Leahy USA Freedom’s Bulky Corporate Persons

As I said in my post the other day, the definition of Specific Selection Term in the Leahy version of USA Freedom addresses almost all my concerns about bulk collection under the USA Freedom Act.

But not all of them.

I have two concerns.

First, some background. The bill actually uses two definitions of “specific selection term.” The definition as it applies to traditional Section 215, PRTT, and NSL collection is,

(i) means a term that specifically identifies a person, account, address, or personal device, or another specific identifier, that is used by the Government to narrowly limit the scope of tangible things sought to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things; and [my emphasis]

It defines “address” this way:

ADDRESS.—The term ‘address’ means a physical address or electronic address, such as an electronic mail address, temporarily assigned network address, or Internet protocol address.

That’s my first concern. IP addresses can represent entire companies. And who knows what the NSA might consider “temporarily assigned network addresses”?

Then there’s the difference between that definition of “specific selection term” and the more narrow one used with the prospective contact chaining at telecoms, which is:

CALL DETAIL RECORD APPLICATIONS.—For purposes of an application submitted under subsection (b)(2)(C), the term ‘specific selection term’ means a term that specifically identifies an individual, account, or personal device. [my emphasis]

You’ll note the bill targets “individual” for its contact chaining, but “person” for the rest of Section 215 collection. The obvious reason to do that is if you’re collecting on an entire corporate person, like Western Union (which WSJ and NYT reported CIA uses Section 215 to collect on).

The bill does include limits on what kinds of corporate persons can be collected. The bill explicitly prohibits using electronic communication service providers and cloud providers as specific selection terms, unless they are being investigated.

(II) a term identifying an electronic communication service provider (as that term is defined in section 701) or a provider of remote computing service (as that term is defined in section 2711 of title 18, United States Code), when not used as part of a specific identifier as described in clause (i), unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.

That still seems to leave a whole slew of corporate persons who can be the selection term for collection.

The bill limits that collection in another way, through minimization procedures.

‘(C) for orders in which the specific selection term does not specifically identify an individual, account, or personal device, procedures that prohibit the dissemination, and require the destruction within a reasonable time period (which time period shall be specified in the order), of any tangible thing or information therein that has not been determined to relate to a person who is—

(i) a subject of an authorized investigation;

(ii) a foreign power or a suspected agent of a foreign power;

(iii) reasonably likely to have information about the activities of—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation; or

(iv) in contact with or known to—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation,

unless the tangible thing or information therein indicates a threat of death or serious bodily harm to any person or is disseminated to another element of the intelligence community for the sole purpose of determining whether the tangible thing or information therein relates to a person who is described in clause (i), (ii), (iii), or (iv)

This language is almost certainly not new — as CDT’s otherwise decent analysis suggests. We know the FISC has been modifying orders more and more in recent years. We don’t know — we have to rely on Congress, blindly — whether these minimization procedures are more strict or (likely, because other parts of this bill are) less restrictive than what the FISC itself has been imposing.

But even the existence of this language — and the differential use of “person” and “individual” — makes it clear the bill still permits the bulk collection of data. It just requires the agency in question to purge the data … sometime.

The question is whether this “agency protocol” — what Chief Justice John Roberts said was not enough to protect Americans’ privacy — is sufficient to protect Americans’ privacy.

I don’t think it is.

First, it doesn’t specify how long the NSA and FBI and CIA can keep and sort through these corporate records (or what methods it can use to do so, which may themselves be very invasive).

It also permits the retention of data that gets pretty attenuated from actual targets of investigation: agents of foreign powers that might have information on subjects of investigation and people “in contact with or known to” suspected agents associated with a subject of an investigation.

Known to?!?! Hell, Barack Obama is known to all those people. Is it okay to keep his data under these procedures?

Also remember that the government has secretly redefined “threat of death or serious bodily harm” to include “threats to property,” which could be Intellectual Property.

So CIA could (at least under this law — again, we have no idea what the actual FISC orders this is based off of) keep 5 years of Western Union money transfer data until it has contact chained 3 degrees out from the subject of an investigation or any new subjects of investigation it has identified in the interim.

In other words, probably no different and potentially more lenient than what it does now.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

5 replies
  1. wallace says:

    quote”In other words, probably no different and potentially more lenient than what it does now.”unquote

    Shades of whudda thunk.

    Meanwhile, thanks to the OOD (Office of Obfuscation), the entire DCOTP(tm) (Dumbest Country on the Planet) breathes a collective sigh of relief, and finally gets back to concentrating on KUWTK (Keeping up with the Kardashians), knowing now they can use their smartphones to their heart’s content without worrying some NSA schmuck is watching them take selfies with Todo while stripping for their #one in real time..because their hero Senator Leahy has saved the day with a “historic” rescue of privacy. After all..he said so.

    Meanwhile, in order to comply, the entire IC cartel is forced to request doubling their budgets to completely redesign every training manual, policy doc, webpages by the 1000’s, train personnel, translate and transfer data, paperwork, files, machines, programs, desks, workstations, computers, etc etc.. and then return to exactly the same thing they were doing before Freedumber 3… at a cost of $30billion, or more of course.

    Isn’t the rule of law wunnerful?

  2. wallace says:

    ps..I forgot my manners. Thank you Marcy for De-cyphering the OOD’s bill encryption in detail. Amazing their cryptologists still use the NIST DOLTvx2 standard.

  3. earlofhuntingdon says:

    “Threats” to property would indeed include intellectual property. Someone’s got to protect Mickey’s ears. And, of course, categorizing a corporation, conceivably employing 100,000 people at home and abroad, as a single entity, would vastly expand the reach of such a program while appearing not to.

  4. wallace says:

    quote”And, of course, categorizing a corporation, conceivably employing 100,000 people at home and abroad, as a single entity, would vastly expand the reach of such a program while appearing not to.”quote

    Please refrain from decrypting NSA’s lawful right to categorize Earth Inc. as a single entity as you might inadvertently inform your fellow citizens the extent of our capabilities. Next time we won’t be so nice.

    Thnx. Team NSA.

  5. anonymous says:

    With all respect to @emptywheel and colleagues, I say again: there is no chance of reform through the political process in the United States at the current time. What is now required is to create a New America. To form a new American guerilla army so that each man, woman and child can live off the land and defend their compatriots. In the near future, the only jobs in America will be police/military/corrections. The Constitution is not coming back. Edward Snowden was a sign of the times, a warning shot. War is coming along with societal collapse. Resist through encryption, non-payment of taxes, boycott, strike and guerilla warfare.
