Posts

Charles McCullough Too Busy Investigating Leakers to Investigate the Dragnet

As I noted back in September, Patrick Leahy and a bunch of other Senators asked the Intelligence Community Inspector General Charles McCullough to investigate the dragnet.

In particular, we urge you to review for calendar years 2010 through 2013:

  • the use and implementation of Section 215 and Section 702 authorities, including the manner in which information – and in particular, information about U.S. persons – is collected, retained, analyzed and disseminated;
  • applicable minimization procedures and other relevant procedures and guidelines, including whether they are consistent across agencies and the extent to which they protect the privacy rights of U.S. persons;
  • any improper or illegal use of the authorities or information collected pursuant to them; and
  • an examination of the effectiveness of the authorities as investigative and intelligence tools.

McCullough just answered.

No.

“At present, we are not resourced to conduct the requested review within the requested timeframe,” wrote McCullough, before adding he and other agency inspectors general are weighing now whether they can combine forces on a larger probe.

Leahy had asked McCullough to finish in what was then 15 months, December 2014, which would make it available for the PATRIOT Reauthorization due the next year.

Note, McCullough gave the same answer he and NSA’s IG gave when Ron Wyden asked how many Americans get caught up in the dragnet.

Not enough resources.

Mind you, he apparently has enough resources to do this:

Finally, we began to implement a program to lead IC-wide administrative investigations into unauthorized disclosures of classified information (i.e., “leak”) matters.

[snip]

The Investigations Division reviewed hundreds of closed cases from across the IC. Going forward, the division will engage in gap mitigation for those cases where an agency does not have the authority to investigate (multiple agencies or programs) or where DOJ declined criminal prosecution. The division will conduct administrative investigations with IG Investigators from affected IC elements to maximize efficiencies, expedite investigations, and enhance partnerships.

[snip]

The Investigations Division is reviewing 375 unauthorized disclosure case files.

But not enough resources to review a massive dragnet affecting every American in time to have results before the dragnet gets reauthorized.

Update: And apparently the Senate Intelligence Committee just told ODNI to investigate more leaks and pre-leaks.

  • Empowering the Director of National Intelligence to improve the government’s process to investigate (and reinvestigate) individuals with security clearances to access classified information;

Raj De and the Back-Door Loophole

As I already noted, NSA General Counsel lied in today’s PCLOB hearing when he said the use of Section 215 to conduct a phone dragnet had the indicia of legitimacy because Congress twice reauthorized the PATRIOT after the executive had given it full information.

We know that the 2010 freshman class — with the exception of the 7 members who served on the Judiciary or Intelligence Committees — did not have opportunity to learn the most important details about the phone dragnet before reauthorizing PATRIOT in 2011. And it appears DOJ withheld from the Judiciary and Intelligence the original phone dragnet opinion — and they clearly withheld significant FISC materials on it — until August 2010, after PATRIOT had been reauthorized the first time. I trust Ben Wittes, who wants to prevent Jim Sensenbrenner from commenting on NSA’s secrecy because he’s dishonest about his own role, applies a similar standard to Raj De.

But I was even more interested in the way De answered Center for Democracy and Technology’s Jim Dempsey’s question about the back-door loophole in which NSA searches on incidentally collected US person data (starting at 2:09:00).  Dempsey asked whether NSA needed something like the Reasonably Articulable Suspicion before it searched incidental US person data. De treated the question as nonsensical, given that when you collect on a particular phone number in the criminal context you don’t need to ignore what you find.

In other words, the NSA has a lower standard for access this content than they do for accessing the metadata of our phone calls.

Curiously, though, De tried to tout the minimization of both 702 and EO 12333 collection to present this as reasonable.

By minimization, Dempsey asked, you mean you keep it.

De insisted that no, there’s minimization at each step of the process.

I get how he was trying to use this blatant dodge. I get that the NSA assumes they can take everything so long as they’re careful about how they sent it around.

But make no mistake. NSA searches on the data before it gets minimized.

Here’s how this year’s Semiannual Compliance Review, submitted by the Attorney General and Director of National Intelligence, describes this practice.

NSA’s querying of unminimized Section 702-acquired communications using United States person identifiers (page 7)

Here’s how John Bates referred to the practice, based on a submission the NSA had made itself (though before De was writing the documents), in his October 3, 2011 opinion.

The government has broadened Section 3(b)(5) to allow NSA to query the vast majority of its Section 702 collection using United States-Person identifiers, subject to approval pursuant to internal NSA procedures and oversight by the Department of Justice. Like all other NSA queries of the Section 702 collection, queries using United States-person identifiers would be limited to those reasonably likely to yield foreign intelligence information. (page 22-23)

Bates justifies this practice by pointing to another agency’s (almost certainly FBI) use of the practice, which he describes as,

an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information.

The NSA has restrictions about circumstances in which they can share this data (which arguably will be expanded under Dianne Feinstein’s FakeFISAFix). But they allow the NSA to share this data if it is “foreign intelligence,” evidence of a crime, and evidence of a threat to life-which-to-NSA-means-property.

They can sweep up entire countries worth of Internet traffic. They can sweep up entire mailboxes overseas. And then go in, without a warrant, and “discover” evidence of crime.

Anonymous Aide Pushback Strengthens Case that DiFi Bill Supports Backdoor Searches

Ellen Nakashima wrote a truly remarkable article on the DiFi Fake FISA Fix, in which she quotes the following critics of the bill:

Sen. Ron Wyden (D-Ore.)

Elizabeth Goitein, co-director of the Brennan Center for Justice’s Liberty and National Security Program

Julian Sanchez, a research fellow at the CATO Institute

And quotes the following defenders of the bill and/or surveillance:

Committee Chairman Dianne Feinstein (D-Calif.)

Committee staff, including a committee aide, who was not permitted to speak on the record

Several former senior Justice Department officials, who were not permitted by their current employers to speak on the record

DiFi’s sole on the record comment, by the way, was stating that she would do “everything I can” to preserve the phone dragnet.

And in this article in which surveillance defenders hide behind anonymity, SSCI aides make the following case about the backdoor search “protections” in DiFi’s Fake FISA Fix (concerns about which I raised here).

Wyden and privacy advocates are also concerned that the bill would place in statute authority for NSA to search without a warrant for Americans’ e-mail and phone call content collected under a separate FISA surveillance program intended to target foreigners overseas. That is what Wyden has called a “back-door search loophole.”

Aides note the bill restricts the queries to those meant to obtain foreign intelligence information. They say that there have been only a “small number” of queries each year. Such searches are useful, for instance, if a tip arises that a terrorist group is plotting to kill or kidnap an American, officials have said. [my emphasis]

Take a look at the language pertaining to this issue in the past. Last year’s FAA conference report from the very same Committee described the issue as, “querying information collected under Section 702 to find communications of a particular United States person.” And when Ron Wyden and Mark Udall busted Keith Alexander for making false claims, they suggested the issue was about “allow[ing] the NSA to deliberately search for the records of particular Americans.” And when John Bates approved the NSA and CIA’s use of the practice in 2011, he described it as “query[ing] the vast majority of its Section 702 collection using United States-Person identifiers.” That’s almost precisely the way the Administration referred to it in its Compliance Report this year: “querying of unminimized Section 702-acquired communications using United States person identifiers” (see page 7).

That is, in every reference to this practice I can think of, nothing suggests the practice is limited to searching for US person identifiers in the content of communications. Indeed, the report from this very same committee last year made it clear the practice pertained to searching for the communications written by Americans, not those written about them. And the easiest way to find communications written by Americans is to search on US person identifiers in the metadata of communications.

But the bill specifically excludes searching for US person identifiers in the metadata of communications from its protections. That is, in addition to not prohibiting the searching of US person identifiers to protect life, body, and probably property, and for law enforcement purposes, the bill specifically leaves unrestricted looking up someone’s email or phone number to pull up all their communications from the collection of Section 702-acquired data.

And in their discussion of what the bill protects, these anonymous aide bill defenders describe its use to find people talking about Americans — the kidnapped American whose abductors refer to him by his IP address or phone number in their email. They appear to refer to searching for US person identifiers in the content of communications (which is all the bill protects anyway), not in its metadata. Communications about Americans, not by them. Which is not how all the previous descriptions of this practice describe it.

But the dead giveaway, the tell that this is a big scam to provide the appearance of limits while at the same time enshrining and possibly expanding the warrantless searching of “incidentally” collected US person content, is where the aides say this:

“There have only been a ‘small number’ of queries each year.”

Hahahaha! Have you missed the number of times NSA has said it would be impossible for them to count the number of Americans whose data has been searched in such a way?! NSA has spent well over a year making that claim, and DiFi has shielded that claim every step of the way.

So when DiFi’s anonymous aides make the claim that the queries protected by the law have only been used a few times a year — indeed, when they make the claim they can be and have been counted at all — they make it crystal clear the protections in the law do not pertain to the vast majority of the searches on US person data that has been collected “incidentally” under Section 702 which — the NSA assures us — cannot be counted.

What DiFi and her aides — by their own anonymous and perhaps inadvertent admission — plan to protect is a tiny fraction of the searches on US person data collected under Section 702, the countable fraction of the practice that NSA can’t or won’t count without incurring resource problems.

OK. Thanks anonymous DiFi aides. I wasn’t sure we had cause to worry. But now you’ve made it crystal clear what is going on.

DiFi’s Fake FISA Fix Appears to Further Extend Searches on US Persons Under Section 702

There’s a section of DiFi’s FakeFISAFix bill, called “Restrictions on the Querying of the Contents of Certain Communications,” that purports to put new limits on the searches of data collected under Section 702 for US person information.

(m) QUERIES.—

(1) LIMITATION ON QUERY TERMS THAT IDENTIFY A UNITED STATES PERSON.—A query of the contents of communications acquired under this section with a selector known to be used by a United States person may be conducted by personnel of elements of the Intelligence Community only if the purpose of the query is to obtain foreign intelligence information or information necessary to understand foreign intelligence information or to assess its importance.

(2) RECORD.—

(A) IN GENERAL.—For any query performed pursuant to paragraph (1) a record shall be retained of the identity of the Government personnel who performed the query, the date and time of the query, and the information indicating that the purpose of the query was to obtain foreign intelligence information or information necessary to understand foreign intelligence information or to assess its importance.

While the additional record-keeping is a significant improvement (remember, the IC has been saying they can’t even count this), I think, as it does with Section 215 searches, the language of the bill may actually expand the searches for US person content in information collected under Section 702.

As a threshold matter, the language restricting certain searches to foreign intelligence purposes only codifies the status quo. The language John Bates approved in 2011 (see page 23 and following) when he gave NSA and CIA this authority (FBI apparently already had it) limited such searches to those “reasonably likely to yield foreign intelligence information.”

In addition, this provision permits such searches for the IC in general. As far as we know for sure, only NSA, CIA, and FBI have this authority (though NCTC have recently gotten their own FISA minimization procedures which might allow them). But this language would seem to permit other agencies within the IC — say, DEA — to query 702 data for US person information as well.

Moreover, the section specifically excludes dialing, routing, and addressing information from this.

(B) CONTENT.—The term ‘content’, with respect to a communication—

(i) means any information concerning the substance, purport, or meaning of that communication; and

(ii) does not include any dialing, routing, addressing, or signaling information

While leaving this stuff out of the definition of content makes sense under the law, this would have the effect of permitting searches on Section 702 data to see if US persons were in there (to see whether a US person was in contact with the target, for example), by searching on the selector as metadata rather than content. Such searches wouldn’t require the same documentation, nor would they bear the intelligence purpose limitation (though I think Bates’ ruling would still limit that).

In other words, thus far, this section seems to create the illusion of oversight for such searches, but oversight that only covers one kind of search on US person data. Read more

The Common Commercial Services OLC Memo and Zombie CISPA

Some time last summer, Ron Wyden wrote Attorney General Holder, asking him (for the second time) to declassify and revoke an OLC opinion pertaining to common commercial service agreements. He said at the time the opinion “ha[d] direct relevance to ongoing congressional debates regarding cybersecurity legislation.”

That request would presumably have been made after President Obama’s April 25, 2012 veto threat of CISPA, but at a time when several proposed Cybersecurity bills, with different information sharing structures, were floating around Congress.

Wyden asked for the declassification and withdrawal of the memo again this January as part of his laundry list of requests in advance of John Brennan’s confirmation. Then, after having been silent about this request for 8 months (at least in public), Wyden asked again on September 26.

It appears that Wyden had intended to ask the question of one of the witnesses at an open Senate Intelligence Committee hearing (perhaps Deputy Attorney General James Cole), but — having had warning of his questions (because he sent them to the witnesses in advance) — Dianne Feinstein and Susan Collins ensured there would not be a second round of questions.

As it happens, Wyden made the request for the memo two days after DiFi told The Hill she was preparing to advance her version of CISPA, and the day after Keith Alexander started calling for cybersecurity legislation again.

In a brief interview with The Hill in the U.S. Capitol on Tuesday, Feinstein said she has prepared a draft bill and plans to move it forward.

The legislation would be the Senate’s counterpart to the Cyber Intelligence Sharing and Protection Act, known as CISPA, which cleared the House in April.

CISPA would remove legal barriers that prevent companies from sharing information with each other and the government about cyber attacks. It would also allow the government to share more information with the private sector.

Since then, Alexander has pitched new cybersecurity legislation in an “interview” with the NYT, admitting he needs to be more open about his places for cybersecurity.

Now, the Executive Branch’s unwillingness to actually share the law as it interprets it with us mere citizens prevents us from understanding precisely what relationship this OLC memo has with proposed cybersecurity legislation — but Wyden made it clear in January that it does have one. But here are some things we might surmise about the memo:

  • The Administration is currently relying on this memo. If it weren’t using it, after all, it wouldn’t need to be revoked. That means that since at least January 14, 2011 (before which date Wyden and Russ Feingold first asked it be revoked), the Administration has had a secret interpretation of law relating in some way to cybersecurity.
  • The interpretation would surprise us. As Wyden notes, “this opinion is inconsistent with the public’s understanding of the law” (he doesn’t say what that law is, but I’ll hazard a guess and say it pertains to information sharing). It’s likely, then, that some form of online provider has been sharing cyber-intelligence with the federal government under some strained interpretation of our privacy protections (and, probably, some kind of Attorney General assurances everything’s cool).

Let’s use the lesson we learned during the FISA Amendments Act where the telecoms were clambering for the legislation and the retroactive immunity, but the Internet companies were grateful for “clarity,” but explicitly opposed to retroactive immunity. When we learned the telecoms had been turning over the Internet companies metadata and content, this all made more sense. The Internet Companies wanted the telecoms to be punished for stealing their data.

In this case, in the first round of CISPA (which had broad immunity protections), Facebook and Microsoft were supporters. But in this go-around (which has still generous but somewhat more limited immunity), the big supporters consist of:

  • Telecoms (AT&T, Verizon; interestingly, Sprint did not sign a letter of support)
  • Broadband and other backbone providers (Boeing, Cisco, Comcast, TimeWarner, USTelecom)
  • Banks and financial transfer
  • Power grid operators and other utilities

Now, who knows with which of these entities the government is already relying on this common commercial services memo, which of our providers we believe have made some assurances to us but in fact they’ve made entirely different ones.

But I will say the presence of the telecoms, again, angling for immunity for information sharing, along with their analogues the broadband providers does raise questions. Especially considering Verizon Exec’s trash talking about consumer-centric Internet companies that don’t prioritize national security.

Stratton said that he appreciated that “consumer-centric IT firms” such as Yahoo, Google, Microsoft needed to “grandstand a bit, and wave their arms and protest loudly so as not to offend the sensibility of their customers.”

“This is a more important issue than that which is generated in a press release. This is a matter of national security.”

After all, the telecoms have a history of willingly cooperating with the government, even if it bypassed the protections offered by Internet companies, even if it violated the law. Have they been joined by big broadband?

Well, DOJ could clear all this up by revoking and releasing the memo. Until they do, though, my wildarsed guess is that those operating the Toobz in the country — the telecom and broadband companies — have already started sharing consumers’ data that a plain reading of the law seemingly wouldn’t permit them to do.

Article II Is Article II: EO 12333 and Protect America Act, FISA Amendments Act, and FISC

I’m reading a very old SSCI hearing on FISA today — from May 1, 2007, when then Director of National Intelligence Mike McConnell initiated the push for the Protect America Act.

Given recent revelations that NSA continues to conduct some collection under EO 12333 — including the address books of people all over the world, including Americans — I thought this part of the hearing might amuse some of you.

SEN. FEINGOLD: I thank the witnesses for testifying today. Can each of you assure the American people that there is not — and this relates to what — the subject Senator Wyden was just discussing — that there is not and will not be any more surveillance in which the FISA process is side-stepped based on arguments that the president has independent authority under Article II or the authorization of the use of military force?

MR. McCONNELL: Sir, the president’s authority under Article II is – – are in the Constitution. So if the president chose to exercise Article II authority, that would be the president’s call. What we’re attempting to do here with this legislation is to put the process under appropriate law so that it’s conducted appropriately to do two things — protect privacy of Americans on one hand, and conduct foreign surveillance on the other.

SEN. FEINGOLD: My understanding of your answer to Senator Wyden’s last question was that there is no such activity going on at this point. In other words, whatever is happening is being done within the context of the FISA statute.

MR. McCONNELL: That’s correct.

SEN. FEINGOLD: Are there any plans to do any surveillance independent of the FISA statute relating to this subject?

MR. McCONNELL: None that — none that we are formulating or thinking about currently. But I’d just highlight, Article II is Article II, so in a different circumstance, I can’t speak for the president what he might decide.

SEN. FEINGOLD: Well, Mr. Director, Article II is Article II, and that’s all it is. Read more

The FISC Opinion Dance

Andrea Peterson calls attention to this cryptic Ron Wyden quote in WaPo’s story on extant FISA Court opinions on bulk collection.

“The original legal interpretation that said that the Patriot Act could be used to collect Americans’ records in bulk should never have been kept secret and should be declassified and released,” Sen. Ron Wyden (D-Ore) said in a statement to The Washington Post. “This collection has been ongoing for years and the public should be able to compare the legal interpretation under which it was originally authorized with more recent documents.”

Before I speculate about what Wyden might be suggesting, let’s review what opinions the article says exist.

There’s the original Colleen Kollar-Kotelly opinion.

In the recent stream of disclosures about National Security Agency surveillance programs, one document, sources say, has been conspicuously absent: the original — and still classified — judicial interpretation that held that the bulk collection of Americans’ data was lawful.

That document, written by Colleen Kollar-Kotelly, then chief judge of the Foreign Intelligence Surveillance Court (FISC), provided the legal foundation for the NSA amassing a database of all Americans’ phone records, say current and former officials who have read it.

[snip]

Kollar-Kotelly’s interpretation served as the legal basis for a court authorization in May 2006 that allowed the NSA to gather on a daily basis the phone records of tens of millions of Americans, sources say. Her analysis, more than 80 pages long, was “painstakingly thorough,” said one person who read it. The date of the analysis has not been disclosed.

 

There’s a 2006 one pertaining to Section 215 not written by Kollar-Kotelly.

The Justice Department also is reviewing a 2006 court opinion related to the Section 215 provision to determine whether it can be released, said Alex Abdo, an ACLU staff lawyer. (A senior department official told The Post that no 2006 Kollar-Kotelly opinion is based on that provision.)

There are two more on Section 215 the government has disclosed the existence of to ACLU.

Government lawyers have told the ACLU that they are withholding at least two significant FISC opinions — one from 2008 and one from 2010 — relating to the Patriot Act’s Section 215, or “business records” provision.

Now compare how these map up with the two opinions referenced by Claire Eagan in her recent opinion.

This Court had reason to analyze this distinction in a similar context in [redacted]. In that case, this Court found that “regarding the breadth of the proposed surveillance, it is noteworthy that the application of the Fourth Amendment depends on the government’s intruding into some individual’s reasonable expectation of privacy.” Id. at 62. The Court noted that Fourth Amendment rights are personal and individual, see id. (citing Steagald v. United States, 451 U.S. 204, 219 (1981); Rakas v. Illinois, 439 U.S. 128, 133 (1978) (“‘Fourth Amendment rights are personal rights which … may not be vicariously asserted.,) (quoting Alderman v. United States, 394 U.S. 165, 174 (1969))), and that “[s]o long as no individual has a reasonable expectation of privacy in meta data, the large number of persons whose communications will be subjected to the … surveillance is irrelevant to the issue of whether a Fourth Amendment search or seizure will occur.” Id. at 63. Put another way, where one individual does not have a Fourth Amendment interest, grouping together a large number of similarly-situated individuals cannot result in a Fourth Amendment interest springing into existence ex nihilo.

[snip]

This Court has previously examined the issue of relevance for bulk collections. See [6 lines redacted]

While those involved different collections from the one at issue here, the relevance standard was similar. See 50 U.S.C. § 1842(c)(2) (“[R]elevant to an ongoing investigation to protect against international terrorism …. “). In both cases, there were facts demonstrating that information concerning known and unknown affiliates of international terrorist organizations was contained within the non-content metadata the government sought to obtain.  Read more

The NSA Hides Its Domestic Collection by Refusing to Count It

In his speech at Cato last week Ron Wyden made it clear that when he asked Keith Alexander and James Clapper in advance of the reauthorization of the FISA Amendments Act for the number of Americans’ communications that had been collected under Section 702, he meant to elicit the estimates John Bates made in his October 3, 2011 opinion.

I spent much of 2012 asking the NSA and the DNI [Director of National Intelligence] whether anyone had done an estimate of how many American communications had been collected under section 702. The ODNI and the NSA insisted that such an estimate was impossible, but what they failed to tell the public was that the Fisa court had already done one.

Bates had the NSA conduct a manual review of a statistical subsection of 50,440 transactions collected via upstream collection between January and June 2011. (Note, it appears Bates may have had to raise dire warnings with “top DOJ officials” on July 8, 2011 before he got such a review.) He then annualized the results and estimated that the NSA was collecting up to 56,000 communications of Americans each year, made up of 46,000 communications consisting entirely of an American’s communication (Single Communication Transactions), and 10,000 in which their communication got included in a Multiple Communication Transaction swept up in the search.

Given what we’ve learned about the 2011 confrontation, Wyden’s serial requests for this information take on added importance for two reasons.

Administration never disclosed its domestic collection to the most Members of Congress

First, because the Administration very pointedly did not inform the bulk of Congress that NSA had been — and had been allowed to continue — collecting purely domestic communications from telecom switches. Neither the February 9, 2012 statement to the Senate Intelligence Committee nor the May 4, 2012 notice to Congress provided any indication that this violation involved collecting domestic communications (the December 8, 2011 statement to the House Intelligence Committee did, and both Committees, presumably as well as the Judiciary Committees, received the opinion itself, which makes that clear). It’s also not clear whether any of these notices included any mention of the SCTs, those single communication transactions involving just a US person communication.

Read more

The Business as Usual Brigade

I missed the CATO surveillance event today (they’ll have video up soon, Julian Sanchez promises), but here’s the speech Ron Wyden gave.

I’m amused by this line:

We wanted to put this marker down early because we know in the months ahead we will be up against a “business-as-usual brigade” – made up of influential members of the government’s intelligence leadership, their allies in thinktanks and academia, retired government officials, and sympathetic legislators.

Wyden, a politician, can’t name these people.

But I would suggest they are all immediately identifiable as an archetype:

Influential members of the government’s intelligence leadership: Keith Alexander and James Clapper

Their allies in thinktanks and academia: Ben Wittes

Retired government officials: Michael Hayden

Sympathetic legislators: Dianne Feinstein

Indeed, further in his speech, he repeats claims these people have made, without identifying the speaker.

Some of the “business as usual” arguments have something of an Alice in Wonderland flavor.

We have heard that surveillance of Americans’ phone records, aka metadata, is not actually surveillance at all – it’s simply the collection of bits of information. [DiFi]

We’ve been told that falsehoods aren’t falsehoods – they are simply imprecise statements. [Clapper]

We’ve been told that rules that have been repeatedly broken are a valuable check on government overreach. [Wittes]

And we’ve been told that codifying secret surveillance laws and making them public surveillance laws is the same as actually reforming these overreaching surveillance programs. [Hayden]

And Wyden is absolutely correct. DiFi has submitted changes to Section 215 and 702 that … don’t change a single solitary thing, except that they (1) write down what the FISA Court has already mandated and (2) expand surveillance by authorizing the wiretapping of roamers for a period in the US.

So maybe Wyden isn’t correct? Maybe this is not the “Business as Usual Brigade,” but the “Use a crisis to authorizing phone wiretapping in the US brigade”?

Whatever it is, these are recognizable people. And the press should be focusing on the many ways in which their legislation actually increases surveillance.

6 Years Later, Are the Internet Companies Trying to Expose Telecoms Stealing Their Data, Again?

Update: And now this, too, has been halted because of the shutdown (h/t Mike Scarcella). This motion suggests the government asked the Internet companies for a stay on Friday. This one suggests the Internet companies asked the government for access to the classified information in the government filing, but the government told them they can’t consider that during the shut-down. 

As Time lays out, unlike several of the other NSA-related transparency lawsuits, the fight between the government and some Internet companies (Google, Yahoo, Facebook, Microsoft, and LinkedIn, with Dropbox as amicus) continues even under government shut-down. The government’s brief and declaration opposing the Internet bid for more transparency is now available on the FISA Court docket.

Those documents — along with an evolving understanding of how EO 12333 collection works with FISA collection — raise new questions about the reasons behind the government’s opposition.

When the Internet companies originally demanded the government permit them to provide somewhat detailed numbers on how much information they provide the government, I thought some companies — Google and Yahoo, I imagined — aimed to show they were much less helpful to the government than others, like Microsoft. But, Microsoft joined in, and it has become instead a showdown with Internet companies together challenging the government.

Meanwhile, the phone companies are asking for no such transparency, though one Verizon Exec explicitly accused the Internet companies of grandstanding.

In a media briefing in Tokyo, Stratton, the former chief operating officer of Verizon Wireless, said the company is “compelled” to abide by the law in each country that it operates in, and accused companies such as Microsoft, Google, and Yahoo of playing up to their customers’ indignation at the information contained in the continuing Snowden leak saga.

Stratton said that he appreciated that “consumer-centric IT firms” such as Yahoo, Google, Microsoft needed to “grandstand a bit, and wave their arms and protest loudly so as not to offend the sensibility of their customers.”

“This is a more important issue than that which is generated in a press release. This is a matter of national security.”

Stratton said the larger issue that failed to be addressed in the actions of the companies is of keeping security and liberty in balance.

“There is another question that needs to be kept in the balance, which is a question of civil liberty and the rights of the individual citizen in the context of that broader set of protections that the government seeks to create in its society.”

With that in mind, consider these fascinating details from the government filings.

  • The FBI — not the NSA — is named as the classification authority and submits the declaration (from Acting Executive Assistant Director Andrew McCabe) defending the government’s secrecy claims
  • The government seems concerned about breaking out metadata numbers from content (or non-content from non-content and content, as Microsoft describes it), even while suggesting this is about providing our “adversaries” hints about how to avoid surveillance
  • The government suggests some of what the Internet companies might disclose doesn’t fall under FISC’s jurisdiction

All of these details lead me to suspect (and this is a wildarsed guess) that what the government is really trying to hide here is how they use upstream metadata collection under 12333 to develop relatively pinpointed requests for content from Internet companies. If the Internet companies disclosed that, it would not only make their response seem much more circumscribed than what we’ve learned about PRISM, but more importantly, it would reveal how the upstream, unsupervised collection of metadata off telecom switches serves to target this collection.

The FBI as declarant

Begin with the fact that the FBI — and not NSA or ODNI — is the declarant here. I can think of two possible reasons for this.

One, that much of the collection from Internet companies is done via NSL or another statute for which the FBI, not the NSA, would submit the request. There are a number of references to NSLs in the filings that might support this reading. [Correction: FBI is not required to submit NSLs in all cases, but they are in 18 USC 2709, which applies here.]

It’s also possible, though, that the Internet companies only turn over information if it involves US persons, and that the government gets all other content under EO 12333. As with NSLs, the FBI submits applications specifically for US person data, not the NSA. But if that’s the case, then this might point to massive parallel construction, hiding that much of the US person data they collect comes without FISC supervision.

And remember — the FBI seems to have had the authority to search incidentally collected (presumably, via whatever means) US person data before the NSA asked for such authority in 2011.

There may be other possibilities, but whatever it is, it seems that the FBI would only be the classification authority appropriate to respond here if they are the primary interlocutor with the Internet companies — at least within the context of collection achieved under the FISA Court’s authority.

Breaking out metadata from content numbers and revealing “timing”

While the government makes an argument that revealing provider specific information would help “adversaries” to avoid surveillance, two other issues seem to be of more acute concern.

First, it suggests Google and Microsoft’s request to break out requests by FISA provision — and especially Microsoft’s request to “disclose separate categories for ‘non-content’ requests and ‘content and non-content requests” — brought negotiations to a head (see 2-3). This suggests we would see a pretty surprising imbalance there — perhaps (if my theory that the FBI goes to Internet companies only for US person data is correct) primarily specific orders (though that would seem to contradict the PRISM slide that suggested it operated under Section 702). It also suggests that the Internet companies may be providing either primarily content or primarily metadata, not both (as we might expect under PRISM).

The government is also concerned about revealing “the timing of when the Government acquires certain surveillance capabilities.” (see brief 19; the brief references McCabe’s discussion of timing, but the discussion is entirely redacted). That’s interesting because these are to a large extent (though not exclusively) storage companies. It may suggest the government is only asking for data stored in the Internet companies’ servers, not data that is in transit.

The FISC may not have jurisdiction over all this

Then there are hints that the FISC may not have jurisdiction over all the collection involving the Internet companies. That shows up in several ways.

First, in one spot (page 17) the government refers to the subject of its brief as “FISA proceedings and foreign intelligence collection.” In other documents, we’ve seen the government distinguish FISC-governed collection from collection conducted under other authorities — at least EO 12333. Naming both may suggest that part of the jurisdictional issue is that the collection takes place under EO 12333.

There’s another interesting reference to the FISC’s jurisdiction, where the government says it wants to reveal information on the programs “overseen by this Court.”

Although the Government has attempted to release as much information as possible about the intelligence collection activities overseen by this Court, the public debate about surveillance does not give the companies the First Amendment right to disclose information that the Government has determined must remain classified.

I’m increasingly convinced that the government is trying to do a limited hangout with the Edward Snowden leaks, revealing only the stuff authorized by FISC, while refusing to talk about the collection authorized under other statutes (this likely also serves to hide the role of GCHQ). If this passage suggests — as I think it might — that the Government is only attempting to release that information overseen by the FISC, then it suggests that part of what the Internet companies would reveal does not fall under FISC.

Then there are the two additional threats the government uses — in addition to gags tied to FISA orders — to ensure the Internet personnel not reveal this information: nondisclosure agreements and the Espionage Act.

I’m not certain whether the government is arguing whether these two issues — even if formulated in conjunction with FISA Orders — are simply outside the mandate of the FISC, or if it is saying that it uses these threats to gag people engaged in intelligence collection not covered by FISA order gags.

The review and construction of nondisclosure agreements and other prohibitions on disclosure unrelated to FISA or the Courts rules and orders fall far outside the powers that “necessarily result to [this Court] from the nature of [the] institution,” and therefore fall outside the Court’s inherent jurisdiction.

Whichever it is (it could be both), the government seems intent on staving off FISC-mandated transparency by insisting that such transparency on these issues is outside the jurisdiction of the Court.

There there’s this odd detail. Note that McCabe’s declaration is not sworn under oath, but is sworn under penalty of perjury under 18 USC 1746 (see the redaction at the very beginning of the declaration) . Is that another way of saying the FISA Court doesn’t have jurisdiction over this matter? [Update: One possibility is that this is shut-down related–that DOJ’s notaries who validate sworn documents aren’t considered essential.]

The PRISM companies and the poisoned upstream fruit

One more thing to remember. Though we don’t know why, the government had to pay the PRISM companies — that is, the same ones suing for more transparency — lots of money to comply with a series of new orders after John Bates imposed new restrictions on the use of upstream data. I’ve suggested that might be because existing orders were based on poisoned fruit, the illegally collected US person data collected at telecom switches.

That, too, may explain why PRISM company disclosure of the orders they receive would reveal unwanted details about the methods the government uses: there seems to be some relation between this upstream collection and the requests the Internet companies that is particularly sensitive.

As I have repeatedly recalled, back in 2007, these very same Internet companies tried to prevent the telecoms from getting retroactive immunity for their actions under Bush’s illegal wiretap program. That may have been because the telecoms were turning over the Internet companies’ data to the government.

They appear to be doing so again. And this push for transparency seems to be an effort to expose that fact.

Update: Microsoft’s Amended Motion — the one asking to break out orders by statute — raises the initial reports on PRISM, reports on XKeyscore, and on the aftermath of the 2011 upstream problems (which I noted above). It doesn’t talk about any story specifically tying Microsoft to Section 215. However, it lists these statutes among those it’d like to break out.

1These authorities could include electronic surveillance orders, see 50 U.S.C. §§ 1801-1812; phyasical search orders, see 50 U.S.C. §§ 1821-1829; pen register and trap and trace orders, see 50 U.S.C. §§ 1841-1846; business records orders, see 50 U.S.C. §§ 1861-1862; and orders and directives targeting certain persons outside the United States, see 50 U.S.C. §§ 1881-1881g. [my emphasis]

If I’m not mistaken, the motion doesn’t reference this article, which described how the government accessed Skype and Outlook, which you’d think would be one of the ones MSFT would most want to refute, if it could. But I’ve also been insisting that they must get Skype info for the phone dragnet, otherwise they couldn’t very well claim to have the whole “phone” haystack.

But the mention of Section 215 suggests they may be included in that order.

Also, we keep seeing physical search orders included in a communication arena. I wonder if that’s a storage issue.

Update: One more note about the MSFT Amended Motion. It lists where the people involved got their TS security clearances. MSFT’s General Counsels is tied to DOD; the lawyers on the brief all are tied to FBI.

One final detail on MSFT. Though the government brief doesn’t say this, MSFT is also looking to release the number of accounts affected by various orders, not just the number of targets (which is what the government wants to release). That’s a huge difference.