September 10, 2014 / by emptywheel

 

USA Freedom Act’s So-Called “Transparency” Provisions Enable Illegal Domestic Surveillance

I regret that I am only now taking a close look at the “transparency” provisions in Patrick Leahy’s version of USA Freedom Act. They are actually designed not to provide “transparency,” but to give a very misleading picture of how much spying is going on. They are also designed to permit the government to continue not knowing how much content it collects domestically under upstream and pen register orders, which is handy, because John Bates told them if they didn’t know it was domestic then collecting domestic isn’t illegal.

In this post, I’ve laid out the section of the bill that mandates reporting from ODNI, with my comments interspersed along with what the “transparency” report Clapper did this year showed.

(b) MANDATORY REPORTING BY DIRECTOR OF NATIONAL INTELLIGENCE.—

(1) IN GENERAL.—Except as provided in subsection (e), the Director of National Intelligence shall annually make publicly available on an Internet Web site a report that identifies, for the preceding 12-month period—

This language basically requires the DNI to post a report on I Con the Record every year. But subsection (e) provides a number of outs.

Individual US Person FISA Orders

(A) the total number of orders issued pursuant to titles I and III and sections 703 and 704 and a good faith estimate of the number of targets of such orders;

This language requires DNI to describe, in bulk, how many individual US persons are targeted in a given year (there were 1,767 orders and 1,144 estimated targets last year). But it only requires DNI to give a “good faith estimate” of these numbers (and that’s what they’re listed as in ODNI’s report from last year)! If there’s one thing DNI should be able to give a rock-solid number for, it’s individual USP targets. But … apparently that’s not the case.

Section 702 Orders

(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—

(i) the number of targets of such orders;

(ii) the number of individuals whose communications were collected pursuant to such orders;

(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

This language requires DNI to provide an estimate of the number of targets of Section 702, which includes both upstream and PRISM production. Last year, this was one order (ODNI doesn’t tell us, but there were at least 3 certificates – Counterterrorism, Counterproliferation, and Foreign Government) affecting 89,138 targets.

The new reporting requires the government to come up with some estimate of how many communications are collected, as well as how many are located inside the US.

Except DNI is permitted to issue a certification saying that there are operational reasons why he can’t provide that last bit — how many are in the US. Thus, 4 years after refusing to tell John Bates how many Americans’ communications NSA was sucking up in upstream collection, Clapper is now getting the right to continue to refuse to provide that ratified by Congress. And remember — Bates also said that if the government didn’t know it was collecting that content domestically, then it wasn’t really in violation of 50 USC 1809(a). So by ensuring that it doesn’t have to count this, Clapper is ensuring that he can continue to conduct illegal domestic surveillance.

Don’t worry though. The bill includes language that says, even though this provision permits the government to continue conducting illegal domestic collection, “Nothing in this section affects the lawfulness or unlawfulness of any government surveillance activities described herein.”

Back Door Searches

(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and

(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;

This language counts back door searches.

But later in the bill, the FBI — which we know does the bulk of these back door searches — is exempted from all of this reporting. As I noted in this post, effectively the Senate is saying it’s no big deal if FBI doesn’t track how many warrantless searches of US person content it does, even of people against whom the FBI has no evidence of wrongdoing.

In addition, note that odd limit to (v). DNI only has to report metadata searches “initiated by an officer, employee, or agent” of the United States. That would seem to exempt any back door metadata searches by foreign governments (it might also exempt contractors, but they should be included as “agents” of the US). Which, given that CIA doesn’t currently count its metadata searches, and given that CIA conducts a bunch of metadata searches on behalf of other entities, leads me to suspect that CIA may be doing metadata searches “initiated” by foreign governments. But that’s a guess. One way or another, though, this clause was written to not count some of these metadata searches. [Update: On reflection, that language may be designed to avoid counting automated processes as searches — if they’re initiated by a robot rather than an employee they’re not counted!]

Pen Register Orders

(C) the total number of orders issued pursuant to title IV and a good faith estimate of—

(i) the number of targets of such orders;

(ii) the number of individuals whose communications were collected pursuant to such orders; and

(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

This language counts how many Pen Register orders the government obtains, how many individuals get sucked up, and how many are in the US, both of which are additions to what ODNI reported this year.

But that last bit — counting people in the US — is again a permissible exemption under the bill. Which is, as you’ll recall, the other way NSA has been known to engage in illegal domestic content collection. The only known bulk pen register is currently run by FBI, but in any case, the exemption has the same effect, of permitting the government to avoid ever having to admit that it is breaking the law.

Traditional Section 215 Collection

(D) the total number of orders issued pursuant to applications made under section 501(b)(2)(B) and a good faith estimate of—

(i) the number of targets of such orders;

(ii) the number of individuals whose communications were collected pursuant to such orders; and

(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

This requires DNI to report on traditional Section 215 orders, but the entire requirement is a joke on two counts.

First, note that, for a reporting requirement for a law permitting the government to collect “tangible things,” it only requires individualized reporting for “communications.” “Individuals whose communications were collected” are specifically defined as only involving phone calls and electronic communications.

So this “transparency” bill will not count how many individuals have their financial records, beauty supply purchases, gun purchases, pressure cooker purchases, medical records, money transfers, or other things sucked up, much of which we know to be done under this bill. And this is particularly important, because the law still permits bulk collection of these things. Thus, this “transparency” report creates the illusion that far less collection is done under Section 215 than actually is; it creates the illusion that bulk collection is not going on when it is.

But it gets worse!

After having limited the individualized reporting solely to communications, the bill also exempts FBI from (iii). And that’s important because we know the majority of Section 215 orders are being used to order Internet companies to provide something that the government failed to obtain using NSLs. Those orders are almost certainly minimized, meaning they involve significant bulk either in terms of people sucked up or in terms of sensitive First Amendment materials (which might be the case for URL searches). So while the bill will show how many people have their communications collected, the reports will wrongly suggest Americans’ communications aren’t being sucked up.

So the traditional 215 reporting will show the orders and targets of the orders, but will hide how many individuals are having their non-communications records sucked up, and how many Americans’ communications records the FBI is sucking up. This report will give an unbelievably deceptive picture of how Section 215 is being used.

Newfangled Section 215 Reporting

(E) the total number of orders issued pursuant to applications made under section 501(b)(2)(C) and a good faith estimate of—

(i) the number of targets of such orders;

(ii) the number of individuals whose communications were collected pursuant to such orders;

(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection; and

(iv) the number of search terms that included information concerning a United States person that were used to query any database of call detail records obtained through the use of such orders; and

This is the reporting on the new Call Detail Record provision. It purports to show how many orders are issued, the number of targets, the number of individuals collected, and the number of Americans implicated, either by having their communications collected or using information from a US person to conduct the query.

But … you guessed it! There’s another exemption for the FBI, covering the two US person provisions.

Now, I assume that, given this provision will no longer require the ingestion of all the call records of all Americans every day, this collection may actually go back to the FBI, where it belongs. If that’s the case, then it means the CDR “transparency” report will, again, provide a completely misleading impression that no Americans are being sucked up.

National Security Letters

(F) the total number of national security letters issued and the number of requests for information contained within such national security letters.

This bill prohibits bulk collection!!!! its supporters claim. But with NSLs — a collection conducted with no oversight from courts — the bill doesn’t require reporting of the total people affected. (Current reporting hides bulk collection with NSLs of what are basically phone books by not requiring those to be broken out by US person.) This is, admittedly, way down on my list of things that worry me about these “transparency” provisions. But still, another indication of how seriously this bill takes “transparency.”

Update, 10/4: This is incorrect. A different provision requires reporting on this, which is in fact slightly better than what we currently get.

The Fine Print and Other Loopholes

(2) BASIS FOR REASONABLE BELIEF INDIVIDUAL IS LOCATED IN UNITED STATES.—A phone number registered in the United States may provide the basis for a reasonable belief that the individual using the phone number is located in the United States at the time of collection.

I’m not sure whether this is the intent, but I believe this language provides DNI another way to not report when it collects Internet data in the US — because an IP address located in the US is not considered a reasonable basis to believe the person using that IP address is located in the US. So it may well make the Internet reporting even more inaccurate.

(c) DISCRETIONARY REPORTING BY DIRECTOR OF NATIONAL INTELLIGENCE.—The Director of National Intelligence may annually make publicly available on an Internet Web site a report that identifies, for the preceding 12-month period—

(1) a good faith estimate of the number of individuals whose communications were collected pursuant to orders issued pursuant to titles I and III and sections 703 and 704 reasonably believed to have been located in the United States at the time of collection whose information was reviewed or accessed by an officer, employee, or agent of the United States;

(2) a good faith estimate of the number of individuals whose communications were collected pursuant to orders issued pursuant to section 702 reasonably believed to have been located in the United States at the time of collection whose information was reviewed or accessed by an officer, employee, or agent of the United States;

(3) a good faith estimate of the number of individuals whose communications were collected pursuant to orders issued pursuant to title IV reasonably believed to have been located in the United States at the time of collection whose information was reviewed or accessed by an officer, employee, or agent of the United States;

(4) a good faith estimate of the number of individuals whose communications were collected pursuant to orders issued pursuant to applications made under section 501(b)(2)(B) reasonably believed to have been located in the United States at the time of collection whose information was reviewed or accessed by an officer, employee, or agent of the United States; and

(5) a good faith estimate of the number of individuals whose communications were collected pursuant to orders issued pursuant to applications made under section 501(b)(2)(C) reasonably believed to have been located in the United States at the time of collection whose information was reviewed or accessed by an officer, employee, or agent of the United States.

This discretionary reporting is all designed to allow James Clapper to come out every year and say, “sure, we’ve got all your Gmail in a server somewhere, but don’t worry, we didn’t look at it.” Note that it doesn’t talk about electronic access, just human access, and doesn’t talk about foreign person access.

(d) TIMING.—The annual reports required by subsections (a) and (b) and permitted by subsection (c) shall be made publicly available during April of each year and include information relating to the previous year.

The timing of reports will match current timing.

(e) EXCEPTIONS.—

(1) REPORTING BY UNIQUE IDENTIFIER.—If it is not practicable to report the good faith estimates required by subsection (b) and permitted by subsection (c) in terms of individuals, the good faith estimates may be counted in terms of unique identifiers, including names, account names or numbers, addresses, or telephone or instrument numbers.

This is, I think, a totally innocuous provision permitting DNI to not have to run its correlations tool against this reporting.

(2) STATEMENT OF NUMERICAL RANGE.—If a good faith estimate required to be reported under clauses (ii) or (iii) of each of subparagraphs (B),(C), (D), and (E) of paragraph (1) of subsection (b) or permitted to be reported in subsection (c), is fewer than 500, it shall exclusively be expressed as a numerical range of ‘fewer than 500’ and shall not be expressed as an individual number.

This says that DNI can use 500 rather than provide a specific number for the individualized reports. Note that’s worse than what they did this year on Section 215.

(3) FEDERAL BUREAU OF INVESTIGATION.— Subparagraphs (B)(iv), (B)(v), (D)(iii), (E)(iii), and (E)(iv) of paragraph (1) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

As I noted, the FBI has exemptions for things that the FBI does the bulk of. There is another grave problem with this exemption, which I’ll get to in another post.

(4) CERTIFICATION.—

(A) IN GENERAL.—If the Director of National Intelligence concludes that a good faith estimate required to be reported under subparagraph (B)(iii) or (C)(iii) of paragraph (1) of subsection (b) cannot be determined accurately, including through the use of statistical sampling, the Director shall—

(i) certify that conclusion in writing to the Permanent Select Committee on Intelligence and the Committee on the Judiciary of the House of Representatives and the Select Committee on Intelligence and the Committee on the Judiciary of the Senate; and

(ii) make such certification publicly available on an Internet Web site.

(B) CONTENT.—

(i) IN GENERAL.—The certification described in subparagraph (A) shall state with specificity any operational, national security, or other reasons why the Director of National Intelligence has reached the conclusion described in subparagraph (A).

This is the language that permits DNI to not count the stuff that would be illegal if he counted it. Also note — one of my favorite bits! — House Judiciary does not get this report (the bill fixes non-reporting to HJC on most other provisions).

Remarkably, it permits DNI to provide “national security” reasons why he can’t count this accurately. Such certification will say something like, “If I count this stuff, it then becomes illegal, and I’ll no longer be able to illegally collect US person content in the US anymore, which will be bad for national security, so I certify that I can’t count it.”

GOOD FAITH ESTIMATES OF CERTAIN INDIVIDUALS WHOSE COMMUNICATIONS WERE COLLECTED UNDER ORDERS ISSUED UNDER SECTION 702.—A certification described in subparagraph (A) relating to a good faith estimate required to be reported under subsection (b)(1)(B)(iii) may include the information annually reported pursuant to section 702(l)(3)(A).

(iii) GOOD FAITH ESTIMATES OF CERTAIN INDIVIDUALS WHOSE COMMUNICATIONS WERE COLLECTED UNDER ORDERS ISSUED UNDER TITLE IV.—If the Director of National Intelligence determines that a good faith estimate required to be reported under subsection (b)(1)(C)(iii) cannot be determined accurately as that estimate pertains to electronic communications, but can be determined accurately for wire communications, the Director shall make the certification described in subparagraph (A) with respect to electronic communications and shall also report the good faith estimate with respect to wire communications.

This says that DNI may report only the phone conversations collected under 702, but not the wire communications — the stuff that’s illegal.

(C) FORM.—A certification described in subparagraph (A) shall be prepared in unclassified form, but may contain a classified annex.

(D) TIMING.—If the Director of National Intelligence continues to conclude that the good faith estimates described in this paragraph cannot be determined accurately, the Director shall annually submit a certification in accordance with this paragraph.

Hey! At least we’ll know that DNI refuses to count its illegal domestic collection. Every year he’ll write a note to Congress saying, “I still refuse to count how many people get sucked up under 702,” with the classified bit explaining that if he counted it, then it’d be illegal.

Originally Posted @ https://www.emptywheel.net/2014/09/10/usa-freedom-acts-so-called-transparency-provisions-enable-illegal-domestic-surveillance/