Posts

I Con the Record Transparency Bingo (1): Only One Positive Hit on a Criminal Search

/in /by

As we speak, a bunch of privacy experts are on Twitter trying to make sense of I Con the Record’s transparency report, which is a testament to the fact that the Transparency Report obfuscates as much as makes transparent (and the degree to which you need to have read a great deal of other public reports to understand these things).

So I’m going to deal with the obvious errors I’m seeing made as I see them, then will do a more comprehensive working thread.

The first confusion I’m seeing pertains to this factoid showing how many US person queries designed to return criminal information returned a positive hit.

First, it is not the case that this number, 1, means the FBI affirmatively searched a dedicated FISA 702 database for criminal data and only found data once. The FISA 702 data, the traditional FISA data, and other data are all mixed in together. What this means is when the FBI searched databases including that FISA 702 data and other stuff looking for information on a criminal case, on just one occasion did they get a positive hit showing evidence of a non-national security crime that landed in the database via Section 702 and no other authority (some amount of this information will come into the database via multiple authorities), then obtain that information (whether via their own 702 clearance or by asking a buddy cleared into 702), and review it.

So right off the bat, there are some things this number doesn’t include: positive hits on criminal queries that a person receives but doesn’t receive and review. One reason they might get a positive hit they don’t review is if a non-cleared person doesn’t go through the effort to get a FISA-cleared person to access it. But as I pointed out when the opinion ordering this count got released, there are other possibilities.

FBI’s querying system can be set such that, even if someone has access to 702 data, they can run a query that will flag a hit in 702 data but won’t actually show the data underlying that positive return. This provides one way for 702-cleared people to learn that such information is in such a collection and — if they want the data without having to report it — may be able to obtain it another way. It is distinctly possible that once NSA shares EO 12333 data directly with FBI, for example, the same data will be redundantly available from that in such a way that would not need to be reported to FISC. (NSA used this arbitrage method after the 2009 problems with PATRIOT-authorized database collections.)

Furthermore, this will only count a positive hit if the Agent is making an exclusively criminal search. Hogan’s opinion and (we now know from some recently liberated documents) the underlying discussion didn’t deal with the full scope of queries done for assessment reasons in the name of national security, such as profiling various ethnic communities or more generally searching on leads identified via national security mapping. Those queries would count as national security queries, but a big point of doing them would be to find derogatory information, including evidence of criminal behavior, to use to recruit informants.

Finally, consider how the Attorney General Guidelines defines Foreign Intelligence information.

Plus, such reporting depends on the meaning of foreign intelligence information as defined under the Attorney General Guidelines.

FOREIGN INTELLIGENCE: information relating to the capabilities, intentions, or activities of foreign governments or elements thereof, foreign organizations or foreign persons, or international terrorists.

It would be relatively easy for FBI to decide that any conversation with a foreign person constituted foreign intelligence, and in so doing count even queries on US persons to identify criminal evidence as foreign intelligence information and therefore exempt from the reporting guidance. Certainly, the kinds of queries that might lead the FBI to profile St. Paul’s Somali community could be considered a measure of Somali activities in that community. Similarly, FBI might claim the search for informants who know those in a mosque with close ties overseas could be treated as the pursuit of information on foreign activities in US mosques.

As I understand it, the reporting to Congress on this has been a bit more circumspect than members might have liked. That means the other details FISC judge Thomas Hogan required about this one positive hit — what query resulted in a positive hit, what kind of investigative action it led to, and why FBI believes it to fall under minimization procedures — aren’t as sexy as this number, 1.

Prior to this positive hit, the FBI had always assured oversight authorities that the possibility that Section 702 data would result in criminal information was “theoretical.”

Even as a factoid of limited meaning, it does mean the possibility is no longer theoretical.

Since September 20, 2012, FBI Has Been Permitted to Share FISA-Derived Hacking Information with Internet Service Providers

/7 Comments/in /by

As I noted, yesterday Reuters reported that in 2015, Yahoo had been asked to scan its incoming email for certain strings. Since that time, Yahoo has issued a non-denial denial saying the story is “misleading” (but not wrong) because the “mail scanning described in the article does not exist on our systems.”

As I suggested yesterday, I think this most likely pertains to a cybersecurity scan of some sort, in part because FISC precedents would seem to prohibit most other uses of this. I’ve addressed a lot of issues pertaining to the use of Section 702 for cybersecurity purposes here; note that FISC might approve something more exotic under a traditional warrant, especially if Yahoo were asked to scan for some closely related signatures.

If you haven’t already, you should read my piece on why I think CISA provided the government with capabilities it couldn’t get from a 702 cyber certificate, which may explain why the emphasis on present tense from Yahoo is of particular interest. I think it quite likely tech companies conduct scans using signatures from the government now, voluntarily, under CISA. It’s in their best interest to ID if their users get hacked, after all.

But in the meantime, I wanted to point out this language in the 2015 FBI minimization procedures which, according to this Thomas Hogan opinion (see footnote 19), has been in FBI minimization procedures in some form since September 20, 2012, during a period when FBI badly wanted a 702 cyber certificate.

The FBI may disseminate FISA-acquired information that … is evidence of a crime and that it reasonably believes may assist in the mitigation or prevention of computer intrusions or attacks to private entities or individuals that have been or are at risk of being victimized by such intrusions or attacks, or to private entities or individuals (such as Internet security companies and Internet Service Providers) capable of providing assistance in mitigating or preventing such intrusions or attacks. Wherever reasonably practicable, such dissemination should not include United States person identifying information unless the FBI reasonably believes it is necessary to enable the recipient to assist in the mitigation or prevention of computer intrusions or attacks. [my emphasis]

This is not surprising language: it simply permits the FBI (but not, according to my read of the minimization procedures, NSA) to share cyber signatures discovered using FISA with private sector companies, either to help them protect themselves or because private entities (specifically including ISPs) might provide assistance in mitigating attacks.

To be sure, the language falls far short of permitting FBI to demand PRISM providers like Yahoo to use the signatures to scan their own networks.

But it’s worth noting that Thomas Hogan approved a version of this language (extending permitted sharing even to physical infrastructure and kiddie porn) in 2014. He remained presiding FISA judge in 2015, and as such would probably have reviewed any exotic or new programmatic requests. So it would not be surprising if Hogan were to approve a traditional FISA order permitting FBI (just as one possible example) to ask for evidence on a foreign-used cyber signature. Sharing a signature with Yahoo — which was already permitted under minimization procedures — and asking for any  results of a scan using it would not be a big stretch.

There’s one more detail worth remembering: way back the last time Yahoo challenged a PRISM order in 2007, there was significant mission creep in the demands the government made of Yahoo. In August 2007, when Yahoo was initially discussing compliance (but before it got its first orders in November 2007), the requests were fairly predictable: by my guess, just email content. But by the time Yahoo started discussing actual compliance in early 2008, the requests had expanded, apparently to include all of Yahoo’s services  (communication services, information services, storage services), probably even including information internal to Yahoo on its users. Ultimately, already in 2008, Yahoo was being asked to provide nine different things on users. Given Yahoo’s unique visibility into the details of this mission creep, their lawyers may have reason to believe that a request for packet sniffing or something similar would not be far beyond what FISCR approved way back in 2008.

The Government Uses FISCR Fast Track to Put Down Judges’ Rebellion, Expand Content Collection

/6 Comments/in /by

Since it was first proposed, I’ve been warning (not once but twice!) about the FISCR Fast Track, a part of the USA Freedom Act that would permit the government to immediately ask the FISA Court of Review to review a FISC decision. The idea was sold as a way to get a more senior court to review dodgy FISC decisions. But as I noted, it was also an easy way for the government to use the secretive FISC system to get a circuit level decision that might preempt traditional court decisions they didn’t like (I feared they might use FISCR to invalidate the Second Circuit decision finding the phone dragnet to be unlawful, for example).

Sure enough, that’s how it got used in its first incarnation — not just to confirm that the FISC can operate by different rules than criminal courts, but also to put down a judges rebellion.

As I noted back in 2014, the FISC has long permitted the government to collect Post Cut Through Dialed Digits using FISA pen registers, though it requires the government to minimize anything counted as content after collection. PCTDD are the numbers you dial after connecting a phone call — perhaps to get a particular extension, enter a password, or transfer money. The FBI is not supposed to do this at the criminal level, but can do so under FISA provided it doesn’t use the “content” (like the banking numbers) afterwards. FISC reviewed that issue in 2006 and 2009 (after magistrates in the criminal context deemed PCTDD to be content that was impermissible).

At least year’s semiannual FISC judges’ conference, some judges raised concerns about the FISC practice, deciding they needed to get further briefing on the practice. So when approving a standing Pen Register, the FISC told the government it needed further briefing on the issue.

Screen Shot 2016-08-22 at 5.39.13 PM

The government didn’t deal with it for three months until just as they were submitting their next application. At that point, there was not enough time to brief the issue at the FISC level, which gave then presiding judge Thomas Hogan the opportunity to approve the PRTT renewal and kick the PCTDD issue to the FISCR, with an amicus.

Screen Shot 2016-08-22 at 5.43.08 PM

This minimized the adversarial input, but put the question where it could carry the weight of a circuit court.

Importantly, when Hogan kicked the issue upstairs, he did not specify that this legal issue applies only to phone PRTTs.

Screen Shot 2016-08-22 at 5.45.02 PM

At the FISCR, Mark Zwillinger got appointed as an amicus. He saw the same problem as I did. While the treatment of phone PCTDD is bad but, if properly minimized, not horrible, it becomes horrible once you extend it to the Internet.

Screen Shot 2016-08-22 at 5.59.12 PM

The FISCR didn’t much care. They found the collection of content using a PRTT, then promising not to use it except to protect national security (and a few other exceptions to the rule that the government has to ask FISC permission to use this stuff) was cool.

Screen Shot 2016-08-22 at 5.47.34 PM

Along the way, the FISCR laid out several other precedents that will have really dangerous implications. One is that content to a provider may not be content.

Screen Shot 2016-08-22 at 5.55.29 PM

This is probably the issue that made the bulk PRTT dragnet illegal in the first place (and created problems when the government resumed it in 2010). Now, the problem of collecting content in packets is eliminated!

Along with this, the FISCR extended the definition of “incidental” to apply to a higher standard of evidence.

Screen Shot 2016-08-22 at 6.07.50 PM

Thus, it becomes permissible to collect using a standard that doesn’t require probable cause something that does, so long as it is “minimized,” which doesn’t always mean it isn’t used.

Finally, FISCR certified the redefinition of “minimization” that FISC has long adopted (and which is crucial in some other programs). Collecting content, but then not using it (except for exceptions that are far too broad), is all good.

Screen Shot 2016-08-22 at 6.01.41 PM

In other words, FISCR not only approved the narrow application of using calling card data but not bank data and passwords (except to protect national security). But they also approved a bunch of other things that the government is going to turn around and use to resume certain programs that were long ago found problematic.

I don’t even hate to say this anymore. I told privacy people this (including someone involved in this issue personally). I was told I was being unduly worried. This is, frankly, even worse than I expected (and of course it has been released publicly so the FBI can start chipping away at criminal protections too).

Yet another time my concerns have been not only borne out, but proven to be insufficiently cynical.

The US Person Back Door Search Number DOJ Could Publish Immediately

/3 Comments/in /by

The Senate Judiciary Committee had a first public hearing on Section 702 today, about which I’ll have several posts.

One piece of good news, however, is that both some of the witnesses (Liza Goitein and David Medine; Ken Wainstein, Matt Olsen, and Rachel Brand were the other witnesses) and some of the Senators supported more transparency, including requiring the FBI to provide a count of how many US person queries of 702-collected data it does, as well as a count of how many US persons get sucked up by Section 702 more generally.

Liza Goitein presented a very reasonable view of the efforts the privacy community is making to work with the government to come up with reasonable counts.

But no one mentioned the very easy count of US person back door searches that FBI could provide today.

As I noted when this was released, as part of last year’s 702 Certification process, Judge Thomas Hogan required FBI to report every time FBI reviews data on a US person query of 702 data that doesn’t pertain to National Security.

[Hogan] imposed a requirement that FBI “submit in writing a report concerning each instance … in which FBI personnel receive and review Section 702-acquired information that the FBI identifies as concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information.” Such reporting, if required indefinitely, is worthwhile — and should have been required by Congress under USA Freedom Act.

But FBI can and presumably will game this information in two ways. First, FBI’s querying system can be set such that, even if someone has access to 702 data, they can run a query that will flag a hit in 702 data but won’t actually show the data underlying that positive return. This provides one way for 702-cleared people to learn that such information is in such a collection and — if they want the data without having to report it — may be able to obtain it another way. It is distinctly possible that once NSA shares EO 12333 data directly with FBI, for example, the same data will be redundantly available from that in such a way that would not need to be reported to FISC. (NSA used this arbitrage method after the 2009 problems with PATRIOT-authorized database collections.)

Plus, such reporting depends on the meaning of foreign intelligence information as defined under the Attorney General Guidelines.

FOREIGN INTELLIGENCE: information relating to the capabilities, intentions, or activities of foreign governments or elements thereof, foreign organizations or foreign persons, or international terrorists.

It would be relatively easy for FBI to decide that any conversation with a foreign person constituted foreign intelligence, and in so doing count even queries on US persons to identify criminal evidence as foreign intelligence information and therefore exempt from the reporting guidance. Certainly, the kinds of queries that might lead the FBI to profile St. Paul’s Somali community could be considered a measure of Somali activities in that community. Similarly, FBI might claim the search for informants who know those in a mosque with close ties overseas could be treated as the pursuit of information on foreign activities in US mosques.

Hogan imposed a worthwhile new reporting requirement. But that’s still a very far cry from conducing a fair assessment of whether FBI’s back door searches are constitutional.

This requirement went into effect on December 4, 2015, and Hogan required updates on such reporting by January 27, 2016, so FBI is already reporting on this.

It would take minimal effort for ODNI to release how many of these notices got sent to FISC — it could do it quarterly so we didn’t learn too much from the process. Maybe there wouldn’t be any notices, though for a variety of reasons I doubt it. Maybe, as I note, the number is too fake to be useful.

But it is a number, one FBI is already required to report. So they should start reporting it.

Rosemary Collyer’s Worst FISA Decision

/4 Comments/in /by

In addition to adding former National Security Division head David Kris as an amicus (I’ll have more to say on this) the FISA Court announced this week that Rosemary Collyer will become presiding judge — to serve for four years — on May 19.

Collyer was the obvious choice, being the next-in-line judge from DC. But I fear she will be a crummy presiding judge, making the FISC worse than it already is.

Collyer has a history of rulings, sometimes legally dubious, backing secrecy and executive power, some of which include,

2011: Protecting redactions in the Torture OPR Report

2014: Ruling the mosaic theory did not yet make the phone dragnet illegal (in this case she chose to release her opinion)

2014: Erroneously freelance researching the Awlaki execution to justify throwing out his family’s wrongful death suit

2015: Serially helping the Administration hide drone details, even after remand from the DC Circuit

I actually think her mosaic theory opinion from 2014 is one of her (and FISC’s) less bad opinions of this ilk.

The FISC opinion I consider her most troubling, though, is not a FISC decision at all, but rather a ruling from last year in an EFF FOIA. Either Collyer let the government hide something that didn’t need hidden, or it has exploited EFF’s confusion to hide the fact that the Internet dragnet and the Upstream content programs are conducted by the same technical means, a fact that would likely greatly help EFF’s effort to show all Americans were unlawfully spied on in its Jewell suit.

Back in August 2013, EFF’s Nate Cardozo FOIAed information on the redacted opinion referred to in this footnote from John Bates’ October 3, 2011 opinion ruling that some of NSA’s upstream collected was illegal.

Screen Shot 2015-10-31 at 6.52.30 PM

Here’s how Cardozo described his FOIA request (these documents are all attached as appendices to this declaration).

Accordingly, EFF hereby requests the following records:

1. The “separate order” or orders, as described in footnote 15 of the October 3 Opinion quoted above, in which the Foreign Intelligence Surveillance Court “address[ed] Section 1809(a) and related issues”; and,

2. The case, order, or opinion whose citation was redacted in footnote 15 of the October 3 Opinion and described as “concluding that Section 1809(a)(2) precluded the Court from approving the government’s proposed use of, among other things, certain data acquired by NSA without statutory authority through its ‘upstream collection.’”

Request 2 was the only thing at issue in Collyer’s ruling. By my read, it would ask for the entire opinion the citation to which was redacted, or at least identification of the case.

EFF, of course, is particularly interested in upstream collection because it’s at the core of their many years long lawsuit in Jewell. To get an opinion that ruled upstream collection constituted unlawful collection sure would help in EFF’s lawsuit.

In her opinion, Collyer made a point of defining “upstream” surveillance by linking to the 2012 John Bates opinion resolving the 2011 upstream issues (as well as to Wikipedia!), rather than to the footnote he used to describe it in his October 3, 2011 opinion.

The opinion in question, referred to here as the Section 1809 Opinion, held that 50 U.S.C. § 1809(a)(2) precluded the FISC from approving the Government’s proposed use of certain data acquired by the National Security Agency (NSA) without statutory authority through “Upstream” collection. 3

3 “Upstream” collection refers to the acquisition of Internet communications as they transit the “internet backbone,” i.e., principal data routes via internet cables and switches of U.S. internet service providers. See [Caption Redacted], 2012 WL 9189263, *1 (FISC Aug. 24, 2012); see also https://en.wikipedia.org/wiki/Upstream_collection (last visited Oct. 19, 2015); https://en.wikipedia.org/wiki/Internet_backbone (last visited Oct. 19, 2015).

As it was, Collyer paraphrased where upstream surveillance comes from as ISPs rather than telecoms, which was redacted in the opinion she cited. But by citing that and not Bates’ 2011 opinion, she excluded an entirely redacted sentence from the footnote Bates used to explain it, which in context may have described a little more about the underlying opinion.

Screen Shot 2016-04-28 at 11.38.32 AM

Having thus laid out the case, Collyer deferred to NSA declarant David Sherman’s judgment — without conducting a review of the document — that releasing the document would reveal details about the implementation of upstream surveillance.

Specifically, the release of the redacted information would disclose sensitive operational details associated with NSA’s “Upstream” collection capability. While certain information regarding NSA’s “Upstream” collection capability has been declassified and publicly disclosed, certain other information regarding the capability remains currently and properly classified. The redacted information would reveal specific details regarding the application and implementation of the “Upstream” collection capability that have not been publicly disclosed. Revealing the specific means and methodology by which certain types of SIGINT collections are accomplished could allow adversaries to develop countermeasures to frustrate NSA’s collection of information crucial to national security. Disclosure of this information could reasonably be expected to cause exceptionally grave damage to the national security.

[snip]

With respect to the FISC opinion withheld in full, it is my judgment that any information in the [Section 1809 Opinion] is classified in the context of this case because it can reasonably be expected to reveal classified national security information concerning particular intelligence methods, given the nature of the document and the information that has already been released. . . . In these circumstances, the disclosure of even seemingly mundane portions of this FISC opinion would reveal particular instances in which the “Upstream” collection program was used and could reasonably be expected to encourage sophisticated adversaries to adopt countermeasures that may deprive the United States of critical intelligence. [my emphasis]

Collyer found NSA had properly withheld the document as classified information the release of which would cause “grave damage to national security.”

Read more

The Easy Section 702 Surveillance Number James Clapper Can Share

/2 Comments/in /by

Last week, a bunch of House Judiciary Committee members set James Clapper a letter stating that before the Committee deals with Section 702 reauthorization next year, they’d like:

  • The number of telephone communications in which one caller is located in the United States
  • The number of Internet communications acquired through upstream collection that originate or terminate in the United States
  • The number of communications of or concerning U.S. persons that the NSA positively identifies as such in the routine course of its work

They asked for those numbers by May 6.

In response, Clapper is humming and hawing about “several options” for disclosing how many Americans get spied on under Section 702.

Clapper said that “any methodology we come up with will not be completely satisfactory to all parties.”

“If we could have made such an estimate and if such an estimate were easy to do — explainable without compromise — we would’ve done it a long time ago,” he said.

We just learned there is, however, one number that should be easy-peasy to make public (and one I’m frankly alarmed the HJC members didn’t mention, as they should have known about it for some time): the number of back door searches FBI conducts on Section 702 data for reasons other than national security.

As I noted the other day, in response to FISC amicus (and former Eric Holder counsel) Amy Jeffress’ argument that FBI’s back door searches of Section 702 are unconstitutional, Thomas Hogan required FBI “submit in writing a report concerning each instance … in which FBI personnel receive and review Section 702-acquired information that the FBI identifies as concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information.” As I noted, that’s an easily gamed number — I’m sure FBI treats a lot of criminal matters as national security ones, and FBI has the ability to see if there is 702 data without looking at it, permitting it to see if the same data is available under another authority.

Nevertheless, DOJ must have an exact number of reports they’ve submitted in response to this reporting requirement, which has been in place for over four months.

That’s not to say HJC shouldn’t insist on getting estimates for all the other numbers they’re seeking. But they should also demand that this number — the number of times FBI is using a foreign intelligence exception for criminal prosecutions that should be subject to a probable cause standard — be made public.

NSA Failed to Fully Inform FISC Even After It Started Fact-Checking Itself

/4 Comments/in /by

On Friday, I described how, for four years after the FISA Court ruled that NSA couldn’t keep otherwise unlawfully collected information from a single traditional FISA order, the NSA continued to do just that with data from 702 orders.

Hogan was [] surprised to learn NSA was doing the same thing — and had been! — with Section 702 data that had otherwise been purged, which the NSA confessed to Hogan in July of last year. That is, having stopped the practice with a single traditional FISA order, they kept doing it with programmatic 702 data.

In light of the May 2011 [redacted], the Court was very surprised to learn from the July 13, 2015 Notice that the NSA had not been deleting from [redacted] Section 702 records placed on the NSA’s Master Purge List (“MPL”).

[snip]

As the Court explained to the government at the October 8 Hearing, it expects the government to comply with its heightened duty of candor in ex parte proceedings at all times. Candor is fundamental to this Court’s effective operation in considering ex parte submissions from the government, particularly in matters involving large and complex operations such as the implementation of Section 702.

That’s pathetic, given the history of material misstatements to FISC.

All the more so given that it happened after NSA implemented an effort to make sure it started telling FISC the truth (the date is redacted, but it probably happened sometime between October 2011 and March 2013).

As laid out in a 2013 reissue of a 2012 NSA IG report (this report starts at PDF 55; Charlie Savage liberated this via FOIA), NSA implemented a fact-checking process on its own FISC submissions. (See PDF 101)

Screen Shot 2016-04-25 at 9.15.54 AM

NSA is hiding when they first started fact-checking themselves, but it happened by March 2013. Which means the 2013 and 2014 702 recertification submissions were fact-checked. “The [Verification of Accuracy] procedures require all factual statements within the declarations to be verified.” Yet neither told FISC that NSA continued to retain communications from selectors on the Master Purge List in a management database two and three years after the time (at that point) FISC had told NSA, in an order titled, “Opinion and Order Requiring Destruction of Information Obtained by Unauthorized Electronic Surveillance,” it could not do so, not even with data unlawfully obtained on a single targeted FISA order. It took another year before NSA confessed to FISC it was keeping 702 data that should have been purged.

Perhaps the continued discovery of three to four violations every time NSA submits its recertification process reflects the slow implementation of fact-checking. Or perhaps there are just too many databases in which willing NSA employees can stash information before it gets purged off all the other databases.

But if the VoA was supposed to “increase confidence” in what NSA says to courts and Congress, it’s not clear how continuing to miss things like ongoing retention of unlawfully collected information does that.

Related posts on the November 6, 2015 reauthorization opinion

The NSA Has Never Not Been Violating FISA Since It Moved Stellar Wind to FISA in 2004

The Government Admits 9 Defendants Spied On Under Section 702 Have Not Gotten FISA Notice

Former Top Holder Aide Says Back Door Searches Violate Fourth Amendment; FISC Judge Thomas Hogan Doesn’t Care

FBI’s Back Door Searches: Explicit Permission … and Before That
Last July, NSA and CIA Decided They Didn’t Have to Follow Minimization Procedures, and Judge Hogan Is Cool with That

Please consider a donation to support this work.

The NSA Has Never Not Been Violating FISA Since It Moved Stellar Wind to FISA in 2004

/5 Comments/in /by

Back in 2013, I noted that FISA Judge John Bates had written two opinions finding NSA had violated 50 U.S.C. §1809(a)(2), which prohibits the “disclos[ure] or use[ of] information obtained under color of law by electronic surveillance, knowing or having reason to know that the information was obtained through electronic surveillance not authorized by” FISA. Each time he did it, Bates sort of waggled around the specter of law-breaking as a way of forcing NSA to destroy data they otherwise wanted to retain and use. I suspect that is why NSA moved so quickly to shut down its PRTT program in 2011 in the wake of his upstream opinion.

In his November 6, 2015 opinion reauthorizing Section 702, presiding judge Thomas Hogan described two more definite violations of 50 U.S.C. §1809(a)(2), and one potential one, bringing the list of times the FISC caught NSA illegally surveilling Americans to four, and potentially five, times.

  1. Fall 2009 confession/July 2010 opinion: Collection of categories of data under the bulk PRTT program not permitted by the FISC (Bates’ opinion describes a category violation reported to FISC in the very first PRTT docket, along with NSA’s assurances it would never happen again)
  2. June 2010 confession/December 10 2010, May 13, 2011 opinions: Retention of overcollected data from a traditional FISA warrant in mission management systems ultimately not deemed necessary for collection avoidance
  3. May 2011 confession/October 3, 2011 opinion: Collection of entirely domestic communications on upstream surveillance MCTs
  4. July 13, 2015 confession/November 6, 2015 opinion: Retention of 702 communications that had been otherwise purged in mission management systems, even though FISC had ruled against such retention in 2011
  5. [Potential] July 13, 2015 confession/November 6, 2015 opinion: Retention of data that should have been purged or aged off in compliance databases

Hogan describes these incidents starting on 56.

Between June and August of 2010, the government filed some notices of violation in conjunction with a single electronic surveillance order (on page 58, he describes that as dealing “exclusively with Title I collection in a particular case.”) It’s unclear whether the scope of the surveillance extended beyond what had been authorized, or whether the government had conducted surveillance based on illegally collected data (Hogan refers to it both as overcollection but also as poison fruit). As part of its efforts to resolve the problem, the government argued it could keep some of this poisonous fruit in some kind of oversight database to prevent further collection. But it also argued that its minimization procedures “only applied to interceptions authorized by the Court and did not apply to the fruits of unlawful surveillance,” effectively arguing that if it broke the law the FISC could then not tell it what to do because it had broken the law. The government also argued 50 U.S.C. §1809(a)(2) “only prohibits use or disclosure of unlawfully obtained information for investigative or analytic purposes,” meaning it could keep illegal data for management purposes.

FISC didn’t buy this argument generally, but in a December 10, 2010 opinion did permit NSA to retain “the results of unauthorized surveillance [that] are needed to remedy past unauthorized surveillance or prevent similar unauthorized surveillance in the future.” In that opinion, FISC cited John Bates’ July 2010 PRTT opinion discussing the application of 50 U.S.C. §1809(a)(2).

After further review, on May 13, 2011, the court ruled that the specific data in question did not fall within that exception.

[C]ourts should not attempt “to restrict the unqualified language of a [criminal] statute to the particular evil that Congress was trying to remedy — even assuming that it is possible to identify that evil from something other than the text of the statute itself.” Brogan v United States, 522 U.S. 398, 403 (1998) … The exception recognized in the December 10, 2010 Opinion stands on narrower but firmer ground: that in limited circumstances, prohibiting use of disclosure of the results of unauthorized electronic surveillance would be “so ‘absurd or glaringly unjust’ … as to [call into] question whether Congress actual intended what the plain language of Section 1809(a)(2) “so clearly imports.”

That decision only related to one traditional FISA order — but it did lay out the principle that NSA couldn’t keep illegally collected data for vague management reasons.

Which is why Hogan was so surprised to learn NSA was doing the same thing — and had been! — with Section 702 data that had otherwise been purged, which the NSA confessed to Hogan in July of last year. That is, having stopped the practice with a single traditional FISA order, they kept doing it with programmatic 702 data.

In light of the May 2011 [redacted], the Court was very surprised to learn from the July 13, 2015 Notice that the NSA had not been deleting from [redacted] Section 702 records placed on the NSA’s Master Purge List (“MPL”).

[snip]

As the Court explained to the government at the October 8 Hearing, it expects the government to comply with its heightened duty of candor in ex parte proceedings at all times. Candor is fundamental to this Court’s effective operation in considering ex parte submissions from the government, particularly in matters involving large and complex operations such as the implementation of Section 702.

After the hearing, the government submitted several filings effectively saying it was purging the data, then admitting that the technical process it had implemented to effect the purge was only purging some of the selectors that had been illegally collected.

In any case, after 4 years of retaining 702 data that had to be purged, they were finally moving towards deleting it last year.

The second violation pertains to two tools (both names of which are redacted) that help determine whether a selector can be or has been properly tasked (on page 76, Hogan suggests “most Section 702 information [in these databases] that is otherwise subject to purge pertains to roamer communications.”

The first appears to be a pre-tasking tool to see whether it properly tasked. This tool has not aged off PRISM data within the required 5 years, nor upstream data within the required 2 years, though it has aged off pre-October 31, 2011 upstream data. NSA has not done so “because of the utility of these records for compliance and collection avoidance purposes.”  It also helps to respond to OSD and ODNI oversight questions.

The second is a post-tasking tool to identify whether a Section 702 target may be in the US. It doesn’t age off PRISM data within the required 5 years, though it does treat upstream data properly. In addition, it doesn’t purge items that have been added to the Master Purge List. Rather than purging, it just masks certain fields from most users.

In general, Hogan seemed to believe most of this data did fall within the narrow exception laid out in the December 2010 opinion permitting the retention of unauthorized data for the purposes of collection avoidance, though he asked for further briefing that would have taken place in January.

He did point to the inclusion in these two tools of other selectors that had been put on the purge list, however, which would raise additional questions:

Examples would be incidentally acquired communications of or concerning United States persons that are clearly not relevant to the authorized purpose of the acquisition or that do not contain evidence of a crime which may be disseminated under the minimization procedures … attorney-client communications that do not contain foreign intelligence information or evidence of a crime … and any instances in which the NSA discovers that a United Staes person or person not reasonably believed to be outside the United States at the time of targeting has been intentionally targeted under Section 702.

That is, Hogan raised the possibility that these tools included precisely the kind of information that should be deliberately avoided.

Ah well. He still reauthorized Section 702.

Consider what this means: between the five years between when, in fall 2004, NSA told Colleen Kollar-Kotelly it was violating her category restrictions on the bulk Internet dragnet until the time, in 2009, it admitted it continued to do so with every single record collected, between the non-disclosure of what NSA was really doing with upstream surveillance between 2008 and 2011, and between the time FISC told NSA it couldn’t keep illegally collected data for management reasons in May 2011 to the time in July 2015 it confessed it had continued to do that with 702 data, NSA has always been in violation of 50 U.S.C. §1809(a)(2) since it moved Stellar Wind to FISA.

And that’s just the stuff they have admitted to.

The Government Admits 9 Defendants Spied On Under Section 702 Have Not Gotten FISA Notice

/1 Comment/in /by

As I noted, in his opinion approving the Section 702 certifications from last year, Judge Thomas Hogan had a long section describing the 4 different kinds of violations the spooks had committed in the prior year.

One of those pertained to FBI agents not establishing an attorney-client review team for people who had been indicted, as mandated by the FBI’s minimization procedures.

In his section on attorney-client review team violations, Hogan describes violations in all four of the Quarterly Reports submitted since the previous 702 certification process: December 19, 2014, March 20, 2015, June 19, 2015, and September 18, 2015. He also cites three more Preliminary Compliance Reports that appear not to be covered in that September 18, 2015 report: one on September 9, 2015, one on October 5, 2015, and one on October 8, 2015. His further discussion describes the government claiming at a hearing on October 8 to discuss the issue that, thanks to a new system FBI had deployed to address the problem, “additional instances of non-compliance with the review team requirement were discovered by the time of the October 8 Hearing.”

But as Hogan notes in his November 2015 opinion, FBI discovered a lot of these issues because FBI had had a similar problem the previous year and he required them to review for it closely in his 2014 order. A July 30, 2014 letter submitted as part of the recertification process describes two instances in depth: one noticed in February 2014 and reported in the March Quarterly report, and one noticed in April and reported in the June 2014, each involving multiple accounts. A footnote to that discussion admits “there have been additional, subsequent instances of this type of compliance incident.”

Set aside, for the moment, the persistence with which FBI failed to set up review teams to make sure prosecutorial teams were not reading the attorney-client conversations of indicted defendants (who are the only ones who get such protection!!!). Set aside the excuses they gave, such as that they thought this requirement — part of the legally mandatory minimization procedures — didn’t apply for sealed indictments or with targets located outside the United States.

Conservatively, this significantly redacted discussion identifies 9 examples (2 reported in Compliance Reports in 2014, at least 1 reported each in each of four quarterly Compliance report between applications, plus 3 individual compliance reports submitted after the September Compliance report) when people who have been indicted had their communications collected under Section 702, whether they were the target of the 702 directives or not.

And yet, as Patrick Toomey wrote in December, not a single defendant has gotten a Section 702 notice during the period in question.

Up until 2013, no criminal defendant received notice of Section 702 surveillance, even though notice is required by statute. Then, after reports surfaced in the New York Times that the Justice Department had misled the Supreme Court and was evading its notice obligations, the government issued five such notices in criminal cases between October 2013 and April 2014. After that, the notices stopped — and for the last 20 months, crickets.

We know both Mohamed Osman Mohamud — who received a 702 notice personally — and Bakhtiyor Jumaev — who would have secondary 702 standing via Jamshid Muhtorov, with whom he got busted — had their attorney-client communications spied on. But that wasn’t (damn well better not have been!!) 702 spying, because both parties to all those conversations were in the US.

These are 9 different defendants who’ve not yet been told they were being spied on under 702.

Why not?

The answer is probably the one Toomey laid out: that even though members of a prosecutorial team were listening in on attorney-client conversations collected under 702, DOJ made sure nothing from those conversations (or anything else collected via 702) got used in another court filing, and thereby avoided the notice requirement.

Based on what can be gleaned from the public record, it seems likely that defendants are not getting notice because DOJ is interpreting a key term of art in Fourth Amendment law too narrowly — the phrase “derived from.” Under FISA itself, the government is obliged to give notice to a defendant when its evidence is “derived from” Section 702 surveillance of the defendant’s communications. There is good reason to think that DOJ has interpreted this phrase so narrowly that it can almost always get around its own rule, at least in new cases.

It is clear from public reporting and DOJ’s filings in the ACLU’s lawsuit that it has spent years developing a secret body of law interpreting the phrase “derived from.” Indeed, from 2008 to 2013, National Security Division lawyers apparently adopted a definition of “derived” that eliminated notice of Section 702 surveillance altogether. Then, after this policy became public, DOJ came up with something else, which produced a handful of notices in existing cases.

Savage reports in Power Wars that then-Deputy Attorney General James Cole decided that Section 702 information had to have been “material” or “critical” to trigger notice to a defendant. But the book doesn’t provide any details about the legal underpinnings for this rule or, crucially, how Cole’s directive was actually implemented within DOJ. The complete absence of Section 702 notices since April 2014 suggests DOJ may well have found new ways of short-circuiting the notice requirement.

One obvious way DOJ might have done so is by deeming evidence to be “derived from” Section 702 surveillance only when it has expressly relied on Section 702 information in a later court filing — for instance, in a subsequent FISA application or search warrant application. (Perhaps DOJ’s interpretation is slightly more generous than this, but probably not by much.) DOJ could then avoid giving notice to defendants simply by avoiding all references to Section 702 information in those court filings, citing information gleaned from other investigative sources instead — even if the information from those alternative sources would never have been obtained without Section 702.

So these 9 mystery defendants don’t tell us anything new. They just give us a number — 9 — of defendants the government now has officially admitted have been spied on under 702 who have not been told that.

As I noted, Judge Hogan did not include this persistent attorney-client problem among the things he invited Amy Jeffress to review as amicus. Whether or not she would have objected to the persistent violation of FBI’s minimization procedures, a review of them would also have given her evidence from which she might have questioned FBI’s compliance with another part of 702, that defendants get notice.

But DOJ seems pretty determined to flout that requirement going forward.

Former Top Holder Aide Says Back Door Searches Violate Fourth Amendment; FISC Judge Thomas Hogan Doesn’t Care

/8 Comments/in , /by

My apologies to Amy Jeffress.

When I first realized that FISA Court Presiding Judge Thomas Hogan picked her to serve as amicus for the review of the yearly 702 certifications last year, I complained that she, not Marc Zwillinger, got selected (the pick was made in August, but Jeffress would later be picked as one of the standing amicus curiae, along with Zwillinger). After all, Zwillinger has already argued that PRISM (then authorized by Protect America Act) was unconstitutional when he represented Yahoo in its challenge of the program. He’s got experience making this precise argument. Plus, Jeffress not only is a long-time national security prosecutor and former top Eric Holder aide, but she has been involved in some actions designed to protect the Executive. I still think Zwillinger might have done a better job. But Jeffress nevertheless made what appears to be a vigorous, though unsuccessful, argument that FBI’s back door searches of US person data are unconstitutional.

A former top DOJ lawyer believes FBI’s back door queries are unconstitutional

But it says a lot that Jeffress — someone who narrowly missed being picked as Assistant Attorney General for National Security and who presumably got at least some visibility on back door searches when working with Holder — argued that FBI’s warrantless back door searches of communications collected under Section 702 is unconstitutional. (I presume it would be unethical for Jeffress to use information learned while counseling Holder in this proceeding, which might have put her in an interesting position of knowing more than she could say.)

Sadly, Hogan didn’t care. Worse, his argument for not caring doesn’t make sense. As I’ll note, not only did Hogan pick a less than optimal person to make this argument, but he may have narrowly scoped her input, which may have prevented her from raising evidence in Hogan’s own opinion that his legal conclusion was problematic.

To be clear, Jeffress was no flaming hippie. She found no problem with the NSA and CIA practice of back door searches, concluding, “that the NSA and CIA minimization procedures are sufficient to ensure that the use of U.S. person identifiers for th[e] purpose of [querying Section 702-acquired information] complies with the statutory requirements of Section 702 and with the Fourth Amendment.” But she did find the FBI practice problematic.

Jeffress’ amicus brief included at least 10 pages of discussion of her concerns with the practice, though ODNI did not release her brief and Hogan cited very limited bits of it. She argued, “the FISA process cannot be used as a device to investigate wholly unrelated ordinary crimes” and said because the queries could do so they “go far beyond the purpose for which the Section 702-acquired information is collected in permitting queries that are unrelated to national security.”

To dismiss Jeffress’ arguments, Hogan does several things. He,

  • Notes the statute requires foreign intelligence just be “a significant purpose” of the collection, and points back to the 2002 In Re Sealed Case FISCR decision interpreting the “significant purpose” language added in the PATRIOT Act to permit the use of traditional FISA information for prosecutions
  • Cites the FISA minimization procedure language that “allow[s] for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed”
  • Dismisses a former top DOJ official’s concerns about the use of FISA data for non-national security crimes as “hypothetical”
  • Doesn’t address — at all — language in the FBI minimization procedures that permits querying of data for assessments and other unspecified uses
  • Invests a lot of faith in FBI’s access and training requirements that later parts of his opinion undermine

There are several problems with his argument.

In Re Sealed Case ties “significant purpose” to the target of an interception

First, Hogan extends the scope of what the FISA Court of Review interpreted the term “significant purpose,” which got added to traditional FISA in the PATRIOT Act and then adopted in FISA Amendments Act.

Hogan cites the FISCR decision in In Re Sealed Case to suggest it authorized the use of information against non-targets of surveillance. He does so by putting the court’s ultimate decision after caveats it uses to modify that. “The Court of Review concluded that it would be an “anomalous reading” of the “significant purpose” language of 50 U.S.C. § 1804(a)(6)(B) to allow the use of electronic surveillance in such a case. See id. at 736. The Court nevertheless stressed, however, that “[s]o long as the government entertains a realistic option of dealing with the agent other than through criminal prosecution that it satisfies the significant purpose test.”

But that’s not what FISCR found. Here’s how that reads in the original, with Hogan’s citations emphasized.

On the one hand, Congress did not amend the definition of foreign intelligence information which, we have explained, includes evidence of foreign intelligence crimes. On the other hand, Congress accepted the dichotomy between foreign intelligence and law enforcement by adopting the significant purpose test. Nevertheless, it is our task to do our best to read the statute to honor congressional intent. The better reading, it seems to us, excludes from the purpose of gaining foreign intelligence information a sole objective of criminal prosecution. We therefore reject the government’s argument to the contrary. Yet this may not make much practical difference. Because, as the government points out, when it commences an electronic surveillance of a foreign agent, typically it will not have decided whether to prosecute the agent (whatever may be the subjective intent of the investigators or lawyers who initiate an investigation). So long as the government entertains a realistic option of dealing with the agent other than through criminal prosecution, it satisfies the significant purpose test.

The important point is–and here we agree with the government–the Patriot Act amendment, by using the word “significant,” eliminated any justification for the FISA court to balance the relative weight the government places on criminal prosecution as compared to other counterintelligence responses. If the certification of the application’s purpose articulates a broader objective than criminal prosecution–such as stopping an ongoing conspiracy–and includes other potential non-prosecutorial responses, the government meets the statutory test. Of course, if the court concluded that the government’s sole objective was merely to gain evidence of past criminal conduct–even foreign intelligence crimes–to punish the agent rather than halt ongoing espionage or terrorist activity, the application should be denied.

The government claims that even prosecutions of non-foreign intelligence crimes are consistent with a purpose of gaining foreign intelligence information so long as the government’s objective is to stop espionage or terrorism by putting an agent of a foreign power in prison. That interpretation transgresses the original FISA. It will be recalled that Congress intended section 1804(a)(7)(B) to prevent the government from targeting a foreign agent when its “true purpose” was to gain non-foreign intelligence information–such as evidence of ordinary crimes or scandals. See supra at p.14. (If the government inadvertently came upon evidence of ordinary crimes, FISA provided for the transmission of that evidence to the proper authority. 50 U.S.C. § 1801(h)(3).) It can be argued, however, that by providing that an application is to be granted if the government has only a “significant purpose” of gaining foreign intelligence information, the Patriot Act allows the government to have a primary objective of prosecuting an agent for a non-foreign intelligence crime. Yet we think that would be an anomalous reading of the amendment. For we see not the slightest indication that Congress meant to give that power to the Executive Branch. Accordingly, the manifestation of such a purpose, it seems to us, would continue to disqualify an application. That is not to deny that ordinary crimes might be inextricably intertwined with foreign intelligence crimes. For example, if a group of international terrorists were to engage in bank robberies in order to finance the manufacture of a bomb, evidence of the bank robbery should be treated just as evidence of the terrorist act itself. But the FISA process cannot be used as a device to investigate wholly unrelated ordinary crimes.

Hogan ignores three key parts of this passage. First, FISCR’s decision only envisions the use of evidence against the target of the surveillance, not against his interlocutors, to in some way neutralize him. Any US person information collected and retained under 702 is, by definition, not the targeted person (whereas he or she might be in a traditional FISA order). Furthermore, FBI’s queries of information collected under 702 will find and use information that has nothing to do with putting foreign agents in prison — that is, to “investigate wholly unrelated ordinary crimes,” which FISCR prohibited. Finally, by searching data that may be years old for evidence of a crime, FBI is, in effect, “gaining evidence of past criminal conduct” — itself prohibited by FISCR — of someone who isn’t even the target of the surveillance.

Hogan only treats querying for criminal purposes

Having, in my opinion, expanded on what FISCR authorized back in 2002, Hogan then ignores several parts of what FBI querying permits.

Here’s (some of) the language FBI added to its minimization procedures, at the suggestion of PCLOB, to finally, after 8 years, fully disclose what it was doing to the FISC.

It is a routine and encouraged practice for FBI to query databases containing lawfully acquired information, including FISA-acquired information, in furtherance of the FBI’s authorized intelligence and law enforcement activities, such as assessments, investigations and intelligence collection. Section III.D governs the conduct of such queries. Examples of such queries include, but are not limited to, queries reasonably designed to identify foreign intelligence information or evidence of a crime related to an ongoing authorized investigation or reasonably designed queries conducted by FBI personnel in making an initial decision to open an assessment concerning a threat to national security, the prevention or protection against a Federal crime, or the collection of foreign intelligence, as authorized by the Attorney General Guidelines. These examples are illustrative and neither expand nor restrict the scope of the queries authorized in the language above.

This language makes clear FBI may do back door searches for:

  • To identify foreign intelligence information
  • To identify evidence of a crime related to an ongoing investigation
  • To decide whether to open an assessment concerning a threat to national security, the prevention or protection against a Federal crime, or the collection of foreign intelligence
  • Other things, because FBI’s use of such queries “are not limited to” these uses

Given Hogan’s stingy citations from Jeffress’ brief, it’s unclear how much of these things she addressed (or whether she was permitted to introduce knowledge gained from having worked closely with Eric Holder when these back door searches were being formalized).

Read more