emptywheel


Why USAF’s “Transparency” Provisions Will Make Ongoing Organizing Difficult

I’ve had some discussions of late about whether the flawed transparency provisions in the USA Freedom Act are a net good. Until I read them closely, I believed they couldn’t hurt. Now I believe they do.

That’s because the transparency provisions are designed to withhold data on all the collection programs to which privacy activists would like to make further changes — or would, if we knew about them. And while bill supporters note we don’t receive the information that would be withheld under the bill now, I believe the selective way the transparency provisions work will make it harder to oppose these programs.

To explain what I mean, let me first separate programs into three categories:

Confirmed programs

USAF withholds information on two of the most abusive practices: FBI’s back door searches, including on people against whom it has no concrete evidence of wrong-doing, and illegal domestic wiretapping under the upstream program. USAF hides FBI’s back door searches under the FBI exemptions. It hides illegal domestic wiretapping by permitting the DNI to get a certificate saying he can’t count people in the US collected under upstream collection, and also (probably) by treating only US-based phone numbers as proof of US location.

I agree that passing USAF won’t set back mobilization on these two. We’ve got documented acknowledgment of both, so it will be easy to insist on the continued existence of the practice, even while transparency reports come out showing no FBI back door searches (as compared to 100 NSA ones and 1,300 CIA ones), and a certificate asserting the NSA can’t count illegal domestic wiretapping.

So while the Intelligence Community’s refusal to count these things helps them by not making it easier to organize against them, keeping the scope of these programs hidden won’t make it any harder (I believe the secrecy on these programs serves more nefarious discovery purposes).

Known but not confirmed programs

I do, however, fear the transparency provisions will make it harder to organize to fix two other programs: Non-communications Section 215 programs and FBI’s apparent PRTT program, and will invite abuse in a third, the Internet Section 215 orders.

USAF not only permits the use of corporate persons as selectors for non-communications Section 215 programs, but it also requires no individualized reporting. So bulk collection of international Western Union transfers would be unaffected by this bill; Section 215 has also been confirmed for use collecting purchase records of TATP precursors — large volumes of acetone and hydrogen peroxide — and probably is also used to track fertilizer and pressure cooker purchases. Travel records are another likely use. Thus, even ignoring the likelihood the government will roll out new collection programs in the future, these programs will all likely remain unchanged.

But, in spite of the probability these programs collect the records of hundreds of thousands or millions of Americans, they will each show up in reporting as something like 4 orders affecting 4 or so targets. Worse, NGOs and Senate bill supporters have been telling the public for months, wrongly, that the bill would end bulk collection. So even if they later wanted to insist that such collection still went on, who would believe them, after they boasted that the bill would end precisely this kind of bulk collection? So by permitting this ongoing collection and excluding it from transparency reporting, USAF would make these — and (just as importantly) any new non-communications bulk Section 215 programs invisible — and that invisibility would be reinforced by the public comments of people who overstated the bill’s effects.

FBI’s PRTT program (or rather bulk PRTT programs generally) is similarly something that bill supporters have claimed would be eliminated by the program. As a reminder, we know the existence of this — at least as recently as February 2012 — from Snowden’s leaks. A classification guide from that month made it clear that the actual numbers relating to the “FBI Pen Register Trap Trace program” were among the most sensitive FISA secrets.


But that’s about it. We don’t know anything more about this program (or whether, as is possible, it got shut down for some reason). That said, unless it exactly replicates the defunct NSA PRTT program (collecting on most switches in the US), there’s no reason to believe USAF would shut it down. My guess — backed both by the structure of the transparency procedures and by other details (we’ve recently learned, for example, that FBI uses criminal PRTTs for location data, including stingrays) — is that it is a program to collect location data on some subset of targets. And if that’s the case, I believe it would be entirely hidden under USAF, because — as with traditional Section 215s — PRTT reporting only requires individualized reports for communications, using a definition of communications that would exclude phones pinging providers.

If this program is closer to the old NSA PRTT program — collecting Internet metadata — it will show up as a huge number, but one affecting only foreigners, because the US persons affected can be hidden in two ways: both because only phone numbers are used to track US location under this bill, and because DNI can certify that he can’t count the US persons collected under this.

Whichever it is, it thwarts key legal battles civil libertarians are increasingly winning. And does so without any hint of doing so.

In any case, both of these are known programs that bill supporters claim will not exist after passage of the bill. Yet they do and, according to a close reading of the bill, will exist. Which sort of makes it impossible to oppose them.

I would add that the Internet Section 215 orders — which make up a majority of current Section 215 orders — pose a unique problem. We learned in a recent NSL IG report that starting in 2009, some Internet companies refused certain production under NSLs, and since then the government has used 215 orders to get the data. Given that the companies successfully refused that production as NSLs, they are likely exotic collections — possibly up to and including content — protected by FISC-imposed minimization procedures (which may get weaker with the passage of USAF). My wildarse guess is that they are targets’ URL searches. Since these make up a majority of current 215 orders, there are probably 110 to 180 of these a year.


About Apple’s Dead Warrant Canary

There were two significant pieces of Apple security news yesterday.

In laudable news, Apple’s new privacy policy makes clear that it will be unable to unlock locally stored content for law enforcement.

On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

I find the comment as interesting for the list of things Apple envisions potentially having to hand over as I do for the security claim (though the security claim is admirable).

  • Photos
  • Messages, including attachments
  • Email
  • Contacts
  • Call history
  • iTunes content
  • Notes
  • Reminders

Though Apple’s promise to protect this kind of data only goes so far; as the NYT makes clear, that doesn’t extend to data stored on Apple’s cloud.

The new security in iOS 8 protects information stored on the device itself, but not data stored on Apple’s cloud service. So Apple will still be able to hand over some customer information stored on iCloud in response to government requests.

Which brings us to the second piece of news. As GigaOm notes, Apple’s warrant canary indicating that it has never received a Section 215 order has disappeared.

When Apple published its first Transparency Report on government activity in late 2013, the document contained an important footnote that stated:

“Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.”

Writer and cyber-activist Cory Doctorow at the time recognized that language as a so-called “warrant canary,” which Apple was using to thwart the secrecy imposed by the Patriot Act.

Warrant canaries are a tool used by companies and publishers to signify to their users that, so far, they have not been subject to a given type of law enforcement request such as a secret subpoena. If the canary disappears, then it is likely the situation has changed — and the company has been subject to such request.

Now, Apple’s warrant canary has disappeared. A review of the company’s last two Transparency Reports, covering the second half of 2013 and the first six months of 2014, shows that the “canary” language is no longer there.

Note, GigaOm goes on to mistakenly state that Section 215 is the basis for PRISM, which doesn’t detract from the importance of noting the dead warrant canary. The original PRISM slides indicate that Apple started complying with Section 702 (PRISM) in October 2012, and the ranges in Apple’s government request data probably reflect at least some of its Section 702 compliance to provide content.

So Apple receiving its first Section 215 order sometime last year would reflect either a different kind of request — one not available by targeting someone overseas, as required under Section 702 — or a request for the kind of information it has already provided via a new authority, Section 215.

Many of the things listed above — at a minimum, call history, but potentially things like contacts and the titles of iTunes content (remember, James Cole has confirmed the government could use Section 215 to get URL searches, and we know they get purchase records) — can be obtained under Section 215.

I find Apple’s dead warrant canary of particular interest given the revelation in the recent DOJ IG Report on National Security Letters that some “Internet companies” started refusing NSLs for certain kinds of content starting in 2009; that collection has moved to Section 215 authority, and it now constitutes a majority of the 200-some Section 215 orders a year.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

[snip]

We asked whether the disagreement and uncertainty over electronic communication transactional records has negatively affected national security investigations. An Assistant General Counsel in NSLB told us that the additional time it takes to obtain transactional records through a Section 215 application slows down national security investigations, all of which he said are time-sensitive. He said that an investigative subject can cease activities or move out of the country within the time-frame now necessary to obtain a FISA order. [my emphasis]

These Internet company refusals must pertain to somewhat exotic requests, otherwise the government would simply take the companies to court one time apiece and win that authority. So we should assume the government was making somewhat audacious requests using NSLs, some companies refused, and it now uses Section 215 to do the collection. Another signal that these requests are fairly audacious is that the FISA Court appears to have imposed minimization procedures, which for individualized content must reflect a good deal of irrelevant content that would be suppressed.

While my wildarse guess is that this production pertains to URL searches, everything cloud providers like Apple store arguably falls under the Third Party doctrine and may be obtained using Section 215.

That’s not to say Apple’s dead canary pertains to this kind of refusal. But it ought to raise new questions about how the government has been using Section 215.

This production will likely be increasingly obtained using USA Freedom Act’s emergency provisions, which permit the government to retain data even if it is not legal, if the bill passes. And the bill’s “transparency” provisions hide how many Americans would be affected.

Someone Treasure Mapped JP Morgan


Map the entire Internet — any device, anywhere, all the time. — NSA TREASUREMAP PPT

Last week, The Intercept and Spiegel broke the story of NSA’s TREASUREMAP, an effort to map cyberspace, relying on both NSA’s defensive (IAD) and offensive (TAO) faces.

As Rayne laid out, it aspires to map out cyberspace down to the device level. As all great military mapping does, this will permit the US to identify strategic weaknesses and visualize a battlefield — even before many adversaries realize they’re on a battlefield.

Against that background, NYT provided more details on the penetration of JP Morgan’s networks that has been blamed on Russia. The new details make it clear this was about reconnaissance, not — at least not yet — theft.

Over two months, hackers gained entry to dozens of the bank’s servers, said three people with knowledge of the bank’s investigation into the episode who spoke on the condition of anonymity. This, they said, potentially gave the hackers a window into how the bank’s individual computers work.

They said it might be difficult for the bank to find every last vulnerability and be sure that its systems were thoroughly secured against future attack.

The hackers were able to review information about a million customer accounts and gain access to a list of the software applications installed on the bank’s computers. One person briefed said more than 90 of the bank’s servers were affected, effectively giving the hackers high-level administrative privileges in the systems.

Hackers can potentially crosscheck JPMorgan programs and applications with known security weaknesses, looking for one that has not yet been patched so they can regain access.

Though the infiltrators did observe metadata — which, the NSA assures us, is not really all that compromising.

A fourth person with knowledge of the matter, also speaking on condition of anonymity, said hackers had not gained access to account holders’ financial information or Social Security numbers, and may have reviewed only names, addresses and phone numbers.

I’m not trying to make light of the mapping of one of America’s most important banks. Surely, such surveillance may enable the same kind of sophisticated attack we launched against Iran, having done a similar kind of preparation.

But we should keep in mind what the US has been doing as we consider these reports. If and when Russia or Germany catch us conducting similar reconnaissance on the networks of their private companies, they will surely make a big stink, as we have been with JP Morgan (though the response to the Spiegel story has been muted enough I suspect Germany’s intelligence services knew about that one, particularly given NSA’s reliance on Germany for targets in Africa).

But if the US is going to treat digital reconnaissance as routine spying (and the President’s cyberwar Presidential Policy Directive makes it pretty clear we consider our own similar reconnaissance to be mere clandestine spying), then we should expect the same treatment of our most lucrative targets.

That doesn’t make it legal or acceptable. But that does make it equivalent to what we’re doing to the rest of the world.

One final point. If you’re going to map the entire Internet, any device, anywhere, by definition you need to map America’s Internet as well. Are we so sure our own Intelligence Community hasn’t been snooping in JP Morgan’s networks?

Now That It Is Finally Conventional Wisdom the Saudis Are Part of the Problem…

There’s nothing terrifically insightful about Tom Friedman’s observation that the Saudis have fostered the extremist ideology that fuels ISIS.

The al-Sauds get to rule and live how they like behind walls, and the Wahhabis get to propagate Salafist Islam both inside Saudi Arabia and across the Muslim world, using Saudi oil wealth. Saudi Arabia is, in effect, helping to fund both the war against ISIS and the Islamist ideology that creates ISIS members (some 1,000 Saudis are believed to be fighting with jihadist groups in Syria), through Salafist mosques in Europe, Pakistan, Central Asia and the Arab world.

This game has reached its limit. First, because ISIS presents a challenge to Saudi Arabia. ISIS says it is the “caliphate,” the center of Islam. Saudi Arabia believes it is the center. And, second, ISIS is threatening Muslims everywhere.

But the fact that one of the chosen clerics of mushy conventional wisdom now feels it’s safe (admittedly in the second half of his column) to call out the Saudis for their extremism that has been ignored for over a decade is notable.

This comes against the background of renewed attention on the 28 pages from the Joint Congressional Inquiry George Bush suppressed 13 years ago to hide the Saudi role in 9/11.

Former Senate Intelligence Chair Bob Graham has been tireless at calling to have these pages — which he co-authored — released publicly.

Presidents Bush and Obama have both refused to release 28 pages of those classified records. Though Graham cannot reveal the specific contents, he accuses the Saudi government of working against us behind the scenes, and he accuses the U.S. government of keeping it a secret (possibly to protect our oil interests or alliance with the Saudi Arabia).

“For 13 years, that information has been denied to the American people,” said Graham. “The pot is going to break soon.”

He says only a few members of congress have seen the information.

“Without exception, when they have put down the 28 pages, their reaction has been, ‘Oh God, I can’t believe this has really happened!’”

Lawrence Wright points to several unreliable sources — Bandar bin Sultan, Philip Zelikow — suggesting it would not reveal anything alarming.

The Saudis have also publicly demanded that the material be released. “Twenty-eight blanked-out pages are being used by some to malign our country and our people,” Prince Bandar bin Sultan, who was the Saudi Ambassador to the United States at the time of the 9/11 attacks, has declared. “Saudi Arabia has nothing to hide. We can deal with questions in public, but we cannot respond to blank pages.”

[snip]

The questions raised by the twenty-eight pages were an important part of the commission’s agenda; indeed, its director, Philip Zelikow, hired staffers who had worked for the Joint Inquiry on that very section to follow up on the material. According to Zelikow, what they found does not substantiate the arguments made by the Joint Inquiry and by the 9/11 families in the lawsuit against the Saudis. He characterized the twenty-eight pages as “an agglomeration of preliminary, unvetted reports” concerning Saudi involvement. “They were wild accusations that needed to be checked out,” he said.

Zelikow and his staff were ultimately unable to prove any official Saudi complicity in the attacks.

One of Zelikow’s staffers (I suppose it could be Zelikow himself) reveals the real issue: reading these pages will make it harder for us to remain cozy with Saudi Arabia.

A former staff member of the 9/11 Commission who is intimately familiar with the material in the twenty-eight pages recommends against their declassification, warning that the release of inflammatory and speculative information could “ramp up passions” and damage U.S.-Saudi relations.

But given that the Saudis were far more closely tied to 9/11 (and, probably, some other attacks) than any other country, don’t we deserve to know that to act accordingly, especially as we prepare to fight a terrorist group strengthened by Bandar?

Matt Stoller calls all this censorship — and notes how it has prevented us from having the discussion we really need to have to resolve the underlying problems in the Middle East.

But the other part of the 9/11 narrative, aside from propaganda, was censorship. In America it’s not popular to talk about censorship, because it’s presumed that we don’t have it, as such. There are no rooms full of censors who choose what goes into newspapers, and what doesn’t. Our press is free. It’s right there in the First Amendment: “Congress shall make no law… prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press..”

Somehow, though, Senators, Congressmen, and intelligence officials are not supposed to talk about those 28 pages in the 9/11 Commission report which are classified. And why not? Well because according to President Bush (and now President Obama), doing so would compromise “national security”. But what, exactly, is censorship, if it’s not a prohibition on individuals to speak about certain topics? Traditionally, First Amendment law gives the highest protection to political speech, allowing for certain restrictions on commercial speech (like false advertising). But there is no higher form of speech than political speech, and there is more important form of political speech than the exposition of wrongdoing by the government. So how is this not censorship?

It clearly is. In other words, explicit government censorship combined with propaganda helped prevent the public from having a full discussion of what 9/11 meant, and what this event implied for our government’s policies. Explicit censorship, under the guise of national security, continues today. While there are people in the U.S. government who know which Saudis financed and organized 9/11, the public at large does not. No government official can say ‘this person funded Al Qaeda in 2001, he might be funding ISIS now’, because that would reveal classified information.

[snip]

Unwinding the classified state, and beginning the adult conversation put off for seventy years about the nature of American power, is the predicate for building a global order that can drain the swampy brutal corners of the world that allow groups like ISIS to grow and thrive. To make that unwinding happen, we need to start demanding the truth, not what ‘national security’ tells us we need to know. The Constitution does not mention the words ‘national security’, it says ‘common defense.’ And that means that Americans should be getting accurate information about what exactly we are defending.

In yesterday’s SASC hearing on ISIS, Joint Chiefs Chair Martin Dempsey said there is no military solution to ISIS (though he later, at the prodding of Carl Levin, modified that comment). But the non-military things we’d do — to combat the sources of and funding for ISIS’ ideology — all point in one direction, and it’s not Iraq or Syria.

Just as an example, the Obama Administration has repeatedly suggested that because the Iraqi government now has an “inclusive” government, it will mitigate the impetus behind terrorism. If that’s true, then why don’t we demand the same from the Sauds before we fight another war for them?

Whether or not you believe military involvement is wise or will be effective, it seems critical to do the other things to fight the threat of extremism. And for 13 years, we’ve been lying to ourselves about where that fight needs to start.

John Bates Gets Slapped Down for Speaking Out of Turn, Again

A few weeks back, I pointed to 9th Circuit Chief Judge Alex Kozinski’s criticism of John Bates’ presumption to speak for the judiciary in his August 5 letter complaining about some aspects of USA Freedom Act. Kozinski was pretty obviously pissed.

But compared to the op-ed from retired District Court Judge Nancy Gertner — who effectively scolds Bates, as the Administrative staff, for speaking out of turn — Kozinski was reserved.

[W]hatever the merits of Bates’ concerns—and other judges have dissented from it—he most assuredly does not speak for the Third Branch.

[snip]

Bates has been appointed by Chief Justice John Roberts to serve as director of the Administrative Office of the U.S. Courts, the body that administers the federal courts. It was created in 1939 to take the administration of the judiciary out of the Department of Justice. Its principal tasks were data collection and the creation of budgets and, while its duties have grown over the years, they remain administrative (dealing with such things as court reporters, interpreters, judicial pay, maintenance of judicial buildings, staffing etc.).

When members of Congress solicit the “judiciary’s” opinion they may write to the office’s director, but he has no authority to make policy for the federal judiciary. It is the Judicial Conference of the United States Courts, to which the AO director is only the “secretary,” that has that responsibility.

I’m very supportive of Gertner’s defense of judicial independence and her concern about the operation of the FISA Court.

But her critique goes off the rails when she points to DOJ’s purported support of USA Freedom Act as a better indication of the Executive’s views than Bates’ comments.

Moreover, a great deal of Bates’ letter focuses on the Senate proposals’ impact on the executive branch and the intelligence community. The Senate bill would burden the executive with more work and even delay the FISA court’s proceedings, he suggests. Worse yet, the executive may be reluctant to share information with an independent advocate—a troubling claim.

Bates’ concerns are belied by the support voiced by the Department of Justice and the president for the Senate proposal. Surely, the executive branch understands its own needs better than does Bates. Surely, the executive branch has confidence in the procedures that the FISA court would have in place for dealing with classified information, just as the courts that have dealt with other national security issues have had.

And surely, the executive would abide by what the law requires, notwithstanding Bates’ predictions about its “reluctance” to share information with a special advocate.

DOJ’s “support” of the bill was expressed when Eric Holder co-signed a letter (which Gertner tellingly doesn’t mention, much less link) from James Clapper which, when read with attention, clearly indicated the Executive would interpret the bill to be fairly permissive on most of the issues on which the Senate bill would otherwise improve on the House one. Holder’s “support” of the bill strongly indicates that DOJ, with ODNI, plans to use the classification and privilege “protections” in the bill to refuse to share information with the special advocate.

And that’s precisely the part of the letter where Holder and Clapper invoke Bates.


A Yahoo! Lesson for USA Freedom Act: Mission Creep

I’m still wading through the Yahoo documents released last week.

But there is a lesson in them that — given the debate over USA Freedom Act — deserves immediate attention: mission creep.

At least in this case, the actual implementation of the Protect America Act appears to have quickly and secretly outstripped the public understanding of the scope of the law.

In response to an order from Reggie Walton to provide precise details about what the government was asking for, the FBI and Yahoo submitted a series of declarations that provide hints of this. In January 2008, an FBI engineer submitted a declaration detailing what the government demanded (though it is almost entirely redacted).

In response, Yahoo’s VP and Associate General Counsel submitted a declaration covering his (or her) involvement; he was the only one who attended all the meetings with the government. Interestingly the first meeting was in August, but before the law was passed. That’s interesting because it was slammed through in a rush on August 4, 2007, meaning, Yahoo must have first met with the government about a bill making dramatic demands on it just days before it passed.

The AGC ends his declaration by laying out what data had been discussed while he was involved, but then saying the discussions about a particular issue had not ended when he exited the discussions, so he could not agree with or disagree with some part of the FBI declaration.

In a declaration dated the next day, the Manager of Yahoo’s Legal Compliance team (the declaration describes that he or she had the lead on FISA response) submitted her declaration. It says she will be listing the kinds of data Yahoo provides to the government.

But before she can do that, she has to lay out that Yahoo offers email and IMs, information services (like Yahoo finance), cloud storage, as well as facilitating all that with communications between the various components. That suggests the government was — already — asking for more than just emails and IMs and, possibly, data storage contents (which would be unsurprising). This seems to be the stuff the AGC couldn’t speak to.

The final FISCR opinion listed 9 things the government had demanded, as compared to the one-line long description that Yahoo originally believed — and had been told — it would have to turn over.


I followed the PAA debate closely (though not as closely as I’ve followed the USAF debate — I learned you have to watch these things like a hawk!). And I understood the chief goal of the bill was to access the email of the largest free providers, Yahoo, Microsoft, and Google, which all happened to be in the US. I wouldn’t have imagined that the government would also be obtaining the info services habits of targets, though now that idea also seems obvious.

And that appears to have happened in less than a year.

It just appears that once the government got what they needed, they then started looking around for other ways they could use their new toy. And so kept grabbing more data.

This is among the concerns I have about the ambiguous “connection chaining” language in USA Freedom Act — that once they get to the telecoms without a limit to stick to call chaining (they must return a CDR at each stage, but the bill doesn’t say how they get there), they’ll just grab what they can get.

Yahoo’s Lawyer’s Take on the Yahoo Trove

Even back in 2009, when Russ Feingold made it clear that Yahoo had no access to the data it needed to aggressively challenge the Protect America Act orders it received, I realized what a tough legal fight it was to litigate blind. That has only been made more clear by the document trove released last week.

Which is why Mark Zwillinger’s comments about the trove are so interesting.

First, ZwillGen points out that the challenge to the PAA directives may not have helped Yahoo avoid complying, but it did win an important victory allowing providers to challenge surveillance orders.

[I]n this fight, the government argued that Yahoo had no standing to challenge a directive on the basis of the Fourth Amendment rights of its users. See Government’s Ex Parte Brief at pages 53-56. Although the government was forced to change its position after it lost this issue at both the FISC and the FISCR — and such standing was expressly legislated into the FAA – had the government gotten its way, surveillance orders under § 702 would have been unchallengeable by any party until the fruits of the surveillance were sought to be used against a defendant in a criminal case. That would have given the executive branch even greater discretion to conduct widespread surveillance with little potential for judicial review. Even though Yahoo lost the overall challenge, winning on the standing point was crucial, and by itself made the fight personally worthwhile.

ZwillGen next notes that the big numbers reported in the press — the $250K fines for non-compliance — actually don’t capture the full extent of the fines the government was seeking. It notes that the fines would have added up to $400 million in the second month of non-compliance (it took longer than that to obtain a final decision from the FISCR).

Simple math indicates that Yahoo was facing fines of over $25 million dollars for the 1st month of noncompliance, and fines of over $400 million in the second month if the court went along with the government’s proposal. And practically speaking, coercive civil fines means that the government would seek increased fines, with no ceiling, until Yahoo complied. 

Finally — going directly to the points Feingold made 5 years ago — Yahoo had no access to the most important materials in the case, the classified appendix showing all the procedures tied to the dragnet.

The ex parte, classified appendix was just that: a treasure trove of documents, significantly longer than the joint appendix, which Yahoo had never seen before August 22, 2014. Yahoo was denied the opportunity to see any of the documents in the classified, ex parte appendix—even in summary form. Those documents bear a look today. They include certifications underlying the § 702 directives, procedures governing communications metadata analysis, a declaration from the Director of National Intelligence, numerous minimization procedures regarding the FBI’s use of process, and, perhaps most importantly, a FISC decision from January 15, 2008 regarding the procedures for the DNI/AG Certification at issue, which Yahoo had never seen. It examines those procedures under a “clearly erroneous” standard of review – which is one of the most deferential standards used by the judiciary. Yahoo did not have these documents at the time, nor the opportunity to conduct any discovery. It could not fully challenge statements the government made, such as the representation to FISCR “assur[ing the Court] it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary.” Nor could Yahoo use the January 15, 2008 decision to demonstrate how potential flaws in the targeting process translated into real world effects.

This blind litigation is, of course, still the position defense attorneys challenging FISA orders for their clients are in.

Yahoo actually made a pretty decent argument 6 years ago, pointing to incidental collection, collection of Americans’ records overseas (something curtailed, at least in name, under FISA Amendments Act), and dodgy analysis underlying the targeting decisions handed off to Yahoo. But they weren’t permitted the actual documentation they needed to make that case. Which left the government to claim — falsely — that the government was not conducting back door searches on incidentally collected data.

For years, ex parte proceedings have allowed the government to lie to courts and avoid real adversarial challenges to their spying. And not much is changing about that anytime soon.

Transpartisan Coalition Calls on Senate for More NSA Reform

Apparently, I’m not the only one who thinks USA Freedom Act does not do enough to reform the dragnet.

A transpartisan coalition of people and organizations — including whistleblowers Bill Binney, Thomas Drake, Dan Ellsberg, Mark Klein, Ed Loomis and Kirk Wiebe — just released a letter calling out the problems with the bill. The letter starts,

We, the undersigned civil liberties advocates, organizations, and whistleblowers, are alarmed that Senator Leahy’s recently introduced bill, the USA FREEDOM Act (S. 2685), legalizes currently illegal surveillance activities, grants immunity to corporations that collaborate to violate privacy rights, reauthorizes the PATRIOT Act for an additional 2.5 years, and fails to reform EO 12333 or Section 702, other authorities used to collect large amounts of information on Americans. For these reasons, we encourage both the House and the Senate to oppose this legislation in its current form.

I hope reform supporters in Congress take this call for more meaningful reform seriously!

The Hemisphere Decks: A Comparison and Some Hypotheses

Last week, Dustin Slaughter published a story using a new deck of slides on the Hemisphere program, the Drug Czar program that permits agencies to access additional telecommunications analytical services to identify phones, which then gets laundered through parallel construction to hide both how those phones were found, as well as the existence of the program itself.

It has some significant differences from the deck released by the New York Times last year.  I’ve tried to capture the key differences here:

[Figure: Hemisphere Comparison]

The biggest difference is that the NYT deck — which must date to no earlier than June 2013 — draws only from AT&T data, whereas the Declaration deck draws from other providers as well (or rather, from switches used by other providers).

In addition, the Declaration deck seems to reflect approval for use in fewer states (given the mention of CA court orders and the recent authorization to use Hemisphere in Washington in the AT&T deck), and seems to offer fewer analytical bells and whistles.

Thus, I agree with Slaughter that his deck predates — perhaps by some time — the NYT/AT&T deck released last year.  That would mean Hemisphere has lost coverage, even while it has gained new bells and whistles offered by AT&T.

While I’m not yet sure this is my theory of the origin of Hemisphere, some dates are worth noting:

From 2002 to 2006, the FBI had telecoms onsite to provide CDRs directly from their systems (the FBI submitted a great number of its requests without any paperwork). One of the services provided — by AT&T — was community of interest tracking. Presumably they were able to track burner phones (described as dropped phones in these decks) as well.

In 2006, FBI shut down the onsite access, but retained contracts with all 3 providers (AT&T, Verizon, and probably Sprint). In 2009, one telecom — probably Verizon – declined to renew its contract for whatever the contract required.

AT&T definitely still has a contract with FBI, and in recent years, it has added more services to what it offers the FBI.

It’s possible the FBI multi-provider access moved under ONDCP (the Drug Czar) in 2007 as a way to retain its authorities without attracting the attention of DOJ’s excellent Inspector General (who is now investigating this in any case). Though I’m not sure that program provided the local call records the deck at least claims it could have offered. I’m not sure that program got to the telecom switches the way the deck seems to reflect. It’s possible, however, that the phone dragnet in place before it was moved to Section 215 in 2006 did have that direct access to switches, and the program retained this data for some years.

The phone dragnet prior to 2006 and NSL compliance (which is what the contracts with AT&T and one other carrier purportedly provide now) are both authorized in significant part (and entirely, before 2006) through voluntary compliance, per David Kris, the NSA IG Report, and the most recent NSL report. That’s a big reason why the government tried to keep this secret — to avoid any blowback on the providers.

In any case, if I’m right that the program has lost coverage (though gained AT&T’s bells and whistles) in the interim, then it’s probably because providers became unwilling, for a variety of reasons (and various legal decisions on location data are surely one of them) to voluntarily provide such information anymore. I suspect that voluntary compliance got even more circumscribed with the release of the first Horizon deck last year.

Which means the government is surely scrambling to find additional authorities to coerce this continued service.

The Curious Timing of FBI’s Back Door Searches

The very first thing I remarked on when I read the Yahoo FISCR opinion when it was first released in 2009 was this passage.

The petitioner’s concern with incidental collections is overblown. It is settled beyond peradventure that incidental collections occurring as a result of constitutionally permissible acquisitions do not render those acquisitions unlawful.9 See, e.g., United States v. Kahn, 415 U.S. 143, 157-58 (1974); United States v. Schwartz, 535 F.2d 160, 164 (2d Cir. 1976). The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment. (26 in original release; 30 in current release)

The government claimed to FISCR that it did not maintain a database of incidentally collected information from non-targeted US persons.

Barring some kind of neat parse, I didn’t buy the claim, not even in 2009.

Since then, we’ve found out that — barring some kind of neat parse — I was absolutely right. In fact, they are doing back door searches on this data, especially at FBI.

What I’m particularly intrigued by, now, is the timing.

FISCR said that in an opinion dated August 22, 2008 — over a month after the July 10, 2008 passage of the FISA Amendments Act. I have not yet found evidence of when the government said that to FISCR. It doesn’t appear in the unredacted part of their Jun 5, 2008 Merits brief (which cites Kahn but not Schwartz; see 49-50), though it might appear behind the redaction on 41. Of note, the April 25, 2008 FISC opinion doesn’t even mention the issue in its incidental collection discussion (starting at 95), though it does discuss amended certifications filed in February 2008.

So I’m guessing the government made that representation at the hearing in June, 2008.

We know, from John Bates’ rationale for authorizing NSA and CIA back door searches, such back door searches were first added to FBI minimization procedures in 2008.

When Bates approved back door searches in his October 3, 2011 opinion, he pointed to FBI’s earlier (and broader) authorities to justify approving it for NSA and CIA. While the mention of FBI is redacted here, at that point it was the only other agency whose minimization procedures had to be approved by FISC, and FBI is the agency that applies for traditional FISA warrants.

[redacted] contain an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information. See [redacted]. In granting [redacted] applications for electronic surveillance or physical search since 2008, including applications targeting United States persons and persons in the United States, the Court has found that the [redacted] meet the definitions of minimization procedures at 50 U.S.C. §§ 1801(h) and 1821(4). It follows that the substantially-similar querying provision found at Section 3(b)(5) of the amended NSA minimization procedures should not be problematic in a collection that is focused on non-United States persons located outside the United States and that, in aggregate, is less likely to result in the acquisition of nonpublic information regarding non-consenting United States persons.

So since 2008, FBI has had the ability to do back door searches on all the FISA-authorized data they get, including taps targeting US persons.

The FBI Minimization procedures submitted with the case all date to the 1990s, though a 2006 amendment changed how they logged the identities of US persons collected (note, in 2011, John Bates was bitching at FBI for having ignored an order to reissue all its minimization procedures with updates; I can see why he complained).

As described in the Government’s response of June 16, 2006, identities of U.S. persons that have not been logged are often maintained in FBI databases that contain unminimized information. The procedures now simply refer to “the identities” of U.S. persons, acknowledging that the FBI may not have previously logged such identities.

But there’s reason to believe the FBI minimization procedures — and this logging process — were changed in 2008, because a government document submitted in the Basaaly Moalin case — we know Moalin was wiretapped from December 2007 to April 2008, so during precisely the period of the Yahoo challenge, though he was not indicted until much later — referenced two sets of minimization procedures, seeming to reflect a change in minimization during the period of his surveillance (or perhaps during the period of surveillance of Aden Ayro, which is how Moalin is believed to have been identified).

That is, it all seems to have been happening in 2008.

The most charitable guess would be that explicit authorization for back door searches happened with the FAA, so before the FISCR ruling, but after the briefing.

Except in a letter to Russ Feingold during early debates on the FAA, Mike Mukasey and Mike McConnell (the latter of whom was involved in this Yahoo fight) strongly shot down a Feingold amendment that would have required the government to segregate all communications not related to terrorism (and a few other things), and would have required a FISA warrant to access them.

The Mukasey-McConnell attack on segregation is most telling. They complain that the amendment makes a distinction between different kinds of foreign intelligence (one exception to the segregation requirement in the amendment is for “concerns international terrorist activities directed against the United States, or activities in preparation therefor”), even while they claim it would “diminish our ability swiftly to monitor a communication from a foreign terrorist overseas to a person in the United States.” In other words, they complain that one of the only exceptions is for communications relating to terrorism, but then say this will prevent them from getting communications pertaining to terrorism.

Then it launches into a tirade that lacks any specifics:

It would have a devastating impact on foreign intelligence surveillance operations; it is unsound as a matter of policy; its provisions would be inordinately difficult to implement; and thus it is unacceptable.

As Feingold already pointed out, the government has segregated the information they collected under PAA–they’re already doing this. But to justify keeping US person information lumped in with foreign person information, they offer no affirmative reason to do so, but only say it’s too difficult and so they refuse to do it.

Even 5 years ago, the language about the “devastating impact” segregating non-terrorism data might have strongly suggested the entire point of this collection was to provide for back door searches.

But that letter was dated February 5, 2008, before the FISCR challenge had even begun. While not definitive, this seems to strongly suggest, at least, that the government planned — even if it hadn’t amended the FBI minimization procedures yet — to retain a database of incidentally collected data to search on, before the government told FISCR they did not.

Update: I forgot a very important detail. In a hearing this year, Ron Wyden revealed that NSA’s authority to do back door searches had been closed some time during the Bush Administration, before it was reopened by John “Bates stamp” Bates.

Let me start by talking about the fact that the House bill does not ban warrantless searches for Americans’ emails. And here, particularly, I want to get into this with you, Mr. Ledgett if I might. We’re talking of course about the backdoor search loophole, section 702 of the FISA statute. This allows NSA in effect to look through this giant pile of communications that are collected under 702 and deliberately conduct warrantless searches for the communications of individual Americans.  This loophole was closed during the Bush Administration, but it was reopened in 2011, and a few months ago the Director of National Intelligence acknowledged in a letter to me that the searches are ongoing today. [my emphasis]

When I noted that Wyden had said this, I guessed that the government had shut down back door searches in the transition from PAA to FAA, but that seems less likely, having begun to review these Yahoo documents, than that it got shut down in response to the hospital confrontation.

But it shows that more extensive back door searches had been in place before the government implied to the FISCR that they weren’t doing back door searches that they clearly were at least contemplating at that point. I’d really like to understand how the government believes they didn’t lie to the FISCR in that comment (though it wouldn’t be the last time they lied to courts about their databases of Americans).
