, we have to ensure that we call like crimes by like names to emphasize the importance of protecting all Americans. DOJ under Eric Holder was superb at policing civil rights violations, and there’s no reason to believe that will change under DOJ’s second African American Attorney General, Loretta Lynch.

But hate crimes brought with the assistance of DOJ’s Civil Rights division (as these were) are not the same as terrorist crimes brought by national security prosecutors, nor are they as easy to prosecute. If our nation can’t keep African Americans worshipping in church safe, then we’re not delivering national security.

But I’d add to that. If we’re discussing mass killings with guns (remember, earlier this year Richard Burr tried to include commission of a violent crime while in possession of a gun among the definitions of terrorism) then it suggests far different solutions than just calling terrorism terrorism.

What if we focused all our energy on interceding before crazy men — of all sorts — shoot up public spaces rather than just one select group?

What if our definitions of national security started with a measure of impact rather than a picture of global threat?

Richard Burr’s Backdoor Data Retention Amendment

The Senate Intelligence Authorization is now available here.

In addition to language requiring social media companies to report terrorist activity on their network to the government — which yesterday Jim Comey said they didn’t need — it has a provision that might lead to data retention mandates under USA F-ReDux. It requires reporting if any provider stops retaining call detail records for at least 18 months.

SEC. 602. NOTIFICATION OF CHANGES TO RETENTION OF CALL DETAIL RECORD POLICIES.
(a) Requirement To Retain.—Not later than 15 days after learning that an electronic communication service provider that generates call detail records in the ordinary course of business has changed its policy on the retention of such call detail records to result in a retention period of less than 18 months, the Director of National Intelligence shall provide written notification of such change to the congressional intelligence committees.

(b) Definitions.—In this section:

(1) CALL DETAIL RECORD.—The term “call detail record”—

(A) means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location or global positioning system information.

(2) ELECTRONIC COMMUNICATION SERVICE.—The term “electronic communication service” has the meaning given that term in section 2510 of title 18, United States Code. [my emphasis]

The important details of this provision, however, are in the definitions.

This retention requirement applies to all electronic communication service providers that generate call detail records. That means it applies not just to telecoms, traditionally defined, but also to internet service providers. And the definition of call detail record relies on “session identifier,” not any phone call made.

That either confirms that USA F-ReDux will apply to Internet companies as well as phone companies, and/or it suggests SSCI wants data retention to apply to far more than just the newfangled phone dragnet.

NYT Buries the Ineffective CyberSecurity Lede

The NYT has a story today headlined,

Senate Rejects Measure to Strengthen Cybersecurity

Because Government Employees Have Been Spied On, Richard Burr Wants All of Us To Be

Predictably, Richard Burr has used the news of the Office of Personnel Management hack to renew his efforts to pass CISA. Burr added it as an amendment to the National Defense Authorization Act yesterday, stating,

The recent cyber breach at the Office of Personnel Management was a serious attack on our government and we cannot continue to have citizens’ personal information needlessly exposed to foreign adversaries and criminals.  In passing the Cybersecurity Information Sharing Act with an overwhelmingly bipartisan vote of 14-1, the Committee recognized the extreme threat posed by our adversaries who, in addition to the OPM breach, have stolen hundreds of millions of Americans’ personal information in the last year alone, swiped intellectual property, and conducted attacks on our agencies.  Not only does CISA propose a solution to help address these threats, it does so in a way that works to ensure the personal privacy of all Americans. We can no longer simply watch Americans’ personal information continue to be compromised. This bill is long needed and will help us combat threats to our country and our economy.

Remember, OPM was warned in a series of IG Reports that it didn’t have adequate protection for the Federal government workers’ data it stored. Congressional overseers, like Burr, did nothing to force OPM to improve security, just as the Intelligence Committees have tried for years to get National Security agencies to provide better checks on insider threats and other security problems, but never succeeded in actually getting them to do so.

So Burr’s response to neglect is to do something else that wouldn’t prevent the OPM hack. But it would effectively gut ECPA and FOIA, all in the name of information sharing which is about the 20th most effective way to combat hacking.

This is sheer incompetence from a legislative standpoint — pushing through an ineffective solution when faced with mounting evidence it wouldn’t work, all so as to increase spying on Americans.

But then, that seems to be Burr’s aspiration: to increase spying regardless of the efficacy of it.


Both Patrick Leahy and Ron Wyden released statements in response to Burr’s move. I’m intrigued by the way they note no one has been able to see the amendments Wyden tried to push through in the committee.
Leahy:

The Intelligence Committee’s information sharing bill will affect the privacy rights of all Americans, yet it has been cloaked in secrecy. It was considered behind closed doors, without a public hearing or public debate. We cannot even read the text of amendments considered at the mark up of this legislation. Senator Burr’s information sharing bill also erodes Americans’ right to know what their government is doing by weakening the Freedom of Information Act. I am deeply concerned that the Republican Leader now wants the Senate to pass this information sharing bill without any opportunity for the kind of public debate it needs. This is not the transparent and meaningful committee process the Republican Leader promised just months ago. I agree that we must do more to protect our cybersecurity, but this information sharing bill should not be considered as a last-minute amendment to yet another bill that was negotiated and considered behind closed doors. The privacy of millions of Americans is at stake. The American people deserve an open debate about legislation that would dramatically expand the amount of information about them that companies can share with agencies throughout the federal government.

Wyden:

“Senate Republican leaders are trying to make a bad defense bill worse by adding a flawed cybersecurity bill,” Wyden said.

“If Senator McConnell insists on attaching the flawed CISA bill to unrelated legislation, I will be fighting to ensure the Senate has a full debate and a chance to offer amendments to add vital protections for American privacy and address the threats to our cybersecurity.

Cybersecurity threats demand thoughtful solutions, not half-baked efforts that don’t address the real problems. CISA would create a way for the government to obtain Americans’ information without a warrant, and without adequate protections to protect their privacy. Most security experts agree that encouraging private companies to share more information with the government would have done little if anything to prevent recent data breaches.

In October 2013, Patrick Leahy and Jim Sensenbrenner Rolled Out a Bill That Would Have Ended Upstream Cyber Collection

Back in October 2013, Jim Sensenbrenner and Patrick Leahy released the original, far better, version of the USA Freedom Act. As I noted in November 2013, it included a provision that would limit upstream collection to international terrorism and international proliferation of WMD uses.

It basically adds a paragraph to section d of Section 702 that limits upstream collection to two uses: international terrorism or WMD proliferation.

(C) limit the acquisition of the contents of any communication to those communications—

(i) to which any party is a target of  the acquisition; or

(ii) that contain an account identifier of a target of an acquisition, only if such communications are acquired to protect against international terrorism or the international proliferation of weapons of mass destruction.;

And adds a definition for “account identifier” limiting it to identifiers of people.

(1) ACCOUNT IDENTIFIER.—The term ‘account identifier’ means a telephone or instrument number, other subscriber number, email address, or  username used to uniquely identify an account.

At the time, I noted that this would give the NSA 6 months to shut down the use of upstream collection to collect cyber signatures.

Jonathan Mayer’s comments on the NYT/PP story today reveal why that would be important to do (this is a point I’ve been making for years): because if you’re collecting signatures of cyber attacks, you’re collecting victim data, as well, a problem that would only get worse under the cyberinformation sharing bills before Congress.

This understanding of the NSA’s domestic cybersecurity authority leads to, in my view, a more persuasive set of privacy objections. Information sharing legislation would create a concerning surveillance dividend for the agency.


Because this flow of information is indirect, it prevents businesses from acting as privacy gatekeepers. Even if firms carefully screen personal information out of their threat reports, the NSA can nevertheless intercept that information on the Internet backbone.

Furthermore, this flow of information greatly magnifies the scale of privacy impact associated with information sharing. Here’s an entirely realistic scenario: imagine that a business detects a handful of bots on its network. The business reports a signature to DHS, who hands it off to the NSA. The NSA, in turn, scans backbone traffic using that signature; it collects exfiltrated data from tens of thousands of bots. The agency can then use and share that data. What began as a tiny report is magnified to Internet scale.

But, instead of giving NSA 6 months to close this loophole, we instead passed USA F-ReDux, which does nothing to rein in domestic spying in the name of cybersecurity.

Leahy released a remarkable statement in response to today’s story that doesn’t reveal whether he knew of this practice (someone knew to forbid it in their original bill!), but insists he’ll fight for more limits on surveillance and transparency.

Today’s report that the NSA has expanded its warrantless surveillance of Internet traffic underscores the critical importance of placing reasonable and commonsense limits on government surveillance in order to protect the privacy of Americans.  Congress took an important step in this direction this week by passing the USA FREEDOM Act, but I have always believed and said that more reforms are needed.  Congress should have an open, transparent and honest debate about how to protect both our national security and our privacy.  As Congress continues to work on surveillance and cybersecurity legislation, I will continue to fight for more reforms, more transparency, and more accountability – particularly on issues related to the privacy of Americans’ personal communications.

Remember: on Tuesday, Richard Burr vehemently denied we had secret law. And while this application of FISA wasn’t entirely secret — I figured it out pretty quickly, but a great great many people doubted me, as per usual — even Leahy is faced with a situation where he can’t admit he knew about a practice he already tried to shut down once.

ACLU’s Poker Face

Thus far, I have not seen a statement from the ACLU on last night’s developments with respect to the PATRIOT Act — the passage of cloture, McConnell’s failure to even ask for an immediate vote, followed by McConnell filing several amendments that would weaken USA F-ReDux. [Correction: here is one. h/t EG]

Indeed, no one even seems to be interested in what the ACLU thinks about all this, reporting the key players to include Mitch McConnell and Richard Burr, the White House and Intelligence Agencies, and the House, especially House leadership that would be forced to shepherd any changes to USA F-ReDux back through the House, but not the ACLU.

I’m interested.

Especially with Burr’s amendment to extend the transition period to the new phone records program to a full year. After all, ACLU’s lawsuit just got punted back to the District to see what happens now, but it was punted based on the presumption that Congress was going to fix the illegal dragnet “soon.”

A year is not “soon,” at least not in my book.

If ACLU agrees with me, they can ask the judges to provide some relief “sooner” than a year from now, either by ordering an earlier end to the dragnet or — at the very least — requiring the NSA to pull all of ACLU’s records from their dragnet. Indeed, given the number of active court challenges the ACLU has against the government, they’d be able to argue pretty compellingly they need quicker relief than a year.

In the past, NSA has suggested it would be too onerous to pull the records of one plaintiff from the dragnet. Who knows whether they were just bullshitting judges, but if it is too onerous, that would present other issues.

All of which is my way of saying the ACLU may have a few cards of interest in their hand that no one is much considering. I’m not going to ask them what they’re holding, mind you. I like that they may be deliberating in secret to thwart efforts to extend the dragnet.

I’m just noting that they do appear to still be holding some cards…

Richard Burr Wants to Label People Who Make Threats and Carry Guns “Terrorists”

The bill Senate Intelligence Chair Richard Burr released last Friday is bad enough for the way it expanded the existing illegal dragnet. I argued here Burr’s bill would give the Intelligence Community everything they lost in 2009 and 2011.

But there’s something just as troubling in Burr’s stack of additional goodies for the IC. As USA F-ReDux does, Burr’s bill extends maximum sentences for material support for terrorism. Both bills increase the maximum sentence under 18 USC 2339B, which prohibits material support for a terrorist group formally designated as such by the government. Burr would also increase the maximum sentence under 18 USC 2339A, which prohibits material support for people who may not be formally designated as terrorists, but who violate one of a bunch of other laws that are deemed terrorist acts. (Burr also tweaks the penalty for getting military training from terrorists in ways that might actually lower the punishment.)

The shocking move came in Burr’s proposal to add 18 USC 924(c) — which prohibits the “use, carrying, or possession of fire arms” during the commission of a crime of violence — among those crimes listed in 18 USC 2332b that make someone a terrorist.

Let me be clear: I’m in favor of doing whatever we can to keep guns out of the hands of terrorists and dangerous people, so much so my libertarian and gun activist friends surely consider me squishy on the Constitution.

But there are a number of reasons why making the possession of a gun while committing a crime of violence, “a terrorist act,” is a dangerous idea.

It starts from the fact that the term “crime of violence” is horribly vague (so much so that SCOTUS is reviewing a similar designation right now). It “has as an element the use, attempted use, or threatened use of physical force against the person or property of another.” That is, the “violence” may all stem from that perceived threat of physical force, which in turn may stem from someone’s possession of a gun (or, as often happens in our still very racially charged society, the possession of a gun by a particular kind of someone).

Then, to meet the terms of 18 USC 2332b that makes something a terrorist act, it may only involve a threat to “conspir[e] to destroy or damage any structure, conveyance, or other real or personal property within the United States.” As with the crime of violence, it may be the perceived threat of a crime, rather than a committed crime. And one way to qualify under this provision, the act would be “calculate[] to influence or affect the conduct of government by intimidation or coercion, or to retaliate against government conduct.”

Altogether, Burr’s proposed change could — if the Federal Government pushed far enough — get people labeled as a terrorist for posing a threat or risk to the government while carrying a gun. The required element — beyond being or making a threat — is that gun, which, of course, is protected under the Constitution. The rest is just the risk to property in a way to influence politics. But ordinary dissidents and protestors intend to influence politics and have, at times, been called a threat to property, and looters who definitely (and indefensibly) destroy property have, throughout history, often been described as a “risk to the government” (and especially, a risk to law enforcement). Certainly dissidents should not be deemed terrorists because they carry guns and sit in the wrong park. And while looting is wrong, it’s not terrorism.

This might seem far-fetched, but one of the rare instances where non-Muslims have been charged as terrorists under a related provision — which deems even FBI-supplied bombs “Weapons of Mass Destruction” and therefore terrorist weapons — involved three guys tied to Occupy Cleveland who were caught in an FBI-crafted sting.

As with that case, the effect of labeling someone’s threat of violence a terrorist crime would involve expanding the potential sentences significantly, not to mention labeling someone a terrorist as they contemplated a jury trial. Since 9/11, jurors have been very credulous of evidence involving alleged terrorists, meaning it would become a lot easier for the government to win convictions even with dodgy evidence or (as in the Cleveland case) a plot invented by the FBI.

It probably, also, involves lots of extra investigative tools.

There are so many other ways to designate people who are really conspiring under the direction of actual terrorists as terrorists that this seems like dangerous overkill. It would invite Feds to label looters who happen to be armed or dissidents who mouth off and train with guns as terrorists — and thereby all their associates as material supporters of terrorism.

Richard Burr’s bill is horrible, as it is, for how it would expand the dragnet. But that he is, at the same time, envisioning dangerously expanding the definition of “terrorist” in a way that could be badly abused is another reason to distrust Burr’s effort to capitalize on fear-mongering around the PATRIOT reauthorization to expand the security state.

A Brief History of the PATRIOT Reauthorization Debate

I wanted to provide some background of how we got to this week’s PATRIOT Reauthorization debate to explain what I believe the surveillance boosters are really aiming for. Rather than a response to Edward Snowden, I think it is more useful to consider “reform” as an Intelligence Community effort to recreate functionalities they had and then lost in 2009.

2009 violations require NSA to start treating PATRIOT data like PATRIOT data and shut down automated functions

That history starts in 2009, when NSA was still operating under the system they had established under Stellar Wind while pretending to abide by FISC rules.

At the beginning of 2009, the NSA had probably close to full coverage of phone records in the US, and coverage on the most important Internet circuits as well. Contrary to the explicit orders of the FISC, NSA was treating all this data as EO 12333 data, not PATRIOT data.

On the Internet side, it was acquiring data that it considered Dialing, Routing, Addressing, and Signaling information but which also constituted content (and which violated the category limits Colleen Kollar-Kotelly had first imposed).

On the phone side, NSA was not only treating PATRIOT data according to NSA’s more general minimization procedures as opposed to those dictated by the FISC; in violation of those minimization procedures, NSA was also submitting phone dragnet data to all the automated procedures it submitted EO 12333 data to, which included automated searches and automatic chaining on other identifiers believed to belong to the same user (the latter of which NSA calls “correlations”). Either these procedures consisted of — or the data was also treated to — pattern analysis, chaining users on patterns rather than calls made. Of key importance, one point of having all the data in the country was to be able to run this pattern analysis. Until 2008 (and really until 2009) they were sharing the results of this data in real time.

Having both types of data allowed the NSA to chain across both telephony and Internet data (obtained under a range of authorities) in the same query, which would give them a pretty comprehensive picture of all the communications a target was engaging in, regardless of medium.

I believe this bucolic state is where the surveillance hawks want us to return to. Indeed, to a large extent that’s what Richard Burr’s bill does (with a lot of obstructive measures to make sure this process never gets exposed again).

But when DOJ disclosed the phone violations to FISC in early 2009, they shut down all those automatic processes. And Judge Reggie Walton took over 6 months before he’d even let NSA have full ability to query the data.

Then, probably in October 2009, DOJ finally confessed to FISC that every single record NSA had collected under the Internet dragnet for five years violated Kollar-Kotelly’s category rules. Walton probably shut down the dragnet on October 30, 2009, and it remained shut down until around July 2010.

At this point, not only didn’t NSA have domestic coverage that included Internet and phone, but the phone dragnet was a lot less useful than all the other phone data NSA collected because NSA couldn’t use its nifty automatic tools on it.

Attempts to restore the pre-2009 state

We know that NSA convinced John Bates to not only turn the Internet dragnet back on around July 2010 (though it took a while before they actually turned it on), but to expand collection to some or all circuits in the US. He permitted that by interpreting anything that might be Dialing, Routing, Addressing, and Signaling (DRAS) to be metadata, regardless of whether it also was content, and by pointing back to the phone dragnet to justify the extension of the Internet dragnet. Bates’ fix was short-lived, however, because by 2011, NSA shut down that dragnet. I wildarseguess that may be partly because DOJ knew it was still collecting content, and when Bates told NSA if it knew it was collecting content with upstream collection, it would be illegal (NSA destroyed the Internet dragnet data at the same time it decided to start destroying its illegal upstream data). I also think there may have been a problem with Bates’ redefinition of DRAS, because Richard Burr explicitly adopted Bates’ definition in his bill, which would have given Bates’ 2010 opinion congressional sanction. As far as we know, NSA has been coping without the domestic Internet dragnet by collecting on US person Internet data overseas, as well as off PRISM targets.

Remember, any residual problems the Internet dragnet had may have affected NSA’s ability to collect any IP-based calls or at least messaging.

Meanwhile, NSA was trying to replace the automated functions it had up until 2009, and on November 8, 2012, the NSA finally authorized a way to do that. But over the next year plus, NSA never managed to turn it on.

The phone records gap

Meanwhile, the phone dragnet was collecting less and less of the data out there. My current theory is that the gap arose because of two things involving Verizon. First, in 2009, part or all of Verizon dropped its contract with the FBI to provide enhanced call records first set up in 2002. This meant it no longer had all its data collected in a way that was useful to FBI that it could use to provide CDRs (though Verizon had already changed the way it complied with phone records in 2007, which had, by itself, created some technical issues). In addition, I suspect that as Verizon moved to 4G technology it didn’t keep the same kind of records for 4G calls that transited its backbone (which is where the records come from, not from customer bills). The problems with the Internet dragnet may have exacerbated this (and in any case, the phone dragnet orders only ask for telephony metadata, not IP metadata).

Once you lose cell calls transiting Verizon’s backbone, you’ve got a big hole in the system.

At the same time, more and more people (and, disproportionately, terrorist targets) were relying more and more on IP-based communications — Skype, especially, but also texting and other VOIP calls. And while AT&T gets some of what crosses its backbone (and had and still has a contract for that enhanced call record service with the FBI, which means it will be accessible), a lot of that would not be available as telephony. Again, any limits on Internet collection may also impact IP-based calls and messaging.

Edward Snowden provides a convenient excuse

Which brings you to where the dragnets were in 2013, when Edward Snowden alerted us to their presence. The domestic PATRIOT-authorized Internet dragnet had been shut down (and with it, potentially, Internet-based calls and messaging). The phone dragnet still operated, but there were significant gaps in what the telecoms would or could turn over (though I suspect NSA still has full coverage of data that transits AT&T’s backbone). And that data couldn’t be subjected to all the nifty kinds of analysis NSA liked to subject call data to. Plus, complying with the FISC-imposed minimization procedures meant NSA could only share query results in limited situations and even then with some bureaucratic limits. Finally, it could only be used for counterterrorism programs, and such data analysis had become a critical part of all of NSA’s analysis, even including US collection.

And this is where I suspect all those stories about NSA already considering, in 2009 and in 2013, shutting down the dragnet come from. As both Ken Dilanian stories on this make clear, DOJ believed they could not achieve the same search results without a new law passed by Congress. Bob Litt has said the same publicly. Which makes it clear these are not plain old phone records.

So while Edward Snowden was a huge pain in the ass for the IC, he also provided the impetus to make a decision on the phone dragnet. Obama made a big show of listening to his Presidential Review Group and PCLOB, both of which said to get rid of it (the latter of which said it was not authorized by Section 215). But — as I noted at the time — moving to providers would fix some of their problems.

In their ideal world, here’s what we know the IC would like:

  • Full coverage on both telephony and IP-based calls and messaging and — ideally — other kinds of Internet communications
  • Ability to share promiscuously
  • Ability to use all NSA’s analytical tools on raw data (the data mandates are about requiring some kind of analytical work from providers)
  • Permission to use the “call” function for all intelligence purposes
  • Ability to federate queries with data collected under other authorities

And the IC wants this while retaining Section 215’s use of bulky collections that can be cross-referenced with other data, especially the other Internet collection it conducts using Section 215, which makes up a majority of Section 215 orders.

Those 5 categories are how I’ve been analyzing the various solutions (which is one of about 10 reasons I’m so certain that Mitch McConnell would never want straight reauthorization, because there’s nothing that straight reauthorization would have ratified that would have fixed the existing problems with the dragnet), while keeping in mind that as currently constructed, the Internet 215 collection is far more important to the IC than the phone dragnet.

How the bills stack up

USA F-ReDux, as currently incarnated, would vastly expand data sharing, because data would come in through FBI (as PRISM data does) and FBI metadata rules are very permissive. And it would give collection on telephony and IP-based calls (probably not from all entities, but probably from Apple, Google, and Microsoft). It would not permit use for all intelligence purposes. And it is unclear how many of NSA’s analytical tools they’d be able to use (I believe they’d have access to the “correlations” function directly, because providers would have access internally to customers’ other accounts, but with the House report, other kinds of analysis should be prohibited, though who knows what AT&T and Microsoft would do with immunity). The House report clearly envisions federated queries, but they would be awkward to integrate with the outsourced collection.

Burr’s bill, on the other hand, would expand provider-based querying to all intelligence uses. But even before querying might — maybe — probably wouldn’t — move to providers in 2 years, Burr’s bill would have immediately permitted NSA to obtain all the things they’d need to return to the 2009 bucolic era where US-collected data had the same treatment as EO 12333-collected data. And Burr’s bill would probably permit federated queries with all other NSA data. This is why, I think, he adopted EO 12333 minimization procedures, which are far more restrictive than what will happen when data comes in via FBI: since it will continue to come in in bulk, it needs to have an NSA minimization procedure. Burr’s bill would also sneak the Section 215 Internet collection back into NSL production, making that data more promiscuously available as well.

In other words, this is why so many hawks in the House are happy to have USA F-ReDux: because it is vastly better than the status quo. But it’s also why so many hawks in the Senate are unsatisfied with it: because it doesn’t let the IC do the other things — some of the analytical work and easy federated queries — that they’d like, across all intelligence functions. (Ironically, that means even while they’re squawking about ISIS, the capabilities they’d really like under Burr’s bill involve entirely other kinds of targets.)

A lot of the debate about a phone dragnet fix has focused on other aspects of the bill — on transparency and reporting and so on. And while I think those things do matter (the IC clearly wants to minimize those extras, and had gutted many of them even in last year’s bill), what really matters are those 5 functionalities.

 

Why Does Richard Burr Think It Will Take Four Times Longer To Set Up a Metadata Compliance System than a Content One?

On November 8, 2007, Yahoo received its first order to comply with the Protect America Act, the original law authorizing PRISM. Yahoo immediately told DOJ it would challenge the order. On May 12, 2008 — even as Yahoo appealed FISC’s order to comply with those PAA orders — Yahoo started complying with its PAA orders.

It took 185 days for Yahoo to set up a content compliance system under PRISM and challenge the underlying orders. And along the way, FBI’s requests expanded, from just a few items to nine, which appear to span the four business units Yahoo had at the time. Yet even in spite of FBI’s moving target and its ongoing legal challenge, Yahoo was able to start complying in about 6 months.

And yet Richard Burr believes — rather, claims to believe — that providers who already have sophisticated compliance systems (either under upstream and daily call records production, in the case of the telecoms, or PRISM production, in the case of other providers, not to mention that AT&T already provides roughly what it will under the new program under a contract with the FBI) will not be able to implement a system that will allow them to turn over phone records within 180 days.

Now, perhaps Burr really believes it will be tougher for providers to set up a metadata compliance system than set up content compliance systems that involve a heavy metadata component.

If so, that ought to raise real questions about what he thinks these providers will be doing, because it won’t just be turning over metadata.

Alternately, he’s wielding his ridiculous concerns about compliance for the same hoped-for effect as his bill did. He claimed that bill would institute a 2-year transition period for this program, but what it did in fact was to immediately grant the Intelligence Community all the authorities it has wanted, vastly expanding the dragnet. Then, a year after giving the IC everything it wanted, it would conduct a 1-year review (before any transition happened) that would show that it would be cheaper for the government to remain in the dragnet business. Only after 2 years would any “transition” happen, and it would in fact happen, if it did, immediately, with no transition period (though it probably never would happen, given that the IC would have already gotten everything it wanted).

That is, Burr’s claim that providers that have been complying with significant government requests for 7 years would need 2 more years to learn how to do it is probably just a bid to prevent the move to providers in the first place, a bid to have one more chance to argue in 6 months or a year or 2 years that it’s okay for the government to hold onto all our phone and Internet metadata.

But if not — if the new system will require more from providers than it did when they started turning over records under PRISM — then that is itself news.