Posts

“There Is No Database”

I Con the Record has released the transcript for the Yahoo hearing before the FISA Court of Review.

I’ll come back to the substance of it, but I did want to point to the lie that underscores this entire case.

There Is No Database

 

On page 41, Acting Solicitor General Gregory Garre claims there is no database of incidentally collected information.

That’s of course false — the incidentally collected information is kept right along with the targeted information.

The FISCR used this in its ruling Protect America Act was constitutional.

Funny how that works…

Former Surveillance Lawyer Peter Keisler Pushes for Surveillance Limits

Screen Shot 2014-11-18 at 2.33.55 PMI’ve been laying low so supporters of USA Freedom can try to get a vote for cloture allowing debate for their bill in the Senate (and also trying to duck getting back into the arguments I made about Jonathan Gruber in 2009 and 2010). I’ve had my say on the former issue here and here.

But even as USA Freedom faces an uncertain future in the Senate, something interesting happened in the 11th Circuit.

I wrote in June about the 11th Circuit decision in US v. Quartavious Davis. In a decision written by David Sentelle (on loan from the DC Circuit) the Circuit overturned a conviction based almost entirely on stored cell site location information (CSLI).

The government filed for rehearing en banc which was granted.

AT&T just submitted an amicus brief generally supporting a higher standard for CSLI.

This is no hippie brief. Generally, it calls for more clarity for the providers, and ultimately concludes asking for one standard.

However the scope of the Fourth Amendment’s protection is resolved, a clear and categorical rule will benefit all parties involved in the application of Section 2703(d), including the technology companies subject to orders to produce information. Whatever standard the Court ultimately determines the government must satisfy, the third party records cases may provide an unsatisfactory basis for resolving this case. Smith and Miller rested on the implications of a customer’s knowing, affirmative provision of information to a third party and involved less extensive intrusions on personal privacy. Their rationales apply poorly to how individuals interact with one another and with information using modern digital devices. In particular, nothing in those decisions contemplated, much less required, a legal regime that forces individuals to choose between maintaining their privacy and participating in the emerging social, political, and economic world facilitated by the use of today’s mobile devices or other location based services.

But to support that stance, it argues that because of increasing accuracy, CSLI is probably more intrusive than the car-based GPS tracker found to require a warrant in US v. Jones.

CSLI at times may provide more sensitive and extensive personal information than the car tracking information at issue in Jones. Users typically keep their mobile devices with them during the entire day, potentially providing a much more extensive and continuous record of an individual’s movements and living patterns than that provided by tracking a vehicle; CSLI, therefore, is not limited to the largely public road system or to when the device user is in a vehicle.

More interesting still, it argues that the 3rd Party doctrine doesn’t work anymore.

The privacy and related social interests implicated by the use of modern mobile devices and by CSLI are fundamentally different and more significant than those evaluated in Miller and Smith. Miller, 425 U.S. at 443 (“We must examine the nature of the particular documents sought to be protected in order to determine whether there is a legitimate ‘expectation of privacy’ concerning their contents”); Smith, 442 U.S. at 741-42 (emphasizing the “limited capabilities” of pen registers). Use of mobile devices, as well as other devices or location based services, has become integral to most individuals’ participation in the new digital economy: those devices are a nearly ever-present feature of their most basic social, political, economic, and personal relationships. In recent years, this has become especially true of the data communications – from email and texting to video to social media connections – that occur on a nearly continuous basis whenever mobile devices are
turned on.

[snip]

Nor does Miller or Smith address how individuals interact with one another and with different data and media using mobile devices in this digital age. Location enabled services of all types provide a range of information to their users. At the same time, mobile applications, vehicle navigation systems, mobile devices, or wireless services for mobile devices often collect and use data in the background.

As part of that, AT&T talks about CSLI shows interactions.

But perhaps my favorite part of the brief is this:

Screen Shot 2014-11-18 at 4.19.09 PM

The brief was written by Peter Keisler, a longtime telecom attorney but also — during his brief stint as Acting Attorney General in 2007 — the guy who signed at least Directives (and possibly 2 Certificates) in Protect America Act. See page 34 for where Keisler signed Directives to Yahoo on his last day as Acting AG, November 8, 2007.

FISCR Used an Outdated Version of EO 12333 to Rule Protect America Act Legal

If the documents relating to Yahoo’s challenge of Protect America Act released last month are accurate reflections of the documents actually submitted to the FISC and FISCR, then the government submitted a misleading document on June 5, 2008 that was central to FISCR’s ultimate ruling.

As I laid out here in 2009, FISCR relied on the the requirement  in EO 12333 that the Attorney General determine there is probable cause a wiretapping technique used in the US is directed against a foreign power to judge the Protect America Act met probable cause requirements.

The procedures incorporated through section 2.5 of Executive Order 12333, made applicable to the surveillances through the certifications and directives, serve to allay the probable cause concern.

The Attorney General hereby is delegated the power to approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required if undertaken for law enforcement purposes, provided that such techniques shall not be undertaken unless the Attorney General has determined in each case that there is probable cause to believe that the technique is directed against a foreign power or an agent of a foreign power.

44 Fed. Reg. at 59,951 (emphasis supplied). Thus, in order for the government to act upon the certifications, the AG first had to make a determination that probable cause existed to believe that the targeted person is a foreign power or an agent of a foreign power. Moreover, this determination was not made in a vacuum. The AG’s decision was informed by the contents of an application made pursuant to Department of Defense (DOD) regulations. See DOD, Procedures Governing the Activities of DOD Intelligence Components that Affect United States Persons, DOD 5240.1-R, Proc. 5, Pt. 2.C.  (Dec. 1982).

Yahoo didn’t buy this argument. It had a number of problems with it, notably that nothing prevented the government from changing Executive Orders.

While Executive Order 12333 (if not repealed), provides some additional protections, it is still not enough.

[snip]

Thus, to the extent that it is even appropriate to examine the protections in the Executive Order that are not statutorily required, the scales of the reasonableness determination sway but do not tip towards reasonableness.

Yahoo made that argument on May 29, 2008.

Sadly, Yahoo appears not to have noticed the best argument that Courts shouldn’t rely on EO 12333 because the President could always change it: Sheldon Whitehouse’s revelation on December 7, 2007 (right in the middle of this litigation) that OLC had ruled the President could change it in secret and not note the change publicly. Whitehouse strongly suggested that the Executive in fact had changed EO 12333 without notice to accommodate its illegal wiretap program.

But the government appears to have intentionally withheld further evidence about how easily it could change EO 12333 — and in fact had, right in the middle of the litigation.

This is the copy of the Classified Annex to EO 12333 that (at least according to the ODNI release) the government submitted to FISCR in a classified appendix on June 5, 2008 (that is, after Yahoo had already argued that an EO, and the protections it affords, might change). It is a copy of the original Classified Appendix signed by Ed Meese in 1988.

As I have shown, Michael Hayden modified NSA/CSS Policy 1-23 on March 11, 2004, which includes and incorporates EO 12333, the day after the hospital confrontation. The content of the Classified Annex released in 2013 appears to be identical, in its unredacted bits, to the original as released in 1988 (see below for a list of the different things redacted in each version). So the actual content of what the government presented may (or may not be) a faithful representation of the Classified Appendix as it currently existed.

But the version of NSA/CSS Policy 1-23 released last year (starting at page 110) provides this modification history:

This Policy 1-23 supersedes Directive 10-30, dated 20 September 1990, and Change One thereto, dated June 1998. The Associate Director for Policy endorsed an administrative update, effective 27 December 2007 to make minor adjustments to this policy. This 29 May 2009 administrative update includes changes due to the FISA Amendments Act of 2008 and in core training requirements.

That is, Michael Hayden’s March 11, 2004 modification of the Policy changed to the Directive as existed before 2 changes made under Clinton.

Just as importantly, the modification history reflects “an administrative update” making “minor adjustments to this policy” effective December 27, 2007 — a month and a half after this challenge started.

By presenting the original Classified Appendix — to which Hayden had apparently reverted in 2004 — rather than the up-to-date Policy, the government was presenting what they were currently using. But they hid the fact that they had made changes to it right in the middle of this litigation. A fact that would have made it clear that Courts can’t rely on Executive Orders to protect the rights of Americans, especially when they include Classified Annexes hidden within Procedures.

In its language relying on EO 12333, FISCR specifically pointed to DOD 5240.1-R. The Classified Annex to EO 12333 is required under compliance with part of that that complies with the August 27, 2007 PAA compliance.

That is, this Classified Annex is a part of the Russian dolls of interlocking directives and orders that implement EO 12333.

And they were changing, even as this litigation was moving forward.

Only, the government appears to have hidden that information from the FISCR.

Update: Clarified that NSA/CSS Policy 1-23 is what got changed.

Update: Hahaha. The copy of DOD 5240.1 R which the government submitted on December 11, 2007, still bears the cover sheet labeling it as an Annex to NSA/CSS Directive 10-30. Which of course had been superseded in 2004.

Note how they cut off the date to hide that it was 1990?

Note how they cut off the date to hide that it was 1990?

Read more

Protect America Act Was Designed to Collect on Americans, But DOJ Hid that from the FISC

The government released a document in the Yahoo dump that makes it clear it intended to reverse target Americans under Protect America Act (and by extension, FISA Amendments Act). That’s the Department of Defense Supplemental Procedures Governing Communications Metadata Analysis.

The document — as released earlier this month and (far more importantly) as submitted belatedly to the FISC in March 2008 — is fairly nondescript. It describes what DOD can do once it has collected metadata (irrespective of where it gets it) and how it defines metadata. It also clarifies that, “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communcations, nor to they qualify as ‘us[ing] a selection term’.”

The procedures do not once mention US persons.

There are two things that should have raised suspicions at FISC about this document. First, DOJ did not submit the procedures to FISC in a February 20, 2008 collection of documents they submitted after being ordered to by Judge Walton after he caught them hiding other materials; they did not submit them until March 14, 2008.

The signature lines should have raised even bigger suspicions.

Gates Mukasey

First, there’s the delay between the two dates. Robert Gates, signing as Secretary of Defense, signed the document on October 17, 2007. That’s after at least one of the PAA Certifications underlying the Directives submitted to Yahoo (the government is hiding the date of the second Certification for what I suspect are very interesting reasons), but 6 days after Judge Colleen Kollar-Kotelly submitted questions as part of her assessment of whether the Certifications were adequate. Michael Mukasey, signing as Attorney General, didn’t sign the procedures until January 3, 2008, two weeks before Kollar-Kotelly issued her ruling on the certifications, but long after it started trying to force Yahoo to comply and even after the government submitted its first ex parte submission to Walton. That was also just weeks before the government redid the Certifications (newly involving FBI in the process) underlying PAA on January 29. I’ll come back to the dates, but the important issue is they didn’t even finalize these procedures until they were deep into two legal reviews of PAA and in the process of re-doing their Certifications.

Moreover, Mukasey dawdled two months before he signed them; he started at AG on November 9, 2007.

Then there’s the fact that the title for his signature line was clearly altered, after the fact.

Someone else was supposed to sign these procedures. (Peter Keisler was Acting Attorney General before Mukasey was confirmed, including on October 17, when Gates signed these procedures.) These procedures were supposed to be approved back in October 2007 (still two months after the first PAA Certifications) but they weren’t, for some reason.

The backup to those procedures — which Edward Snowden leaked in full — may explain the delay.

Those procedures were changed in 2008 to reverse earlier decisions prohibiting contact chaining on US person metadata. 

NSA had tried to get DOJ to approve that change in 2006. But James Baker (who was one of the people who almost quit over the hospital confrontation in 2004 and who is now FBI General Counsel) refused to let them.

After Baker (and Alberto Gonzales) departed DOJ, and after Congress passed the Protect America Act, the spooks tried again. On November 20, 2007, Ken Wainstein and Steven Bradbury tried to get the Acting Deputy Attorney General Craig Morford (not Mukasey, who was already AG!) to approve the procedures. The entire point of the change, Wainstein’s memo makes clear, was to permit the contact chaining of US persons.

The Supplemental Procedures, attached at Tab A, would clarify that the National Security Agency (NSA) may analyze communications metadata associated with United States persons and persons believed to be in the United States.

What the government did, after passage of the PAA, was make it permissible for NSA to figure out whom Americans were emailing.

And this metadata was — we now know — central to FISCR’s understanding of the program (though perhaps not FISC’s; in an interview today I asked Reggie Walton about this document and he simply didn’t remember it).

The new declassification of the FISCR opinion makes clear, the linking procedures (that is, contact chaining) NSA did were central to FISCR’s finding that Protect America Act, as implemented in directives to Yahoo, had sufficient particularity to be reasonable.

The linking procedures — procedures that show that the [redacted] designated for surveillance are linked to persons reasonably believed to be overseas and otherwise appropriate targets — involve the application of “foreign intelligence factors” These factors are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. As attested by affidavits  of the Director of the National Security Agency (NSA), the government identifies [redacted] surveillance for national security purposes on information indicating that, for instance, [big redaction] Although the FAA itself does not mandate a showing of particularity, see 50 U.S.C. § 1805(b). This pre-surveillance procedure strikes us as analogous to and in conformity with the particularly showing contemplated by Sealed Case.

In fact, these procedures were submitted to FISC and FISCR precisely to support their discussion of particularity! We know they were using these precise procedures with PAA because they were submitted to FISC and FISCR in defense of a claim that they weren’t targeting US persons.

Except, by all appearances, the government neglected to tell FISC and FISCR that the entire reason these procedures were changed, subsequent to the passage of the PAA, was so NSA could go identify the communications involving Americans.

And this program, and the legal authorization for it? It’s all built into the FISA Amendments Act.

Hiding Yahoos: ORCON and the FISC Special Advocate

Some weeks ago, I noted the language in James Clapper’s letter purportedly “supporting” Patrick Leahy’s USA Freedom Act making it clear he intended to retain the information asymmetry that currently exists in the FISA Court — specifically, ex parte communication with the court.

We note that, consistent with the President’s request, the bill estsablishes a process for the appointment of an amicus curiae to assist the FISA Court and FISA Court of Review in matters that present a novel or significant interpretation of the law. We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.

The Yahoo documents released a few weeks back illustrate how this might work in practice.

We’ve known since January 2009 that Yahoo (which we then only knew was an Internet company) didn’t receive the materials — perhaps most importantly, the minimization procedures — it needed to adequately challenge the program.

The cover sheet to the ex parte appendix provided to the FISCR illustrates the range of things withheld from Yahoo’s attorney, Marc Zwillinger, who apparently had a Top Secret clearance. In addition to the minimization procedures for NSA and FBI, the government withheld the “linking” procedures used to identify targets (the titles of these documents are redacted in the released version, but this post explains why at least some must pertain to these procedures; note, I think the government also withheld these from Judge Reggie Walton at the FISC level!), and a January 15, 2008 Colleen Kollar-Kotelly FISC opinion assessing the adequacy of the original certifications.

Comparing two versions of Walton’s April 25, 2008 opinions — a version redacted for Yahoo’s use in 2008, and the version redacted for public release now — provides context on the key issues obscured or suppressed entirely from Yahoo’s view. (Note two things about these redactions: first, with the exception of language on the information the government demanded from Yahoo, we’re receiving more information than Yahoo’s cleared attorney received when he was fighting this case. And the older document actually includes two sets of redactions: the more faded redactions used for Yahoo, and a more opaque set done for this release, the latter of which hide details about the Directives given to Yahoo.)

Effectively, the government hid what they changed when they rewrote Certifications underlying their demands to Yahoo just 2 weeks before the law expired. A significant part of those changes involves getting FBI involved in the process (I increasingly suspect those January 29, 2008 Certifications are when the government first obtained official permission for FBI back door searches).

Notice of the new Certificates was given to Yahoo on February 16, 2008, the day PAA expired, and signed by then Solicitor General Paul Clement, though signed as Acting Attorney General (see page 81). One day earlier, Judge Walton had given the government an ex parte order requiring them to address whether the ex parte materials they had submitted to him in December “constitutes the complete and up-to-date set of certifications … applicable to the directives that are at issue in this proceeding.” Walton also required the government to provide notice to Yahoo they were going to submit a new classified appendix.

Apparently, Walton had gotten wind of the fact — but had not been told formally — that the government had submitted entirely new Certifications affecting their treatment of the data they would obtain from Yahoo. So he ordered them to update the record so his review actually considered the surveillance as it would be implemented.

I’ve listed most of the differences between the two memoranda below. While much of it pertains to prior classified decisions and the operation of FISC generally, the biggest sections redacted from Yahoo but released in part to us now describe the new certifications, including FBI’s new role in the process.  Of particular concern, the government withheld Walton’s comment admonishing the government for changing the certifications, “without appropriately informing the Court or supplementing the record in this matter until ordered to do so” (page 4), though footnote 4 and page 35 make it clear that Walton revealed some details of the government’s belated disclosures in a February 29 order for more briefing.

More troubling still, they hid Walton’s still significantly-redacted assessment that the changes in the Certifications would not change the nature of the government’s demand from Yahoo (page 38).

Neither type of amendment altered the nature of the assistance to be rendered by Yahoo,40

40 Yahoo has submitted a sworn statement that, prior to serving the directives on Yahoo, representatives of the government “indicated that, at the outset, it only would expect…

I wrote about these changing requests here. And while on paper the changing requests couldn’t have been a result of the changed Certification — Yahoo’s Manager of Legal Compliance described them in a January 23 submission, and the new Certifications were issued the following week — I find the timing, and the government’s failure to notice Walton on them, suspect enough that it’s the kind of thing that should have been briefed. Plus, as I’ll show in a follow-up post, I’m fairly certain the government hid  from both FISC and FISCR the degree to which this was about targeting Americans.

Once Walton learned that the government’s requests to Yahoo had changed between the date of Kollar-Kotelly’s initial approval and the expiration of the law, it seems it should have merited more direct briefing, but that would have required admitting that the changes put domestic law enforcement in the center of the program, which presents (or should present) significantly different Fourth Amendment concerns, notably increasing the importance of prior interpretations of the “significant purpose” language instituted under the PATRIOT Act.

In other words, not only did the ex parte nature of this proceeding hide the details Yahoo would have needed to make a robust Fourth Amendment argument, as well as evidence that the government was not being entirely forthcoming to FISC (which would have bolstered Yahoo’s separation of powers claim), it also hid what may be specifically pertinent details behind the government’s last minute changed certifications.

In theory, this shouldn’t happen with the USA Freedom Advocate, because the bill specifically requires the Advocate have access to certifications necessary for her to complete her duties.

(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—

[snip]

(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;

By comparison, the government was challenging Yahoo’s legal standing to take this challenge in the first place.

But I find the apparent basis for withholding information from Yahoo to be relevant. This memorandum, at least, was originally classified Top Secret/ORCON (Originator Controlled); the redacted memorandum given to Yahoo was classified Secret. That means that the changes arose, at least in part, from the ability of the originator (which may be DOJ’s National Security Division, given that Mark Bradley conducted the declassification review) to determine who gets the document. As I noted, there are two bases in USAF that would permit the government to withhold information, classification and privilege. Withholding information under an ORCON claim likely stems from both (though I am checking this).

So while the government should not be able to treat the advocate the same way they treated Yahoo (which, after all, FISC treated as a Congressionally sanctioned challenger to the orders, just as it would the advocate), they seem to have the prerogative to. (Update: I should add that Walton permitted the government to do all the ex parte briefing here under FISA’s ex parte briefing language; given that USAF doesn’t change that for any of the authorities in question, we should assume this precedent will apply to the advocate.)

To be clear, the USAF advocate is not one of the things that I believe sets back a slow reform process (as, for example, I believe the “transparency” provisions and some weakened minimization procedures do). I think it most likely that the advocate will evolve the way PCLOB has, which was first authorized in 2004, thwarted by Executive obstruction (on precisely these kinds of issues), reauthorized as a more effective body in 2007, then slow-walked again — partly by President Obama, though partly by Congress — for another 6 years. That is, if the advocate is at least as self-respecting as Lanny Davis (!), she will quit if the Executive ignores the intent of Congress that she have access to the materials she needs to do her job, exposing the inefficacy of the existing system. All that, of course, assumes she will cop onto what has been withheld. Clearly, Yahoo got a sense of it during this process, though FISC and FISCR seem to have realized only some of the other stuff withheld from them.

That is, judging by the PCLOB example, if all goes well and if USAF were to pass this year, we might have a fully functional advocate by 2023!

The Yahoo materials released show that the government withheld pertinent information from Yahoo, FISC, and FISCR until forced to provide it, and they never provided any of them with all the information they should have.

That it retains the ability to do so under USAF doesn’t bode well for the advocate. But that’s really just a subset to a larger issue that, even when authorized by Congress to provide oversight of this executive spying, the government has consistently, for years, been less than fully cooperative with FISC’s authority to do so.

As I’ve said, the surest way to reform surveillance is to eliminate the FISA Court.

Read more

Yahoo’s FISA Content Requests Went up 30% in Second Half of Last Year

Yahoo just released their transparency report for the first half of this year, which means they can report on the National Security requests from the last half of last year.

And that data shows a pretty alarming spike in FISA Content Requests.

The first half of the year showed their FISA content requests affected <40,000 accounts.

Screen Shot 2014-09-25 at 4.00.32 PM

 

The second half of the year showed their FISA content requests affected <51,000 accounts.

Screen Shot 2014-09-25 at 3.58.48 PM

 

That’s a 30% increase in accounts affected in just 6 months.

It’s possible, of course, what we’re seeing is a new kind of service being accessed by the government, which might by itself justify such a spike. Or it may be that the government is doing that much more spying.

A Yahoo! Lesson for USA Freedom Act: Mission Creep

I’m still wading through the Yahoo documents released last week.

But there is a lesson in them that — given the debate over USA Freedom Act — deserves immediate attention: mission creep.

At least in this case, the actual implementation of the Protect America Act appears to have quickly and secretly outstripped the public understanding surrounding of the scope of the law.

In response to an order from Reggie Walton to provide precise details about what the government was asking for provide hints of this, the FBI and Yahoo submitted a series of declarations. In January 2008, an FBI engineer submitted a declaration detailing what the government demanded (though it is almost entirely redacted).

In response, Yahoo’s VP and Associate General Counsel submitted a declaration covering his (or her) involvement; he was the only one who attended all the meetings with the government. Interestingly the first meeting was in August, but before the law was passed. That’s interesting because it was slammed through in a rush on August 4, 2007, meaning, Yahoo must have first met with the government about a bill making dramatic demands on it just days before it passed.

The AGC ends his declaration by laying out what data had been discussed while he was involved, but then saying the discussions about a particular issue had not ended when he exited the discussions, so he could not agree with or disagree with some part of the FBI declaration.

In a declaration dated the next day, the Manager of Yahoo’s Legal Compliance team (the declaration describes that he or she had the lead on FISA response) submitted her declaration. It says she will be listing the kinds of data Yahoo provides to the government.

But before she can do that, she has to lay out that Yahoo offers email and IMs, information services (like Yahoo finance), cloud storage, as well as facilitating all that with communications between the various components. That suggests the government was — already — asking for more than just emails and IMs and, possibly, data storage contents (which would be unsurprising). This seems to be the stuff the AGC couldn’t speak to.

The final FISCR opinion listed 9 things the government had demanded, as compared to the one-line long description that Yahoo originally believed — and had been told — it would have to turn over.

Screen Shot 2014-09-15 at 4.35.32 PM

 

I followed the PAA debate closely (though not as closely as I’ve followed the USAF debate — I learned you have to watch these things like a hawk!). And I understood the chief goal of the bill was to access the email of the largest free providers, Yahoo, Microsoft, and Google, which all happened to be in the US. I wouldn’t have imagined that the government would also be obtaining the info services habits of targets, though now that idea also seems obvious.

And that appears to have happened in less than a year.

It just appears that once the government got what they needed, they then started looking around for other ways they could use their new toy. And so kept grabbing more data.

This is among the concerns I have about the ambiguous language in USA Freedom Act’s “connection chaining” language — that once they get to the telecoms without a limit to stick to call chaining (they must return a CDR at each stage, but the bill doesn’t say how they get there), they’ll just grab what they can get.

Yahoo’s Lawyer’s Take on the Yahoo Trove

Even back in 2009, when Russ Feingold made it clear that Yahoo had no access to the data it needed to aggressively challenge the Protect American Act orders it received, I realized what a tough legal fight it was to litigate blind. That has only been made more clear by the document trove released last week.

Which is why Mark Zwillinger’s comments about the trove are so interesting.

First, ZwillGen points out that the challenge to the PAA directives may not have helped Yahoo avoid complying, but it did win an important victory allowing providers to challenge surveillance orders.

[I]n this fight, the government argued that Yahoo had no standing to challenge a directive on the basis of the Fourth Amendment rights of its users. See Government’s Ex Parte Brief at pages 53-56.Although the government was forced to change its position after it lost this issue at both the FISC and the FISCR — and such standing was expressly legislated into the FAA – had the government gotten its way, surveillance orders under § 702 would have been unchallengeable by any party until the fruits of the surveillance were sought to be used against a defendant in a criminal case. That would have given the executive branch even greater discretion to conduct widespread surveillance with little potential for judicial review. Even though Yahoo lost the overall challenge, winning on the standing point was crucial, and by itself made the fight personally worthwhile.

ZwillGen next notes that the big numbers reported in the press — the $250K fines for non-compliance — actually don’t capture the full extent of the fines the government was seeking. It notes that the fines would have added up to $400 million in the second month of non-compliance (it took longer than that to obtain a final decision from the FISCR).

Simple math indicates that Yahoo was facing fines of over $25 million dollars for the 1st month of noncompliance, and fines of over $400 million in the second month if the court went along with the government’s proposal. And practically speaking, coercive civil fines means that the government would seek increased fines, with no ceiling, until Yahoo complied. 

Finally — going directly to the points Feingold made 5 years ago — Yahoo had no access to the most important materials in the case, the classified appendix showing all the procedures tied to the dragnet.

The ex parte, classified appendix was just that: a treasure trove of documents, significantly longer than the joint appendix, which Yahoo had never seen before August 22, 2014. Yahoo was denied the opportunity to see any of the documents in the classified, ex parteappendix—even in summary form. Those documents bear a look today. They include certifications underlying the § 702 directives, procedures governing communications metadata analysis, a declaration from the Director of National Intelligence, numerous minimization procedures regarding the FBI’s use of process, and, perhaps most importantly, a FISC decision from January 15, 2008regarding the procedures for the DNI/AG Certification at issue, which Yahoo had never seen. It examines those procedures under a “clearly erroneous” standard of review – which is one of the most deferential standards used by the judiciary. Yahoo did not have these documents at the time, nor the opportunity to conduct any discovery. It could not fully challenge statements the government made, such as the representation to FISCR “assur[ing the Court] it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary.” Nor could Yahoo use the January 15, 2008 decision to demonstrate how potential flaws in the targeting process translated into real world effects.

This blind litigation is, of course, still the position defense attorneys challenging FISA orders for their clients are in.

Yahoo actually made a pretty decent argument 6 years ago, pointing to incidental collection, collection of Americans’ records overseas (something curtailed, at least in name, under FISA Amendments Act), and dodgy analysis underlying the targeting decisions handed off to Yahoo. But they weren’t permitted the actual documentation they needed to make that case. Which left the government to claim — falsely — that the government was not conducting back door searches on incidentally collected data.

For years, ex parte proceedings have allowed the government to lie to courts and avoid real adversarial challenges to their spying. And not much is changing about that anytime soon.

Remember Joseph Nacchio?

Yahoo just announced that it will shortly be releasing the docket from its 2008 effort to challenge a Protect America Act order.

In a report on the release, WaPo notes that the government threatened Yahoo with a $250,000 day fine for not complying with the Protect America Act order (appreciate the irony of that law’s name!).

The U.S. government threatened to fine Yahoo $250,000 a day in 2008 if it failed to comply with a broad demand to hand over user data that the company believed was unconstitutional, according to court documents unsealed Thursday that illuminate how federal officials forced American tech companies to participate in the NSA’s controversial PRISM program.

Umph. That kind of fine would add up quickly.

Which got me thinking about Joseph Nacchio, the Qwest CEO who claims the real source of his insider trading scandal arose from government retaliation when he refused to do something — in January 2001, before NineElevenChangedEverything — that he considered illegal.

According to Nacchio, his troubles can be traced back to a meeting at the NSA’s Fort Meade, Md., headquarters on Feb. 27, 2001. The agency asked that Qwest participate in a surveillance program, but Nacchio considered the proposed action to be illegal.

Nacchio was unable to explain the exact nature of the request, which remains classified. However, contrary to news reports, he said discussions with the NSA at the February 2001 meeting didn’t involve turning over telephone records.

“I found that request to be peculiar. I didn’t think it was legal. I asked for legal justification. We never got it, and therefore we never did it,” said Nacchio, who completed his prison sentence in September. “That was the moment things turned down for me.”

The former AT&T (T) executive resigned from his post at Qwest in 2002 after the Securities and Exchange Commission launched an insider-trading investigation. In 2007, he was charged with 42 counts of insider trading.

Nacchio was ultimately convicted on 19 counts for selling stock between April and May 2001, leading to the forfeiture of $44.6 million and a $19 million fine. He was sentenced to six years in jail, but his time was reduced to 70 months.

Obviously, the size of Yahoo’s fine — for a congressionally authorized, even if unconstitutional program — lends far more credibility to the claim that the government retaliated by setting Nacchio up for an insider trading prosecution. (See also this post which tracks some interesting discrepancies in the stories, which is one of a number of reasons I believe the NSA IG report on the illegal dragnet is itself incorrect.)

It also makes me wonder about two other companies — an Internet company, and what is probably something like Cisco — that refused to cooperate with the illegal dragnet.

There really isn’t a lot of rule of law surrounding the government’s spying.

Tech Companies: Hurry Up and Give Us Immunity and Compensation

The tech industry has issued a letter urging the Senate to hurry up and give them immunity and compensation pass USA Freedom Act.

The letter is actually pretty funny. The letter claims:

The revelations about the U.S. government’s surveillance programs that began in June of 2013 have led to an erosion of public trust in the U.S. government and the U.S. technology sector. In an effort to begin restoring that trust, the USA FREEDOM Act will prevent the bulk collection of Internet metadata, call detail records, and other tangible things in a manner that both enhances privacy and protects national security.

I mean, it’s not funny that the NSA has fucked with the tech companies’ business model. The funny part is the bill doesn’t do what the tech companies say it does!

It only limits the bulk collection of Internet metadata — to the extent it does do that — via the use of Pen Register or Section 215 authorities. It doesn’t do anything about the bulky collection of Internet metadata (and content) through PRISM. And it definitely doesn’t do anything to end the biggest part of bulk Internet metadata collection, which happens overseas. Hell, this doesn’t even give the Internet companies any more assurances they won’t have their data stolen overseas (though some at least are making that more difficult by encrypting their data).

Then the letter makes this claim.

As a result of the surveillance program revelations, U.S. technology companies have experienced negative economic implications in overseas markets. In addition, other countries are considering proposals that would limit data flows between countries, which would have a negative impact on the efficiencies upon which the borderless Internet relies. The transparency measures in the USA FREEDOM Act are designed to alleviate some of the concerns behind such actions by allowing companies to be more transparent about the orders they receive from the government to its surveillance authorities.

Now, it is true that the law tweaks the agreement the government previously made with the Internet companies so they can show more about what they do. That’s a good thing.

But the “transparency” provisions in the bill are actually designed to obscure key details about surveillance. They hide how many Americans will be exposed to most Section 215 orders (though will reveal the total people exposed) because FBI, which will get most of the orders, is exempted from that reporting. They hide the FBI’s use of “back door searches” of Internet metadata collected under PRISM. And it may (though I’m less sure about this) hide requests for PRISM metadata searches executed by the CIA for foreign governments.

All hidden right there in the “transparency” procedures.

Finally, I’m not sure why the tech companies think their foreign customers will be impressed with deceptive “transparency” provisions that leave the bulk (in all senses of the word) of the collection the US is doing against foreigners still hidden.

But hey! I can imagine why the tech companies want their absurdly broad immunity and compensation for spying, which this bill does give them.

Oddly, the letter doesn’t emphasize that part of it.