Posts

Jim Sensenbrenner Seems to Endorse Two Times Two Hops

I’m working on a larger post about a theory I have about the Internet dragnet. But while working on that, I noticed that in 2009 the government admitted that it had used the Internet dragnet, like the phone dragnet, to contact chain on US emails that were connected with suspect emails, but which had not themselves been found to be suspicious (or tied to a foreign power).

This practice involved an analyst running a query using as a seed “a U.S.-based e-mail account” that had been in direct contact with a properly validated seed account, but had not itself been properly validated under the RAS approval process. [redacted] Response at 2-3. When he granted renewed authorization for bulk PR/TT surveillance on [redacted], Judge Walton ordered the government not to resume this practice without proper Court approval. See Docket No. PR/TT [redacted] Primary Order issued [redacted] at 10.

In its response, the government also described an automated means of querying, which it regarded as consistent with the applicable PR/TT orders. This form of querying involved the determination that an e-mail address satisfied the RAS standard, but for the lack of a connection to one of the Foreign Powers (e.g., there were sufficient indicia that the user of the e-mail address was involved in terrorist activities, but the user’s affiliation with a particular group was unknown).

[snip]

In the event that such an e-mail address was in contact with a RAS-approved seed-account on an NSA “Alert List,” that e-mail address would itself be used as a seed for automatic querying, on the theory that the requisite nexus to one of the Foreign Powers had been established.

Up until 2009, the government was blithely extending the chaining process by declaring US person targets new seeds and chaining from there.

I raise this because the NSA has been struggling, unsuccessfully, since 2009 to resume its alert function(s). It may be that’s one reason why NSA embraced outsourcing data retention to the telecoms.

And because, in an effort to defeat a Zoe Lofgren amendment at last Wednesday’s markup, Jim Sensenbrenner seemed to endorse this derivative hop process.

Lofgren’s amendment would have added language limiting upstream collection to that which involved the target of the acquisition.

Lofgren. Mr. Chairman, I believe that this amendment fixes a loophole that was created by the FISA court in its November 2011 decision that is now in the public arena. The amendment clarifies that the government can only use selectors to collect information to or from the target of an authorized investigation. Under the current law, as blessed by the FISA court, NSA is using 702 authority to collect communications that are to, from, or even about a foreign intelligence target so long as these communications are believed not to be wholly between U.S. persons. Now, the USA Freedom Act did not address this loophole, and actually the original PATRIOT Act did not either, this is a court-constructed document, but it allows false positives, and intentional use of vague about criteria could be used to lead to massive collection of U.S. persons’ communication. This amendment would prevent that adverse outcome by limiting the selectors to target and collect communications only when one of the parties to that communication is the target of an authorized investigation.

Sensenbrenner’s response was, at first, on point, claiming that the prohibition targeting that has reverse targeting as a purpose of the acquisition at all.

But then he went into this language about Section 215, a totally different part of FISA.

Sensenbrenner: Say there is a section 215 order that is aimed at a target, it goes two hops and on the second hop, there is a U.S. person who is not at the time of the second hop a target of an authorized investigation. What this amendment does is limits adding that person to a target of an authorized investigation and going the two hops from that. Now, a lot of these conspiracies are more than two hops. But I don’t think that if there is a reasonable suspicion that if it goes for more than two hops that we ought to preclude, finding out who those people are talking to in the furtherance of their plot.

In it, he seemed to say that NSA must be able to declare US person selection terms new RAS approved seeds without having enough evidence to declare them a target of an investigation. But in the process, he seemed to envision derivative seeds, the addition of new US person seeds off of existing contact chains.

Which sounds a lot like the old alert process that FISC ruled improper in 2009 (although this would presumably require a new FISC review).

My theory about the dragnet may explain a bit more about why Sensenbrenner seemed to offer such an inapt argument against Lofgren’s memo (and why Lofgren’s warnings that upstream collection can easily become the new dragnet).

But for the moment, note that Sensenbrenner at least seems to envision the 2 hops permitted by his bill could, in turn, become two more hops without any more reasonable basis for suspicion.

About HR 3361, the NSA Surveillance Efficiency Act, AKA USA Freedom Act

The House Intelligence Committee passed a bill out of its committee Thursday, HR 3361, that will reportedly solve a problem (or problems) the NSA has been struggling with since 2009. The bill will now move to the full House for a vote.

The public — and surely a great majority of members of Congress — have no idea precisely what problem this bill will solve: planted leaks suggest it has to do with difficulties dealing with cell phone records, perhaps because they include location data. If that is part of the problem, then it’s a fairly recent development, perhaps arising after US v. Jones raised new concerns about the legality of collecting location data without a warrant. There’s also the presumably-related issue of an automated query function; NSA has been struggling to resume that function since its alert function got shut down as a legal violation in 2009. The ability to tie multiple identities from the same person together as NSA runs those alerts may be a related issue.

The bill has not been reported as a fix for NSA’s long-term legal and technical struggles (though LAT’s Ken Dilanian has asked why civil liberties groups are so happy about this given that it will expose more data to NSA collection). Rather, it has been called the USA Freedom Act and reported as a reform of the phone dragnet program, a successful effort to “end” “bulk collection.”

The bill does have the critically important effect of ending the government’s practice of collecting and storing some significant portion of all US call records, beyond whatever US person call records it collects overseas. That, by itself, is the equivalent of defusing a nuclear bomb. It is a very important improvement on the status quo.

It remains entirely unclear — and unexamined, as far as I can tell — whether the bill will increase or decrease the number of entirely innocent Americans who will be subjected to the full range of NSA’s analytical tradecraft because they got swept up based on the guilt by association principle behind contact-chaining, or whether the bill will actually expose more kinds of US person records to the scrutiny of the NSA.

The bill the press is calling USA Freedom Act may also — though we don’t know this either — have the salutary benefit of changing the way the NSA currently collects data under other Section 215, Pen Register, and NSL collection efforts.  The bill requires that all Section 215 (both call record and otherwise), Pen Register, and NSL queries be based on a specific selection term that remains vaguely defined (a definition the House Intelligence Committee considered eliminating before Thursday’s hearing). But it remains unclear how much that rule — even ignoring questions about the definition — will limit any current practices. At Wednesday’s hearing Bob Goodlatte said the bill “preserves the individual use of Section 215 under the existing relevancy standard for all business records,” and at least for several NSL authorities, the new “restrictions” almost certainly present no change (and another NSL authority, the Right to Financial Privacy Act, uses the same “entity” language the bill definition does, suggesting it is unlikely to change either). Plus, at least according to DOJ’s public claims and court filings, it ended the bulk domestic collection under PRTT in 2011. So the language “ending” “bulk collection” may do no more than make it harder for FBI to construct its own phone books of phone company and ISP subscribers using NSLs, if it does even that.

What the bill doesn’t do — because this part of the bill was stripped as part of the compromise — is provide the Intelligence Community’s oversight committees detailed reports of what kind of records the government obtains under Section 215 (and for what agencies), and how many Americans are subject to all the FISA authorities, including Section 215. That is, the compromise eliminated the one thing that could measure whether the bill really did “end” “bulk collection” as you or I would understand it. In its stead, the bill largely codifies an existing reporting agreement that AT&T has already demonstrated to be completely deceptive. In Wednesday’s hearing, Zoe Lofgren called provider reporting “the canary in the coal mine” the committee would rely on to understand what collection occurred.

So this bill that “ends” “bulk collection” still prevents us, or even the oversight committees working in our name, from learning whether it does so.

It does, however, have some interesting features, given its other purpose of solving one or more challenges facing the NSA.

The first of those is immunity.

No cause of action shall lie in any court against a person who produces tangible things or provides information, facilities, or technical assistance pursuant to an  order issued or an emergency production required under this section. 

This is another part of the bill the underlying reasons for which the public, and probably much of Congress, doesn’t understand. At one level, it seems to immunize the process that may have telecoms playing a role the NSA previously did, analyzing the data; it may also pertain to providing NSA access to the telecoms’ physical facilities. But given the background to the move to telecoms — NSA’s legal-technical problems dealing with cell phone data because it ties to location — it is possible the immunity gives the telecoms protection if they use but don’t turn over data they have already, such as location data or even Internet metadata, to perform the interim analysis.

Consider how the bill describes the call record query process.

[T]he Government  may require the production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using the results of the production under subclause (I) as the basis for production;

So a 2-hop query goes from a “specific selection term” to “the results of the production” to the “call detail record” handed over to the government. While the definition of call detail records clearly prohibits the final production to the government of either content or cell location, nothing in this process description prevents the telecoms from using such things (most Internet metadata is legally content to the telecoms) in that interim hop; indeed, the “results of the production under subclause (I)” available to the telecoms almost certainly would include some of this information, particularly for smart phones. We know the Hemisphere program (the AT&T-specific program for the DEA) uses cell location in its analysis. Remember, too, how NSA is gobbling up smart phone data (including things like address books) in overseas programs; this may permit analysis of similar data — if not collection of it — domestically.  So at the very least, this scheme seems to give the NSA access to cell location and possibly a whole lot more data for analysis they otherwise couldn’t get (which David Sanger’s sources confirm).

And consider two more details from Wednesday’s House Judiciary hearing. At it, Lofgren repeated a list of business records the government might obtain under Section 215 she got Deputy Attorney General James Cole to confirm at an earlier hearing. It includes:

  • ATM photos
  • location where phone calls made
  • credit card transactions
  • cookies
  • Internet searches
  • pictures captured by CCTV cameras

So long as the word “entity” in the definition of specific selection term remains undefined, so long as FISC precedents permit the tapping of entire circuits in the name of collecting on an entity, the government may still be able to collect massive amounts of this data, not actually targeted at a suspect but rather something defined as an entity (in both the existing 215 program and the new call records one, the bill retains the “relevant to” language that has been blown up beyond meaning).

Finally, consider what happened with Lofgren’s last attempted amendment. After having submitted a number of other failed amendments, Lofgren submitted an amendment to fix what she called an inadvertent error in the manager’s amendment specifically prohibiting the collection of content under Section 215.

I believe this amendment fixes — at least I hope — an error that was created in the manager’s amendment that I cannot believe was intended. As you know we have specified that the content is not included in business records. This amendment clarifies that business records do not include the content of communication. We specify that in the new section about call detail records, but the specification that content was not included somehow got dropped out of the business records section. It was included in your original bill but it didn’t make it into the manager’s amendment. I think this amendment clarifies the ambiguity that could be created and I hope it was not intentional.

This is a problem I pointed out here.

Almost without missing a beat after she introduced this, Jim Sensenbrenner recessed the hearing, citing votes. While there were, in fact, votes, Luis Pierluisi (who cast the decisive vote in favor of an amendment to redefine counterintelligence) and possibly Lofgren got a lecture at the break about how any such amendments might blow up the deal the Committee had with Mike Rogers and HPSCI. After the break, Lofgren withdrew the amendment, expressing hope it could be treated as a clerical fix.

That purported error was not fixed before HPSCI (which explicitly permitted the collection of content under its bill) voted out the bill.

Perhaps it will be “fixed” before it comes to the floor.

But if it doesn’t, it may expand (or, given Lofgren’s stated concerns about what records Section 215 might cover, sustain) the use of Section 215 to collect content, not just metadata. Imagine the possibility this gets yoked to expanded analysis at telecoms under the new CDR program?

We don’t know. This bill has gotten past two committees of Congress (we didn’t get to see any of the debate at HPSCI) without these details becoming clear. But when you consider this bill as the fix to one or more problems the NSA has been struggling with, it does raise real questions.

Again, I don’t want to make light of the one thing we know this bill will do — take a database showing all phone-based relationships in the country out of NSA’s hands. That eliminates an intolerably risky program. That is an important fix.

But that shouldn’t lead us to ignore the potential expansion of spying that may come with this bill.

DOJ Says You Can’t Know If They’ve Used the Dragnet Against You … But FISC Says They’re Wrong

As I noted the other day in yet another post showing why investigations into intelligence failures leading up to the Boston Marathon attack must include NSA, the government outright refuses to tell Dzhokhar Tsarnaev whether it will introduce evidence obtained using Section 215 at trial.

Tsarnaev’s further request that this Court order the government to provide notice of its intent to use information regarding the “. . . collection and examination of telephone and computer records pursuant to Section 215 . . .” that he speculates was obtained pursuant to FISA should also be rejected. Section 215 of Pub. L. 107-56, conventionally known as the USA PATRIOT Act of 2001, is codified in 50 U.S.C. § 1861, and controls the acquisition of certain business records by the government for foreign intelligence and international terrorism investigations. It does not contain a provision that requires notice to a defendant of the use of information obtained pursuant to that section or derived therefrom. Nor do the notice provisions of 50 U.S.C. §§ 1806(c), 1825(d), and 1881e apply to 50 U.S.C § 1861. Therefore, even assuming for the sake of argument that the government possesses such evidence and intends to use it at trial, Tsarnaev is not entitled to receive the notice he requests.

This should concern every American whose call records are likely to be in that database, because the government can derive prosecutions — which may not even directly relate to terrorism — using the digital stop-and-frisk standard used in the dragnet, and never tell you they did so.

Note, too, Dzhokhar’s lawyers are  not just asking for phone records, but also computer records collected using Section 215, something Zoe Lofgren has made clear can be obtained under the provision.

And in the case in which Dzhokhar’s college buddies are accused of trying to hide his computer and some firecracker explosives, prosecutors profess to be unable to provide any of the text messages Dzhokhar sent after his last text to them. That stance seems to pretend they couldn’t get at least the metadata from those texts from the phone dragnet.

The government, then, claims that defendants can’t have access to data collected using Section 215. They base that claim on the absence of any language in the Section 215 statute, akin to that found in FISA content collection statutes, providing for formal notice to defendants.

But at least in the case of the phone dragnet, that stance appears to put them in violation of the dragnet minimization procedures. That’s because since at least September 3, 2009 and continuing through the last dragnet order released (note, ODNI seems to be taking their time on releasing the March 28 order),  the minimization procedures have explicitly provided a way to make the query results available for discovery. Here’s the language from 2009.

Notwithstanding the above requirements, NSA may share information derived from the BR metadata, including U.S. person identifying information, with Executive Branch personnel in order to enable them to determine whether the information contains exculpatory or impeachment information or is otherwise discoverable in legal proceedings.

The government routinely points to these very same minimization procedures to explain why it can’t provide information to Congress or other entities. But if the minimization procedures trump other statutes to justify withholding information, surely they must have the weight of law for disclosure to criminal defendants. And all that’s before you consider the Brady and Constitutional reasons that should trump the government’s interpretation as well.

Using the formulation the government always uses when making claims about the dragnet’s legality, on at least 21 occasions, FISC judges have envisioned discovery to be part of the minimization procedures with which the government must comply. At least 7 judges have premised their approval of the dragnet, in part, on the possibility exculpatory information may be shared in discovery.

Now, there is a limit to the discovery envisioned by these 21 FISA orders; this discovery language, in the most recently published order, reads:

Notwithstanding the above requirements, NSA may share results from intelligence analysis queries of the BR metadata, including U.S. person identifying information, with Executive Branch personnel (1) in order to enable them to determine whether the information contains exculpatory or impeachment information or is otherwise discoverable in legal proceedings …

That is, this discovery language only includes the “results from intelligence analysis queries.” It doesn’t permit new queries of the entire database, a point the government makes over and over. But in the case of the Marathon bombing, we know the queries have been run, because Executive Branch officials have been bragging about the queries they did after the bombing that gave them “peace of mind.”

Those query results are there, and the FISC judges explicitly envisioned the queries to be discoverable. And yet the government, in defiance of the minimization procedures it claims are sacred, refuses to comply.

The Schneier Briefing: Some Observations

6 Congresspersons and a security researcher walk into an unsecure room. … And that’s the best briefing they can get on some of the things NSA might be doing.

This morning I spent an hour in a closed room with six Members of Congress: Rep. Lofgren, Rep. Sensenbrenner, Rep. [Bobby] Scott, Rep. Goodlatte, Rep. [Mike] Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn’t forthcoming about their activities, and they wanted me — as someone with access to the Snowden documents — to explain to them what the NSA was doing. Of course I’m not going to give details on the meeting, except to say that it was candid and interesting. And that it’s extremely freaky that Congress has such a difficult time getting information out of the NSA that they have to ask me. I really want oversight to work better in this country.

I’m as intrigued by the make-up of the group as I am by the fact they needed to do this.

Schneier makes it clear that Lofgren — who is not only a strong supporter of civil liberties, but also happens to represent Silicon Valley — set up the briefing. In addition to her House Judiciary Committee colleagues Sensenbrenner, Scott, and Goodlatte, she invited Amash (who’s not on the Committee but a loud defender of civil liberties — thanks, my Rep!), and N and E Bay Area Democratic colleague Mike Thompson, who’s not a member of the Committee either, but is a member of the Intelligence Committee.

As I’ve noted, Goodlatte is not a named sponsor of USA Freedom; neither is Thompson (though Schneier describes them as all people who want to “rein in the NSA”).

And yet these are the individuals whom Lofgren chose to bring to this briefing.

Schneier, of course, is not focused on the actual spying that NSA is doing, but on the corruption of encryption, a threat to the business model of Lofgren’s district. [See Saul’s well-taken correction here.]

Also note, while I’ve got real worries about some opponents to reining in the NSA in the Senate, I do think people are not considering the significance of the House Judiciary Chair, who voted against Amash-Conyers, increasingly complaining about the NSA.

I’m not sure what the best way is to stop the NSA from making us all less safe (especially since NSA has apparently not even told HPSCI members what they’re doing). But I gather that Lofgren is trying to figure out a way to do so.

DOJ Did Not Fulfill Legally Required Disclosure on Section 215 to Congress Until After PATRIOT Reauthorization

In the Guardian’s superb summary of the importance of the NSA leaks, Zoe Lofgren challenges the claims that Congress has received all the documents NSA claims it has gotten.

I do serve on the Judiciary Committee and various statements have been made that the Judiciary Committee members were told about all of this and those statements are untrue, not the facts, we have not been provided the documents that the Agency said that we were.

At a Privacy and Civil Liberties Oversight Board hearing today, NSA General Counsel Raj De and ODNI General Counsel Robert Litt both repeated such claims (these are from my notes on twitter; I’ll check my transcription later). De said that Section 215 “had all indicia of official legitimacy” which in part came because it was “twice reauthorized by Congress with full information from exec.” And Litt said they are “by statute required to provide copies [of FISC documents] to both houses. They got materials relating to this [Section 215] program.”

Obviously, we know De is wrong, and he must know it, because a sufficiently large block of Congressmen never had the opportunity to read the Executive’s official notice to make the difference in the 2011 reauthorization. His statement is a clear lie.

But I’m just as interested in Litt’s claim (which would rely on notice to the Judiciary and Intelligence Committees).

This most recent I Con dump provides some evidence that illuminates Lofgren’s implicit dispute of Litt’s claims. Remember this paragraph, which is one of the most specific claims about what notice the Administration gave to Congress about using Section 215 to authorize the phone dragnet.

Moreover, in early 2007, the Department of Justice began providing all significant FISC pleadings and orders related to this [Section 215] program to the Senate and House Intelligence and Judiciary committees. By December 2008, all four committees had received the initial application and primary order authorizing the telephony metadata collection. Thereafter, all pleadings and orders reflecting significant legal developments regarding the program were produced to all four committees.

As I noted in this post, the specific language (in bold) regarding the first, May 2006, authorization of the phone dragnet at least suggested, in this context, there wasn’t an opinion at all, as did a lot more evidence. But recent reporting strongly suggests there was (see this post where I argue this is likely the phone dragnet opinion).

Government lawyers have told the ACLU that they are withholding at least two significant FISC opinions — one from 2008 and one from 2010 — relating to the Patriot Act’s Section 215, or “business records” provision.

This would seem to indicate that Congress was not provided the original 2006 opinion (as distinct from the application and primary order) “by December 2008.”

With that in mind, consider this document released by the I Con, an August 16, 2010 memo from Office of Legislative Affairs Assistant Attorney General Ronald Weich to the Chairs of the Judiciary and Intelligence Committees.

Pursuant to section 1871 of United States Code Title 50, we are providing the Committees with copies of the remaining decisions, orders, or opinions issued by the Foreign Intelligence Surveillance Court, and pleadings, applications, or memoranda of law associated therewith, that contain significant constructions or interpretations of any provision of FISA during the five-year period ending July 10, 2008. See 50 U.S.C. § 1871(c)(2). We have provided similar materials for the same time period. 

Now remember, while ODNI made a big show of releasing these documents, they released them as part of the ACLU’s FOIA for documents on Section 215 and all the documents released pertain to Section 215. I Con describes the memo as referring to “several documents to the Congressional Intelligence and Judiciary Committees relating to NSA collection of bulk telephony metadata under Section 501 of the FISA, as amended by Section 215 of the USA PATRIOT Act,” confirming they pertain to Section 215.

The Patriot Act was reauthorized in February 2010.

At a minimum, this suggests the White Paper provided in August may have been highly misleading. When it said “Thereafter, all pleadings and orders reflecting significant legal developments regarding the program were produced to all four committees,” it did not mean that by December 2008, the four oversight committees had all the significant opinions in hand. Even assuming the Weich brief was correct, which Lofgren’s comment suggests it might not be, they didn’t get around to handing over opinions pertaining to Section 215 going back to July 10, 2003 until August 2010. That period — July 10, 2003 to July 10, 2008 — would cover both the July 2004 Colleen Kollar-Kotelly opinion authorizing using the Pen Register/Trap and Trace to collect Internet metadata, and the May 2006 opinion authorizing the phone dragnet. While we don’t know that the Kollar-Kotelly opinion was withheld until 2010, the language of the White Paper (which suggests the opinion itself was not provided) strongly suggests the May 2006 one was.

The law requiring such disclosure, 50 U.S.C. § 1871(c)(2), was part of the FISA Amendments Act, so had been in place for a full year by the time the PATRIOT Act reauthorization got started, yet DOJ didn’t get around to complying with it until 2 years after the law passed. And the law specifically requires disclosure of both the PR/T&T and the Section 215 authorities.

The possibility that DOJ did not turn over the original phone dragnet opinion is utterly damning given David Kris’ suggestion that the initial approval of the phone dragnet — the 2006 opinion — may have been erroneous.

More broadly, it is important to consider the context in which the FISA Court initially approved the bulk collection. Unverified media reports (discussed above) state that bulk telephony metadata collection was occurring before May 2006; even if that is not the case, perhaps such collection could have occurred at that time based on voluntary cooperation from the telecommunications providers. If so, the practical question before the FISC in 2006 was not whether the collection should occur, but whether it should occur under judicial standards and supervision, or unilaterally under the authority of the Executive Branch.

[snip]

The briefings and other historical evidence raise the question whether Congress’s repeated reauthorization of the tangible things provision effectively incorporates the FISC’s interpretation of the law, at least as to the authorized scope of collection, such that even if it had been erroneous when first issued, it is now—by definition—correct.

David Kris at least entertains the possibility that the original May 2006 opinion was “erroneous,” but points to Congress’ reauthorization of the PATRIOT Act to claim it had incorporated FISC’s interpretation of the law.

But now we know that DOJ did not provide all of FISC’s significant opinions pertaining to Section 215 to the key oversight committees until August 16, 2010, over two years after they were obligated to do so — and the plain language of the White Paper strongly suggests that DOJ did not provide the key May 2006 opinion to the oversight committees.

This doesn’t yet prove that DOJ withheld the May 2006 opinion that Kris suggests might be “erroneous” until after Congress reauthorized the PATRIOT Act. But it strongly suggests that is the case.

Update: PATRIOT Act Reauthorization line moved per Anonster’s suggestion.

Update: Added the language I Con used to describe the documents handed over in August 2010.

Amash-Conyers Fails 205-217

In one of the closest votes in a long time for civil liberties, the Amash-Conyers amendment just failed, but only barely, by a vote of 205-217.

The debate was lively, with Mike Rogers, Michele Bachmann, and Iraq veteran Tom Cotton speaking against the amendment; Amash closely managed time to include a broad mix of Democrats and Republicans.

The only nasty point of the debate came when Mike Rogers (R-MI) suggested Justin Amash (R-MI) was leading this charge for Facebook likes.

Update: Here’s the roll call.

In These Times We Can’t Blindly Trust Government to Respect Freedom of Association

One of my friends, who works in a strategic role at American Federation of Teachers, is Iranian-American. I asked him a few weeks ago whom he called in Iran; if I remember correctly (I’ve been asking a lot of Iranian-Americans whom they call in Iran) he said it was mostly his grandmother, who’s not a member of the Republican Guard or even close. Still, according to the statement that Dianne Feinstein had confirmed by NSA Director Keith Alexander, calls “related to Iran” are fair game for queries of the dragnet database of all Americans’ phone metadata.

Chances are slim that my friend’s calls to his grandmother are among the 300 identifiers the NSA queried last year, unless (as is possible) they monitored all calls to Iran. But nothing in the program seems to prohibit it, particularly given the government’s absurdly broad definitions of “related to” for issues of surveillance and its bizarre adoption of a terrorist program to surveil another nation-state. And if someone chose to query on my friend’s calls to his grandmother, using the two-degrees-of-separation query they have used in the past would give the government — not always the best friend of teachers unions — a pretty interesting picture of whom the AFT was partnering with and what it had planned.

In other words, nothing in the law or the known minimization rules of the Business Records provision would seem to protect some of the AFT’s organizational secrets just because they happen to employ someone whose grandmother is in Iran. That’s not the only obvious way labor discussions might come under scrutiny; Colombian human rights organizers with tangential ties to FARC are just one other example.

When I read labor organizer Louis Nayman’s “defense of PRISM,” it became clear he’s not aware of many details of the programs he defended. Just as an example, Nayman misstated this claim:

According to NSA officials, the surveillance in question has prevented at least 50 planned terror attacks against Americans, including bombings of the New York City subway system and the New York Stock Exchange. While such assertions from government officials are difficult to verify independently, the lack of attacks during the long stretch between 9/11 and the Boston Marathon bombings speaks for itself.

Keith Alexander didn’t say NSA’s use of Section 702 and Section 215 have thwarted 50 planned attacks against Americans; those 50 were in the US and overseas. He said only around 10 of those plots were in the United States. That works out to be less than 20% of the attacks thwarted in the US just between January 2009 and October 2012 (though these programs have existed for a much longer period of time, so the percentage must be even lower). And there are problems with three of the four cases publicly claimed by the government — from false positives and more important tips in the Najibullah Zazi case, missing details of the belated arrest of David Headley, to bogus claims that Khalid Ouazzani ever planned to attack NYSE. The sole story that has stood up to scrutiny is some guys who tried to send less than $10,000 to al-Shabaab.

While that doesn’t mean the NSA surveillance programs played no role, it does mean that the government’s assertions of efficacy (at least as it pertains to terrorism) have proven to be overblown.

Yet from that, Nayman concludes these programs have “been effective in keeping us safe” (given Nayman’s conflation of US and overseas, I wonder how families of the 166 Indians Headley had a hand in killing feel about that) and defends giving the government legal access (whether they’ve used it or not) to — among other things — metadata identifying the strategic partners of labor unions with little question.

And details about the success of the program are not the only statements made by top National Security officials that have proven inaccurate or overblown. That’s why Nayman would be far better off relying on Mark Udall and Ron Wyden as sources for whether or not the government can read US person emails without probable cause than misstating what HBO Director David Simon has said (Simon said that entirely domestic communications require probable cause, which is generally but not always true). And not just because the Senators are actually read into these programs. After the Senators noted that Keith Alexander had “portray[ed] protections for Americans’ privacy as being significantly stronger than they actually are” — specifically as it relates to what the government can do with US person communications collected “incidentally” to a target — Alexander withdrew his claims.

Nayman says, “As people who believe in government, we cannot simply assume that officials are abusing their lawfully granted responsibility and authority to defend our people from violence and harm.” I would respond that neither should we simply assume they’re not abusing their authority, particularly given evidence those officials have repeatedly misled us in the past.

Nayman then admits, “We should do all we can to assure proper oversight any time a surveillance program of any size and scope is launched.” But a big part of the problem with these programs is that the government has either not implemented or refused such oversight. Some holes in the oversight of the program are:

  • NSA has not said whether queries of the metadata dragnet database are electronically recorded; both SWIFT and a similar phone metadata program queries have been either sometimes or always oral, making them impossible to audit

Zoe Lofgren Didn’t Vote to Let Presidents Wage Unlimited War, But John Yoo Did

As a series of Presidents continue to claim the September 18, 2001 Authorization to Use Military Force authorizes fairly unlimited power on an unlimited battlefield, I keep coming back to this Tom Daschle op-ed, in which he described how Congress refused to extend the AUMF to US soil.

Just before the Senate acted on this compromise resolution, the White House sought one last change. Literally minutes before the Senate cast its vote, the administration sought to add the words “in the United States and” after “appropriate force” in the agreed-upon text. This last-minute change would have given the president broad authority to exercise expansive powers not just overseas — where we all understood he wanted authority to act — but right here in the United States, potentially against American citizens. I could see no justification for Congress to accede to this extraordinary request for additional authority. I refused.

The op-ed is, as far as I know, the only public statement describing how Congress narrowed a breathtakingly broad claim for military force.

Until Wednesday’s drone hearing, that is.

In response to a comment from John Bellinger that it was appropriate for the Executive Branch to refuse to share its OLC memos with Congress, Zoe Lofgren suggested (1:36 and following) the President was exceeding the terms of the AUMF (she comes very close to saying the President broke the law, but stops herself). She refers to — as Daschle did — negotiations leading up to the AUMF that actually did get passed.

Lofgren: If you take a look at the Authorization to Use Military Force, which all of us voted for — those of us who were here (there was only one no vote in the House) — it says “the President is authorized to use all necessary and appropriate force against those nations, organizations, or persons he determines planned, authorized, committed, or aided the terrorist attacks.” Now, are we to believe that everyone on this list was responsible for the 9/11 attack? I mean, is that the rationale?

Bellinger: No, you’re exactly right. All four of us agree with you that the 2001 AUMF, which was only about 60 words long — I was involved in drafting it literally almost on the back of an envelope while the World Trade Center was still smoldering — now is very long in the tooth. The good government solution, while extremely difficult and controversial, would be for Congress to work together with the Executive Branch to revise that AUMF. It’s completely unclear about what it covers, who it covers, where it covers.

Lofgren: If I may, I think it’s not as unclear as you suggest. There are — this was a limitation, and there were big arguments about it as you’re, I’m sure, aware, there was a prior draft that was much more expansive. There was a prior draft that was much more expansive and it was narrowed so we could get bipartisan consensus and it was narrowed for an important reason. And I guess I — yes, the Executive has the ability to keep his legal advice confidential, that’s a long-standing principle, but since it looks like — at least, questions are raised — as to whether the executive is complying with the law, then if he feels he is, then I feel it would be a very positive thing for the Administration to share that legal advice with this committee and with the American people.

DHS Inspector General Fluffs the Success of Secure Communities

Last Friday, DHS’ Inspector General released two reports purportedly written in response to an April 28, 2011 request from Zoe Lofgren to determine whether Immigration and Customs Enforcement and DHS more generally were lying about the Secure Communities program, and if so, if doing so was criminal.

As a threshold matter, the completion of two reports, rather than just the one, seems to be a bit of a smokescreen. Lofgren asked if government officials lied. In response, DHS’ IG decided to answer two questions:

  • Whether Secure Communities was effective in identifying criminal aliens and prioritizing cases for action
  • Whether ICE clearly communicated to stakeholders the intent of Secure Communities and the expectation of States’ and local jurisdictions’ participation

In addition to reframing Lofgren’s question to avoid fully considering why people had misinformed Congress and localities (and also, given the scope of their work, to avoid inquiring whether DHS, rather than ICE, had decided to do so), DHS IG first decided to see whether Secure Communities was effective. According to the list of major contributors included with each report, with the sole exception of Communications Analyst Kelly Herberger, two entirely different teams conducted the reviews. The report that at least sort of responded to Lofgren’s questions was issued on March 27, whereas the non-responsive efficacy report was issued April 5, though both were apparently sent out Friday together. ICE responded to both reports on the same day–February 23, 2012–so it seems the different release dates come because the efficacy report was revised in some way (the date on the conveyance letter for the efficacy report is in a non-standard sans serif font, which sort of makes you wonder…).

In short, the submission of these two reports together stinks, though it presumably had the desired effect, as the NYT reported “mixed reviews” for Secure Communities. HuffPo and LAT were less compliant, focusing instead on the communications report.

That said, the purported “good” efficacy report doesn’t actually prove that Secure Communities is working all that well. Here’s the summary of their results:

We performed this audit to determine if Secure Communities was effective in identifying criminal aliens and if Immigration and Customs Enforcement appropriately prioritized cases for removal action.

Secure Communities was effective in identifying criminal aliens, and in most cases, ICE officers took enforcement actions according to agency enforcement policy. Under Secure Communities, the agency expanded its ability to identify criminal aliens in areas not covered by its other programs. In addition, it was able to identify criminal aliens earlier in the justice process, some of whom it would not have identified under other programs. Secure Communities was implemented at little or no additional cost to local law enforcement jurisdictions. Although ICE was able to identify and detain criminal aliens, field offices duplicated the research associated with their detention, and officers did not always sufficiently document their enforcement actions. To improve the transparency and thoroughness of its processes under Secure Communities, the agency needs to eliminate the duplication of research and ensure that officers fully document their actions.

One of the ways they quantify that success is with a claim that they had identified 692,000 “criminal aliens.”

According to ICE, as of September 30, 2011, it had spent most of the $750 million and identified more than 692,000 criminal aliens.

Now, the graphics they provide to back up this claim do show 692,788 “IDENT” matches in the last 3 fiscal years.

Never mind that the program has become less efficient over the years. In FY2009, ICE had 1,087 fingerprint matches for each activated jurisdiction; in FY2011 ICE had 372 matches. To some degree that’s expected–jurisdictions along the southern border joined in first–but it also suggests getting every jurisdiction in the country involved has diminishing returns.

More troubling, the report also reveals that some of the people–it doesn’t say how many–in IDENT are citizens.

Individuals with fingerprints in IDENT include persons with an immigration history, such as aliens who have been removed but have reentered the country, immigration visa applicants, legal permanent residents, naturalized citizens, and some U.S. citizens.
IDENT includes two categories of U.S. citizens:

  • Citizens who have adopted a child from abroad (which involves U.S. Citizenship and Immigration Services), participated in a trusted traveler program, or may have been fingerprinted by immigration officials for smuggling aliens or drugs across U.S. borders;
  • Individuals who were not citizens at the time that their fingerprints were collected, but subsequently became citizens through naturalization, legal permanent residency, or immigration.

So if you’ve adopted a kid from China? You’re in this database too.

The State Secret Protection Act

This will get dragged into court right away, even assuming Congressmen Conyers, Nadler, Delahunt, Petri and Congresswoman Lofgren can get it passed. Still, with Obama’s inexcusable support for Bush’s state secrets invocation the other day, there’s no time like the present to really push this bill, which would establish a CIPA-like process to allow the admission of evidence over which the executive has invoked State Secrets. (via email)

Congressmembers Jerrold Nadler (NY-08), Chair of the Judiciary Subcommittee on the Constitution, Civil Rights and Civil Liberties, Thomas Petri (WI-6), House Judiciary Chairman John Conyers, Jr. (MI-14), Bill Delahunt (MA-10) and Zoe Lofgren (CA-16) today reintroduced legislation that would ensure meaningful judicial determination of the state secrets privilege. The bi-partisan State Secret Protection Act of 2009 would curb abuse of the privilege while providing protection for valid state secrets.

"The Administration’s decision this week to adopt its predecessor’s argument that the state secret privilege requires the outright dismissal of a case challenging rendition to torture was a step in the wrong direction and a reminder that legislation is required to ensure meaningful review of the state secret privilege," said Rep. Nadler. "This important bill recognizes that protecting sensitive information is an important responsibility for any administration and requires that courts protect legitimate state secrets while preventing the premature and sweeping dismissal of entire cases. The right to have one’s day in court is fundamental to protecting basic civil liberties and it must not be sacrificed to overbroad claims of secrecy."

Rep. Petri commented, "Imagine the government locks you up but says you can’t see the evidence for reasons of national security. I’m sure there are cases where national security is truly at risk, and that information must be protected. But we shouldn’t have to simply take the executive branch’s word for it. Shouldn’t an independent, responsible party apart from the executive branch review the material to determine when and how national security really necessitates restricting the use of sensitive material? The answer is, quite obviously, yes. We have a procedure for criminal cases, and we need one for civil cases as well."

"National security and the search for justice are not mutually exclusive," said Rep. Zoe Lofgren. "By allowing a neutral arbiter to evaluate assertions of the state secret privilege with appropriate safeguards to protect national security information, the State Secret Protection Act strikes the appropriate balance between protecting our national security and protecting the rights of citizens."
