The Dead-Enders Insist Their Illegal Dragnet Was and Is Not One

As I noted in my last post, seven Bush dead-enders plus KS Representative and House Intelligence member Mike Pompeo wrote a letter to … someone … pushing back against the RNC condemnation of the NSA dragnet. As I noted in that post, along with waggling their collective national security experience, the dead-enders used the same old stale tricks to deny that the dragnet surveils US person content.

The stale tricks, by now, are uninteresting. I find the list of the dead-enders (Eli Lake fleshed it out here) more so.

Here’s the list of the dead-enders:

  • Michael Hayden (NSA Director until 2005, DDNI 2005-2006, CIA Director 2006-2009)
  • Mike Mukasey (AG 2007-2008)
  • Michael Chertoff (DOJ Criminal AAG 2001-2003, DHS Secretary 2005-2009)
  • Stewart Baker (Assistant DHS Secretary 2005-2009)
  • Steven Bradbury (Acting OLC head 2005-2009)
  • Eric Edelman (National Security lackey in OVP 2001-2003, Undersecretary of Defense for Policy 2005-2009)
  • Ken Wainstein (AAG for National Security 2006-2008, White House CT Czar 2008-2009)

Some of these we expect. Michael Hayden and Stewart Baker have been two of the main cheerleaders for NSA since the start of Snowden’s leaks, and Michael Chertoff’s firm (at which Hayden works) seems to be working under some kind of incentive to have as many of its top people defend the dragnet as well. Further, both Bradbury and Wainstein have testified to various entities along the way.

So in some senses, it’s the usual gang of dead-enders.

But I find the collection of Michael Mukasey, Bradbury, and Wainstein, to be particularly interesting.

After all, they’re the 3 names (and in Mukasey’s case, authorizing signature) on this memo, which on January 3, 2008 authorized NSA to contact chain Internet (and phone) “metadata” of Americans collected via a variety of means, including FISA, broadly defined, which would include Protect America Act, and EO 12333 and potentially other means — but let’s just assume it was collected legally, Bradbury and Wainstein say twice in the memo.

They implemented this change, in part, to make it easier to share “United States communications metadata” outside of the NSA, including with CIA, by name (though CIA made that request in 2004, before Hayden had moved over to CIA).

When implementing the change, they defined Internet “metadata” this way:

b) For electronic communications, “metadata” includes the information appearing on the “to,” “from,” “cc,” and “bcc” lines of a standard e-mail or other electronic communication. For e-mail communications, the “from” line contains the e-mail address of the sender, and the “to,” “cc,” and “bcc” lines contain the e-mail addresses of the recipients. “Metadata” also means (1) information about the Internet-protocol (IP) address of the computer from which an e-mail or other electronic communication was sent and, depending on the circumstances, the IP address of routers and servers on the Internet that have handled the communication during transmission; (2) the exchange of an IP address and e-mail address that occurs when a user logs into a web-based e-mail service; and (3) for certain logins to web-based e-mail accounts, inbox metadata that is transmitted to the user upon accessing the account. “Metadata” associated with electronic communications does not include information from the “subject” or “re” line of an e-mail or information from the body of an e-mail.

It includes IP (both sender and recipient, as well as interim), email address, inbox metadata which has reported to include content as well.

But let’s take a step back and remember some timing.

In 2004 DOJ tried to clean up NSA’s Internet metadata problem which legally implicated Michael Hayden directly (because he personally continued it after such time as DOJ said it was not legal). The solution was to get Colleen Kollar-Kotelly sign an opinion (dated July 14, 2004) approving the Internet collection as a Pen Register/Trap and Trace order. But she limited what categories of “metadata” could be collected, almost certainly to ensure the metadata in question was actually metadata to the telecoms collecting it.

Before the very first order expired — so before October 12, 2004 — the NSA already started breaking those rules. When they disclosed that violation, they provided some of the same excuses as when they disclosed the phone dragnet violations in 2009: that the people who knew the rules didn’t communicate them adequately to the people implementing the rules (see page 10ff of this order). As part of those disclosures, however, they falsely represented to the FISC that they had only collected the categories of “metadata” Kollar-Kotelly had approved.

The Court had specifically directed the government to explain whether this unauthorized collection involved the acquisition of information other than the approved Categories [redacted] Order at 7. In response, the Deputy Secretary of Defense [Paul Wolfowitz] stated that the “Director of NSA [Michael Hayden] has informed me that at no time did NSA collect any category of information … other than the [redacted] categories of meta data” approved in the [redacted] Opinion, but also note that NSA’s Inspector General [Joel Brenner] had not completed his assessment of this issue. [redacted] Decl. at 21.13 As discussed below, this assurance turned out to be untrue.

13 At a hearing on [redacted] Judge Kollar-Kotelly referred to this portion of the Deputy Secretary’s declaration and asked: “Can we conclude that there wasn’t content here?” [redacted] of NSA, replied, “There is not the physical possibility of our having [redacted] [my emphasis]

We don’t know precisely what were the categories NSA had collected in defiance of Kollar-Kotelly’s orders. But Julian Sanchez laid out why they’d be important in this post, in which he noted that because of the layered structure of the Internet, what is “metadata” for one layer of the Internet is legally content to another.

The crucial point here is that the detailed “metadata” for a particular Internet communication, past the IP layer, typically wouldn’t be processed or stored by the ISP in the way that phone numbers and other call data is stored by the phone company. From the ISP’s perspective, all of that stuff is content. Depending on the particular communication, those further layers of metadata might be stored as business records by some other “third party” service provider, like Google—or they might not.

Either way, the acquisition of “metadata” other than IP addresses from an ISP or off the backbone is pretty clearly dissimilar from the collection of call data at issue in Smith in every important respect. It is not information conveyed to the Internet provider for the purpose of routing the communication; it is routing information conveyed through the provider just like any other content.

As the redacted exchange from John Bates’ 2010 order above makes clear, the NSA told Kollar-Kotelly they were in compliance with the categories she laid out. She asked them specifically if they had collected content (which almost certainly refers to routing information that would not be metadata to the telecoms collecting it), and they assured her, at least twice, they weren’t.

As Reggie Walton and John Bates would discover sometime around October 2009, not only had NSA in fact been collecting routing information that legally qualified as content, but they never stopped doing so.

Notwithstanding this and many similar prior representations [made on the fall 2009 reauthorization] there in fact had been systemic overcollection since [redacted]. On [redacted] the government provided written notice of yet another form of substantial non-compliance discovered by NSA OGC on [redacted] this time involving the acquisition of information beyond the [redacted] authorized categories.


This overcollection, which had occurred continuously since the initial authorization in [redacted] included the acquisition of [long redaction]. [my emphasis]

In March 2004, DOJ told Michael Hayden and others that routing information was content. In July 2004, Colleen Kollar-Kotelly told Michael Hayden and others that certain routing information was content they could not legally collect. Before October 2004, NSA “discovered” they were collecting content still, but Michael Hayden personally lied about doing so (though Paul Wolfowitz is probably the one who passed that onto the Court).

Then, soon after Mukasey replaced Alberto Gonzales in 2007, Wainstein and Bradbury got him to approve contact-chaining of “metadata” that used a definition of “metadata” that almost certainly constituted content under the guidelines laid out by Kollar-Kotelly.

And Michael Mukasey signed their authorization letter, without asking for written clarity as to where the data came from or whether it complied with FISC’s rulings on metadata (Bradbury and Wainstein used largely the same argument about metadata that Kollar-Kotelly had done).

Now, it may well be what Mukasey authorized was at least partly legal (assuming the initial collection was legal, as Bradbury and Wainstein would like you to do). Collecting metadata from FISA authorized collection — whether via individual warrant, PAA order, or stored communication under a physical search — would seem to permit the collection of metadata that counted as content, since FISA warrants and orders are meant ti authorize the collection of content (there are reasons to believe NSA still collects a lot of metadata under FAA orders). But if it were domestic upstream collection — perhaps transit collection — it would amount to the illegal dissemination of domestically collected US person content, which Bates would go on to tell the government was illegal in 2010. And as I’ve noted repeatedly, later in 2008, FISA Amendments Act arguably made such collection overseas illegal, absent a warrant, as well.

When this document first came out, we didn’t know that FISC had told some of these same dead-enders that such collection — if collected domestically — was not legal. But it had, years earlier.

12 replies
  1. orionATL says:

    does this mean obama is refusing to seriously reform nsa and continues stonewalling admission of the illegality of its programs

    as a means of fulfilling his presidential promise/obligation not to expose the illegalities of a previous president (g.w.bush) ?

    as well, to protect himself and numetous of his admin officers from charges of illegality?

    in short, is the prez conducting a cover-up of his and bush’s illegalities ?

    is this what all the hoo-ha about terrorism and national security and snowden the traitor has been about since young snowden opened pandora’s last june –

    presidential/official legal liability ??

    with some congressional liability thrown in (ford) ?

  2. emptywheel says:

    @orionATL: Not sure. But I suspect his Internet stuff may be illegal, under this framework. But when he tried to proceed anyway (and threatened to expose the PRTT files) he was reminded that he too is breaking the rules.

  3. joanneleon says:

    The only thing she (Kollar-Kotelly) counts as content, not metadata, is the subject line and the body. She also mentions “inbox” data which is pretty interesting. What is that exactly? If it’s the inbox data you see when you use a web-based email service, that’s a whole file of metadata, exactly what NSA is looking for. (But not everyone uses web-based email, and it’s not complete because you can and do delete messages, but it might include draft messages which NSA might be interested in).

    Also, I think “routing information” has a specific meaning with email. It is the details of the various servers your email passed through in order to get to you, as in, the IP addresses (unlike the names of recipients like hard copy memo also known as routing information). When you do a TRACEROUTE command, you find out how a packet got to you – a list of IP addresses of the servers your packet passed through to get to you.

    Just to repeat some of what you and Julian Sanchez have said, and to add some bits that I know, thinking “aloud” here for myself as much as anyone else who might be interested:

    Email out on the internet is just a bunch of packets being passed from server to server until it reaches its destination. It doesn’t look like the neatly formatted thing you see when you open up your email. An email server and the client browser or email program (or webmail program & browser) displaying that email does all of that, collecting packets and assembling them into something that makes sense and looks nice.

    I guess what Sanchez is saying that since internet providers don’t charge you for every email or even necessarily keep track of how many emails you send, they don’t have the kind of transactional records that telecoms have for phone calls (and SMS text messages I guess, given that some of them charge for SMS messages). Back in the old days you might be charged for every phone call you made. Some business phone lines still get charged for every call, even local calls, or they did the last time I priced one out. And before the “anywhere in the US” plans became available you definitely got charged for long distance calls. But for emails, none of that kind of transactional level billing happens and records of the same never needed to be kept, so a customer didn’t have any expectation that there would be a transactional bill created for their emails, with billing data that they shouldn’t have any expectation of privacy for.

    So there’s that. It’s a really good point. But email servers can create that metadata, or the providers are storing it, I’m not sure which, because when you open up your inbox everything is sorted out in a transactional, metadata kind of way. I’ve never written any email server or client software so I’m not sure exactly where that metadata is created or stored. Google stores it though. We know from the news stories about the data center fiber lines being tapped that Google synchs up inbox and contact info for their gmail customers. Does NSA court order that information? As far as I know, they don’t.

    But what is that “inbox” data mentioned in the Kollar-Kotelly list of valid metadata items along with the to, from, etc? It sounds a lot like email metadata, just not for billing purposes.

    The issue of the upstream collection is the most interesting. That’s where they’d be grabbing individual packets as they fly by. A packet could contain any kind of internet request and corresponding content – part of an email message, an HTTP/S web server request, part of an FTP file transfer, or any other kind of packet that the standard protocols allow. The only thing the internet backbone cares about is getting it to the next IP address/hop. If you have to open up every packet to see what’s in it and then extract and construct the metadata from it, you’ve technically collected content and not only that, you’ve read it. But I’m not entirely sure whether internet providers who provide email accounts construct their own metadata or not. If I understood what Sanchez was saying, he says that providers (like Google) might construct email metadata and make things easy for the NSA by handing them a nicely formatted set of metadata for all the customers who have email accounts with them. That might cover a significant percentage of emails in the world, but it wouldn’t come close to providing metadata for all the email in the world or any country. Most businesses, for example, have their own email servers and their own internet hosting services.

    Anybody who owns a domain name has (or shares) IP addresses and they can choose the servers on which that internet traffic is processed, including email. I have some domain names and a business and I run my own email server on my hosted server. There’s no Verizon or Comcast doing our email or constructing any email metadata for emails to those domain names or at least not that I know of. So, as far as I know, if they are getting metadata from the email traffic on my email servers, somebody is constructing it, from somewhere. Now my internet hosting service provider has a provider of their own. I’m not sure who it is. It might be Verizon. They all do business internet services too. So maybe that’s how they’re doing it. Maybe AT&T, Verizon and other backbone providers do it. But if they do, I think the only reason they’d need to do that is for someone like the NSA or possibly a Big Data company because they wouldn’t need it for their own billing purposes. If they bill for traffic they bill for bytes transferred, not by the number of emails or that kind of thing. I don’t know of any other reason why those lower level providers would need email metadata.

    And then there are all the emails in the world being handled by providers who NSA can’t compel to construct and give them metadata. So they’d have to read those packets and construct it themselves. They can probably filter out IP addresses that they need to examine since IP addresses are assigned in blocks.

  4. joanneleon says:

    One more thing and I should know the answer to this but I don’t. In 2011, did they say that they stopped collecting email metadata altogether? So at this point, the only metadata they admit to collecting is telephone calls? Or are they still admittedly collecting all our email metadata and we just aren’t sure how they’re doing it?

  5. emptywheel says:

    @joanneleon: The list of metadata above is how Wainstein and Bradbury defined metadata. I’m arguing several things they count as metadata aren’t, according to K-K’s guidelines, for some of the reasons you say.

    The problem here arises — except where they’re getting data from Google, which is effectively getting a series of envelopes that have been opened up and laid out on a table (which is where you get the trace you were talking about — from the fact that the people who are supplying the data — either the telecoms or NSA taking signal directly — technically can’t get that info w/o opening up the packets. So, content.

  6. jerryy says:

    @joanneleon: The ISPs have been looking at the metadata for a long time… because, broadly speaking, of spam and net-neutrality-like issues.

    Your mail server often uses white-listing and black-listing to accept/deny emails, to do so requires knowing about the information in the header. As well as bounce-backs — files that have to be returned for whatever reason. Additionally, the spam filter at the ISP will look at the packets to see if any match varoius malware/virus definitions and the resulting file can be quarantined. If you go back through the various developmental RFCs, starting with probably RFC 522 which is the essence of the modern email delivery system, all of that metadata is there to make sure the internet delivery works, which required the participants knowing a lot about the information in the header in order to act on it and make sure the package got there or the sender found out it did not make it.

    What other folks do with it, welllllllll………..

  7. joanneleon says:

    @jerryy: Good point about the spam filters. They have to look at content for that because they (at least some) don’t just look at originating IP or email address, they also examine content, I’m pretty sure, with intelligent software to see if the emails fit a pattern.

    My hosting service allows me to whitelist and blacklist but that’s for all traffic, not just email.

    I’m not sure what the hosting service does and what their underlying service provider does too. Again, I run my own mail servers on my (virtual, I don’t have dedicated machines, don’t need them yet). So I don’t know who would be collecting metadata on the email packets coming in to my server. Perhaps my hosting service does. There are a number of utilities running as a package that the host installs and maintains as part of my service package. They might be scanning email packets coming into my server before my email server gets it.

  8. joanneleon says:

    @emptywheel: Thanks. Sorry if I’m still not understanding the information, but after 2011, what did they stop doing? Did they claim to have stopped collecting email metadata altogether? And has there been any information about text (SMS) metadata under FISA, other than the recent investigative journalism about what gets collected?

  9. What may be missing says:

    I’ve been pondering a massive fraud that didn’t get caught in the phone dragnet, the multimillion-dollar scam perpetrated by a former Army intelligence agent now serving a life sentence for raising $100 million dollars by pretending to benefit Navy veterans. The only known beneficiaries (most of the money was never recovered) were Republican candidates for office. “Bobby Thompson” – not his real name – claimed the group was a secret CIA operation. It remains a mystery why his fingerprints disappeared from the FBI database. What I’ve been wondering is whether the dragnets removal of common telemarketing numbers created an opening for this scam. And whether alternative systems might have caught it earlier. See Kris Hundley’s byline stories in Tampa Bay Times.

  10. What Constitution? says:

    I guess that, on the plus side, we can all be a little bit relieved that at least the group of complicit dead-enders signing on to this “nothing to see here” letter doesn’t openly include Woolsey — the guy who in 2007 took to the op-ed pages while at Booz to emphasize how important it would be to pass retroactive immunity for the illegal wiretaps being disclosed at that time by suggesting it would set a good precedent for reassuring US companies that they could comply without fear of liability “the next time” the government wanted to extract illegal cooperation from US companies. Yep. I guess we’ll be hearing from him again soon enough, though.

  11. LeMoyne says:

    Read the 2007 memo. None of it – neither the 4th, EO12333, FISA nor PR/TT – no restrictions apply because they already have the data. WTF?

    At least they are like the rest of us in that they forgot the attachments ;-)

    One might logically assume that attachments are content, but given that attachments sure aren’t in the body of the emails, and seeing the NSA attitude described by Drake and Binney that its all theirs until someone makes them stop…

    I was wondering what defines dead-ender and now that I see: *facepalm*

Comments are closed.