EO 12333

1 2 3 19

Domestic Collection and Stellar Wind

I’m in the middle of comparing John Yoo’s May 17, 2002 letter to Colleen Kollar-Kotelly (which is largely the November 2, 2001 justification he wrote for Stellar Wind) with Jack Goldsmith’s May 6, 2004 memo on Stellar Wind, which reined in some aspects of Stellar Wind. And I realized something about the authorization process.

On page 17 of his memo, Goldsmith describes the previous opinions issued by OLC. The discussion is largely redacted, but it does describe say the October 4, 2001 memo “evaluated the legality of a hypothetical electronic surveillance program,” whereas the November 2, 2001 memo “examined the authorities granted by the President in the November 2, 2001 Authorization of STELLAR WIND and concluded that they were lawful.”

Already, that’s an interesting assertion given that the Yoo letter doesn’t do that entirely. First, at least in the letter to Kollar-Kotelly, Yoo also treated the program as hypothetical.

Electronic surveillance techniques would be part of this effort. The President would order warrantless surveillance in order to gather intelligence that would be used to prevent and deter future attacks on the United States. Given that the September 11 attacks were launched and carried out from within the United States itself, an effective surveillance program might include individuals and communications within the continental United States. This would be novel in two respects. Without access to any non-public sources, it is our understanding that generally the National Security Agency (NSA) only conducts electronic surveillance outside the United States that do not involve United States persons. Usually, surveillance of communications by United States persons within the unites states is conducted by the FBI pursuant to a warrant obtained under the Foreign Intelligence Surveillance Act (“FISA”). Second, interception could include electronic messages carried through the internet, which again could include communications within the United States involving United States persons. Currently, it is our understanding that neither the NSA nor law enforcement conducts broad monitoring of electronic communications in this matter within the United States, without specific authorization under FISA.

[snip]

Thus, for example, all communications between United States persons, whether in the United States or not, and individuals in [redacted–likely Afghanistan] might be intercepted. The President might direct the NSA to intercept communications between suspected terrorists, even if one of the parties is a United States person and the communication takes place between the United States and abroad. The non-content portion of electronic mail communications also might be intercepted, even if one of parties is within the United States, or one or both of the parties are non-citizen U.S. persons (i.e., a permanent resident alien). Such operations would expand the NSA’s functions beyond the monitoring only of international communications of non-U.S. persons. [my emphasis]

Importantly, these hypothetical descriptions come from the section of Yoo’s letter before it appears to begin tracking his earlier memo closely. So it’s unclear whether this description of Stellar Wind matches the one in the November 2 memo. It’s certainly possible that Yoo gave an incomplete version of what he had in the earlier memo or even pulled in (hypothetical) language from the October 4 memo. It’s possible, too, that language on domestic content collection reflected a retroactive review Yoo did of the first authorization. (An extended discussion of how Yoo’s early memos track the Authorizations — including discussion of another hypothetical memo Yoo wrote on September 17 — starts at PDF 361.)

Of particular interest, this hypothetical description includes the possibility of intercepting entirely domestic Internet communications (see emphasized language). We know — from the unredacted NSA Stellar Wind IG Report and even from the redacted Joint IG Report — that was something included in the first presidential Authorization, but not the subsequent ones.

The wording of the first authorization could have been interpreted to allow domestic content collection where both communicants were located in the U.S. or were U.S. persons. General Hayden recalled that when the Counsel to the Vice President pointed this out, General Hayden told him that NSA would not collect domestic communications because 1) NSA was a foreign intelligence agency, 2) NSA infrastructure did not support domestic collection, and 3) his personal standard was so high that there would be no problem getting a FISC order for domestic collection.

We also know NSA did collect some domestic collection — on about 3,000 selectors, possibly triggered to non-US persons within the US — at least until Stellar Wind got transitioned to FISA in 2009.

This is a minor, but potentially important one. Yoo was writing hypothetical authorizations for stuff the NSA later pretended not to be authorized to do, but was doing. Those earlier hypothetical authorizations didn’t go away. And therefore, no matter what the authorizations said, there’d still be that authorization sitting there.

SS7 and NSA’s Redundant Spying

SS7 countermeasuresOn Sunday, 60 Minutes brought attention to an issue first exposed by researchers some years back: the ease with which people can use the SS7 system that facilitates global mobile phone interoperability to spy on you.

Sharyn Alfonsi: If you just have somebody’s phone number, what could you do?

Karsten Nohl: Track their whereabouts, know where they go for work, which other people they meet when– You can spy on whom they call and what they say over the phone. And you can read their texts.

60 Minutes was smart in that they got Congressman Ted Lieu to agree to be targeted.

Congressman Lieu didn’t have to do anything to get attacked.

All Karsten Nohl’s team in Berlin needed to get into the congressman’s phone was the number. Remember SS7 –that little-known global phone network we told you about earlier?

Karsten Nohl: I’ve been tracking the congressman.

[snip]Sharyn Alfonsi: Are you able to track his movements even if he moves the location services and turns that off?

Karsten Nohl: Yes. The mobile network independent from the little GPS chip in your phone, knows where you are. So any choices that a congressman could’ve made, choosing a phone, choosing a pin number, installing or not installing certain apps, have no influence over what we are showing because this is targeting the mobile network. That of course, is not controlled by any one customer.

[snip]

Sharyn Alfonsi: What is your reaction to knowing that they were listening to all of your calls?

Rep. Ted Lieu: I have two. First, it’s really creepy. And second, it makes me angry.

Sharyn Alfonsi: Makes you angry, why?

Rep. Ted Lieu: They could hear any call of pretty much anyone who has a smartphone. It could be stock trades you want someone to execute. It could be calls with a bank.

Karsten Nohl’s team automatically logged the number of every phone that called Congressman Lieu — which means there’s a lot more damage that could be done than just intercepting that one phone call.

So now Lieu is furious — and pushing House Oversight Committee to conduct an investigation into SS7’s vulnerabilities.

Of course, it’s probably best to think of SS7’s vulnerabilities not as a “flaw,” as 60 Minutes describes it, but a feature. The countries that collectively aren’t demanding change are also using this vulnerability to spy on their subjects and adversaries.

But the fact that Lieu — who really is one of the smartest Members of Congress on surveillance issues — is only now copping onto the vulnerabilities with SS7 suggests how stunted our debate over dragnet surveillance was and is. For two years, we debated how to shut down the Section 215 dragnet, which collected a set of phone records that was significantly redundant with what we collected “overseas” — though in fact the telecoms’ production of such records was mixed together until 2009, suggesting for years Section 215 probably served primarily as legal cover, not the actual authorization for the collection method used. We had very credulous journalists talking about what a big gap in cell phone records NSA faced, in part because FISC frowned on letting NSA collect location data domestically. Yet all the while (as some smarter commenters here have said), NSA was surely exploiting SS7 to collect all the cell phone records it needed, including the location data. Members of Congress like Lieu — on neither the House Intelligence (which presumably has been briefed) or the House Judiciary Committees — would probably not get briefed on the degree to which our intelligence community thrives on using SS7’s vulnerabilities.

What I find perhaps most interesting about this new flurry of attention on SS7 is that the researchers behind it were hired by some “international telecoms” to find ways to improve security sometime in advance of December 2014 (when they first presented their work). The original CCC presentation on this vulnerability (see after 40:00) included a general discussion of what cell phone providers could do to increase the security of their users (see above). 60 Minutes noted that some US providers were doing more than others.

The NSA presumably could and did use entirely SS7 collection for cell phones — especially US based ones — until such time as domestic providers started making them less accessible (and once they were unaccessible overseas, then subject to legal process, though even some of the countermeasures would still leave a US user exposed to other US providers). That needs to be understood (should have been, before the passage of USA Freedom) to really understand the degree to which Congress has any influence over the NSA.

DOJ Places David Barron’s Anwar Awlaki Memos on the “Not Selected for Publication”

Sometime between March 27 and April 15 of last year, the Office of Legal Counsel posted the two memos David Barron wrote authorizing the execution of Anwar al-Awlaki (February 19, 2010; July 16, 2010) on its list of memos “Not selected for publication” in its reading room. The website explains that these are memos that have been posted through discretionary release, but “may not reflect the Office’s current views.”

Consistent with the President’s FOIA memorandum dated January 21, 2009, and the Attorney General’s FOIA guidelines dated March 19, 2009, OLC sometimes releases requested records as a matter of discretion, even if they fall within the scope of a FOIA exemption or have not been the subject of a FOIA request.  To make such documents generally available when they are the subject of repeated requests or may be of public or historical interest, the Office may post them in this electronic reading room.  Documents posted in this electronic reading room are being disclosed through discretionary release, but they have not been selected for official publication and thus they are not included among the Office’s formal published opinions.  Although these records may be of public or historical interest, the views expressed in some of these records may not reflect the Office’s current views.

Of course, a number of the memos (most but not all of which are tied to the war on terror) weren’t released at DOJ’s discretion. Rather, some of these memos (including the two Awlaki ones) were released after DOJ tried to suppress them, only to have a Federal judge force their release.

I’ve got a call in to see if OLC has some easy explanation. But I’m wondering if it means DOJ may have thought better of now Circuit Court judge David Barron’s advice that you can kill an American citizen with no real due process.

Particularly given the timing, I’m wondering whether any change in DOJ’s views about these memos would affect American citizens overseas, such as Liban Haji Mohamed, a Somali American who was put on the Most Wanted List last year, then detained (never to publicly have shown up in an American court) on March 2, 2015. Unlike Anwar al-Awlaki, Mohamed (who is the brother of Gulet Mohamed, who has had a whole different set of problems with the government) has actually been indicted.

ACLU’s Jameel Jaffer points to a potentially more cynical (and therefore likely) explanation though. As he noted last year, at about the same time DOJ was deeming the Barron memos discretionary releases, it submitted a filing in their lawsuit against ACLU, insisting that having been ordered by a court to release the memo doesn’t count as official disclosure. In a footnote of the April 2 filing, DOJ claimed,

We further note that the Court’s release of the OLC-DOD Memorandum and its order compelling disclosure by the government of additional information would not themselves constitute an independent official disclosure or waiver by the government that would strip protection from otherwise exempt information and material.

That is, during precisely the time period when it was deeming this memo discretionary on its website, it was making that argument to the courts.

So I assume they believe they still have the right to execute American citizens at their discretion. And keep their rationale for doing so secret.

The Obama Administration Almost Doubled Down on Yoo’s Illegality

Over at JustSecurity the other day, ACLU’s Patrick Toomey argued that the Administration’s current interpretation of FISA — especially its embrace of upstream surveillance — means the Obama Administration has gone beyond John Yoo’s thinking on surveillance as exhibited in his May 17, 2002 letter to FISC judge Colleen Kollar-Kotelly.

Perhaps most remarkably, however, the Obama Justice Department has pressed legal theories even more expansive and extreme than Yoo himself was willing to embrace. Yoo rounded out his Stellar Wind memo with an effort to reassure Judge Kollar-Kotelly that the government’s legal interpretation had limits, saying: “Just to be clear in conclusion. We are not claiming that the government has an unrestricted right to examine the contents of all international letters and other forms of communication.” But that is essentially the power the NSA claims today when it conducts Upstream surveillance of Americans’ Internet communications. The NSA has installed surveillance equipment at numerous chokepoints on the Internet backbone, and it is using that equipment to search the contents of communications entering or leaving the country in bulk. As the ACLU recently explained in Wikimedia v. NSA, this surveillance is the digital analogue of having a government agent open every letter that comes through a mail processing center to read its contents before determining which letters to keep. In other words, today the Obama administration is defending surveillance that was a bridge too far for even John Yoo.

I’m not sure I’m convinced. After all, the Administration claims it is not examining the contents of all international letters, but rather only looking at those where selected identifiers show up in data packets. Yeah, I know it’s a bullshit argument, but they pretend that’s not searching the contents, really. Moreover we have substantial reason to believe they were doing (some) of this anyway.

But there is a curious relationship between a claim Yoo made in his letter and the Obama Administration’s views on FISA.

In the letter, Yoo writes,

FISA purports to be the exclusive means for conducting electronic surveillance for foreign intelligence, … FISA establishes criminal and civil sanctions for anyone who engages in electronic surveillance, under color of law, except as authorized by statute, warrant, or court order. 50 U.S.C. § 1809-10. It might be thought, therefore, that a warrantless surveillance program, even if undertaken to protect the national security, would violate FISA’s criminal and civil liability provisions.

Such a reading of FISA would be an unconstitutional infringement on the President’s Article II authorities. FISA can regulate foreign intelligence surveillance only to the extent permitted by the Constitution’s enumeration of congressional authority and the separation of powers.

[snip]

[A]s we explained to Congress during the passage of the Patriot Act, the ultimate test of whether the government may engage in foreign surveillance is whether the government’s conduct is consistent with the Fourth Amendment, not whether it meets FISA.

This is especially the case where, as here, the executive branch possess [sic] the inherent constitutional power to conduct warrantless searches for national security purposes.

Effectively, Yoo is saying that even if they blow off FISA, they will be immune from the penalties under 50 USC §1809-10 so long as what they were doing fulfilled the Fourth Amendment, including an expansive reading of special needs that Yoo lays out in his memo. (Note, this was explained in the DOJ Stellar Wind IG Report — starting at PDF 47 — but this letter makes it more clear.)

As a reminder, on two occasions, John Bates disagreed with that interpretation, first in 2010 when he ruled NSA couldn’t continue to access the five years of data it overcollected under the PRTT Internet dragnet, and then again in 2011 when he said the government couldn’t disseminate the illegally collected upstream data (and Vaughn Walker disagreed in a series of rulings in the Al Haramain case in 2010, though the 9th Circuit partially overturned that in 2012). We know, thanks to Snowden, that the government considered appealing the order. And in his summary of the resolution of this issue, Bates made it clear that the government’s first response was to say that limits on illegally collected data don’t apply.

However, issues remained with respect to the past upstream collection residing in NSA’s databases. Because NSA’s upstream collection almost certainly included at least some acquisitions constituting “electronic surveillance” within the meaning of 50 U.S.C. § 1801 (f), any overcollection resulting from the government’s misrepresentation of the scope of that collection implicates 50 U.S.C. § 1809(a)(2). Section 1809(a)(2) makes it a crime to “disclose[] or use[] information obtained under color of law by electronic surveillance, knowing or having reason to know that the information was obtained through electronic surveillance not authorized” by statute. The Court therefore directed the government to make a written submission addressing the applicability of Section 1809(a), which the government did on November 22, 2011. See [redacted — probably a reference to Bates’ July 2010 opinion], Oct. 13, 2011 Briefing Order, and Government’s Response to the Court’s Briefing Order of Oct. 13, 2011 (arguing that Section 1809(a)(2) does not apply).

Ultimately, though, the government not only (said it) destroyed the illegal upstream data, but claims to have destroyed all its PRTT data in a big rush (so big a rush it didn’t have time to let NSA’s IG certify the intake collection of data).

And it replaced that PRTT program by searching data under SPCMA it claimed to have collected legally … somewhere.

I don’t pretend to understand precisely went on in those few weeks in 2011, though it’s clear that Obama’s Administration at least considered standing by the spirit of Yoo’s claim, even though the opinion itself had been withdrawn.

But I do know that at least through 2009, the government treated all its PRTT and Section 215 data as EO 12333 data, and in fact the providers appear not to have distinguished it either (more on this in upcoming days, hopefully). That is, it was collecting data with FISC sanction that it treated as data it collected outside of FISC sanction (that is, under EO 12333), and it was ignoring the rules FISC imposed.

Which leads me to wonder whether the government still doesn’t believe it remains immune from penalties laid out in FISA.

John Yoo’s Two Justifications for Stellar Wind

Because I’m a hopeless geek, I want to compare the what we can discern of the November 2, 2001 memo John Yoo wrote to authorized Stellar Wind with the letter he showed FISA Presiding Judge Colleen Kollar-Kotelly on May 17, 2002. The former is almost entirely redacted. But as I’ll show, the two appear to be substantially the same except for small variations within paragraphs (which possibly may reflect no more than citations). The biggest difference is that Yoo’s memo appears to have two pages of content not present in the letter to Kollar-Kotelly.

What follows is a comparison of every unredacted passage in the Yoo memo, every one of which appear in exactly the same form in the letter he wrote to Kollar-Kotelly.

The first unredacted line in Yoo’s memo — distinguishing between “electronic surveillance” covered by FISA and “warrantless searches” the President can authorize — appears in this paragraph in the letter.

FISA Safe Harbor

The line appears on page 7 of Yoo’s memo, but page 5 of his letter (which also includes some foofy introductory language for Kollar-Kotelly). That says there’s already 2 pages of information in Yoo’s memo that doesn’t appear in the letter. Yoo’s description of the surveillance program in the letter to Kollar-Kotelly is actually fairly short (and written entirely in the conditional voice), so there may be more of that in the actual memo. Also, anything that didn’t involve electronic surveillance — such as the collection of financial data — would not necessarily be relevant to FISC. But as I argue below, it’s also possible Yoo made claims about executive power in those two paragraphs that he rewrote as a two-page addition to for Kollar-Kotelly’s benefit.

The next unredacted passage in the memo consists of the first sentences of these two paragraphs.

Screen Shot 2016-04-05 at 5.34.32 PM

They appear on page 9 of Yoo’s memo and page 7 of the letter, and it appears that the space in between the two is consistent — suggesting that the interim content remains the same.

The next unredacted passage appears on page 12 of Yoo’s memo, page 10 of the letter.

FISA Restrict

While the general pagination still seems to be roughly tracking (again, suggesting the interim content is at least similar), the spacing of this paragraph is clearly different (note how the sentence begins in a different place in the column), suggesting Yoo may have made an even stronger defense of inherent authority in his memo, or perhaps that OLC has precedents for such a claim that Yoo thought inappropriate to share with the FISC. It’s possible this and later paragraph spacing differences arise from classification marks at the beginning of each paragraph, except the passages from the beginning of paragraphs seem to match up more closely than those from the middle of them.

Screen Shot 2016-04-05 at 7.30.51 PM

The next unredacted passage, on page 17 of Yoo’s memo and 15 of the letter, extend the claim that Congress can’t limit the President’s use of pen registers used to defend the nation. That’s followed closely by Yoo’s shift to arguing that intelligence gathering “in direct support” of military operations does not trigger the Fourth Amendment.

Intel Military Ops

Continue reading

Bob Litt Spins Sharing NSA-Collected Comms with DEA and FBI as Harmless

ODNI General Counsel Bob Litt has a pretty amusing post attempting to reassure us about the imminent change permitting the NSA to share intelligence it collects under EO 12333 more broadly. As part of it, he suggests that EO 12333 “imposes additional restrictions” (which amount to the procedures he is currently developing in secret) on the sharing of SIGINT.

Executive Order 12333 generally allows intelligence information to be shared within the Intelligence Community, in order to allow agencies to determine whether that information is relevant to their mission, but imposes additional restrictions on the sharing of signals intelligence, requiring that that be done only in accord with procedures established by the Director of National Intelligence in coordination with the Secretary of Defense, and approved by the Attorney General.

What Litt neglects to say is this was actually a change that the Bush Administration implemented in 2008, without fully consulting Congress. It likely wasn’t a change at all but instead a belated effort to change EO 12333 to reflect that the Executive really had secretly been doing since 2002. But it’s not something that even Saint Ronny thought necessary when he first implemented EO 12333.

Litt goes on to insist that we don’t need to worry our pretty little heads about this because the NSA will only [emphasis Litt’s] be sharing with elements of the intelligence community and only for foreign intelligence and CI purposes.

These procedures will thus not authorize any additional collection of anyone’s communications, but will only provide a framework for the sharing of lawfully collected signals intelligence information between elements of the Intelligence Community. Critically, they will authorize sharing only with elements of the Intelligence Community, and only for authorized foreign intelligence and counterintelligence purposes; they willnot authorize sharing for law enforcement purposes. They will require individual elements of the Intelligence Community to establish a justification for access to signals intelligence consistent with the foreign intelligence or counterintelligence mission of the element. And finally, they will require Intelligence Community elements, as a condition of receiving signals intelligence, to apply to signals intelligence information the kind of strong protections for privacy and civil liberties, and the kind of oversight, that the National Security Agency currently has.

As a threshold matter, both FBI and DEA are elements of the intelligence community. Counterterrorism is considered part of FBI’s foreign intelligence function, and cyber investigations can be considered counterintelligence and foreign intelligence (the latter if done by a foreigner). International narcotics investigations have been considered a foreign intelligence purpose since EO 12333 was written.

In other words, this sharing would fall squarely in the area where eliminating the wall between intelligence and law enforcement in 2001-2002 also happened to erode fourth amendment protections for alleged Muslim (but not white supremacist) terrorists, drug dealers, and hackers.

So make no mistake, this will degrade the constitutional protections of a lot of people, who happen to be disproportionately communities of color.

And without more details, you should be very skeptical of Litt’s assurances that the FBI and DEA and other receiving IC elements will have to, “apply to signals intelligence information the kind of strong protections for privacy and civil liberties, and the kind of oversight, that the National Security Agency currently has.” While both CIA and FBI had to adopt minimization procedures before receiving raw 702 data (the equivalent of what is being done here), those minimization procedures are actually more permissive than NSA’s. Significantly, both agencies are permitted to copy the metadata they receive in bulk, basically so they can dump that data into their own metadata databases. And, barring the publication of the newly more restrictive guidelines on FBI’s back door searches, we should assume EO 12333 back door searches, like FBI’s 702 back door searches at least until recently, aren’t even tracked closely, much less noticed to defendants.

I also suspect that Treasury will be a likely recipient of this data; as of February 10, Treasury still did not have written EO 12333 protections that were mandated 35 years ago (and DEA’s were still pending at that point).

All of which is to say Litt’s reassurances shouldn’t reassure you at all.

With Upcoming David Medine Departure, Will PCLOB Slip Back into Meaninglessness?

The Chair of the Privacy and Civil Liberties Oversight Board, David Medine, has announced he will resign effective  July 1 to work with a development organization “advising on data privacy and consumer protection for lower-income financial consumers.”

The move comes not long after Congress has, in several ways, affirmatively weakened or unexpectedly stopped short of expanding PCLOB’s mandate, by ensuring it could not review any covert programs, and by eliminating a PCLOB oversight role under OmniCISA.

In Medine’s statement, he promised the board would continue to work on their examination of CT activities relating to EO 12333.

I look forward to continuing to work on PCLOB’s current projects until my departure. I am pleased to know that, even after my departure, the Board Members and our dedicated staff remain committed to carrying forward the Board’s critical work, including its ongoing examination of counterterrorism activities under Executive Order 12333.

The EO 12333 approach (and the two CIA programs to examine) was formally approved July 1, a year to the day before Medine’s departure. It was initially scheduled to be done by the end of last year. But in their most recent semi-annual report (released at the end of December), PCLOB noted they were just starting on their public report.

In July, the Board voted to approve two in-depth examinations of CIA activities conducted under E.O. 12333. Board staff has subsequently attended briefings and demonstrations, as well as obtained relevant documents, related to the examinations. The Board also received a series of briefings from the NSA on its E.O. 12333 activities. Board staff held follow-up sessions with NSA personnel on the topics covered and on the agency’s E.O. 12333 implementing procedures. Just after the conclusion of the Reporting Period, the Board voted to approve one in-depth examination of an NSA activity conducted under E.O. 12333. Board staff are currently engaging with NSA staff to gather additional information and documents in support of this examination. Board staff also began work developing the Board’s public report on E.O. 12333, described above.

So while Medine promises PCLOB will continue to work on the EO 12333 stuff, I do worry that it will stall after his departure. I’m concerned, as well, about the makeup of the board. Board member Jim Dempsey’s term officially ended on January 29, though President Obama nominated him for another term on March 17, which means he will serve out 2016 (I believe as a temporary appointment until the end of the congressional term, but am trying to confirm; Update: this stems from PCLOB’s statute, but the appointment would extend through the end of the Congressional term), and longer if and when the Senate confirms him. But Medine’s departure will leave 2 members (counting Dempsey) who have been firmly committed to conducting this review, Rachel Brand, who has been lukewarm but positive, and Elisabeth Collins Cook who was originally opposed. That is, unless Medine is replaced in timely fashion (and given that this is a multiple year appointment, Republicans would have incentive to stall to get a GOP Chair), the board may be split on its commitment to investigating these issues.

There are a few other things happening on the EO 12333 front. Most urgently, the Intelligence Community is as we speak implementing new procedures for the sharing of EO 12333 with law enforcement agencies. PCLOB was involved in a review of those procedures, and had successfully pressed for more controls on the FBI’s back door access to 702 data (which is one reason I find the timing of Medine’s departure of particular concern). Two years after PCLOB first outed Treasury as having no EO 12333 implementing guidelines, they still have none.

That is, particularly after Congress’ successful attempts at undercutting PCLOB’s power, Medine’s departure has me seriously worried about whether the Intelligence Committee is willing to undergo any scrutiny of its EO 12333 activities.

DOJ Claims the Cybersecurity Related OLC Memo Is Also A Stellar Wind Memo

I’ve written a bunch of times about an OLC memo Ron Wyden keeps pointing to, suggesting it should be declassified so we all can know what outrageous claims DOJ made about common commercial service agreements. Here’s my most complete summary from Caroline Krass’ confirmation process:

Ron Wyden raised a problematic OLC opinion he has mentioned in unclassified settings at least twice in the last year (he also wrote a letter to Eric Holder about it in summer 2012): once in a letter to John Brennan, where he described it as “an opinion that interprets common commercial service agreements [that] has direct relevance to ongoing congressional debates regarding cybersecurity legislation.” And then again in Questions for the Record in September.

Having been ignored by Eric Holder for at least a year and a half (probably closer to 3 years) on this front and apparently concerned about the memo as we continue to discuss legislation that pertains to cybersecurity, he used Krass’ confirmation hearing to get more details on why DOJ won’t withdraw the memo and what it would take to be withdrawn.

Wyden: The other matter I want to ask you about dealt with this matter of the OLC opinion, and we talked about this in the office as well. This is a particularly opinion in the Office of Legal Counsel I’ve been concerned about — I think the reasoning is inconsistent with the public’s understanding of the law and as I indicated I believe it needs to be withdrawn. As we talked about, you were familiar with it. And my first question — as I indicated I would ask — as a senior government attorney, would you rely on the legal reasoning contained in this opinion?

Krass: Senator, at your request I did review that opinion from 2003, and based on the age of the opinion and the fact that it addressed at the time what it described as an issue of first impression, as well as the evolving technology that that opinion was discussing, as well as the evolution of case law, I would not rely on that opinion if I were–

Wyden: I appreciate that, and again your candor is helpful, because we talked about this. So that’s encouraging. But I want to make sure nobody else ever relies on that particular opinion and I’m concerned that a different attorney could take a different view and argue that the opinion is still legally valid because it’s not been withdrawn. Now, we have tried to get Attorney General Holder to withdraw it, and I’m trying to figure out — he has not answered our letters — who at the Justice Department has the authority to withdraw the opinion. Do you currently have the authority to withdraw the opinion?

Krass: No I do not currently have that authority.

Wyden: Okay. Who does, at the Justice Department?

Krass: Well, for an OLC opinion to be withdrawn, on OLC’s own initiative or on the initiative of the Attorney General would be extremely unusual. That happens only in extraordinary circumstances. Normally what happens is if there is an opinion which has been given to a particular agency for example, if that agency would like OLC to reconsider the opinion or if another component of the executive branch who has been affected by the advice would like OLC to reconsider the opinion they will  come to OLC and say, look, this is why we think you were wrong and why we believe the opinion should be corrected. And they will be doing that when they have a practical need for the opinion because of particular operational activities that they would like to conduct. I have been thinking about your question because I understand your serious concerns about this opinion, and one approach that seems possible to me is that you could ask for an assurance from the relevant elements of the Intelligence Community that they would not rely on the opinion. I can give you my assurance that if I were confirmed I would not rely on the opinion at the CIA.

Wyden: I appreciate that and you were very straightforward in saying that. What concerns me is unless the opinion is withdrawn, at some point somebody else might be tempted to reach the opposite conclusion. So, again, I appreciate the way you’ve handled a sensitive matter and I’m going to continue to prosecute the case for getting this opinion withdrawn.

The big piece of news here — from Krass, not Wyden — is that the opinion dates to 2003, which dates it to the transition period bridging Jay Bybee/John Yoo and Jack Goldsmith’s tenure at OLC, and also the period when the Bush Administration was running its illegal wiretap program under a series of dodgy OLC opinions. She also notes that it was a memo on first impression — something there was purportedly no law or prior opinion on — on new technology.

Back in November, ACLU sued to get that memo. The government recently moved for summary judgment based on the claim that a judge in DC rejected another ACLU effort to FOIA the document, which is a referral to ACLU’s 2006 FOIA lawsuit for documents underlying what was then called the “Terrorist Surveillance Program” and which we now know as Stellar Wind. Here’s the key passage of that argument.

The judgment in EPIC precludes the ACLU’s claim here. First, EPIC was an adjudication on the merits that involved the district court’s reviewing in camera the same document that is at issue in this litigation, and granting summary judgment to the government after finding that the government had properly asserted Exemptions One, Three, and Five – the same exemptions asserted here – to withhold the document. See Colborn Decl. ¶ 13; EPIC, 2014 WL 1279280, at *1. Second, the ACLU was a plaintiff in EPIC. Id. Finally, the claims asserted in this action were, or could have been, asserted in EPIC. The FOIA claim at issue in EPIC arose from a series of requests that effectively sought all OLC memoranda concerning surveillance by Executive Branch agencies directed at communications to or from U.S. citizens.2at See id.  Even if the ACLU did not know that this specific memorandum was included among the documents reviewed in camera by the EPIC court, the ACLU had a full and fair opportunity to make any and all arguments in seeking disclosure of that document. Indeed, in EPIC, the government’s assertion of exemptions received the highest level of scrutiny available to a plaintiff in FOIA litigation—the district court issued its decision after reviewing the document in camera and determining that the government’s assertions of Exemptions One, Three, and Five were proper. Colborn Decl. ¶ 13. The ACLU’s claim in this lawsuit is therefore barred by claim preclusion.

2 One of the FOIA requests at issue in EPIC sought “[a]ll memoranda, legal opinions, directives or instructions from [DOJ departments] issued between September 11, 2001, and December 21, 2005, regarding the government’s legal authority for surveillance activity, wiretapping, eavesdropping, and other signals intelligence operations directed communications to or from U.S. citizens.” Elec. Privacy Information Ctr. v. Dep’t of Justice, 511 F. Supp. 2d 56, 63 (D.D.C. 2007).

Wyden just sent a letter to Loretta Lynch disputing some claim made in DOJ’s memorandum of law.

I encourage you to direct DOJ officials to comply with the pending FOIA request.

Additionally, I am greatly concerned that the DOJ’s March 7, 2016 memorandum of law contains a key assertion which is inaccurate. This assertion appears to be central to the DOJ’s legal arguments, and I would urge you to take action to ensure that this error is corrected.

I am enclosing a classified attachment which discusses this inaccurate assertion in more detail.

Here are some thoughts about what the key inaccurate assertion might be:

ACLU never had a chance to argue for this document as a cybersecurity document

Even the section I’ve included here pulls a bit of a fast one. It points to EPIC’s FOIA request (these requests got consolidated), which asked for OLC memos in generalized fashion, as proof that the plaintiffs in the earlier suit had had a chance to argue for this document.

But ACLU did not. They asked for “legal reviews of [TSP] and its legal rationale.” In other words, back in 2006 and back in 2014, ACLU was focused on Stellar Wind, not on cybersecurity spying (which Wyden has strongly suggested this memo implicates). So they should be able to make a bid for this OLC memo as something affecting domestic spying for a cybersecurity purpose.

DOJ claimed only Wyden had commented publicly about the document, not Caroline Krass

DOJ makes a preemptive effort to discount the possibility that Ron Wyden’s repeated efforts to draw attention to this document might constitute new facts for the ACLU to point to to claim they should get the document.

Nor is there any evidence the memorandum has been expressly adopted as agency policy or publicly disclosed. Colborn Decl. ¶¶ 23-24. Although the ACLU’s complaint points to statements about the document by Senator Wyden, he is not an Executive Branch official, and his statements cannot effect any adoption or waiver

[snip]

The ACLU may argue that statements made by Senator Ron Wyden regarding the document, including in letters to the Attorney General, constitute new facts or changed circumstances. See Compl. ¶ 2 (“In letters sent to then–Attorney General Eric Holder, Senator Wyden suggested that the executive branch has relied on the Opinion in the past and cautioned that the OLC’s secret interpretation could be relied on in the future as a basis for policy.”). But such statements do not constitute new facts or changed circumstances material to the ACLU’s FOIA claim because they do not evince any change of the Executive Branch’s position vis-à-vis the document or otherwise affect its status under FOIA. See Drake, 291 F.3d at 66; Am. Civil Liberties Union, 321 F. Supp. 2d at 34. As the Senator is not an Executive Branch official, his statements about the document do not reflect the policy or position of any Executive Branch agency. See Brennan Center v. DOJ, 697 F.3d 184, 195, 206 (2d Cir. 2012); Nat’l Council of La Raza v. DOJ, 411 F.3d 350, 356-59 (2d Cir. 2005); infra at 11-12. Senator Wyden’s statements are simply not relevant to whether the document has been properly withheld under Exemptions One, Three, and Five, and do not undermine the applicability of any of those exemptions. Additionally, the Senator has made similar statements regarding the document at issue in letters sent during at least the last four years. Compl. ¶ 2. Thus, the Senator’s statements regarding the document are not new facts since they were available to Plaintiffs well before the district court ruled in EPIC.

That’s all well and good. But the entire discussion ignores that then Acting OLC head and current CIA General Counsel Caroline Krass commented more extensively on the memo than anyone ever has on December 17, 2013 (see my transcript above). This is a still-active memo, but the then acting OLC head said this about the memo in particular.

I have been thinking about your question because I understand your serious concerns about this opinion, and one approach that seems possible to me is that you could ask for an assurance from the relevant elements of the Intelligence Community that they would not rely on the opinion. I can give you my assurance that if I were confirmed I would not rely on the opinion at the CIA.

That seems to be new information from the Executive branch (albeit before the March 31, 2014, final judgment in that other suit).

I’d say this detail is the most likely possibility for DOJ’s inaccuracy, except that Krass’ comments are in the public domain, and have been been written about by other outlets. It wouldn’t seem that Wyden would need to identify this detail in secret.

(I think it’s possible some of the newly declassified language in Stellar Wind materials may be relevant to, but I will have to return to that.)

The document may be a different document

DOJ’s memo and the Paul Colborn declaration describe this as a March 30, 2003 memo written by John Yoo.

The withheld document is a 19-page OLC legal advice memorandum to the General Counsel of an executive branch agency, drafted at the request of the General Counsel, dated March 30, 2003 and signed by OLC Deputy Assistant Attorney General John Yoo. The memorandum was written in response to confidential communications from an executive branch client soliciting legal advice from OLC attorneys. As with all such OLC legal advice memoranda, the document contains confidential client communications made for the purpose of seeking legal advice and predecisional legal advice from OLC attorneys transmitted to an executive branch client as part of government deliberative processes. In light of the fact that the document’s general subject matter is publicly known, the identity of the recipient agency is itself confidential client information protected by the attorney-client privilege.

But their claim that ACLU has already been denied this document under FOIA is based on the claim that this document is the same document as one identified in a Steven Bradbury declaration submitted in the Stellar Wind suit. Here’s how he described the document.

DAG 42 is a 19-page memorandum, dated May 30, 2003, from a Deputy Assistant Attorney General in OLC to the General Counsel of another Executive Branch agency. This document is withheld under FOIA Exemptions One, Three, and Five.

This may be an error (if so, Bradbury is probably correct, as March 30, 2003 was a Sunday), but a document dated March 30, 2003 cannot be the same document as one dated May 30, 2003. If it’s not a simple error in dates, it may suggest that the document the DC court reviewed was a later revision, perhaps one making less outrageous claims. Moreover, as I’ll show in my post on newly learned Stellar Wind information, the change in date (as well as the confirmation that Yoo wrote the memo) make the circumstances surrounding this memo far more interesting.

Update: In Ron Wyden’s amicus in this case, he made it clear the correct date is May 30, 2003.

The document may not have been properly classified

As noted, this is a March 2003 OLC memo written by John Yoo. That’s important not just because Yoo was freelancing on certain memos at the time. But more importantly, because a memo he completed just 16 days earlier violated all guidelines on classification. Here’s what former ISOO head Bill Leonard had to say about John Yoo’s March 14, 2003 torture memo.

The March 14, 2003, memorandum on interrogation of enemy combatants was written by DoJ’s Office of Legal Counsel (OLC) to the General Counsel of the DoD. By virtue of the memorandum’s classification markings, the American people were initially denied access to it. Only after the document was declassified were my fellow citizens and I able to review it for the first time. Upon doing so, I was profoundly disappointed because this memorandum represents one of the worst abuses of the classification process that I had seen during my career, including the past five years when I had the authority to access more classified information than almost any other person in the Executive branch. The memorandum is purely a legal analysis – it is not operational in nature. Its author was quoted as describing it as “near boilerplate.”! To learn that such a document was classified had the same effect on me as waking up one morning and learning that after all these years, there is a “secret” Article to the Constitution that the American people do not even know about.

[snip]

In this instance, the OLC memo did not contain the identity of the official who designated this information as classified in the first instance, even though this is a fundamental requirement of the President’s classification system. In addition, the memo contained neither declassification instructions nor a concise reason for classification, likewise basic requirements. Equally disturbing, the official who designated this memo as classified did not fulfill the clear requirement to indicate which portions are classified and which portions are unclassified, leading the reader to question whether this official truly believes a discussion of patently unclassified issues such as the President’s Commander-in-Chief authorities or a discussion of the applicability to enemy combatants of the Fifth or Eighth Amendment would cause identifiable harm to our national security. Furthermore, it is exceedingly irregular that this memorandum was declassified by DoD even though it was written, and presumably classified, by DoJ.

Given that Yoo broke all the rules of classification on March 14, it seems appropriate to question whether he broke all rules of classification on March 30, 16 days later, especially given some squirrelly language in the current declarations about the memo.

Here’s what Colborn has to say about the classification of this memo (which I find to be curious language), after having made a far more extensive withholding argument on a deliberative process basis.

OLC does not have original classification authority, but when it receives or makes use of classified information provided to it by its clients, OLC is required to mark and treat that information as derivatively classified to the same extent as its clients have identified such information as classified. Accordingly, all classified information in OLC’s possession or incorporated into its products has been classified by another agency or component with original classifying authority.

The document at issue in this case is marked as classified because it contains information OLC received from another agency that was marked as classified. OLC has also been informed by the relevant agency that information contained in the document is protected from disclosure under FOIA by statute.

As far as the memo of law, it relegates the discussion of the classified nature of this memo to a classified declaration by someone whose identity remains secret.

As explained in the classified declaration submitted for the Court’s ex parte, in camera review,1 this information is also classified and protected from disclosure by statute.

Remember, this memo is about some secret interpretation of common commercial service agreements.  Wyden believes it should be “declassified and released to the public, so that anyone who is a party to one of these agreements can consider whether their agreement should be revised or modified.”

If this is something that affects average citizens relationships with service providers, it seems remarkable that it can, at the same time, be that secret (and remain in force). While Wyden certainly seems to treat the memo as classified, I’d really love to see whether it was, indeed, properly classified, or whether Yoo was just making stuff up again during a period when he is known to have secretly made stuff up.

In any case, given DOJ’s continued efforts to either withdraw or disclose this memo, I’d safe it’s safe to assume they’re still using it.

On the Coming Showdown over Promiscuous Sharing of EO 12333 Data

A number of outlets are reporting that Ted Lieu and Blake Farenthold have written a letter to NSA Director Mike Rogers urging him not to implement the new data sharing effort reported by Charlie Savage back in February. While I’m happy they wrote the letter, they use a dubious strategy in it: they suggest their authority to intervene comes from Congress having “granted” NSA authority to conduct warrantless collection of data.

Congress granted the NSA extraordinary authority to conduct warrantless collection of communications and other data.2

2 See Foreign Intelligence Surveillance Act and the Patriot Act.

As an initial matter, they’ve sent this letter to a guy who’s not in the chain of approval for the change. Defense Secretary Ash Carter and Attorney General Loretta Lynch will have to sign off on the procedures developed by Director of National Intelligence James Clapper; they might consult with Rogers (if he isn’t the one driving the change), but he’s out of the loop in terms of implementing the decision.

Furthermore, the Congressionally granted authority to conduct warrantless surveillance under FISA has nothing to do with the authority under which NSA collects this data, EO 12333. In his story, Savage makes clear that the change relies on the [what he called “little-noticed,” which is how he often describes stuff reported here years earlier] changes Bush implemented in the wake of passage of FISA Amendments Act. As I noted in 2014,

Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.

The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,

In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.

In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.

Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.

In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.

What Bush did just as he finished moving most of Stellar Wind over to FISA authorities, was to make it permissible to share EO 12333 data with other intelligence agencies under the same kind of DNI/AG/DOD approval process already in place for surveillance. They’ve already been using this change (though as I note, in some ways the new version of EO 12333 made FAA sharing even more permissive than EO 12333 sharing). And Savage’s article describes that they’ve intended to roll out this further expansion since Obama’s first term.

Obama administration has been quietly developing a framework for how to carry it out since taking office in 2009.

[snip]

Intelligence officials began working in 2009 on how the technical system and rules would work, Mr. Litt said, eventually consulting the Defense and Justice Departments. This month, the administration briefed the Privacy and Civil Liberties Oversight Board, an independent five-member watchdog panel, seeking input. Before they go into effect, they must be approved by James R. Clapper, the intelligence director; Loretta E. Lynch, the attorney general; and Ashton B. Carter, the defense secretary.

“We would like it to be completed sooner rather than later,” Mr. Litt said. “Our expectation is months rather than weeks or years.”

All of which is to say that if Lieu and Farenthold want to stop this, they’re going to have to buckle down and prepare for a fight over separation of powers, because Congress has had limited success (the most notable successes being imposition of FAA 703-705 and Section 309 of last year’s intelligence authorization) in imposing limits on EO 12333 collection. Indeed, Section 309 is the weak protection Dianne Feinstein and Mark Udall were able to get for activities they thought should be covered under FAA.

Two more points. First, I suspect such expanded sharing is already going on between NSA and DEA. I’ve heard RUMINT that DEA has actually been getting far more data since shutting down their own dragnets in 2013. The sharing of “international” narcotics trade data has been baked into EO 12333 from the very start. So it would be unsurprising to have DEA replicate its dragnet using SPCMA. There’s no sign, yet, that DEA has been included under FAA certifications (and there’s not, as far as we know, an FAA narcotics certificate). But EO 12333 sharing with DEA would be easier to implement on the sly than FAA sharing. And once you’ve shared with DEA, you might as well share with everyone else.

Finally, this imminent change is why I was so insistent that SPCMA should have been in the Brennan Center’s report on privacy implications of EO 12333 collection. What the government was doing, explicitly, in 2007 when they rolled that out was making the US person participants in internationally collected data visible. We’ve seen inklings of how NSA coaches analysts to target foreigners to get at that US person content. The implications of basing targeting off of SPCMA enabled analysis under PRISM (which we know they do because DOJ turned over the SPCMA document, but not the backup, to FISC during the Yahoo challenge), currently, are that US person data can get selected because US persons are involved and then handed over to FBI with no limits on its access. Doing so under EO 12333 will only expand the amount of data available — and because of the structure of the Internet, a great deal of it is available.

Probably, the best way to combat this change is to vastly expand the language of FAA 703-705 to over US person data collected incidentally overseas during next year’s FAA reauthorization. But it will take language like that, because simply pointing to FISA will not change the Executive’s ability to change EO 12333 — even secretly! — at will.

The Blind Spots Brennan Center’s EO 12333 Report

The Brennan Center released a report on EO 12333 Thursday that aims to spark a debate about the privacy impacts of (just) NSA’s surveillance overseas, in part by describing the privacy impacts of EO 12333.

In contrast, there has been relatively little public or congressional debate within the United States about the NSA’s overseas surveillance operations, which are governed primarily by Executive Order (EO) 12333—a presidential directive issued by Ronald Reagan in 1981 and revised by subsequent administrations. These activities, which involve the collection of communications content and metadata alike, constitute the majority of the NSA’s surveillance operations, yet they have largely escaped public scrutiny.

There are several reasons why EO 12333 and the programs that operate under its aegis have gone largely unnoticed. One is the misconception that overseas surveillance presents little privacy risk to Americans. Another is the scant information in the public domain about how EO 12333 actually operates. Finally, the few regulations that are public create a confusing and sometimes internally inconsistent thicket of guidelines.

Unfortunately the report misses some of the biggest threats EO 12333 surveillance poses to Americans’ privacy. Indeed, the report reads more like a hodgepodge of some risks, rather than a report on the ways in which the NSA and other agencies can spy on Americans overseas. When attempting to define the political battlefield in which future fights for reform will happen, we can’t afford to miss any ground.

Historical and technical discussion

Brennan’s excellent report on the FISA Court (like this report, written by Liza Goitein and Faiza Patel, though Amos Toh also worked on this recent report) started with a history of how we got to where we are now, with the FISA Court approving entire surveillance programs in secret. This report would have profited from doing the same. It would have contextualized EO 12333, as the third of a series of EOs issued in the wake of the Keith decision and the Church Committee, which arose out of a separation of powers debate between the Executive and Congress. It could have described the few details we know of the largely unknown process by which EO 12333’s protections for Americans started breaking down. It would have described how, with Stellar Wind, the Executive blew off FISA and secretly rewrote EO 12333 without notice to spy on Americans (in part by turning an existing DEA dragnet, which was at least partly authorized by domestic statute, inward). It would have described how, in the wake of the hospital confrontation, the Executive moved most of those activities under FISA, only to start moving them back (most notably with Internet metadata) as FISA again proved too restrictive, even as technology made bypassing FISA easier.

The discussion also would benefit from more discussion of the telecommunications infrastructure of the world, how packets get routed across it, and how tech companies (and the NSA!) operate servers in multiple places around the globe. As an example, the report discusses XKeyscore as a “database” even while linking to an article that describes it as a “a fully distributed processing and query system that runs on machines around the world.” I get using “database” as shorthand for repositories — I’ve done it myself, particularly for the federated queries that chained metadata from both Section 215, PRTT, and 12333 collection in unified queries (and in so doing alerted analysts when the same queries could be run entirely under EO 12333 and so be covered by more flexible rules). But understanding how that collect-and-query process exploits the flows of data across the Internet is key to understanding how even Americans talking to Americans can be exposed — but also to giving the NSA’s protections for US persons a fair shake (one of NSA’s most common Intelligence Oversight Board violations, from what we can see of the often redacted reports, seem to be about query construction, which shows NSA polices that part of the process closely). The privacy threat to Americans from EO 12333 authorized SIGINT stems from a “Collect it all” mentality and the structure of the Internet–  not from any discreet programs that employ a different approach for one particular country or unencrypted data source.

Treatment of SPCMA

I’m most baffled by the report’s silence on Special Procedures for Communications Metadata Analysis, SPCMA, especially given the report’s extended (and worthwhile) discussion of the word games DOD plays with “collection” and other terms, as in this passage based on language in place up until the moment DOJ started implementing SPCMA in 2007.

The Intelligence Law Handbook indicates that for intelligence agencies housed under the DoD, the act of “collection” is “more than ‘gathering’ — it could be described as ‘gathering, plus…’”91 But what additional action is required to complete “collection” depends on which agency you ask and which document you rely on. This makes it difficult to determine which rules, if any, apply when an intelligence agency gathers information. Our analysis shows that there are at least three definitions of “collection”:

1) the process by which information obtained is rendered “intelligible” to human understanding;

2) the process by which analysts filter out information they want from the information obtained; and

3) the gathering or obtaining of information (i.e., the ordinary meaning of the word “collection”).

Since EO 12333 procedures are triggered only upon “collection,” this ambiguity potentially allows the NSA to avoid restrictions simply by categorizing certain information as not having been “collected.”

After all, SPCMA involved precisely those same kinds of word games, creating a virgin birth for data collected overseas.

For purposes of Procedure 5 of DoD Regulation 5240.1-R and the Classified Annex thereto, contact chaining and other metadata analysis don’t qualify as the “interception” or “selection” of communications, nor do they qualify as “us[ing] a selection term,” including using a selection term “intended to intercept a communication on the basis of … [some] aspect of the content of the communication.”

And those procedures were adopted explicitly in the service of being able to include US person data in EO 12333 analysis.

The Supplemental Procedures, attached at Tab A, would clarify that the National Security Agency (NSA) may analyze communications metadata associated with United States persons and persons believed to be in the United States.

In 2007, the government made an affirmative effort to be able to integrate foreign collected US person metadata into NSA’s analysis. It did so at a time when it was also working toward greater information-sharing between agencies (under ICREACH) and at a time when first getting the FISA Court to sanction the use of contact chaining — integrating SPCMA, though without revealing the rationale behind SPCMA!!! — as a basis for conducting domestic collection under Protect America Act. Starting in 2009 and significantly by 2011, the NSA replaced a huge domestic dragnet (one limited to counterterrorism purposes and with strict sharing rules), in part, with SPCMA (which has neither the counterterrorism limit nor the strict dissemination rules).

Screen Shot 2016-03-21 at 11.03.11 AM

In other words, amid all the examples the Brennan Report gives for how Americans might be surveilled by NSA under EO 12333 (which underplay the exposure both for international calls placed from the US and entirely domestic Internet communication), it doesn’t mention the one that had analysis including US person metadata as the explicit purpose.

Or to put it more simply, in 2007, at a time when the structure of international communication was such that it was possible to spy on entirely domestic communications overseas, the government either adopted or (my suspicion) resumed analyzing US person metadata collected overseas. That seems worth mentioning in a report on how Americans can be exposed under EO 12333. (I asked Patel why SPCMA was not included in the report but have gotten no response.) In terms of the political fight, that’s the difference between a politician trying to fight for more US person protections being called “speculative” and that same politician being able to point to actual evidence EO 12333 collection has implicated Americans’ privacy.

Other agencies

Finally, any discussion of the surveillance exposure of Americans under EO 12333 should, in my opinion, scope more broadly to include other agencies. I would include CIA (not least because PCLOB identified two CIA programs that appear to affect US persons) and Treasury (which tracks a great deal of international financial flows, even of Americans with ties to sanctioned countries; the report as a whole is unduly focused just on communications data).

But I would start with a discussion of (or at least questions we need answered about) DEA. After all, international drug investigations have always been included in EO 12333’s US person collection permissions.

Elements of the Intelligence Community are authorized to collect, retain, or disseminate information concerning United States persons only in accordance with procedures established by the head of the Intelligence Community element concerned or by the head of a department containing such element and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order, after consultation with the Director. Those procedures shall permit collection, retention, and dissemination of the following types of information:

(c) Information obtained in the course of a lawful foreign intelligence, counterintelligence, international drug or international terrorism investigation;

DEA engages in a great deal of information collection on its own right (and shares with with FBI, though the FBI went to some length to hide details of such sharing from DOJ’s Inspector General). We know many of the technologies first used on our foreign adversaries sometimes get introduced for use with Americans via DEA, most notably with that massive metadata dragnet. And DEA doesn’t have the same strict definition as a foreign intelligence organization as NSA, making the potential impact of overseas collection more direct for Americans. Plus, as the Brennan Report notes, DEA (along with Treasury) has never been in compliance with EO 12333’s requirement for enacting procedures.

I get that when non-experts think of surveillance they think of NSA. But that’s a problem, not just because NSA currently more closely hews to the rules such as they are given than DEA, CIA, and FBI are believed to do, but also because NSA has never posed the biggest threat to Americans as agencies that have the ability to prosecute Americans like FBI and DEA. If you’re going to write a report framing the debate, shouldn’t it frame it in a way that ties directly to the impact of it, even if we know far less about those areas that may have more direct impact?

This report feels like one written in the belief that you best understand surveillance by talking about law largely in isolation from technology and bureaucracy. That’s always problematic — indeed, the report suffers from some of the same blind spots that the debate about USA Freedom Act did, based as it was in knowledge about the Section 215 statute but little knowledge of its statutorily mandated minimization procedures. It’s especially problematic when writing about programs that operate in the space not limited by any law, where executive power is at its zenith.

Absent further successful effort to expand Congress’ authority over surveillance (the report describes Section 309 of last year’s Intelligence Authorization but doesn’t focus on Sections 703 through 705 of FISA Amendments Act, an earlier attempt to carve out protections for Americans under EO 12333), technology, not the law, sets the biggest limits on what the Executive can do under EO 12333.

It is time to focus more attention on EO 12333 and I’m grateful the Brennan Report has focused attention on EO 12333. But that focus should include all the ways, including the most central ones, it affects Americans.

1 2 3 19
Emptywheel Twitterverse
bmaz @HeidiOBrien8 I bet exactly the opposite.
5hreplyretweetfavorite
bmaz @VBalasubramani @trabernlaw You guys have all the fun!
5hreplyretweetfavorite
emptywheel RT @thegrugq: This is a massive clusterfuck of a terrorist network. This is what happens w/o professionals, or effective hierarchy https://…
6hreplyretweetfavorite
emptywheel @Realharampolice I'm a lit PhD who always believed imperfect works were the best, so I'll take it.
6hreplyretweetfavorite
emptywheel @msbellows Hope it works out. Can't be easy.
6hreplyretweetfavorite
emptywheel @Realharampolice If there's a lot of new beautiful music I don't much care what else is in the vault.
6hreplyretweetfavorite
emptywheel @Realharampolice Beautiful music?
6hreplyretweetfavorite
JimWhiteGNV RT @GatorsSB: T6: @AmandaLorenz18 records her first-career GRAND SLAM! UF leads TAMU, 14-3. #Wow #GoGators https://t.co/IZIEm1OZo2
6hreplyretweetfavorite
JimWhiteGNV RT @GatorsBB: That feeling when you hit two bombs in the ninth to win 5-4... #Gators 💣💣 https://t.co/oB60aC1OQj
6hreplyretweetfavorite
bmaz Urgh. That said, hard to see how Osweiller has not already shown up Nick Foles. #GoDevils! https://t.co/wFjXOJi3kl
6hreplyretweetfavorite
bmaz @dpottzzz Errr, just know which school will always dominate AZ collegiate football. It is written (as, apparently, basketball now is).
6hreplyretweetfavorite
April 2016
S M T W T F S
« Mar    
 12
3456789
10111213141516
17181920212223
24252627282930