May 5, 2014 / by emptywheel

 

New “Freedom” Equals Less Protection for All But the Telecoms (Working Thread)

A number of people have expressed appreciation for this analysis: if you’re one of them, please consider donating to support my work. 

As a number of outlets are reporting, the House Judiciary Committee will mark-up a Manager’s Amendment to the USA Freedom Act on Wednesday.

This post will lay out what the changes are, as a working thread (updated as I read). But the short version is this: the Manager’s Amendment offers us mere shmoes less protection than the original bill did — particularly with regards to upstream and back door searches. But it does add “liability protection” and financial compensation to the providers that wasn’t in the original bill.

Call Records

The Manager’s Amendment  (MA) provides for 2-hop production from providers, akin to President Obama’s reform proposal. Such orders last for 180 days and can be extended. The Manager’s amendment explicitly limits such protection to international terrorism (which Obama’s reform was wishy-washy on). Correction: it has no such limitation. This would expand the use of the dragnet well beyond terrorism.

It includes really bizarre language on multiple hops:

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii)  as the basis for production;

(II) using the results of the production under subclause (I) as the  basis for production; and

(III) using the results of the  production under subclause (II) as the  basis for production;

The bill mandates 5 year destruction for call records — except for those that are relevant to an investigation.

(v) direct the Government to destroy all call detail records produced under the order not later than 5 years after the date of the production of such records, except for records that are relevant to an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to protect against international terrorism.

Remember, by FISC opinion, “relevant to” now means “anything even remotely possiby relevant to.” Given that meaning, pretty much all records turned over to the government can be kept forever; strictly by being turned over they’re already more relevant than the definition of relevant the NSA and DOJ currently use.

Other Section 215 Production

The MA tries to limit bulk production differently than USA Freedom did, by requiring the search on a specific selector. I’ll have to reflect on whether this will be more restrictive or open for abuse.

The MA takes out language permitting the FISC to review whether the government has complied with minimization procedures.

The MA provides immunity and compensation where the USA Freedom Act had not.

Inspector General Reports

The MA changes mandated Inspector General Reports from USA Freedom in two interesting ways. First, it only requires reports from 2012 through 2014, whereas the USA Freedom had required them throughout (that is, including 2010 and 2011). I’ll have more to say about this in the future. There’s good reason to believe, however, that there are things the government doesn’t want reviewed that happened in 2010, especially.

Furthermore, it doesn’t require these reports until December 31, 2015 — that is, after PATRIOT Act Reauthorization. The bill also extends the PATRIOT Reauthorization to 2017, so this report would come in before that, but would extend the authorities as a whole for 2 more years.

Finally, it takes out this language:

describe any noteworthy facts or circumstances relating to orders under such title

This would allow IGs to ignore details about the actual practice of these programs.

PRTT

As with business records, the MA limits bulk collection by requiring the use of a specific selector, not by prohibiting bulk collection.

Interestingly, it does permit the Judge to assess compliance with minimization procedures, unlike with call records.

Backdoor searches

Here’s the language USA Freedom used to limit back door searches.

(2) CLARIFICATION ON PROHIBITION ON SEARCHING OF COLLECTIONS OF COMMUNICATIONS
23 OF UNITED STATES PERSONS.—

(A) IN GENERAL.—Except as provided in subparagraph (B), no officer or employee of the United States may conduct a search of a collection of communications acquired under this section in an effort to find communications of a particular United States person (other than a corporation).

(B) CONCURRENT AUTHORIZATION AND EXCEPTION FOR EMERGENCY SITUATIONS.—

Subparagraph (A) shall not apply to a search for communications related to a particular
10 United States person if—

(i) such United States person is the subject of an order or emergency authorization authorizing electronic surveillance or physical search under section 105, 304, 703, 704, or 705, or title 18, United States Code, for the effective period of that order;

(ii) the entity carrying out the search has a reasonable belief that the life or safety of such United States person is
21 threatened and the information is sought for the purpose of assisting that person; or

(iii) such United States person has consented to the search.

Here’s the language the MA uses to prohibit back door searches (and I’m not even sure that’s what it does, as opposed to prevent the MCAT collection Bates declared illegal in 2011), which is part of the minimization procedures.

prohibit the use of any discrete, non-target communication that is determined to be to or from a United States person or a person who appears to be located in the United States, except to protect against an immediate threat to human life.

We know they use back door searches to identify which selectors to further investigate. Does this permit such a use?

In any case, I believe — though am not 100% certain — that the MA takes out any protection against back door searches (save for stronger language on reverse targeting that is similar to what USA Freedom had).

Section 702

The MA takes out language that would have prevented the use of upstream searches for cybersecurity, which I wrote about here.

Remember how RuppRoge had a clause prohibiting the government to store illegally collected data (which they lost in the drafting process).

The MA retains this to Section 702, which appears to prohibit the use of illegally collected data but actually newly permits it. [Update note: most of this was in the USA Freedom]

‘‘(i) IN GENERAL.—Except as provided in clause (ii), no information obtained or evidence derived from an acquisition pursuant to a certification or targeting or minimization procedures subject to an order under subparagraph (B) concerning any United States person shall be received in evidence or otherwise disclosed in any trial, hearing, or other proceeding in or before any court, grand jury, department, office, agency, regulatory body, legislative committee, or other authority of the United States, a State, or political subdivision thereof, and no information cocerning any United States person acquired from the acquisition shall subsequently be used or disclosed in any other manner by Federal officers or employees without the consent of the United States person, except with the approval of the Attorney General if the information indicates a threat of death or serious bodily harm to any person.

(ii) EXCEPTION.—If the Government corrects any deficiency identified by the order of the Court under subparagraph (B), the Court may permit the use or disclosure of information acquired before the date of the correction under such minimization procedures as the Court shall establish for purposes of this clause.’’.

Remember, first of all, that NSA has secretly rewritten “serious bodily harm” to include threats to property, so that clause is already fairly limited.

But then add in the ability to use illegally collected data once you’ve fixed the problems that made it illegal and it makes this pretty broad. At a minimum, this would permit the government to use all the upstream collection John Bates deemed illegal in 2011.

The MA takes out some other changes to FAA, including a new sunset that would have coincided with the PATRIOT Sunset. Actually, the bill just extends PATRIOT so it coincides with FAA.

Special Advocate

The MA changes how the FISC Special Advocate is chosen. It had been that PCLOB would pick candidates and the Chief Justice (John Roberts!) would pick who got to be the advocates. The MA changes that to letting the presiding judge pick no less than 5 people, including people with technical as well as civil liberties expertise. The Executive still gets to decide whether those people get access however. And the FISC gets to decide if the Special Advocate participates, in which case she’ll be treated like an amicus curiae.

The new scheme also does not provide for appellate review, suggesting that the Special Advocate would not be in a position to raise challenges to decisions the court had already made.

The whole thing seems like a Super Clerk position, not anything really new.

Declassification

The MA also waters down the declassification language in USA Freedom, essentially adopting the language the Obama Administration claims to be currently using (under which it only releases opinions if Edward Snowden comes along and leaks them). Though this language is, roughly, the language that Jeff Merkley tried to get them to adopt back in 2012.

NSLs

The NSLs section repeats the method of prohibiting bulk collection by limiting use to a specific selector.

However, it also takes out limits USA Freedom had put on financial NSLs.

(A) the name of a customer of the financial institution;

(B) the address of a customer of the financial institution;

(C) the length of time during which a person has been, or was, a customer of the financial institution (including the start date) and the type of service provided by the financial institution to the customer; and

(D) any account number or other unique identifier associated with a customer of the financial institution.

(2) LIMITATION.—A request issued under this subsection may not require the production of records  or information not listed in paragraph (1).

As well as a new definition of financial institution borrowed from the Bank Secrecy Act.

(c) DEFINITION OF FINANCIAL INSTITUTION.—For purposes of this section (and sections 1115 and 1117, insofar as the sections relate to the operation of this section), the term ‘financial institution’ has the same meaning as in subsections (a)(2) and (c)(1) of section 5312 of  title 31, United States Code, except that the term shall include only a financial institution any part of which is located inside any State or territory of the United States, the District of Columbia, Puerto Rico, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, or the United States Virgin Islands.’’.

In addition, whereas the USA Freedom Act had repealed the Counterterrorism NSL for credit reports which permits FBI to get a more extensive credit report in the name of terrorism (adjusting the counterintelligence one such that it targets agents of foreign power) the MA keeps it.

USA Freedom had also put new limits on NSL gags. The MA eliminates those limits.

US Freedom had included the same mandated IG Reports for NSLs as it had for business records. The MA eliminates them.

Reporting

215 Orders

The law providing reports to Congress on how the government uses Section 215 now mandates reports only for HPSCI, SSCI, and SJC. USA Freedom had added HJC to that. But the HJC MA eliminates that change! Update: I need to check–they may have retained this in another part of the bill.

USA Freedom had required detailed descriptions of what the government was doing with 215 orders, and which agencies were using them. The MA eliminates that requirement.

Most troubling, USA Freedom had this language trying to understand how many people are affected by 215 orders.

(C) a good faith estimate of the total number  of individuals whose tangible things were produced  under an order entered under section 501, rounded  to the nearest 100;

(D) a good faith estimate of the total number  of United States persons whose tangible things were  produced under an order entered under section 501, rounded to the nearest 100; and

(E) a good faith estimate of the total number of United States persons whose tangible things were produced under an order entered under section 501 and subsequently reviewed or accessed by a Federal officer, employee, or agent, rounded to the nearest 100.;

That language is gone.

That pattern is repeated through the rest of the reporting requirements. Where USA Freedom had tried to quantify the number of people and US persons who got sucked up in surveillance, and how many of those whose records got reviewed, the MA no longer does so. Shouldn’t they be more willing to provide this data if they were really getting rid of bulk surveillance?

PCLOB

In addition to taking PCLOB out of the FISC advocate role, the MA  eliminates provision giving PCLOB subpoena authority.

Copyright © 2014 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/2014/05/05/new-freedom-equals-less-protection-for-all-but-the-telecoms-working-thread/