Posts

“Linking” Procedures in the Yahoo Opinion

As I mentioned earlier, Yahoo is finally releasing the documents pertaining to its challenge of Protect America Act directives in 2008. The LAT has loaded the Yahoo documents in an easy to access page.

This post will look primarily at the FISCR opinion.

As you’ll recall, this opinion was previously released in 2009 (and in fact, the previous list has names of some of the DOJ people who are redacted with this release unredacted).

The four main new disclosures I noted are:

  • A discussion of differences between the definition of foreign power in EO 12333 and FISA
  • Concerns Yahoo raised about how inaccurate the first directives it had received were (the Court appears to have misunderstood the seriousness of the inaccuracies)
  • Discussion of a parting shot — this supplemental brief makes it clear the largely redacted discussion pertains to US person data collected overseas; I’ll probably return to this, but it appears Yahoo’s concerns were borne out and led to the addition of Sections 703-5 in the FISA Amendments Act.
  • Reference to “linking” procedures which were part of what FISCR used to deem the collection constitutional

That last item — the “linking” procedures — is what was redacted in this post I did when the memo was first released. As I noted then, the procedures were what the FISCR used to meet particularity requirements.

The following passage starts on page 23:

The linking procedures — procedures that show that the [redacted] designated for surveillance are linked to persons reasonably believed to be overseas and otherwise appropriate targets — involve the application of “foreign intelligence factors.” These factors are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. As attested by affidavits of the Director of the National Security Agency (NSA), the government identifies [redacted] surveillance for national security purposes on information indicating that, for instance, [big redaction] Although the FAA itself does not mandate a showing of particularity, see 50 U.S.C. § 1805(b), this pre-surveillance procedure strikes us as analogous to and in conformity with the particularity showing contemplated by Sealed Case.

I’ll need to look more closely to find this brief — if it was released. But I suspect that this shows more closely how the metadata dragnets and the content collection are linked. They collect the metadata to mine for “proof” of meaningful connection, then use that to unlock the content. That’s not surprising — it’s what I had been speculating since days after Risen first broke this — but it’s important to flesh out. Because, of course, all this not-a-search metadata really is, because it leads directly to the content.

As I noted in my post in 2009, Russ Feingold released a statement with the release of the opinion, basically arguing that Yahoo could have won this if they had had access to the procedures related to the program (Mark Zwillinger made the same point when he testified to PCLOB).

The decision placed the burden of proof on the company to identify problems related to the implementation of the law, information to which the company did not have access. The court upheld the constitutionality of the PAA, as applied, without the benefit of an effective adversarial process. The court concluded that “[t]he record supports the government. Notwithstanding the parade of horribles trotted out by the petitioner, it has presented no evidence of any actual harm, any egregious risk of error, or any broad potential for abuse in the circumstances of the instant case.” However, the company did not have access to all relevant information, including problems related to the implementation of the PAA. Senator Feingold, who has repeatedly raised concerns about the implementation of the PAA and its successor, the FISA Amendments Act (“FAA”), in classified communications with the Director of National Intelligence and the Attorney General, has stated that the court’s analysis would have been fundamentally altered had the company had access to this information and been able to bring it before the court.

There’s no reason to believe the “linking” procedures are what Feingold was referring to. After all, there still are details of the minimization and targeting procedures that raise big constitutional issues. Plus, we know foreign collection has always been a big concern of Feingold’s. But I am wondering whether part of the problem was that their contact chaining was not very good, and therefore they were collecting people who really weren’t linked to the targets in question.

Which might explain why Yahoo was experiencing so many dud directives in the first months of its operation.

USA Freedumber Will Not Get Better in the “Prosecutors” Committee

Having been badly outmaneuvered on USA Freedumber — what was sold as reform but is in my opinion an expansion of spying in several ways — in the House, civil liberties groups are promising a real fight in the Senate.

“This is going to be the fight of the summer,” vowed Gabe Rottman, legislative counsel with the American Civil Liberties Union.

If advocates are able to change the House bill’s language to prohibit NSA agents from collecting large quantities of data, “then that’s a win,” he added.

“The bill still is not ideal even with those changes, but that would be an improvement,” Rottman said.

[snip]

“We were of course very disappointed at the weakening of the bill,” said Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute. “Right now we really are turning our attention to the Senate to make sure that doesn’t happen again.”

[snip]

One factor working in the reformers’ favor is the strong support of Senate Judiciary Chairman Patrick Leahy (D-Vt.).

Unlike House Judiciary Chairman Bob Goodlatte (R-Va.), who only came to support the bill after negotiations to produce a manager’s amendment, Leahy was the lead Senate sponsor of the USA Freedom Act.

The fact that Leahy controls the committee gavel means he should be able to guide the bill through when it comes up for discussion next month, advocates said.

“The fact that he is the chairman and it’s his bill and this is an issue that he has been passionate about for many years” is comforting, Greene said.

I hope they prove me wrong. But claims this will get better in the Senate seem to ignore the recent history of the Senate Judiciary Committee’s involvement in surveillance bills, not to mention the likely vote counts.

It is true Pat Leahy wants real reform. And he has a few allies on SJC. But in recent years, every surveillance-related bill that came through SJC has been watered down when Dianne Feinstein offered an alternative (which Leahy sometimes adopted as a manager’s amendment, perhaps realizing he didn’t have the votes). After DiFi offered reform, Sheldon Whitehouse (who a number of less sophisticated SJC members look to as a guide on these issues) enthusiastically embraced it, and everyone fell into line. Often, a Republican comes in and offers a “bipartisan reform” (meaning conservative Republicans joining with the Deep State) that further guts the bill.

This is how the Administration (shacking up with Jeff Sessions) defeated an effort to rein in Section 215 and Pen Registers in 2009.

This is how DiFi defeated an effort to close the backdoor loophole in 2012.

As this was happening in 2009, Russ Feingold called out SJC for acting as if it were the “Prosecutors Committee,” rather than the Judiciary Committee.

(Note, in both of those cases as well as on the original passage of Section 702, I understood fairly clearly what the efforts to stymie reform would do, up to 4 years before those programs were publicly revealed; I’ve got a pretty good record on this front!)

And if you don’t believe this is going to happen again, tell me why this whip count is wrong:

[Screenshot: whip count]

If my read here is right, the best case scenario — short of convincing Sheldon Whitehouse some of what the government wants to do is unconstitutional, which John Bates has already ruled that it is — is relying on people like Ted Cruz (whose posturing on civil liberties is often no more than that) and Jeff Flake (who was great on these issues in the House but has been silent and absent throughout this entire debate). And that’s all to reach a 9-9 tie in SJC.

Which shouldn’t be surprising. Had Leahy had the votes to move USA Freedom Act through SJC, he would have done so in October.

That was the entire point of starting in the House: because there was such a large number of people (albeit, for the most part without gavels) supporting real reform in the House. But because reformers (starting with John Conyers and Jerry Nadler) uncritically accepted a bad compromise and then let it be gutted, that leverage was squandered.

Right now, we’re looking at a bill that outsources an expanded phone dragnet to the telecoms (with some advantages and some drawbacks), but along the way resets other programs to what they were before the FISC reined them in from 2009 to 2011. That’s the starting point. With a vote count that leaves us susceptible to further corruption of the bill along the way.

Edward Snowden risked his freedom to try to rein in the dragnet, and instead, as of right now it looks like Congress will expand it.

Update: I’ve moved Richard Blumenthal into the “pro reform” category based on this statement after the passage of USA Freedumber. Thanks to Katherine Hawkins for alerting me to the statement.

No Protection for International Communications: Russ Feingold Told Us So

Both the ACLU’s Jameel Jaffer and EFF have reviews of the government’s latest claims about Section 702. In response to challenges by two defendants, Mohamed Osman Mohamud and Jamshid Muhtorov, to the use of 702-collected information, the government claims our international communications have no Fourth Amendment protection.

Here’s how Jaffer summarizes it:

It’s hardly surprising that the government believes the 2008 law is constitutional – government officials advocated for its passage six years ago, and they have been vigorously defending the law ever since. Documents made public over the last eleven-and-a-half months by the Guardian and others show that the NSA has been using the law aggressively.

What’s surprising – even remarkable – is what the government says on the way to its conclusion. It says, in essence, that the Constitution is utterly indifferent to the NSA’s large-scale surveillance of Americans’ international telephone calls and emails:

The privacy rights of US persons in international communications are significantly diminished, if not completely eliminated, when those communications have been transmitted to or obtained from non-US persons located outside the United States.

That phrase – “if not completely eliminated” – is unusually revealing. Think of it as the Justice Department’s twin to the NSA’s “collect it all”.

[snip]

In support of the law, the government contends that Americans who make phone calls or send emails to people abroad have a diminished expectation of privacy because the people with whom they are communicating – non-Americans abroad, that is – are not protected by the Constitution.

The government also argues that Americans’ privacy rights are further diminished in this context because the NSA has a “paramount” interest in examining information that crosses international borders.

And, apparently contemplating a kind of race to the bottom in global privacy rights, the government even argues that Americans can’t reasonably expect that their international communications will be private from the NSA when the intelligence services of so many other countries – the government doesn’t name them – might be monitoring those communications, too.

The government’s argument is not simply that the NSA has broad authority to monitor Americans’ international communications. The US government is arguing that the NSA’s authority is unlimited in this respect. If the government is right, nothing in the Constitution bars the NSA from monitoring a phone call between a journalist in New York City and his source in London. For that matter, nothing bars the NSA from monitoring every call and email between Americans in the United States and their non-American friends, relatives, and colleagues overseas.

I tracked Feingold’s warnings about Section 702 closely in 2008. That’s where I first figured out the risk of what we now call back door searches, for example. But I thought his comment here was a bit alarmist.

As I’ve learned to never doubt Ron Wyden’s claims about surveillance, I long ago learned never to doubt Feingold’s.


The Lapses in Dragnet Notice to Congress

I’m at a great conference on national security and civil liberties. Unfortunately, speakers have repeatedly claimed that NSA fully informs Congress on its programs.

Even setting aside Dianne Feinstein’s admission that the intelligence committees exercise less oversight over programs conducted under EO 12333, there are a number of public documents that show the Executive failing to fully inform Congress:

April 27, 2005: Alberto Gonzales and Robert Mueller brief SSCI on PATRIOT Authorities in advance of reauthorization. They make no mention of the use of PR/TT to gather Internet metadata, much less the violations of Colleen Kollar-Kotelly limits on the kind of data collected during the first period of its use.

October 21, 2009: A Michael Leiter and NSA Associate Deputy Director briefing to the House Intelligence Committee pointed to the September 3, 2009 phone dragnet reauthorization as proof that NSA had regained FISC’s confidence, without mentioning further violations on September 21 and 23 — violations that NSA did not inform FISC about.

August 16, 2010: DOJ did not provide the Intelligence and Judiciary Committees with some of the pre-July 10, 2008 FISC rulings providing significant constructions of FISA pertaining to — at a minimum — Section 215 until after the first PATRIOT Reauthorization.

February 2, 2011: House Intelligence Chair Mike Rogers did not invite members of Congress to read the 2011 notice about the phone and Internet dragnets. Approximately 86 freshmen members — 65 of whom voted to reauthorize the PATRIOT Act, a sufficient number to tip the vote — had no opportunity to read that notice.

May 13, 2011: In a briefing by Robert Mueller and Valerie Caproni designed to substitute for the Executive’s notice to Congressmen about the phone and Internet dragnets, the following exchange took place.

Comment — Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?

A — To the FBI’s knowledge, those authorities have not been abused.

While the balance of the briefing remains redacted, this seems to suggest the FBI did not brief House Republicans about the dragnet violations.

September 1, 2011: NSA did not provide notice to the House Judiciary Committee about its testing of geolocation data under Section 215 until after the reauthorization of PATRIOT Act, in spite of the fact that it had been conducting such tests throughout the 2010 and 2011 debates on the PATRIOT Act.

The Leahy-Sensenbrenner Language on Back Door Searches Improves But Doesn’t Eliminate the Back Door

As the top Intelligence Community lawyers have made clear, the IC maintains it can search US person data incidentally collected under Section 702 without any suspicion, as well as for the purposes of making algorithms, cracking encryption, and to protect property.

The Leahy-Sensenbrenner bill tries to rein in this problem. And its fix is far better than what we’ve got now. But it almost certainly won’t fix the underlying problem.

Here’s what the law would do to the “Limitations” section of Section 702. The underlined language is new.

(b) Limitations

(1) IN GENERAL.—An acquisition

(A) may not intentionally target any person known at the time of acquisition to be located in the United States;

(B) may not intentionally target a person reasonably believed to be located outside the United States if a significant purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States;

(C) may not intentionally target a United States person reasonably believed to be located outside the United States;

(D) may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States; and

(E) shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.

(2) CLARIFICATION ON PROHIBITION ON SEARCHING OF COLLECTIONS OF COMMUNICATIONS OF UNITED STATES PERSONS.—

(A) IN GENERAL.—Except as provided in subparagraph (B), no officer or employee of the United States may conduct a search of a collection of communications acquired under this section in an effort to find communications of a particular United States person (other than a corporation).


Why Swim Upstream Overseas?

[Screenshot: graphic]

In 2011, when John Bates declared the existing upstream collection illegal, he didn’t stop the practice. Instead, he imposed new minimization procedures on part of the collection (just that part that included transactions including communications that were completely unrelated to the search terms used). He required that collection be segregated. And he wrung assurances from NSA they wouldn’t do things — like search on data collected via upstream collection — that they could do with data collected under PRISM.

In short, it was actually a pretty permissive ruling, allowing the NSA to continue collecting upstream data, at least for the terms and purposes they had claimed they were using it for.

So why go to the trouble of stealing data from Google and Yahoo links overseas instead of through PRISM — a question The Switch asks here — and upstream collection here?

Obviously, one of the problems is encryption. The graphic above makes it very clear NSA/GCHQ are trying to avoid Google’s default and Yahoo’s available SSL protection. Which means they can’t do the same kind of upstream collection on encrypted content.

Now it’s clear from the aftermath of the 2011 ruling — in the way Google and Yahoo had to invest a lot to keep responding to new orders — that PRISM collection in the US is tied in some way to that upstream collection. Julian Sanchez suggests Google and Yahoo may now be unwilling to do keyword (actually key-selector, since some of these would be code) searches. And that may be the case (though it’s hard to see how they could refuse an order requiring that, given that the telecoms were responding to similar orders).

There are a few other possibilities, though.

First, remember that NSA wanted to continue its collection practice as it existed, with no changes. It considered appealing Bates’ decision. And it resisted his demands they clean up existing illegally collected data.

So it may be they simply continued doing what they were doing by stealing this data overseas. But that would only make sense if MUSCULAR dates to 2012, when Bates imposed new restrictions.

It’s also possible some of the restrictions he imposed wouldn’t allow NSA to accomplish what it wanted to. Two possibilities are his requirement that NSA segregate this collection. Another is his refusal to let NSA search “incidentally” collected data.

A third possibility is that other FISC restrictions — such as limits on how many contact chains one could do on Internet metadata (WaPo makes it clear this collection includes metadata) — provided reason to evade FISC as well.

Finally, I wonder whether the types of targets they’re pursuing have anything to do with this. For a variety of reasons, I’ve come to suspect NSA only uses Section 702 for three kinds of targets.

  • Terrorists
  • Arms proliferators
  • Hackers and other cyber-attackers

According to the plain letter of Section 702 there shouldn’t be this limitation; Section 702 should be available for any foreign intelligence purpose. But it’s possible that some of the FISC rulings — perhaps even the 2007-8 one pertaining to Yahoo (which the government is in the process of declassifying as we speak) — rely on a special needs exception to the Fourth Amendment tied to these three types of threats (with the assumption being that other foreign intelligence targets don’t infiltrate the US like these do).

Which would make this passage one of the most revealing of the WaPo piece.

One weekly report on MUSCULAR says the British operators of the site allow the NSA to contribute 100,000 “selectors,” or search terms. That is more than twice the number in use in the PRISM program, but even 100,000 cannot easily account for the millions of records that are said to be sent back to Fort Meade each day.

Given that NSA is using twice as many selectors, it is likely the NSA is searching on content outside whatever parameters that FISC sets for it, perhaps on completely unrelated topics altogether. This may well be foreign intelligence, but it may not be content the FISC has deemed worthy of this kind of intrusive search.

That’s just a wildarsed guess. But I do think it possible FISC has already told the NSA — whether it be in the 2011 opinion, opinions tied to the Internet dragnet problems (which themselves may have imposed limits on just this kind of behavior), or on the original PAA/FAA opinions themselves — that this collection violated the Fourth Amendment.

In which case the prediction Russ Feingold made back in 2007 — “So in other words, if they don’t like what we [or the FISA Court] come up with, they can just go back to Article II” — would prove, as so many Feingold comments have, prescient.

The Common Commercial Services OLC Memo and Zombie CISPA

Some time last summer, Ron Wyden wrote Attorney General Holder, asking him (for the second time) to declassify and revoke an OLC opinion pertaining to common commercial service agreements. He said at the time the opinion “ha[d] direct relevance to ongoing congressional debates regarding cybersecurity legislation.”

That request would presumably have been made after President Obama’s April 25, 2012 veto threat of CISPA, but at a time when several proposed Cybersecurity bills, with different information sharing structures, were floating around Congress.

Wyden asked for the declassification and withdrawal of the memo again this January as part of his laundry list of requests in advance of John Brennan’s confirmation. Then, after having been silent about this request for 8 months (at least in public), Wyden asked again on September 26.

It appears that Wyden had intended to ask the question of one of the witnesses at an open Senate Intelligence Committee hearing (perhaps Deputy Attorney General James Cole), but — having had warning of his questions (because he sent them to the witnesses in advance) — Dianne Feinstein and Susan Collins ensured there would not be a second round of questions.

As it happens, Wyden made the request for the memo two days after DiFi told The Hill she was preparing to advance her version of CISPA, and the day after Keith Alexander started calling for cybersecurity legislation again.

In a brief interview with The Hill in the U.S. Capitol on Tuesday, Feinstein said she has prepared a draft bill and plans to move it forward.

The legislation would be the Senate’s counterpart to the Cyber Intelligence Sharing and Protection Act, known as CISPA, which cleared the House in April.

CISPA would remove legal barriers that prevent companies from sharing information with each other and the government about cyber attacks. It would also allow the government to share more information with the private sector.

Since then, Alexander has pitched new cybersecurity legislation in an “interview” with the NYT, admitting he needs to be more open about his places for cybersecurity.

Now, the Executive Branch’s unwillingness to actually share the law as it interprets it with us mere citizens prevents us from understanding precisely what relationship this OLC memo has with proposed cybersecurity legislation — but Wyden made it clear in January that it does have one. But here are some things we might surmise about the memo:

  • The Administration is currently relying on this memo. If it weren’t using it, after all, it wouldn’t need to be revoked. That means that since at least January 14, 2011 (before which date Wyden and Russ Feingold first asked it be revoked), the Administration has had a secret interpretation of law relating in some way to cybersecurity.
  • The interpretation would surprise us. As Wyden notes, “this opinion is inconsistent with the public’s understanding of the law” (he doesn’t say what that law is, but I’ll hazard a guess and say it pertains to information sharing). It’s likely, then, that some form of online provider has been sharing cyber-intelligence with the federal government under some strained interpretation of our privacy protections (and, probably, some kind of Attorney General assurances everything’s cool).

Let’s use the lesson we learned during the FISA Amendments Act where the telecoms were clamoring for the legislation and the retroactive immunity, but the Internet companies were grateful for “clarity,” but explicitly opposed to retroactive immunity. When we learned the telecoms had been turning over the Internet companies’ metadata and content, this all made more sense. The Internet companies wanted the telecoms to be punished for stealing their data.

In this case, in the first round of CISPA (which had broad immunity protections), Facebook and Microsoft were supporters. But in this go-around (which has still generous but somewhat more limited immunity), the big supporters consist of:

  • Telecoms (AT&T, Verizon; interestingly, Sprint did not sign a letter of support)
  • Broadband and other backbone providers (Boeing, Cisco, Comcast, TimeWarner, USTelecom)
  • Banks and financial transfer
  • Power grid operators and other utilities

Now, who knows with which of these entities the government is already relying on this common commercial services memo, which of our providers we believe have made some assurances to us but in fact they’ve made entirely different ones.

But I will say the presence of the telecoms, again, angling for immunity for information sharing, along with their analogues the broadband providers does raise questions. Especially considering Verizon Exec’s trash talking about consumer-centric Internet companies that don’t prioritize national security.

Stratton said that he appreciated that “consumer-centric IT firms” such as Yahoo, Google, Microsoft needed to “grandstand a bit, and wave their arms and protest loudly so as not to offend the sensibility of their customers.”

“This is a more important issue than that which is generated in a press release. This is a matter of national security.”

After all, the telecoms have a history of willingly cooperating with the government, even if it bypassed the protections offered by Internet companies, even if it violated the law. Have they been joined by big broadband?

Well, DOJ could clear all this up by revoking and releasing the memo. Until they do, though, my wildarsed guess is that those operating the Toobz in the country — the telecom and broadband companies — have already started sharing consumers’ data that a plain reading of the law seemingly wouldn’t permit them to do.

Article II Is Article II: EO 12333 and Protect America Act, FISA Amendments Act, and FISC

I’m reading a very old SSCI hearing on FISA today — from May 1, 2007, when then Director of National Intelligence Mike McConnell initiated the push for the Protect America Act.

Given recent revelations that NSA continues to conduct some collection under EO 12333 — including the address books of people all over the world, including Americans — I thought this part of the hearing might amuse some of you.

SEN. FEINGOLD: I thank the witnesses for testifying today. Can each of you assure the American people that there is not — and this relates to what — the subject Senator Wyden was just discussing — that there is not and will not be any more surveillance in which the FISA process is side-stepped based on arguments that the president has independent authority under Article II or the authorization of the use of military force?

MR. McCONNELL: Sir, the president’s authority under Article II is – – are in the Constitution. So if the president chose to exercise Article II authority, that would be the president’s call. What we’re attempting to do here with this legislation is to put the process under appropriate law so that it’s conducted appropriately to do two things — protect privacy of Americans on one hand, and conduct foreign surveillance on the other.

SEN. FEINGOLD: My understanding of your answer to Senator Wyden’s last question was that there is no such activity going on at this point. In other words, whatever is happening is being done within the context of the FISA statute.

MR. McCONNELL: That’s correct.

SEN. FEINGOLD: Are there any plans to do any surveillance independent of the FISA statute relating to this subject?

MR. McCONNELL: None that — none that we are formulating or thinking about currently. But I’d just highlight, Article II is Article II, so in a different circumstance, I can’t speak for the president what he might decide.

SEN. FEINGOLD: Well, Mr. Director, Article II is Article II, and that’s all it is.

Imagine the Administration Lying to Congress about the Dragnet


In a piece bemoaning the possibility that the dragnet programs created in secret might be scaled back now that citizens know what they entail, Ben Wittes lets his imagination run wild.

Imagine you were a high-level decision-maker in a clandestine intelligence agency. Imagine that you had played by the rules Congress had laid out for you, worked with oversight mechanisms to fix errors when they happened, and erected strict compliance regimes to minimize mistakes in a mind-bogglingly complex system of signals intelligence collection. Imagine further that when the programs became public, there was a firestorm anyway. Imagine that nearly half of the House of Representatives, pretending it had no idea what you had been doing, voted to end key collection activity. Imagine that in response to the firestorm, the President of the United States—after initially defending the intelligence community—said that what was really needed was more transparency and described the debate as healthy. Imagine that journalists construed every fact they learned in light of the need to keep feeding at the trough of a source who had stolen a huge volume of highly classified materials and taken it to China and Russia. [my emphasis]

Now, Ben sets up a few straw men here: journalists may have gotten some details wrong, but they’re probably doing better on accuracy than the Agencies that have all the information at hand, which continue to tell easily demonstrable lies. He suggests Obama is interested in debate, abundant evidence to the contrary. He excuses the NSA’s compliance problems because of complexity, when they introduced that complexity to make programs do what they legally weren’t supposed to (for example, allowing illegal access via 3 other systems and by 3 other agencies and inventing a pre-archive archive to skirt the rules in the case of the phone dragnet program). He suggests the NSA played by Congress’ rules, when in fact the FISC sets rules, and it says the government has repeatedly violated those rules and “misrepresented” claims about doing so.

But those straw men are nothing compared to the claim that those in the House who voted to defund the phone dragnet were “pretending it had no idea what you had been doing.”

The record shows that the 2011 PATRIOT Act extension was passed with the support of 65 people — enough to make the difference in the vote — who had had no opportunity to learn about the Section 215 dragnet except at hearings that didn’t provide notice of what they would present. Moreover, the record shows that when someone at one of (the only one of?) those hearings asked a question specifically designed to learn about problems with the dragnet, here’s what happened.

Comment — Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?

A — To the FBI’s knowledge, those authorities have not been abused.

Then-FBI Director Robert Mueller and then-General Counsel Valerie Caproni (the Administration waited to release the dragnet materials Monday almost until the second Caproni got confirmed to lifetime tenure as a judge) gave that answer in spite of the fact that Mueller had to submit a declaration to Judge Reggie Walton to explain why the program was important enough to keep in spite of the many abuses. Walton ordered that declaration, in part, because the government’s explanations about their gross violations “strain[] credulity,” according to Walton. And one of the abuses involved FBI getting access to this data directly.

But FBI knows nothing, Colonel Klink.

And even in what notice the government made somewhat available to Congress (but which Mike Rogers did not pass on), it provided just a one paragraph description of the abuses that would take a page to lay out in skeleton bullet form.

In other words, the record shows that many of those who voted against the dragnet in fact had no idea what the government had been doing, both about the dragnet itself, and about the abuses of the dragnet program.

And note, when almost half the House voted to defund the dragnet, they still hadn’t been informed of the full extent of these abuses (because the Administration was withholding the relevant opinions).

Congress is moving to rein in a program that the Executive Branch operated illegally for 5 years, then operated with FISC sanction for 7 years while abusing the terms of that sanction for at least 3 years. In Wittes’ imagination, that’s a bad thing.

Update: Also note Valerie Caproni got briefed on these abuses January 23, 2009.

NSA Has a Database Problem

Back in 2009 when the government released what we now know is a FISA Court of Review decision ordering Yahoo to cooperate in PRISM, I questioned a passage of the decision that relied on the government’s claim that it doesn’t keep a database of incidentally collected conversations involving US persons.

In this post, I just want to point to a passage that deserves more scrutiny:

The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26)

To translate, if the government collects information from a US citizen (here or abroad), a legal permanent US resident, a predominantly US organization, or a US corporation in the course of collecting information on someone it is specifically targeting, it claims it does not keep that in a database (I’ll come back and parse this in a second). In other words, if the government has a tap on your local falafel joint because suspected terrorists live off their falafels, and you happen to call in a take out order, it does not have that in a database.

There are reasons to doubt this claim.

In the rest of the post, I showed how a response from Michaels Mukasey and McConnell to Russ Feingold’s efforts to protect US person incidental collection during the FISA Amendments Act had made it clear having access to this incidentally collected data was part of the point, meaning the government’s reassurances to the FISCR must have been delicate dodges in one way or another. (Feingold’s Amendments would have prevented 3 years of Fourth Amendment violative collection, by the way.)

Did the court ask only about a database consisting entirely of incidentally collected information? Did they ask whether the government keeps incidentally collected information in its existing databases (that is, it doesn’t have a database devoted solely to incidental data, but neither does it pull the incidental data out of its existing database)? Or, as bmaz reminds me below but that I originally omitted, is the government having one or more contractors maintain such a database? Or is the government, rather, using an expansive definition of targeting, suggesting that anyone who buys falafels from the same place that suspected terrorist does then, in turn, becomes targeted?

McConnell and Mukasey’s objections to Feingold’s amendments make sense only in a situation in which all this information gets dumped into a database that is exposed to data mining. So it’s hard to resolve their objections with this claim–as described by the FISA Appeals Court.

Which is part of the reason I’m so intrigued by this passage of John Bates’ October 3, 2011 decision ruling some of NSA’s collection and retention practices violated the Fourth Amendment. In a footnote amending a passage explaining why the retention of entirely US person communications with the permissive minimization procedures the government had proposed is a problem, Bates points back to that earlier comment.

The Court of Review plainly limited its holding regarding incidental collection to the facts before it. See In re Directives at 30 (“On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.” (emphasis added)). The dispute in In re Directives involved the acquisition by NSA of discrete to/from communications from an Internet Service Provider, not NSA’s upstream collection of Internet transactions. Accordingly, the Court of Review had occasion to consider NSA’s acquisition of MCTs (or even “about” communications, for that matter). Furthermore, the Court of Review noted that “[t]he government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary.” Id. Here, however, the government proposes measures that will allow NSA to retain non-target United States person information in its databases for at least five years.

Ultimately, Bates’ approval for the government to query on US person identifiers on existing incidentally collected Section 702 material (see pages 22-23) shows that he hasn’t really thought through what happens to US person incidental collection; he actually has a shocking (arguably mis-) understanding of how permissive the existing minimization rules are, and therefore how invasive his authorization for searching on incidentally collected information will actually be.

But his complaint with the proposed minimization procedures shows what he believes they should be.

The measures proposed by the government for MCTs, however, largely dispense with the requirement of prompt disposition upon initial review by an analyst. Rather than attempting to identify and segregate information “not relevant to the authorized purpose of the acquisition” or to destroy such information promptly following acquisition, NSA’s proposed handling of MCTs tends to maximize the retention of such information, including information of or concerning United States persons with no direct connection to any target.

As Bates tells it, so long as he’s paying close attention to an issue, the government should ideally destroy any US person data it collects that is not relevant to the authorized purpose of the acquisition. (His suggestion to segregate it actually endorses Russ Feingold’s fix from 2008.)

But the minimization rules clearly allow the government to keep such data (after this opinion, they made an exception only for the multiple communication transactions in question, but not even for the other search identifiers involving entirely domestic communication so long as that’s the only communication in the packet).

All the government has to do, for the vast majority of the data it collects, is say it might have a foreign intelligence or crime or encryption or technical data or threat to property purpose, and it keeps it for 5 years.

In a database.

Back when the FISCR used this language, it allowed the government the dodge that, so long as it didn’t have a database dedicated solely to incidentally collected US person communications, it was all good. But the language Bates used should make all the US person information sitting in databases for 5 year periods (which Bates seems not to understand) problematic.

Not least, the phone dragnet database, which — after all — includes the records of 310 million people even while only 12 people’s data has proved useful in thwarting terrorist plots.

Update: Fixed the last sentence to describe what the Section 215 dragnet has yielded so far.