EO 12333

Section 309: A Band-Aid for a Gaping Wound in Democracy

Metadata: Someone surveilling our conversation “connection chained” Bob Litt and me chatting about spying on Americans in the Hayek Auditorium at CATO on 12/12/14.

On Friday, officials from James Clapper’s office confirmed in a number of different ways that the government obtains “vast troves” of Americans’ communication overseas. And rather than enforce Dianne Feinstein and Mark Udall’s suggestion that the intelligence community treat it under FISA — as the spirit of FISA Amendments Act, which extended protection to Americans abroad, would support — Congress instead passed Section 309, a measure to impose limited protections on vast unregulated spying on Americans.

This all happened at CATO’s conference on surveillance, an awesome conference set up by Julian Sanchez.

My panel (moderated very superbly by Charlie Savage) revisited at length the debate between former State Department whistleblower John Napier Tye and Director of National Intelligence Civil Liberties Officer Alex Joel (into which I stuck my nose). As he did in his Politico post responding to Tye’s alarms about the risk of EO 12333 collection against Americans to democracy, Joel pointed to the topical limits on bulk collection Obama imposed in his Presidential Policy Directive 28, which read,

The United States must consequently collect signals intelligence in bulk in certain circumstances in order to identify these threats. Routine communications and communications of national security interest increasingly transit the same networks, however, and the collection of signals intelligence in bulk may consequently result in the collection of information about persons whose activities are not of foreign intelligence or counterintelligence value. The United States will therefore impose new limits on its use of signals intelligence collected in bulk. These limits are intended to protect the privacy and civil liberties of all persons, whatever their nationality and regardless of where they might reside.

In particular, when the United States collects nonpublicly available signals intelligence in bulk, it shall use that data only for the purposes of detecting and countering: (1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.

I noted — as I did in my Salon piece on the topic — that bulk collection for even just one topic means the collection of everything, as counterterrorism serves as the excuse to get all phone records in the US in the phone dragnet. Joel did not dispute that, explaining that PPD-28 only limits the use of data that has been bulk collected to these six purposes. PPD-28 does nothing to limit bulk collection itself. Though the fact that these limitations have forced a change in how the NSA operates is testament that they were using data collected in bulk for even more reasons before January.

The NSA is, then, aspiring to collect it all, around the world.

Which was a point confirmed in an exchange between Joel and Tye. Joel claimed we weren’t collecting nearly all of the Internet traffic out there, saying it was just a small fraction. Tye said that was disingenuous, because 80% of Internet traffic is actually things like Netflix. Tye stated that the NSA does collect a significant percentage of the remainder (he implied most, but I’d want to see the video before I characterize how strongly he said that).

Again, collect it all.

Our panel didn’t get around to talking about Section 309 of the Intelligence Authorization, which I examined here. The Section imposes a 5 year retention limit on US person data except for a number of familiar purposes — foreign intelligence, evidence of a crime, encryption, all foreign participants, tech assurance or compliance, or an Agency head says he needs to retain it longer (which requires notice to Congress). Justin Amash had argued, in an unsuccessful attempt to defeat the provision, that the measure provides affirmative basis for sharing US person content collected under EO 12333.

In a later panel at the CATO conference, DNI General Counsel Bob Litt said that the measure doesn’t change anything about what the IC is already doing.

The Emergency EO 12333 Fix: Section 309

In a last minute amendment to the Intelligence Authorization, the House and Senate passed a new section basically imposing minimization procedures for EO 12333 or other intelligence collection not obtained by court order. (See Section 309)

(3) Procedures.–

(A) Application.–The procedures required by paragraph (1) shall apply to any intelligence collection activity not otherwise authorized by court order (including an order or certification issued by a court established under subsection (a) or (b) of section 103 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803)), subpoena, or similar legal process that is reasonably anticipated to result in the acquisition of a covered communication to or from a United States person and shall permit the acquisition, retention, and dissemination of covered communications subject to the limitation in subparagraph (B).

(B) Limitation on retention.–A covered communication shall not be retained in excess of 5 years, unless–

(i) the communication has been affirmatively determined, in whole or in part, to constitute foreign intelligence or counterintelligence or is necessary to understand or assess foreign intelligence or counterintelligence;

(ii) the communication is reasonably believed to constitute evidence of a crime and is retained by a law enforcement agency;

(iii) the communication is enciphered or reasonably believed to have a secret meaning;

(iv) all parties to the communication are reasonably believed to be non-United States persons;

(v) retention is necessary to protect against an imminent threat to human life, in which case both the nature of the threat and the information to be retained shall be reported to the congressional intelligence committees not later than 30 days after the date such retention is extended under this clause;

(vi) retention is necessary for technical assurance or compliance purposes, including a court order or discovery obligation, in which case access to information retained for technical assurance or compliance purposes shall be reported to the congressional intelligence committees on an annual basis; or

(vii) retention for a period in excess of 5 years is approved by the head of the element of the intelligence community responsible for such retention, based on a determination that retention is necessary to protect the national security of the United States, in which case the head of such element shall provide to the congressional intelligence committees a written certification describing–

(I) the reasons extended retention is necessary to protect the national security of the United States;

(II) the duration for which the head of the element is authorizing retention;

(III) the particular information to be retained; and

(IV) the measures the element of the intelligence community is taking to protect the privacy interests of United States persons or persons located inside the United States.

The language seems to be related to — but more comprehensive than — language included in the RuppRoge bill earlier this year. That, in turn, seemed to arise out of concerns raised by PCLOB that some unnamed agencies had not revised their minimization procedures in the entire life of EO 12333.

Whereas that earlier passage had required what I’ll call Reagan deadenders (since they haven’t updated their procedures since him) to come up with procedures, this section effectively imposes minimization procedures similar, though not identical, to what the NSA uses: 5 year retention except for a number of reporting requirements to Congress.

I suspect these are an improvement over whatever the deadenders have been using. But as Justin Amash wrote in an unsuccessful letter trying to get colleagues to oppose the intelligence authorization because of the late addition, the section provides affirmative basis for agencies to share US person communications whereas none had existed.

Sec. 309 authorizes “the acquisition, retention, and dissemination” of nonpublic communications, including those to and from U.S. persons. The section contemplates that those private communications of Americans, obtained without a court order, may be transferred to domestic law enforcement for criminal investigations.

To be clear, Sec. 309 provides the first statutory authority for the acquisition, retention, and dissemination of U.S. persons’ private communications obtained without legal process such as a court order or a subpoena. The administration currently may conduct such surveillance under a claim of executive authority, such as E.O. 12333. However, Congress never has approved of using executive authority in that way to capture and use Americans’ private telephone records, electronic communications, or cloud data.

[snip]

In exchange for the data retention requirements that the executive already follows, Sec. 309 provides a novel statutory basis for the executive branch’s capture and use of Americans’ private communications. The Senate inserted the provision into the intelligence reauthorization bill late last night.

Which raises the question of what the emergency was to have both houses of Congress push this through at the last minute? Back in March, after all, RuppRoge was happy to let the agencies do this on normal legislative time.

I can think of several possibilities:

  • The government is imminently going to have to explain some significant EO 12333 collection — perhaps in something like the Hassanshahi case or one of the terrorism cases explicitly challenging the use of EO 12333 data and it wants to create the appearance it is not a lawless dragnet (though the former was always described as metadata, not content)
  • The government is facing new scrutiny on tools like Hemisphere, which the DOJ IG is now reviewing; if 27-year old data is owned by HIDTA rather than AT&T, I can see why it would cause problems (though again, except insofar as it includes things like location, that’s metadata, not content)
  • This is Dianne Feinstein’s last ditch fix for the “trove” of US person content that Mark Udall described that John Carlin refused to treat under FISA
  • This is part of the effort to get FBI to use EO 12333 data (which may be related to the first bullet); these procedures are actually vastly better than FBI’s see-no-evil-keep-all-data for up to 30 years approach, though the language of them doesn’t seem tailored to the FBI

Or maybe this is meant to provide the patina of legality to some other dragnet we don’t yet know about.

Still, I find it an interesting little emergency the intelligence committees seem to want to address.

Dead Mediators Belie the Claim US Didn’t Know about Pierre Korkie

A number of people have been pointing to the buried lead in a NYT story about the US killing South African aid worker Pierre Korkie the day before the charity he worked for finalized his freedom. Back in November, a group of tribal leaders who were brokering the deal got killed in a drone strike.

After months of silence, Gift of the Givers had a breakthrough in August, when tribal leaders sent a delegation, acting on behalf of the charity, into the remote badlands. The assembled Qaeda fighters took a vote on reducing the ransom, and half the jihadists voted “yes” while half voted “no,” Mr. Sooliman said. In October, the abductors said that they would accept $700,000. The family, which had already said it could not afford $3 million, still did not have enough money.

In November, the tribal leaders went back to meet with Qaeda members. The car was hit by a drone strike, killing the mediators, according to Mr. Sooliman. “We thought it was over,” he said.

Not only is it fairly shocking that the US first killed these mediators, then killed the guy they were trying to free, but this detail undermines the US claim they had no idea who was with Luke Somers when they tried to rescue him.

US special forces who tried to rescue photojournalist Luke Somers from al-Qaeda in Yemen were not aware of the identity of the other hostage held with him, a US official has told the BBC.

Both South African teacher Pierre Korkie and Mr Somers were shot by the militants during the raid, US officials say, and died as a result.

A charity working with Mr Korkie said he was to have been freed on Sunday.

Its project director said the US rescue attempt had “destroyed everything”.

To believe this claim you’d have to believe the NSA’s 2-degree spying techniques, which just weeks ago had gotten some tribal leaders killed, had completely collapsed such that the US had no affirmative intelligence on the kidnappers (which of course they did because they knew where to try to rescue Somers). You’d also have to believe that a South African charity had managed to set up ongoing communications with the kidnappers, but the NSA wasn’t monitoring those communications (or, just as likely, using them as a means to track the kidnappers). The only way that’d be true is if we had forsworn SIGINT in favor of dodgy intelligence from our partners in the neighborhood; while I think many of our catastrophes in Yemen and Syria can be blamed on our dodgy partners lying to us, it is inconceivable we would not at the same time be checking their claims with SIGINT.

It may be convenient for the US to pretend it doesn’t engage in SIGINT in Yemen. But it is no longer believable.

The Government’s Unexplained Iran Dragnet

Just the other day, I observed that the government likely has a problem with the authorities it has used to police its sanction regime against Iran. First, the government appears to have had a counterproliferation certification under Protect America Act that may have had legal issues; with FISA Amendments Act, Congress authorized such a certification as foreign intelligence. Then, at some point over the course of the phone dragnet, FISC approved the use of the dragnet with Iran under an alleged terrorism purpose. But the primary claimed Iranian terrorism in this country was propagated by DEA; clearly the NSA was using the dragnet for an inherently counterproliferation purpose.

A judge in DC just ruled for the government in a case against an Iranian American, Shantia Hassanshahi, that implicates many of these problems, and broader problems with the dragnet, though he did so by largely sidestepping the underlying issue.

Basically, the case that Hassanshahi violated sanctions stems from the following evidentiary steps:

  1. An unsolicited tip from an (apparently) paid informant
  2. A query request submitted to some unnamed database on a suspect number, which returned a single call with a number associated with Hassanshahi
  3. Based on that and 1 other call to Iran, the government stopped Hassanshahi as he returned from a trip to Iran and seized his devices in CA
  4. A forensic search of his laptop resulted in incriminating documents showing the sale of non-military energy-related goods to Iran

Hassanshahi argued that the query of the database — which he argued was either the phone dragnet database or something nearly identical and therefore just as unconstitutional — was illegal, citing Richard Leon’s Larry Klayman ruling. And he argued that everything else not only followed as fruit of the poisonous tree from there, but that the device search violated the 9th Circuit’s precedent requiring probable cause to conduct a forensic border search (his devices were seized in CA, not in DC). Judge Rudolph Contreras rejected Hassanshahi’s bid to have the evidence suppressed by dodging the question of the legality of the database query, treating it as unconstitutional (I think this overstates what the government was saying here).

In response, the Government sidesteps Hassanshahi’s argument by taking the position that although the NSA telephony database was not used, the Court nevertheless should assume arguendo that the law enforcement database HSI did use was unconstitutional. See Gov’t’s Mem. Opp’n Mot. Suppress 12. Consistent with this position, the Government refuses to provide details about its law enforcement database on the basis that such information is irrelevant once the Court accepts the facial illegality of the database. See id. at 11-12. Regrettably, the Court therefore starts its analysis from the posture that HSI’s initial search of the mysterious law enforcement database, which uncovered one call between Sheikhi’s business telephone number and the 818 number linked to Hassanshahi, was unconstitutional.

But based on the time that elapsed between the query he treated as unconstitutional and the border search, and based on Hassanshahi’s voluntary arrival in LAX (where a 9th Circuit ruling would require reasonable suspicion) and some really crazy details even the government didn’t argue that strongly constituted reasonable suspicion, he ruled the forensic search in LA legal.

This is where things get bizarre. Having already ruled that this was not flagrant enough to make the subsequent search improper, Contreras then throws up his hands and notes that if the government did use the NSA phone dragnet (which is supposed to be limited to counterterrorism purposes and therefore should be inapplicable in this case), or if the dragnet it used doesn’t have the controls that the NSA dragnet does, it might be a problem; he says he will require the government to submit an ex parte filing explaining the database.

But, at the same time, the Court does not know with certainty whether the HSI database actually involves the same public interests, characteristics, and limitations as the NSA program such that both databases should be regarded similarly under the Fourth Amendment. In particular, the NSA program was specifically limited to being used for counterterrorism purposes, see Klayman, 957 F. Supp. 2d at 15-16, and it remains unclear if the database that HSI searched imposed a similar counterterrorism requirement. If the HSI database did have such a limitation, that might suggest some level of flagrancy by HSI because it was clear that neither Sheikhi nor Hassanshahi was involved in terrorism activities. With so many caveats, the Government’s litigation posture leaves the Court in a difficult, and frustrating, situation. Yet, even assuming that the HSI database was misused to develop the lead into Hassanshahi, HSI’s conduct appears no more flagrant than law enforcement conduct in other “unlawful lead” cases, which still held that the attenuation exception applied nonetheless.6

6 The Government’s silence regarding the nature of the law enforcement database has made the Court’s analysis more complex than it should be. Although the Court still concludes that the attenuation exception applies in large part based on the “unlawful lead” line of cases, the Court will order that the Government provide the Court with an ex parte declaration summarizing the contours of the mysterious law enforcement database used by HSI, including any limitations on how and when the database may be used.

Of course he only requires this after ruling that the evidence can come in!

Now, I can think of four possibilities to explain the search:

  • The government searched the dragnet under its “Iranian” allowance (which only Josh Gerstein and I have ever reported), exposing what I noted above — that they’re using a CT tool for a fundamentally CP function
  • The government searched Hemisphere
  • The government searched SPMCA, the authority permitting it to contact-chain on US person data collected under EO 12333 or it originally searched on the Section 215 phone dragnet then re-ran the search under EO 12333 so it could share the link
  • There’s yet another dragnet

Something’s definitely fishy about the government’s claims, because the Homeland Security investigator in the case, Joshua Akronowitz, changed his story twice in meaningful ways.

For example, the affidavit the government used to justify his arrest said he personally searched “HSI accessible law enforcement databases.”

A Radical Proposal of Following the Law

Mieke Eoyang, the Director of Third Way’s National Security Program, has what Ben Wittes bills as a “disruptive” idea: to make US law the exclusive means to conduct all surveillance involving US companies.

But reforming these programs doesn’t address another range of problems—those that relate to allegations of overseas collection from US companies without their cooperation.

Beyond 215 and FAA, media reports have suggested that there have been collection programs that occur outside of the companies’ knowledge. American technology companies have been outraged about media stories of US government intrusions onto their networks overseas, and the spoofing of their web pages or products, all unbeknownst to the companies. These stories suggest that the government is creating and sneaking through a back door to take the data. As one tech employee said to me, “the back door makes a mockery of the front door.”

As a result of these allegations, companies are moving to encrypt their data against their own government; they are limiting their cooperation with NSA; and they are pushing for reform.  Negative international reactions to media reports of certain kinds of intelligence collection abroad have resulted in a backlash against American technology companies, spurring data localization requirements, rejection or cancellation of American contracts, and raising the specter of major losses in the cloud computing industry. These allegations could dim one of the few bright spots in the American economic recovery: tech.

[snip]

How about making the FAA the exclusive means for conducting electronic surveillance when the information being collected is in the custody of an American company? This could clarify that the executive branch could not play authority shell-games and claim that Executive Order 12333 allows it to obtain information on overseas non-US person targets that is in the custody of American companies, unbeknownst to those companies.

As a policy matter, it seems to me that if the information to be acquired is in the custody of an American company, the intelligence community should ask for it, rather than take it without asking. American companies should be entitled to a higher degree of forthrightness from their government than foreign companies, even when they are acting overseas.

Now, I have nothing against this proposal. It seems necessary but wholly inadequate to restoring trust between the government and (some) Internet companies. Indeed, it represents what should have been the practice in any case.

Let me first take a detour and mention a few difficulties with this. First, while I suspect this might be workable for content collection, remember that the government was not just collecting content from Google and Yahoo overseas — they were also using their software to hack people. NSA is going to still want the authority to hack people using weaknesses in such software, such as it exists (and other software companies probably still are amenable to sharing those weaknesses).  That points to the necessity to start talking about a legal regime for hacking as much as anything else — one that parallels what is going on with the FBI domestically.

Also, this idea would not cover the metadata collection from telecoms which are domestically covered by Section 215, which will surely increasingly involve cloud data that more closely parallels the data provided by FAA providers but that would be treated as EO 12333 overseas (because thus far metadata is still treated under the Third Party doctrine here). This extends to the Google and Yahoo metadata taken off switches overseas. So, such a solution would be either limited or (if and when courts domestically embrace a mosaic theory approach to data, including for national security applications) temporary, because some of the most revealing data is being handed over willingly by telecoms overseas.

How to Fix the FISA Court … Or Not

The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26)

That line, from the FISCR opinion finding the Protect America Act constitutional, gets to the core problem with the FISA Court scheme. Even in 2009, when the line was first made public, it was pretty clear the government had made a false claim to the FISA Court of Review.

Now that we know that FBI had already been given authority to keep PAA-collected content in databases that they could search at what is now called the assessment stage of investigations – warrantless searches of the content of Americans against whom the FBI has no evidence of wrong-doing — the claim remains one of the signature moments where the government got approval for a program by being less than candid to the court (the government has been caught doing so in both Title III courts and at FISC, and continues to do so).

That’s also why I find Greg McNeal’s paper on Reforming the FISC, while very important, ultimately unconvincing.

McNeal’s paper is invaluable for the way he assesses the decision — in May 2006 — to authorize the collection of all phone records under Section 215. Not only does the paper largely agree with the Democratic appointees on PCLOB that the program is not authorized by the Section 215 statute, McNeal conducts his own assessment of the government’s application to use Section 215 for that purpose.

The application does not fare well.

Moreover, the government recognized that not all records would be relevant to an investigation, but justified relevance on what could best be described as usefulness or necessity to enable the government’s metadata analysis, stating:

The Application fully satisfies all requirements of title V of FISA. In particular, the Application seeks the production of tangible things “for” an international terrorism investigation. 50 U.S.C. § 1861(a)(1). In addition, the Application includes a statement of facts demonstrating that there are reasonable grounds to believe that the business records sought are “relevant” to an authorized investigation. Id.  § 1861(b)(2). Although the call detail records of the [redacted] contain large volumes of metadata, the vast majority of which will not be terrorist-related, the scope of the business records request presents no infirmity under title V. All of the business records to be collected here are relevant to FBI investigations into [redacted] because the NSA can effectively conduct metadata analysis only if it has the data in bulk.49

The government went even further, arguing that if the FISC found that the records were not relevant, that the FISC should read relevance out of the statute by tailoring its analysis in a way that would balance the government’s request to collect metadata in bulk against the degree of intrusion into privacy interests. Disregarding the fact that the balancing of these interests was likely already engaged in by Congress when writing section 215, the government wrote:

In addition, even if the metadata from non-terrorist communications were deemed not relevant, nothing in title V of FISA demands that a request for the production of “any tangible things” under that provision collect only information that is strictly relevant to the international terrorism investigation at hand. Were the Court to require some tailoring to fit the information that will actually be terrorist-related, the business records request detailed in the Application would meet any proper test for reasonable tailoring. Any tailoring standard must be informed by a balancing of the government interest at stake against the degree of intrusion into any protected privacy interests. Here, the Government’s interest is the most compelling imaginable: the defense of the Nation in wartime from attacks that may take thousands of lives. On the other side of the balance, the intrusion is minimal. As the Supreme Court has held, there is no constitutionally protected interest in metadata, such as numbers dialed on a telephone.50

Thus, the government asked the court to disregard the judgment of the Congress as to the limitations and privacy interests at stake in the collection of business records. Specifically, the government asked the FISC to disregard Congress’s imposition of a statutory requirement that business records be relevant, and in disregarding that statutory requirement rely on the fact that there was no constitutionally protected privacy interest in business records. The government’s argument flipped the statute on its head, as the purpose of enhancing protections under section 215 was to supplement the constitutional baseline protections for privacy that were deemed inadequate by Congress.

McNeal is no hippie. That he largely agrees and goes beyond PCLOB’s conclusion that this decision was not authorized by the statute is significant.

But as I said, I disagree with his remedy — and also with his assessment of the single source of this dysfunction.

McNeal’s remedy is laudable. He suggests all FISC decisions should be presumptively declassified and any significant FISC decision should get automatic appellate review, done by FISCR. That’s not dissimilar to a measure in Pat Leahy’s USA Freedom Act, which I’ve written about here. With my cautions about that scheme noted, I think McNeal’s remedy may have value.

The reason it won’t be enough stems from two things.

First, the government has proven it cannot be trusted with ex parte proceedings in the FISC. That may seem harsh, but the Yahoo challenge — which is the most complete view we’ve ever had of how the court works, even with a weak adversary — really damns the government’s conduct. In addition to the seemingly false claim to FISCR about whether the government held databases of incidentally collected data, over the course of the Yahoo challenge, the government,

  • Entirely restructured the program — bringing the FBI into a central role of the process — without telling Reggie Walton about these major changes to the program the challenge he was presiding over evaluated; this would be the first of 4 known times in Walton’s 7-year tenure where he had to deal with the government withholding materially significant information from the court
  • Provided outdated versions of documents, effectively hiding metadata that would have shown EO 12333, which was a key issue being litigated, was more fluid than presented to the court
  • Apparently did not notice either FISC or FISCR about an OLC opinion — language from which was declassified right in the middle of the challenge — authorizing the President to pixie dust EO 12333 at any time without noting that publicly
  • Apparently did not provide the underlying documents explaining another significant change they made during the course of the challenge, which would have revealed how easily Americans could be reverse targeted under a program prohibiting it; these procedures were critical to FISCR’s conclusion the program was legal

In short, the materials withheld or misrepresented over the course of the Yahoo challenge may have made the difference in FISCR’s judgment that the program was legal (even ignoring all the things withheld from Yahoo, especially regarding the revised role of FBI in the process). (Note, in his paper, McNeal rightly argues Congress and the public could have had a clear idea of what Section 702 does; I’d limit that by noting that almost no one besides me imagined they were doing back door searches before that was revealed by the Snowden leaks).

One problem with McNeal’s suggestion, then, is that the government simply can’t be trusted to engage in ex parte proceedings before the FISC or FISCR. Every major program we’ve seen authorized by the court has featured significant misrepresentations about what the program really entailed. Every one! Until we eliminate that problem, the value of these courts will be limited.

But then there is the other problem, my own assessment of the source of the problem with FISC. McNeal thinks it is that Congress wants to pawn its authority off onto the FISC.

The underlying disease is that Congress wants things to operate the way that they do; Congress wants the FISC and has incentives to maintain the status quo.

Why does Congress want the FISC? Because it allows them to push accountability off to someone else. If members of Congress are responsible for conducting oversight of secret operations, their reputations are on the line if the operations go too far toward violating civil liberties, or not far enough toward protecting national security. However, with the FISC conducting operations, Congress has the ability to dodge accountability by claiming they have empowered a court to conduct oversight.

I don’t, in general, disagree with this sentiment in the least. The last thing Congress wants to do is make a decision that might later be tied to an intelligence failure, a terrorist attack, a botched operation. Heck, I’d add that the last thing most members of Congress serving on the Intelligence Committees would want to do is piss off the contractors whose donations provide one of the perks of the seat.

But the dysfunction of the FISC stems, in significant part, from something else.

In his paper on the phone dragnet (which partly incorporates the Internet dragnet), David Kris suggests the original decision to bring the dragnets under the FISC (in the paper he was limited by DOJ review about what he could say of the Internet dragnet, so it is not entirely clear whether he means the Colleen Kollar-Kotelly opinion that paved the way for the flawed Malcolm Howard one McNeal critiques, or the Howard one) was erroneous.

If the NSA “Won” the War in Iraq, Why Are We Still Losing It?

To Shane Harris’ misfortune, his book, @War, out today, came out on the same day that General Daniel Bolger’s book, Why We Lost, came out.

That means Harris’ first excerpt, initially titled “How the NSA Sorta Won the Last Iraq War,” came out just days before Bolger’s op-ed today, mourning another Veterans Day to contemplate the 80 men he lost. Bolger wants us to stop telling the lie that the surge won the Iraq War.

Here’s a legend that’s going around these days. In 2003, the United States invaded Iraq and toppled a dictator. We botched the follow-through, and a vicious insurgency erupted. Four years later, we surged in fresh troops, adopted improved counterinsurgency tactics and won the war. And then dithering American politicians squandered the gains. It’s a compelling story. But it’s just that — a story.

The surge in Iraq did not “win” anything. It bought time. It allowed us to kill some more bad guys and feel better about ourselves. But in the end, shackled to a corrupt, sectarian government in Baghdad and hobbled by our fellow Americans’ unwillingness to commit to a fight lasting decades, the surge just forestalled today’s stalemate. Like a handful of aspirin gobbled by a fevered patient, the surge cooled the symptoms. But the underlying disease didn’t go away. The remnants of Al Qaeda in Iraq and the Sunni insurgents we battled for more than eight years simply re-emerged this year as the Islamic State, also known as ISIS.

Harris’s story, which explains how network analysis and then hacking of Iraqi insurgents — including Al Qaeda in Iraq — helped us to win the surge, relies on that legend.

TAO hackers zeroed in on the leaders of the al Qaeda group. Centering their operations in Baghdad, they scooped up e-mail messages that the terrorists had left in draft form in their personal accounts, where they could be picked up by fellow fighters without having to be sent over the Internet. This was a common trick terrorists used to avoid detection. TAO had been on to it for years.

For TAO, hacking into the communications network of the senior al Qaeda leaders in Iraq helped break the terrorist group’s hold on the neighborhoods around Baghdad. By one account, it aided U.S. troops in capturing or killing at least ten of those senior leaders from the battlefield.

[snip]

For the first time in the now four-year-old Iraq War, the United States could point to a strategy that was actually working. The overall success of the surge, which finally allowed U.S. forces to leave Iraq, has been attributed to three major factors by historians and the commanders and soldiers who served there. First, the additional troops on the ground helped to secure the most violent neighborhoods, kill or capture insurgents, and protect Iraq’s civilians. The cities became less violent, and the people felt safer and more inclined to help the U.S. occupation. Second, insurgent groups who were outraged by al Qaeda’s brutal, heavy-handed tactics and the imposition of religious law turned against the terrorists, or were paid by U.S. forces to switch their allegiances and fight with the Americans. This so-called Sunni Awakening included 80,000 fighters, whose leaders publicly denounced al Qaeda and credited the U.S. military with trying to improve the lives of Iraqi citizens.

But the third and arguably the most pivotal element of the surge was the series of intelligence operations undertaken by the NSA and soldiers such as Stasio. Former intelligence analysts, military officers, and senior Bush administration officials say that the cyber operations opened the door to a new way of obtaining intelligence, and then integrating it into combat operations on the ground. The information about enemy movements and plans that U.S. spies swiped from computers and phones gave troops a road map to find the fighters, sometimes leading right to their doorsteps. This was the most sophisticated global tracking system ever devised, and it worked with lethal efficiency.

Gen. David Petraeus, the commander of all coalition forces in Iraq, credited this new cyber warfare “with being a prime reason for the significant progress made by U.S. troops” in the surge, which lasted into the summer of 2008, “directly enabling the removal of almost 4,000 insurgents from the battlefield.” The tide of the war in Iraq finally turned in the United States’ favor.

I didn’t get a review copy of Harris’ book, so I’ll have to let you know whether he grapples with the fact that this victory lap instead led us to where we are now, escalating the war in Iraq again, with ISIL even more powerful for having combined Saddam’s officers with terrorist methods. I’ll also have to let you know why Harris claims this started in 2007, when we know NSA was even wiretapping Iraqi targets in the US as early as 2004, a program that got shut down in the hospital confrontation.

Harris would have done well to consider Bolger’s call for an assessment of this failure.

That said, those who served deserve an accounting from the generals. What happened? How? And, especially, why? It has to be a public assessment, nonpartisan and not left to the military. (We tend to grade ourselves on the curve.) Something along the lines of the 9/11 Commission is in order. We owe that to our veterans and our fellow citizens.

Such an accounting couldn’t be more timely. Today we are hearing some, including those in uniform, argue for a robust ground offensive against the Islamic State in Iraq. Air attacks aren’t enough, we’re told. Our Kurdish and Iraqi Army allies are weak and incompetent. Only another surge can win the fight against this dire threat. Really? If insanity is defined as doing the same thing over and over and expecting different results, I think we’re there.

That is, if this network analysis and hacking is so superb, then why didn’t it work? Did we not understand the networks that our spectacular tech exposed? Or did we do the wrong thing with it, try to kill it rather than try to win it over? Not to mention, did we account for the necessarily temporary value of all these techniques, given that targets will figure out that their cell phones, the RFID tags, their laptops, or whatever new targeting means we devise are serving as a beacon?

And there’s one more lesson in Harris’ excerpt, one I doubt he admits.

Earlier in the excerpt, he explains in giddy language how the NSA’s hackers broke an insurgent method of leaving draft unsent emails.

Centering their operations in Baghdad, they scooped up e-mail messages that the terrorists had left in draft form in their personal accounts, where they could be picked up by fellow fighters without having to be sent over the Internet. This was a common trick terrorists used to avoid detection. TAO had been on to it for years.

Even while he provides David Petraeus an opportunity to do a victory lap for the surge that in fact did not win the war, he doesn’t mention that Petraeus adopted this insurgent technique to communicate with his mistress, Paula Broadwell. Harris also doesn’t mention that the FBI, like the NSA before it, easily broke the technique.

More important still, Harris doesn’t mention that FBI found reason to do so. These techniques — described with such glee — were turned back on even the man declaring victory over them. They didn’t win the war in either Iraq or Afghanistan, but they sure made it easy for President Obama to take out Petraeus when he became inconvenient.

I have no sympathy for Petraeus, don’t get me wrong. But he is an object lesson in how these techniques have not brought victory to the US. And it’s time to start admitting that fact, and asking why not.

Update: In a post I could have written (though probably not as well), Stephen Walt engages in a counterfactual, asking whether, if we didn’t have the dragnet, we might be doing better at fighting terrorism. Go read the whole thing, but here’s part of it:

Second, if we didn’t have all these expensive high-tech capabilities, we might spend a lot more time thinking about how to discredit and delegitimize the terrorists’ message, instead of repeatedly doing things that help them make their case and recruit new followers. Every time the United States goes and pummels another Muslim country — or sends a drone to conduct a “signature strike” — it reinforces the jihadis’ claim that the West has an insatiable desire to dominate the Arab and Islamic world and no respect for Muslim life. It doesn’t matter if U.S. leaders have the best of intentions, if they genuinely want to help these societies, or if they are responding to a legitimate threat; the crude message that drones, cruise missiles, and targeted killings send is rather different.

If we didn’t have all these cool high-tech hammers, in short, we’d have to stop treating places like Afghanistan, Pakistan, Iraq, and Syria as if they were nails that just needed another pounding, and we might work harder at marginalizing our enemies within their own societies. To do that, we would have to be building more effective partnerships with authoritative sources of legitimacy within these societies, including religious leaders. Our failure to do more to discredit these movements is perhaps the single biggest shortcoming of the entire war on terror, and until that failure is recognized and corrected, the war will never end.

Even the Government Can’t Figure Out How It Uses Its FISA Dragnet

Things are getting interesting in the case of Raez Qadir Khan in Oregon, who was charged in 2011 with conspiring to materially support a suicide bombing that took place in Pakistan in 2009.

As I laid out in September, his lawyers asked to know what types of surveillance the government used to collect all the data that went into a search warrant on Khan’s house.

At a hearing on September 11, the government said that it had provided all the notice Khan needed with its traditional, FAA, and physical search FISA notices.

JUDGE MOSMAN: Am I reading your brief correctly that in some way the defense has been told which authorities they ought to think about challenging here, maybe informally?

MR. GORDER: Well, both formally and informally, Your Honor. The formal way was the notices that we filed with the Court, which indicates that the government intends to use evidence derived from FISA Title I and FISA Title II and FISA Title VII.

In response, at the hearing, Khan attorney Amy Baggio said she’d hold the government to those 3 FISA authorities.

MS. BAGGIO: Now, I understand the point that you made earlier, Your Honor, is they’ve narrowed that somewhat if we’re going to hold them to Title 1, 3 and 7,

Just over a month later, the government wrote the judge, Michael Mosman, a letter, changing its mind. It basically said:

  • It didn’t have to give Khan notice that they used FISA’s PRTT authority against him (most likely in the illegal Internet dragnet), because he didn’t meet all 5 of the criteria required before the government would have to give notice.
  • It didn’t have to give notice under FAA 703 because the government doesn’t intend to enter that electronic surveillance into evidence.
  • It didn’t have to give notice it used Section 215 (note, they almost surely used both the phone dragnet and the Western Union dragnet against him), because Khan lacks standing to contest the admission of this evidence. (Predictably, the government made no mention of the language in phone dragnet orders specifically permitting it to be used for discovery purposes.)

The government said nothing about Protect America Act, Section 704 of FISA (at least according to a Snowden document, the government doesn’t use 703, they use 704, which if that remains true Judge Mosman should know as a FISC judge), or EO 12333. The latter of which, in particular, Baggio has raised repeatedly.

In short, after a month of thinking about it, the government realized that its statements at the hearing were not correct, and that these other authorities were used, and maybe it ought to sort of confess to that after all.

Which Baggio pointed out in a letter filed yesterday.

In the October 15, 2014, letter, the government no longer claims that FISA Titles I, II, and VII (§702) are the only authorities relied on in this case. Instead the government advances, for the first time, arguments about why it is not legally required to provide Mr. Khan with notice that it used FISA subchapters III (PR/TT), IV (§ 215 business records), or FAA § 703. Effectively, the October 15, 2014, letter tacitly admits use of these provisions, but goes on to argue that there are other reasons it need not provide notice.

She also pointed out that, in submitting its letter over a month after the hearing, the government had violated the court’s briefing schedule without obtaining permission to do so.

On October 15, 2014, 65 days after the government’s briefing was due and 34 days after the motion was taken under advisement by the Court, the government submitted a letter raising new arguments and taking new positions in support of its request that the Court deny Mr. Khan’s Motion to Compel Notice. Exhibit B.

[snip]

When the Court sets deadlines in a Rule 12(c) scheduling order, a party who fails to raise a “defense, objection, or request” related to a pretrial motion to suppress waives that argument. Fed. R. Crim. P. 12(e). A court may grant a party leave to submit a late argument if the party establishes “good cause.” Id. Here, the government did not seek leave before offering additional arguments over two months after its briefing was due. Moreover, the letter makes no attempt to establish good cause.

She goes on to hammer the government for its tortured definitions of “collect,” citing — among other things — James Clapper’s lie to Oregon’s Senator.

That is, the DoD definition permits the NSA to obtain communications and store them in a government database without a “collection” occurring. These regulations establish that government takes the position that the communications were “collected” only after an algorithm searches them for key words and analyzes the metadata.

Similarly, Director of National Intelligence (DNI) Clapper explained in Senate testimony in response to a direct question from Senator Wyden in which DNI Clapper denied “collecting” data on millions or hundreds of millions of Americans by stating: “[T]here are honest differences on the semantics when someone says ‘collection’ to me, that has a specific meaning, which may have a different meaning to him [Senator Wyden].”

While she doesn’t say it, we know that the government uses both phone and Internet dragnet data — the Section 215 and PRTT collection the government refuses to notice — as the index to pull up this already collected data. Given that the investigation into Khan likely started only after his alleged co-conspirator’s suicide bombing, much of the evidence was almost certainly stored communication, pulled up using metadata as an index.

Baggio ends by calling on Mosman — a Title III judge but also a FISC judge — to guard his prerogative as the former.

The government’s letter attempts to justify a blanket policy of non-disclosure by coopting this Court’s constitutional role to resolve legal questions about whether (1) particular government conduct constitutes a search or seizure, (2) whether the search or seizure violated Mr. Khan’s constitutional rights and (3) if so, whether evidence obtained or derived from the search or seizure should be suppressed. The government’s argument amounts to an assertion that it need not provide Mr. Khan with notice because, even if it did, Mr. Khan would lose a motion to suppress. Such arguments offend the fundamental principles of the criminal justice system, and the Court should reject them. Without the type of notice requested in Mr. Khan’s Motion to Compel Notice,

I originally thought that having Mosman preside over this case would be a bit of a disaster, given FISC judges’ apparent willingness to make ridiculous arguments to defend the viability of their secret court. But I think Baggio is giving Mosman an important lesson in how the authorities he approves in secret actually play out in practice.

We’ll see whether he’s more interested in defending the prerogative of his Title III role or the claimed legitimacy of his secret judge role.

New and Improved FBI! Now with 12 New Pages of Investigative Methods!

Among the documents ACLU obtained as part of its EO 12333 FOIA are 3 pages out of the bajillion-paged Domestic Investigations and Operations Guide.

The actual content of the pages isn’t all that interesting. The content has been available for years.

But this is interesting.


The pagination of the third page, discussing wiretapping of a targeted American overseas, shows two things.

First — as the description of the document provided to ACLU also describes — this is a new version of the DIOG. The publicly available DIOG is dated October 15, 2011. This DIOG is dated October 16, 2013, two years later.

Also, the pagination reveals that there are at least 12 new pages in Section 18, which describes investigative methods.

What do you want to bet FBI has already added hacking to its investigative methods?

Update: Via Mike German, I learn that FBI did a 2012 edition as well, for which just a fragment plus the Table of Contents got released. The methods section grew about 4 pages between 2011 and 2012. So that leaves 8 pages that are new in this 2013 edition.

Also note, the latest revision came the day before Charlie Savage reported that DOJ would start giving defendants notice of Section 702 usage.

An Unclassified Statement about Where NSA’s Internet Dragnet Went

In a declaration submitted in EPIC’s FOIA for the PRTT dragnet data, NSA’s David Sherman tried to explain why NSA can’t reveal additional details of the domestic Internet dragnet shut down in 2011.

In an effort to explain why NSA can’t reveal the categories of content-as-metadata the NSA had been (illegally) collecting in the US, as well as why it can’t reveal all the types of electronic communications metadata it collects (ALL), he says the following.

While the bulk PR/TT electronic communications metadata program is no longer operational, NSA is authorized to acquire and collect certain categories of electronic communications metadata under other authorities (such as Executive Order 12333, as amended, and Section 702 of the FISA Amendments Act of 2008). The continuing importance of the specific categories of Internet metadata that were collected under the bulk PR/TT program underscores the need to protect the still-classified operational details of this activity.

[snip]

As noted above, while the bulk PR/TT program is no longer operational, NSA’s core mission continues to include the acquisition and collection of electronic communications under other authorities.

That is, in a declaration reminding us that NSA shut down its domestic bulk dragnet program, it admits it still conducts Internet metadata collection, and suggests it does so under EO 12333 and FAA.

Which is precisely where I’ve been suggesting it moved the program.

There are other aspects of this declaration that are interesting — especially when read in conjunction with DOJ National Security Division Mark Bradley’s declaration.

But for the moment, I’ll just leave it at this language, affirming NSA’s known continued collection of Internet metadata, even after shutting down the domestic Internet dragnet.
