Posts

In These Times We Can’t Blindly Trust Government to Respect Freedom of Association

/39 Comments/in , , , /by

One of my friends, who works in a strategic role at American Federation of Teachers, is Iranian-American. I asked him a few weeks ago whom he called in Iran; if I remember correctly (I’ve been asking a lot of Iranian-Americans whom they call in Iran) he said it was mostly his grandmother, who’s not a member of the Republican Guard or even close. Still, according to the statement that Dianne Feinstein had confirmed by NSA Director Keith Alexander, calls “related to Iran” are fair game for queries of the dragnet database of all Americans’ phone metadata.

Chances are slim that my friend’s calls to his grandmother are among the 300 identifiers the NSA queried last year, unless (as is possible) they monitored all calls to Iran. But nothing in the program seems to prohibit it, particularly given the government’s absurdly broad definitions of “related to” for issues of surveillance and its bizarre adoption of a terrorist program to surveil another nation-state. And if someone chose to query on my friend’s calls to his grandmother, using the two-degrees-of-separation query they have used in the past would give the government — not always the best friend of teachers unions — a pretty interesting picture of whom the AFT was partnering with and what it had planned.

In other words, nothing in the law or the known minimization rules of the Business Records provision would seem to protect some of the AFT’s organizational secrets just because they happen to employ someone whose grandmother is in Iran. That’s not the only obvious way labor discussions might come under scrutiny; Colombian human rights organizers with tangential ties to FARC is just one other one.

When I read labor organizer Louis Nayman’s “defense of PRISM,” it became clear he’s not aware of many details of the programs he defended. Just as an example, Nayman misstated this claim:

According to NSA officials, the surveillance in question has prevented at least 50 planned terror attacks against Americans, including bombings of the New York City subway system and the New York Stock Exchange. While such assertions from government officials are difficult to verify independently, the lack of attacks during the long stretch between 9/11 and the Boston Marathon bombings speaks for itself.

Keith Alexander didn’t say NSA’s use of Section 702 and Section 215 have thwarted 50 planned attacks against Americans; those 50 were in the US and overseas. He said only around 10 of those plots were in the United States. That works out to be less than 20% of the attacks thwarted in the US just between January 2009 and October 2012 (though these programs have existed for a much longer period of time, so the percentage must be even lower). And there are problems with three of the four cases publicly claimed by the government — from false positives and more important tips in the Najibullah Zazi case, missing details of the belated arrest of David Headley, to bogus claims that Khalid Ouazzan ever planned to attack NYSE. The sole story that has stood up to scrutiny is some guys who tried to send less than $10,000 to al-Shabaab.

While that doesn’t mean the NSA surveillance programs played no role, it does mean that the government’s assertions of efficacy (at least as it pertains to terrorism) have proven to be overblown.

Yet from that, Nayman concludes these programs have “been effective in keeping us safe” (given Nayman’s conflation of US and overseas, I wonder how families of the 166 Indians Headley had a hand in killing feel about that) and defends giving the government legal access (whether they’ve used it or not) to — among other things — metadata identifying the strategic partners of labor unions with little question.

And details about the success of the program are not the only statements made by top National Security officials that have proven inaccurate or overblown. That’s why Nayman would be far better off relying on Mark Udall and Ron Wyden as sources for whether or not the government can read US person emails without probable cause than misstating what HBO Director David Simon has said (Simon said that entirely domestic communications require probable cause, which is generally but not always true). And not just because the Senators are actually read into these programs. After the Senators noted that Keith Alexander had “portray[ed] protections for Americans’ privacy as being significantly stronger than they actually are” — specifically as it relates to what the government can do with US person communications collected “incidentally” to a target — Alexander withdrew his claims.

Nayman says, “As people who believe in government, we cannot simply assume that officials are abusing their lawfully granted responsibility and authority to defend our people from violence and harm.” I would respond that neither should we simply assume they’re not abusing their authority, particularly given evidence those officials have repeatedly misled us in the past.

Nayman then admits, “We should do all we can to assure proper oversight any time a surveillance program of any size and scope is launched.” But a big part of the problem with these programs is that the government has either not implemented or refused such oversight. Some holes in the oversight of the program are:

  • NSA has not said whether queries of the metadata dragnet database are electronically  recorded; both SWIFT and a similar phone metadata program queries have been either sometimes or always oral, making them impossible to audit
  • Read more

The 2009 Draft NSA IG Report Makes No Mention of One Illegal Practice

/11 Comments/in , , /by

The 2009 Draft NSA IG Report released by the Guardian last week — and related reporting from Barton Gellman — seem to clarify and confirm what I’ve long maintained (12/19/057/29/07; 7/30/07): that one part of the illegal wiretap program that Jack Goldsmith and Jim Comey found “illegal” in 2004 was data-mining of Americans.

Eight days later on 19 March 2004, the President rescinded the authority to collect bulk Internet metadata and gave NSA one week to stop collection and block access to previously collected bulk Internet metadata. NSA did so on 26 March 2004. To close the resulting collection gap, DoJ and NSA immediately began efforts to recreate this authority in what became the PR/TT order.

Mind you, this bulk collection resumed after Colleen Kollar-Kotelly signed an order permitting NSA to collect the same data under a Pen Register/Trap & Trace order on July 14, 2004.

The FISC signed the first PR/TT order on 14 July 2004. ALthough NSA lost access to the bulk metadata from 26 March 2004 until the order was signed, the order essentially gave NSA the same authority to collect bulk Internet metadata that it had under the PSP, except that it specified the datalinks from which NSA could collect, and it limited the number of people that could access the data.

Indeed, we know the program was expanded again in 2007, to get 2 degrees of separation deep into US person Internet data. The Obama Administration claims it ended this in 2011, though there are also indications it simply got moved under a new shell.

Mystery solved, Scoob!

Not so fast.

It appears the bulk Internet metadata collection and mining is just one of two practices that Goldsmith and Comey forced Bush to at least temporarily halt in 2004. But the second one is not mentioned at all in the NSA IG Report.

I first noted that Bush made two modifications to the program in this post, where I noted that 6 pages (11-17) of Jack Goldsmith’s May 6, 2004 OLC opinion on the program described plural modifications made in March and one other month in 2004 (I correctly surmised that they had actually shifted parts of the program under parts of the PATRIOT Act, and that they had narrowed the scope somewhat, though over-optimistically didn’t realize that still included warrantless collection of known domestic content).

But there’s actually a far better authority than Goldsmith’s heavily redacted opinion that confirms Bush made two modifications to the program in this period.

Dick Cheney.

When his office disclosed to Patrick Leahy in 2007 what documents it had regarding authorizations for the illegal wiretap program, it listed two modifications to the program: the one on March 19 described in detail in the NSA IG Report, plus one on April 2.

[Cheney Counsel Shannen] Coffin’s letter indicates that Bush signed memos amending the program on March 19 and April 2 of that year.

But there’s no hint of a second modification in the NSA IG Report.

That could mean several things. It could mean the April 2 modification didn’t involve the NSA at all (and so might appear in a one of the other Agency IG Reports at the time — say, DNI — or might have been completed by an Agency, like some other part of DOD, that didn’t complete an IG Report). It could mean that part of the program was eliminated entirely on April 2, 2004. Or it could mean that in an effort to downplay illegality of the program, the IG simply didn’t want to talk about the worst prior practice eliminated in the wake of the hospital confrontation.

Goldsmith’s opinion does seem to indicate, however, that the modification pertained to an issue similar to the bulk metadata collection. He introduces that section, describing both modifications, by saying “it is necessary to understand some background concerning how the NSA accomplishes the collection activity authorized under” the program.

That may still pertain to the kind of data mining they were doing with the Internet metadata. After all, the fix of moving Internet metadata collection under the PR/TT order only eliminated the legal problem that the telecoms were basically permitting the government to steal Microsoft and Yahoo Internet content from their equipment. There still may have been a legal problem with the kind of data mining they were doing (perhaps arising out of Congress’ efforts in that year’s NDAA to prohibit funding for Total Information Awareness).

Whatever it is, one thing is clear. Even with the release of the unredacted Draft NSA IG Report, we still aren’t seeing all the details on what made the program so legally problematic.

Maybe it’s something the Senate Judiciary Committee might ask Jim Comey during his FBI Director confirmation hearing?

OMIGOD James Clapper Has Our Gun Purchase Records

/21 Comments/in /by

It’s a testament to Ron Wyden’s good faith that this letter — asking James Clapper for more information about the government’s secret use of the Section 215 provision of the PATRIOT Act — didn’t try to inflame the NRA.

It’s not until the third paragraph in until Wyden (and the 25 other Senators who signed on) say,

It can be used to collect information on credit card purchases, pharmacy records, library records, firearm sales records, financial information, and a range of other sensitive subjects. And the bulk collection authority could potentially be used to supersede bans on maintaining gun owner databases, or laws protecting the privacy of medical records, financial records, and records of book and movie purchases. [my emphasis]

And while Wyden is right that the letter is bipartisan, I really wonder how it is that only four Republicans — Mike Lee, Dean Heller, Mark Kirk, and Lisa Murkowski — signed a letter raising these issues. Seriously. Not even Rand Paul?

I’ll come back to the loaded questions Wyden asks (I’m frankly still working on some loaded questions he asked 6 months ago — it has turned into a nearly fulltime beat).

But in the meantime, why isn’t the NRA screaming yet?

Why Would You Segregate the FISA Orders, But Not the Directives?

/17 Comments/in , /by

The FBI, according to Eli Lake, thinks someone besides Edward Snowden may be responsible for leaking the Section 215 order to Verizon ordering them to turn over the metadata on all their American customers’ calls. They claim to think so because digital copies of such orders exist in only two places: computers at the FISA Court and FBI’s National Security Division that are segregated from the Internet. (Note: where Lake says “warrant” in this passage, he means “order.”)

Those who receive the warrant—the first of its kind to be publicly disclosed—are not allowed “to disclose to any other person” except to carry out its terms or receive legal advice about it, and any person seeing it for those reasons is also legally bound not to disclose the order. The officials say phone companies like Verizon are not allowed to store a digital copy of the warrant, and that the documents are not accessible on most NSA internal classified computer networks or on the Joint Worldwide Intelligence Communications System, the top-secret internet used by the U.S. intelligence community.

The warrants reside on two computer systems affiliated with the Foreign Intelligence Surveillance Court and the National Security Division of the Department of Justice. Both systems are physically separated from other government-wide computer networks and employ sophisticated encryption technology, the officials said. Even lawmakers and staff lawyers on the House and Senate intelligence committees can only view the warrants in the presence of Justice Department attorneys, and are prohibited from taking notes on the documents.

Now, when the order first leaked, I actually suspected the leaker might be in this general vicinity. If that’s right, then I also suspect the FBI is interested in finding this person because he or she would be reacting to the FBI’s own wrong-doing on another matter. Heck, the FBI could conduct a manhunt in this general vicinity just for fun to make sure their own wrong-doing doesn’t get exposed.

Such is the beauty of secret counterintelligence investigations.

That said, Lake’s reporting is an example of something I suggested in the first day of this leak: we’re going to learn more about how the NSA works from leaks about the investigation of it than from the leaks themselves.

And this story provides a lot of evidence that the government guards its generalized surveillance plans more jealously than it guards it particularized surveillance targets. (See this post for a description of the difference between orders and directives specifying targets.)

Consider what kinds of documents the FISA Court produces:

  • Standing Section 215 orders such as the Verizon one in question
  • Particularized Section 215 orders; an example might be an order for credit card companies and Big Box stores to turn over details on all purchases of pressure cookers in the country
  • FISA Amendments Act orders generally mapping out the FAA collection (we don’t know how detailed they are; they might describe collection programs at the “al Qaeda” and “Chinese hacker” level, or might be slightly more specific, but are necessarily pretty general)
  • Particularized FISA warrants, targeted at individual US persons (though most of this spying, Marc Ambinder and others have claimed, is conducted by the FBI under Title III)

Aside from those particularized warrants naming US persons, FISA Court doesn’t, however, produce (or even oversee) lists of the great bulk of people who are being spied on. Those are the directives NSA analysts draw up on their own, without court supervision. Those directives presumably have to be shared with the service providers in some form, though all the reporting on it suggests they don’t see much of it. But, Lake’s remainder that Google’s list of surveillance targets had been hacked by China to identify which of its agents in the US we had identified and were surveilling makes it clear they do get the list in some form.

In April, CIO.com quoted Microsoft’s Dave Aucsmith, the senior director of the company’s Institute for Advanced Technology in Governments, saying a 2009 hack of major U.S. Internet companies was a Chinese plot to learn the targets of email and electronic surveillance by the U.S. government. In May, the Washington Post reported Chinese hackers had accessed a Google database that gave it access to years’ worth of federal U.S. surveillance records of counter-intelligence targets.

But the prior hack makes obvious something that has been apparent since the Verizon order leaked: China doesn’t have much use for information that shows NSA is compiling a database of all calls made in the US. It does, however, have a great use for the list of its spies we’ve identified.

What this report seems to suggest, among other things (including that the Congressional committees don’t have enough scrutiny over these orders because they’re not allowed to keep their own copy of them), is that details on the particularized spying is more widely dispersed, in part because it has to be. Someone’s got to implement that particularized spying, after all, and that requires communication that traverses multiple servers.

But the generalized stuff — the stuff the FISA Court actually oversees — is locked up in a vault like the family jewels.

You might ask yourself why the government would go to greater lengths to lock up the generalized stuff — the stuff that makes it clear the government is spying on Americans — and not the particularized stuff that has far more value for our adversaries.

Update: After the hearing today, Keith Alexander said Snowden is the source of the order, and he got it during training at Fort Meade.

Alexander told reporters after a House Intelligence Committee hearing that the man who’s acknowledged being the source of the recent leaks, Booz Allen Hamilton information technology specialist Edward Snowden, had access to the Foreign Intelligence Surveillance Court order and related materials during an orientation at NSA.

“The FISA warrant was on a web server that he had access to as an analyst coming into the Threat Operations Center,” Alexander said. “It was in a special classified section that as he was getting his training he went to.”

Which suggests the leaking about someone in the FISA Court may, as I thought, be an effort to impugn people in the vicinity of the court the FBI would like to shut up.

Saxby Chambliss Reveals the Game

/15 Comments/in , /by

In an article explaining why Dianne Feinstein is in no rush to hold a hearing on the massive dragnet sucking up your communication and mine, Saxby Chambliss is quoted as saying,

“We so rarely have open hearings,” Chambliss said.

Eleven days ago, Saxby offered this as proof there is no problem with a dragnet collection of all Americans’ phone records.

To my knowledge, we have not had any citizen who has registered a complaint relative to the gathering of this information.

Congressional oversight in a democracy, ladies and gentlemen!

James Clapper Throws a Concentrated Nugget of Orwellian Turd-Splat

/22 Comments/in , /by

Hooboy.

I was going to leave the whole CNET thing well enough alone after Jerry Nadler issued a statement retracting his sort-of suggestion that the NSA could wiretap Americans without a warrant (more on that below).

But I can’t remember seeing a more concentrated piece of Orwellian turd-splat than this statement addressing the issue from James Clapper.

The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization is incorrect and was not briefed to Congress. Members have been briefed on the implementation of Section 702, that it targets foreigners located overseas for a valid foreign intelligence purpose, and that it cannot be used to target Americans anywhere in the world.

The claim that NSA doesn’t wittingly “collect” data on millions of Americans was just an opening act for James Clapper, it seems. I know it won’t work this way for those who trust this program, but Clapper’s statement should raise more questions whether the thrust of what Nadler said, rather than four words taken out of context, are in fact true.

Let’s take this slowly.

I’ve put my transcription of the exchange between Jerry Nadler and Robert Mueller below for your reference. But one thing to keep in mind as you read Clapper’s turd-splat is that Nadler first described “getting the contents of the [American] phone” identified using the metadata database and, in repeating the question he had earlier asked a briefer who actually knows about how these programs are used, “getting specific information from that telephone.” It is true that in response to Mueller, he spoke of “listening to the phone,” the four words taken out of context, and his walk-back describes “listening to the content.” But the range of Nadler’s language suggests the distinct possibility the briefer discussed a different kind of collection, and Nadler never once explicitly described setting a dedicated wiretap on the phone of an American identified from conversations with suspected terrorists (which is what CNET blew it up as).

With that in mind, I offer you turd-splat:

The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization and was not briefed to Congress.

Clapper has set up a straw man that differs in at least three key ways from what Nadler asked about. First, he is addressing only eavesdropping, monitoring a phone in real time going forward, not accessing historic collections (though one thing these two programs in conjunction do is collapse historic and ongoing communications). I’m especially amused by this move, because it replicates a mistake that many have made when discussing these programs (especially the metadata one) as wiretapping. Clapper is only addressing the most inflammatory language Nadler used, not the language he used first and last in this exchange.

Then Clapper introduces the idea of domestic communications. This has no source in Nadler’s comment whatsoever, at least so long as you believe the only way NSA uses the metadata database is to see which Americans are talking to suspected foreign terrorist phone numbers. Given the government’s improbable claim they’re only making 300 queries a year, we may well be talking about domestic communications, but that’s not what Nadler addressed, which was about the American participant in a call with a suspected foreign terrorist phone number.

Nadler asked about an analyst deciding, on the basis of metadata analysis, that a US phone number looks suspicious, to “get the content” from that number. He implies that he has been told an analyst has that authority. Clapper addresses only whether an analyst without proper legal authorization can get US person content. That is, in response to Nadler’s question whether an analyst does have the legal authority to get content based on suspicion, Clapper says an analyst can’t get content without the proper legal authority. Nadler’s entire (implied) question was whether an analyst would have the legal authority to do so. Clapper doesn’t answer it.

So in other words, Clapper alters Nadler’s comment in three fundamental ways, changing its entire meaning, and then asserts Clapper’s now only tangentially related distortion of Nadler’s comment was not briefed to Congress.

No. Of course not. And Nadler hadn’t said it was, either.

And then Clapper describes what (he claims) members were briefed. Splat!

Members have been briefed on the implementation of Section 702, that it targets foreigners located overseas for a valid foreign intelligence purpose, and that it cannot be used to target Americans anywhere in the world.

Whoa! Do you see what Clapper did there? Nadler asked a question about how an analyst would move from metadata analysis — the Section 215 program — and then use it to access content, via whatever means. Nadler mentioned Section 215 specifically. Yet Clapper claims this is all about the implementation of Section 702. (Note, I find this interesting in part because Mueller suggests Nadler might be talking about another program entirely, which remains a possibility.)

I have pointed out on several times how desperate the Administration is to have you believe that Section 215 metadata collection and Section 702 content collection are unrelated, even if surrogates can’t keep them straight themselves. Clapper’s ploy is more of the same.

As is his emphasis that Section 702 targets foreigners located overseas for a valid foreign intelligence purpose. Now, just to make clear, the government has always held that any collection of information on what foreigners are doing is a valid foreign intelligence purpose. While Clapper doesn’t engage in suggesting this as directly as he and others have in past weeks, for Section 702 there is clearly no limitation of this authority to terrorism or counterintelligence or proliferation or hacking (the Administration and surrogates have suggested there is a terrorism limit for the Section 215 dragnet, but if there is, it comes from court-ordered minimization, not the law). But the real cherry here is the word “target,” which has become almost as stripped of common meaning as “collect” in this context.

In the 702 context, “target” refers to the node of communication at which collection is focused, not to all communications associated with that collection. So a directive to Verizon might ask for all communications that the original suspected terrorist phone number engages in (including its surfing and texting and pictures and email). But at a minimum that would include everyone the suspected terrorist communicates via his Verizon service, and there’s very good reason to believe it includes at least one and probably more degrees of separation out, if Verizon has it.

So when Clapper says 702 cannot be used to target Americans anywhere in the world, he means Americans cannot be the communication node on which collection is focused unless you have a FISA warrant (which is the practice Marc Ambinder, who is far more impressed with Clapper’s turd-splat than I am, addresses in this piece).

But what has never been answered — except perhaps in an off-hand comment in a debate defeating language that would actually prevent what everyone says is already prevented — is whether the government can, um, “collect” the content of Americans who communicate with those who are, um, “targeted.”

I’m not saying I have the answer to that question — though it is a concern that has been raised for years by the very same people who have been vindicated in their warnings about Section 215. But let’s be very clear what Clapper did here. He completely redefined Nadler’s comment, then divorced that redefined comment from the context of Section 215, and then threw the Orwellian term “target” at it to make it go away.

He could have denied Nadler’s more general assertions. That, he did not do.   Read more

NSA Spying: The Oversight of the Passive Voice

/9 Comments/in , /by

In a white paper claiming “the American people deserve to know what we are doing to protect both” privacy and liberty, and security, the government (Ellen Nakashima, at least, doesn’t specify which agency generated this) also includes this assertion:

The [dragnet metadata] program is subject to strict controls and oversight: the metadata is segregated and queries against the metadata are documented and audited.

The detail is one that NSA Director Keith Alexander had already claimed in his testimony before the Senate Appropriations Committee last week. He claimed,

Every time we query that database, it’s auditible by the committees, by DOJ, by the court, by the Administration.

In a telling comment to the press the other day, though, Dianne Feinstein, whose staffers on the Intelligence Committee would be the ones auditing the queries, said this:

Asked to confirm that intelligence officials do not need a court order for the query of the number itself, Feinstein said, “that’s my understanding.”

I found it really strange that a person who should be solidly in the thick of the audits Alexander was boasting about didn’t even seem sure about how someone accessed the database.

But then, Alexander said they were “auditable,” not that they were audited by all these people.

One of just a few explanations about oversight in a document trying to prove the government protects our privacy and liberty might be more persuasive if they weren’t presented in the passive voice. It doesn’t sound like DiFi knows Congress could audit the document; I wonder if the FISA Court, which Alexander claims also can audit the data, knows it can (I’d also like to see someone audit the claim it is segregated; is it ever copied?).

The white paper’s statements about the 702/PRISM program are equally unsatisfying.

Congress requires the Government to develop and obtain judicial approval for “minimization” procedures to ensure appropriate protection of any information about U.S. persons that may be incidentally acquired. The Government did that, and its procedures were approved by the Foreign Intelligence Surveillance Court.

As I’ve noted repeatedly, the FISC doesn’t get to review compliance with these procedures, only the adequacy of them if applied as promised. And since this white paper makes no claims that the government can’t access this US person data — which, after all, includes content and metadata — it suggests the most sensitive collection for Americans has only internal (DOJ and ODNI review) safeguards for Americans’ Internet communications.

Effectively, in addition to providing further evidence for Mark Udall’s assertions that the government could accomplish what it says it is doing via other, far less sensitive means, this document only serves to show how inadequate the oversight of these programs is.

PRISM: The Difference between Orders and Directives

/19 Comments/in , /by

The AP has a story that lays out the architecture of how PRISM fits in with the rest of the government surveillance programs. The short version is, as much prior reporting supports, it uses PRISM to target communications it has collected, as packets, from the telecom backbone. Like the Section 215 dragnet (and consistent with James Clapper’s metaphor that the dragnet serves as the Dewey Decimal system to direct the government were to find the conversations it wants) it seems to serve to tell the government where to look to get more content.

The story is most valuable, in my opinion, for the distinction it describes between orders — which courts approve — and directives — which courts don’t.

Every year, the attorney general and the director of national intelligence spell out in a classified document how the government plans to gather intelligence on foreigners overseas.

By law, the certification can be broad. The government isn’t required to identify specific targets or places.

A federal judge, in a secret order, approves the plan.

With that, the government can issue “directives” to Internet companies to turn over information.

While the court provides the government with broad authority to seize records, the directives themselves typically are specific, said one former associate general counsel at a major Internet company. They identify a specific target or groups of targets. Other company officials recall similar experiences.

I’ve seen some apologist reporting that conflates these two, suggesting that the courts approve individual targets.

The entire point of FISA Amendments Act is to have the courts approve broader targeting.

As Russ Feingold warned four years ago, there is less oversight of how you get from orders to the procedures that make them compliant with the Constitution.

AP goes on to explain the danger to this scheme, though: there’s far less oversight over individual targets. Which can — and in 2009, at least — led the NSA to take US person data.

A few months after Obama took office in 2009, the surveillance debate reignited in Congress because the NSA had crossed the line. Eavesdroppers, it turned out, had been using their warrantless wiretap authority to intercept far more emails and phone calls of Americans than they were supposed to.

Remember, this overcollection was self-reported by the Obama Administration at the time, not discovered by the FISA Court. Good for the Obama Administration, though we’re trusting them at their word that the overcollection was unintentional.

As part of a periodic review of the agency’s activities, the department “detected issues that raised concerns,” it said. [snip]

The overcollection problems appear to have been uncovered as part of a twice-annual certification that the Justice Department and the director of national intelligence are required to give to the Foreign Intelligence Surveillance Court on the protocols that the N.S.A. is using in wiretapping. That review, officials said, began in the waning days of the Bush administration and was continued by the Obama administration. It led intelligence officials to realize that the N.S.A. was improperly capturing information involving significant amounts of American traffic.

But that raises one of the problems with the program. The court oversight is removed from the specificity of the collection, and the law, by design, prevents the court from double-checking whether the government does at the directive level what it says it will do at the order level.

Trust us.

Read more

Robert Mueller’s Claims to Be Ignorant about Geolocation Probably Bullshit

/13 Comments/in , /by

As I laid out in this Guardian column on today’s House Judiciary Committee hearing, after citing Smith v. Maryland a bunch of times to justify getting all Americans’ phone records, FBI Director Robert Mueller went on to pretend not to know whether those records include geolocation.

New York Representative Jerry Nadler wasn’t convinced Mueller’s excuse was good enough. He noted that metadata includes so much more information than it did in 1979, and that that earlier ruling might not stand in this case. Utah’s Jason Chaffetz got much more specific about the difference between phones in 1979 and now: location.

Landlines include location information. But with cell phones, the same location information necessary to route a call effectively provides a rough idea of where a person is even as they move from place to place (map functions on smart phones, as well as a lot of applications, rely on this data). Thus, the geolocation available as part of cell phone metadata provides a much better idea of where a person goes and what they do than location data for a landline tied to a person’s address.

Chaffetz posed several questions that, he revealed, he had sent Mueller Wednesday so that he would be prepared to answer, starting with whether or not geolocation is part of this metadata collection. In spite of Chaffetz’s prior warning, Mueller said he did not know whether it was included.

Note that the order to Verizon the Guardian publishedspecifically includes routing information in its description of metadata, which gets to geolocation. It’s clear this collection includes geolocation.

Mueller was also unprepared to answer whether or not a different supreme court case from last year, US v Jones, which determined that installing a GPS tracking device on a suspect’s car constituted a search, meant that the geolocation provided by the GPS function on cell phones did not qualify as metadata. Mueller was also unprepared to answer whether tracking someone’s location by using their phone constituted metadata.

In fact, Mueller admitted his staffers had told him he’d be asked these questions – yet still hadn’t prepared. It seemed almost as if his inability to answer this question in public was intentional.

As I suggested, Mueller’s feigned ignorance was probably intentional.

Moreover, his professed ignorance about whether the phone records include location is probably bullshit. That’s true, as I noted, because the order in question includes routing information, which in the case of cell phones, includes tower location which is location.

And remember, according to Tom Coburn, the FBI Director’s role in approving this process is so central, Coburn was worried that legal challenges to Mueller’s two-year extension might put the entire dragnet program at risk. So it’s hard to believe all this time Mueller has been personally vouching for orders like the one to Verizon that ask explicitly for routing information without knowing he was asking for routing information.

Here’s the other reason I think Mueller is telling a least untruth that is too cute by half when he claims ignorance.

Shortly after the US v. Jones ruling, Ron Wyden asked Director of National Intelligence James Clapper to what degree Jones affected the intelligence community. He even invoked “secret law,” the way he always has done when referring to this dragnet program(s).

Wyden: Director Clapper, as you know the Supreme Court ruled last week that it was unconstitutional for federal agents to attach a GPS tracking device to an individual’s car and monitor their movements 24/7 without a warrant. Because the Chair was being very gracious, I want to do this briefly. Can you tell me as of now what you believe this means for the intelligence community, number 1, and 2, would you be willing to commit this morning to giving me an unclassified response with respect to what you believe the law authorizes. This goes to the point that you and I have talked, Sir, about in the past, the question of secret law, I strongly feel that the laws and their interpretations must be public. Read more

House Intelligence Parrot: These Programs Are Not Secret…

/10 Comments/in , /by

… but it’s a grave danger for you to know about them.

Bob Minehart, a staffer for Democrats (presumably Dutch Ruppersberger) on the House Intelligence Committee, has put together a pair of talking point documents for members of the House to talk about the programs revealed by the Guardian last week. (I found out Minehart is the author by checking the documents’ metadata.) The talking points largely track what James Clapper released, though with a few differences that may come from Mike Rogers which I may return to.

The talking points claim the reporting on the programs have inaccuracies.

The articles referenced above contain numerous inaccuracies that imply the United States Government is spying on Americans. That is just plain false.

But the documents include a number of claims that are meaningless, given the underlying standards involved.

The FISA Court authorizes intelligence collection only after the Intelligence Community has proven its case, based on underlying facts and investigations.

The most pathetic part of these talking points, however, is the claim that these are not secret programs. Not the Section 215 dragnet of every Americans’ call data.

There is no secret program involved here – it is strictly authorized by a U.S. statute.

And not the direct access to Internet companies data with just a 51% certainty that the data collected is foreign.

There is no secret program involved – it is strictly authorized by a U.S. statute.

But in spite of this claim that massive dragnets deceitfully denied in Congressional hearings are not secret, the PRISM-related set still warns about what grave danger the leak of the information created.

The unauthorized disclosure of information about this critical legal tool puts our national security in grave danger, puts Americans at risk of terrorist and cyber attacks, and puts our military intelligence resources in danger of being revealed to our adversaries.

These are not secret programs, Dutch Ruppersberger wants you to know. But revealing them will kill us all.