
No, Obama Doesn’t Need Legislation to Fix the Dragnet–Unless the “Fix” Isn’t One

In an editorial calling on Congress to pass the USA Freedom Act, the USA Today makes this claim.

Obama’s proposal last January — to leave the data with phone companies, instead of with the government — can’t happen without a new law. And, as in so many other areas, the deeply divided Congress has failed to produce one.

I don’t know whether that is or is not the case.

I do know 3 Senate Intelligence Committee members say it is not the case.

Ron Wyden, Mark Udall, and Martin Heinrich wrote Obama a letter making just this point in June. They argued that Obama could accomplish most, if not all, of what he claimed he wanted without legislation, largely with a combination of Section 215 Orders to get hops and Pen Registers to get prospective collection.

[W]e believe that, in the meantime, the government already has sufficient authorities today to implement most, if not all, of the Section 215 reforms laid out in your proposal without delay in a way that does not harm our national security. More comprehensive congressional action is vital, but the executive branch need not wait for Congress to end the dragnet collection of millions of Americans’ phone records for a number of reasons.

First, we believe that the Foreign Intelligence Surveillance Court’s (FISC) expansive interpretation of the USA PATRIOT Act to allow the collection of millions of Americans’ phone records makes it likely that the FISC would also agree to a more narrowly-drawn interpretation of the law, without requiring further congressional action. Certainly, it seems likely that the FISC would permit the executive branch to use its current authorities to obtain phone records up to two “hops” from a suspicious phone number or to compel technical assistance by and compensation for recipients of court orders. Unless the FISC has already rejected such a request from the government, it does not seem necessary for the executive branch to wait for Congress before taking action.

Second, we believe that the FISC would likely approve the defined and limited prospective searches for records envisioned under your proposal pursuant to current USA PATRIOT Act Section 214 pen register authorities, given how broadly it has previous interpreted these authorities. Again, we believe it is vital for Congress to enact reforms, but we also believe that the government has sufficient authorities today under the USA PATRIOT Act to conduct these targeted prospective searches in the interim.

Finally, although we have seen no evidence that the government has needed the bulk phone records collection program to attain any time-sensitive objectives, we agree that new legislation should provide clear emergency authorities to allow the government to obtain court approval of individual queries after the fact under specific circumstances. The law currently allows prospective emergency acquisitions of call records under Section 403 of the Foreign Intelligence Surveillance Act (FISA), and the acquisition of past records without judicial review under national security letter authorities. While utilizing a patchwork of authorities is not ideal, it could be done on an interim basis, while Congress works to pass legislation.

Just weeks before they sent this, Deputy Attorney General James Cole had seemed to say they could get (if they were not already getting) hybrid orders, in that case mixing phone and location. So it seems like DOJ is confident they could use such hybrid orders, using Section 215 for the hops and Pen Registers for the prospective collection (though, given that they’re already using Section 215 for prospective collection, I’m not sure why they’d need to use hybrids to get anything but emergency orders).

And it makes sense. After all, the public claims about what the Call Detail Record provision would do, at least, describe it as a kind of Pen Register on steroids, 2-degrees of Pen Register. As the Senators suggest, FBI already gets two-degree information of historical records with mere NSLs, so it’d be surprising if they couldn’t get 2 degrees prospectively with a court order.

So at least according to three members of the Senate Intelligence Committee, USA Today is simply wrong.

Mind you, I’m not entirely convinced they’re right.

That’s because I suspect the new CDR provision is more than a Pen Register on steroids, is instead something far more intrusive, one that gets far beyond mere call records. I suspect the government will ask the telecoms to chain on location, address books, and more — as they do overseas — which would require far more than a prospective Pen Register and likely would require super immunity, as the bill provides.

I suspect the Senators are wrong, but if they are, it’s because Obama (or his Intelligence Community) wants something that is far more invasive than they’ve made out.

Still, for USAF supporters, there seems no question. If all Obama wants to replace the phone dragnet is prospective 2-degree call (not connection) chaining on RAS targets, he almost certainly has that authority.

But if he needs more authority, then chances are very good he’s asking for something far more than he has let on.

Update: Note, USAT makes at least one other clear error in this piece, as where it suggests “the program” — the phone dragnet — imposes costs on cloud companies like Microsoft and Google.

Another Attorney-Client Conversation Spied On

Last month, I laid out the several attorney client conversations to which Raez Qadir Khan was party that the government wiretapped. Among the 7 privileged conversations wiretapped by the government was a January 2010 conversation he had with his immigration attorney after being told by the FBI he could not travel to see his family.

One of the defendants in a key CO terrorism case just revealed in a filing that he, too, was wiretapped when conversing with his immigration attorney’s office.

Bakhtiyor Jumaev, who through co-defendant Jamshid Muhtorov was the first to get notice his prosecution stemmed from FISA Amendments Act collection, revealed in a filing that a conversation he had with his retained immigration counsel’s paralegal was recorded even after the FBI had first questioned him.

FBI agents interrogated Mr. Jumaev at his Philadelphia apartment on February 14, 2012; at that time, Mr. Jumaev had been charged with an immigration violation, had posted bond that included electronic monitoring, was represented by an immigration attorney, Francois Mazur, Esq., and for approximately two years, unbeknownst to him, had also been under investigation for activities related to this case.15 The next day, February 15, 2012, Mr. Jumaev called Mr. Mazur and spoke with the attorney’s paralegal, seeking legal advice relating to Mr. Jumaev’s having been questioned the day prior by the FBI. A copy of the recording of the call, labeled as S2675971321_20120215194017_416.WAV, has been provided in discovery.16

15 The criminal Complaint filed against Mr. Jumaev notes that the FBI had been investigating him in this matter since shortly after his arrest in February 2010 for immigration charges. See Doc. 1 at ¶ 13.

16 Based upon information and belief, to date, the government has not provided all of Mr. Jumaev’s intercepted communications. It is therefore currently unknown whether other communications between Mr. Jumaev and his immigration attorney were intercepted.

As the footnotes make clear, at this point the FBI had already been investigating him for years, but didn’t have the caution to avoid recording his conversations with his immigration attorney (something which, in the Khan case, the government admitted should have been treated as a privileged conversation).

Call me crazy, but this is beginning to look like a pattern — the FBI wiretapping the earliest privileged conversations after their targets get alerted to the FBI investigation into them.

Richard Burr Prepares to Capitalize on Refusing to Exercise Intelligence Oversight

In James Risen’s new book, he provides new details on what happened to the NSA whistleblowers — Bill Binney, Kurt Wiebe, Ed Loomis, Thomas Drake — who tried to stop President Bush’s illegal wiretap program, adding to what Jane Mayer wrote in 2011. He pays particular attention to the effort Diane Roark made, as a staffer overseeing NSA on the House Intelligence Committee, to alert people that the Agency was conducting illegal spying on Americans.

As part of that, Risen describes an effort Roark made to inform another Congressman of the program, one who had not been briefed: Richard Burr.

Despite the warning from (HPSCI’s Republican Staff Director Tim) Sample not to talk with anyone else on the committee about the program, she privately warned Chris Barton, the committee’s new general counsel, that “there was an NSA program of questionable legality and that it was going to blow up in their faces.” In early 2002, Roark also quietly arranged a meeting between Binney, Loomis, and Wiebe and Richard Burr, a North Carolina Republican on the House Intelligence Committee. Binney told Burr everything they had learned about the NSA wiretapping program, but Burr hardly said a word in response. Burr never followed up on the matter with Roark, and there is no evidence he ever took any action to investigate the NSA program.

I’m not actually surprised that Burr learned the Intelligence Community was engaging in illegal behavior and did nothing. From what we’ve seen in his response to torture, he has served entirely to help CIA cover up the program and protect the torturers. Indeed, in his treatment of John Brennan’s confirmation, he made efforts to ensure Brennan would have to protect the torturers too.

So it’s no surprise that Burr heard details of an illegal program and ignored them.

Still, it’s worth highlighting this detail because, if Democrats do lose the Senate as they are likely to do in November, Richard Burr will most likely become Senate Intelligence Committee Chair. While Dianne Feinstein may be a badly flawed Chair overseeing the IC, Burr will be a nightmare, unloosing them to do whatever they’re ordered.

That’s the kind of career advancement that comes to a guy who remains silent about wrongdoing.

Jim Comey Lied When He Claimed FBI Needs a Judge to Read Your Email

I believe that Americans should be deeply skeptical of government power. You cannot trust people in power. The founders knew that. That’s why they divided power among three branches, to set interest against interest. — FBI Director Jim Comey

As part of a piece on James Risen’s stories, 60 Minutes did an interview with Jim Comey. It rehearsed his role in running up hospital steps in 2004 to prevent Andy Card from getting an ill John Ashcroft to rubber stamp illegal surveillance — without mentioning that Comey and the other hospital heroes promptly got the same program authorized by bullying the FISA Court. Trevor Timm called out this aspect of 60 Minutes’ report here.

CBS also permitted Comey to engage in Apple encryption fear-mongering without challenge. CNN, to its credit, called Comey on his misrepresentations here.

But perhaps Comey’s biggest stretcher came when Scott Pelley asked him whether FBI engages in surveillance without a court order.

Scott Pelley: There is no surveillance without court order?

James Comey: By the FBI? No. We don’t do electronic surveillance without a court order.

Scott Pelley: You know that some people are going to roll their eyes when they hear that?

James Comey: Yeah, but we cannot read your emails or listen to your calls without going to a federal judge, making a showing of probable cause that you are a terrorist, an agent of a foreign power, or a serious criminal of some sort, and get permission for a limited period of time to intercept those communications. It is an extremely burdensome process. And I like it that way.

Comey was admittedly careful to caveat his answer, stating that FBI does not engage in “electronic surveillance” without a court order. That probably excludes FBI’s use of National Security Letters. Though as DOJ’s Inspector General has made clear, FBI uses NSLs for a number of things — including communities of interest, obtaining one or possibly two degree collection of phone records, as well as a bunch of other things that remain redacted — that the NSL law didn’t envision. Indeed, FBI’s NSL requests have gotten so exotic that some Internet companies started to refuse — successfully — in 2009 to comply with the requests, forcing FBI to use Section 215 orders instead.

But the second part of that exchange — Comey’s claim that “we cannot read your emails without going to a federal judge” is egregiously false.

As both ODNI and PCLOB have made clear, FBI can and does query incidentally collected data obtained under Section 702 (PRISM) — that is, it accesses email content — without a warrant. Alarmingly, it does so at the assessment level, before FBI even has any real evidence of wrong-doing.

Second, whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702–acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts.

That’s not conducting electronic surveillance — because FBI gets the email after the electronic surveillance has already occurred. But that does entail warrantless access of US person content, and does so without any review by a judge. Indeed, with Section 702 collection, a judge never even reviews the foreign targets, much less the US incidental collection accessed by the FBI.

Now I get that Jim Comey is a terrifically charismatic guy, with great PR instincts. But still, 60 Minutes is supposed to be a journalism show. Why, when Comey was telling 60 Minutes straight out they should not trust the government, did they let him make so many bogus claims?

The No Fly List and DOJ’s Notice Concessions

Congratulations to the ACLU, which last week got 6 of its 13 No Fly List plaintiffs moved off the No Fly List.

Seven American citizens who were banned by the government from air travel received word yesterday evening that they are cleared to fly. For them, the notice ends a years-long struggle to find out why they were blacklisted and clear their names. As of last night, the seven can finally make plans to visit family, travel for work, and take vacations abroad.

The seven – six men and one woman – had been on the government No Fly List, which prevented them from flying to, from, and over U.S. airspace. Even after they were surrounded by TSA agents at the airport and questioned by the FBI, the government refused to officially confirm that they were included on the list. They were also never provided reasons for being banned from air travel, or given a meaningful opportunity to contest the ban. In short, our clients have been locked in a fight to regain their freedoms with virtually no information.

The notice that the seven are “not currently on the No Fly List” came after a federal court last week set deadlines for the government in the ACLU’s challenge to the No Fly List. The court ruled that the government must notify our clients of their status on or off the No Fly List, give reasons to those still on the list, and provide an opportunity for them to challenge those reasons. The first of those deadlines was yesterday, and the government must complete reconsideration of the remaining cases by January 16.

The remaining 6 (2 of whom, curiously, worked in the Middle East with tech companies) will now be given some kind of due process.

Which got me thinking about this Charlie Savage story from several weeks ago. It describes how, following DOJ’s recognition that it needs to give notice to some, but definitely not all of the people identified using Section 702, the government is now debating whether it needs to give those sanctioned by the Treasury notice under FISA. At the very end of the story, Savage notes that legal experts say DOJ may have to give notice to some on the No Fly List as well.

Legal specialists said the government could also be invoking arguments against providing a FISA notice even at the court stage, which is adversarial. It may say, for example, that Congress could not have intended the law to apply in situations where the recipients of the notice could not do anything with that information. For example, most foreigners abroad could not argue that the warrantless surveillance violated their rights — because the Constitution does not cover them — and so they could not ask to have the evidence suppressed.

Still, the experts said surveillance-derived information could affect Americans who did have constitutional rights, like the approximately 800 people placed on the “no fly” list, which prevents people from boarding aircraft, as well as applicants for licenses like those that allow people to work behind airport security checkpoints.

“Very significant decisions about people’s lives are made on this kind of evidence,” said Jameel Jaffer, an American Civil Liberties Union lawyer. “When all this takes place in secret, you don’t have an opportunity to challenge the constitutionality of the government’s surveillance methods.”

In June, a Federal District Court judge struck down the process for challenging being put on the “no fly” list, saying it was too opaque and violated Americans’ due-process rights. She ordered the government to give people more information about why they are on the list.

Which has me wondering: what may distinguish the 7 ACLU plaintiffs who were removed from the No Fly List from the 6 who remain on it is how they were identified. That is, the government can avoid giving notice simply by moving people off the list.

There is some reason to believe the government does use Section 702 data — and nothing more — to put people on the No Fly List. If that’s right, then the legal requirement that those affected get more notice may make the government more cautious about whom it places on the list.

Nobel Prize: The Surveillance Fight Remains Ahead of Us

This morning, the Nobel Committee awarded the Peace Prize to Pakistani activist Malala Yousafzai.

In a piece published earlier this morning at Salon, I pointed out that so long as countries like Norway participate in the NSA’s dragnet, Edward Snowden will never get a Nobel Prize.

No European country but Russia has offered Snowden asylum, so it’s unlikely the Norwegians will do something just as likely to piss off the U.S. Numerous European countries, after all, play willing partners in America’s global dragnet. Europe — including Norway — are the spies Snowden warned us against.

But I also made a more important point.

Like Obama — who got a Nobel Prize well before he had delivered on his promises — the world community has not yet really acted on Edward Snowden’s invitation to reform.

Snowden has completed a courageous act, leaking a mother lode of documents revealing just how exposed we are to the NSA’s glare. He has continued to speak out, to the extent he is able from Russia.

But the response remains very much in flux. Across the world, it’s quite possible Snowden’s leaks provide more repressive government the excuse to crack down. Certainly America’s Five Eyes spying partners (in addition to the UK, New Zealand, Australia, and Canada) are doing so: all but Canada have passed or are passing expansive laws legalizing still more surveillance. Citizens — in Five Eyes countries and outside — have not yet seized the opportunity created by Snowden to roll back the dragnet. Even in the U.S., the only reform on offer, Patrick Leahy’s USA Freedom Act, worsens some aspects of spying while achieving the important goal of removing all Americans’ phone records from the government.

Snowden did a courageous thing by leaking the NSA’s secrets, and continues to engage, as possible, in constructive fashion. If the world responded well to those disclosures, it might lead to a more just world, one much safer for dissent and human relationships. But we — the rest of the world — have not yet delivered on that promise yet, and may not. So a prize for Snowden — no matter how important his actions — may yet reward the mere hope of change, not real progress towards it.

The world’s relative inaction in response to Snowden’s warnings does not at all detract from Snowden’s courage. But it does mean it is far too early to conclude that we’ve used this opportunity Snowden gave us to reverse a dangerous dragnet.

A Good Reason to Encrypt Your iPhone: To Prevent DEA from Creating a Fake Facebook Account

At Salon yesterday, I pushed back against the Apple hysteria again. In it, I look at the numbers that suggest far more Apple handsets are searched under the border exception than using warrants.

Encrypting iPhones might have the biggest impact on law enforcement searches that don’t involve warrants, contrary to law enforcement claims this is about warranted searches. As early as 2010, Customs and Border Patrol was searching around 4,600 devices a year and seizing up to 300 using what is called a “border exception.” That is when CBP takes and searches devices from people it is questioning at the border. Just searching such devices does not even require probable cause (though seizing them requires some rationale). These searches increasingly involve smart phones like the iPhone.

These numbers suggest border searches of iPhones may be as common as warranted searches of the devices. Apple provided account content to U.S. law enforcement 155 times last year. It responded to 3,431 device requests, but the “vast majority” of those device requests involved customers seeking help with a lost or stolen phone, not law enforcement trying to get contents off a cell phone (Consumer Reports estimates that 3.1 million Americans will have their smart phones stolen this year). Given that Apple has by far the largest share of the smart phone market in the U.S., a significant number of border device searches involving a smart phone will be an iPhone. Apple’s default encryption will make it far harder for the government to do such searches without obtaining a warrant, which they often don’t have evidence to get.

Almost 20% of Americans this year will have an iPhone, and that number will be far higher among those who fly internationally. If only 20% of 5,000 border searches involve iPhones, then there are clearly more border iPhone searches than warranted ones.

Meanwhile, we have an appalling new look at what law enforcement does once it gets inside your smart phone. A woman in Albany is suing DEA because — after she permitted DEA to conduct a consensual search of her phone — DEA then took photos obtained during the search, including one of her wearing only underwear, and made a fake Facebook page for her with them. They even sent a friend request to a fugitive and accepted other friend requests. They also posted pictures of her son and niece, on a site intended to lure those involved in the drug trade.

And they consider this a legitimate law enforcement activity!

In a court filing, a U.S. attorney acknowledges that, unbeknownst to Arquiett, Sinnigen created the fake Facebook account, posed as her, posted photos, sent a friend request to a fugitive, accepted other friend requests, and used the account “for a legitimate law enforcement purpose.”

The government’s response lays out an argument justifying Sinnigen’s actions: “Defendants admit that Plaintiff did not give express permission for the use of photographs contained on her phone on an undercover Facebook page, but state the Plaintiff implicitly consented by granting access to the information stored in her cell phone and by consenting to the use of that information to aid in an ongoing criminal investigations [sic].”

To be sure, DEA and FBI would still be able to obtain consensual access to phones, as they did in this case, by threatening people with harsher charges if they don’t cooperate (which appears to be how they got her to cooperate).

But this demonstrates just how twisted is the government’s view of legitimate use of phone data. The next time you hear a top officer wail about pedophiles, you might ask whether they’re actually the one planning to post sexy pictures.

Clouded Transparency in USA Freedom Act

I noticed earlier yet another hole in USA Freedom Act’s “Transparency” provisions that I’m very intrigued about. It’s part of the definition of “individual whose communications were collected,” off of which all the individualized non-target reporting is based. That definition reads,

(3) INDIVIDUAL WHOSE COMMUNICATIONS WERE COLLECTED.—The term ‘individual whose communications were collected’ means any individual—

(A) who was a party to an electronic communication or a wire communication the contents or noncontents of which was collected; or


(B)(i) who was a subscriber or customer of an electronic communication service or remote computing service; and

(ii) whose records, as described in subparagraph (A), (B), (D), (E), or (F) of section 2703(c)(2) of title 18, United States Code, were collected.

(A), as I’ve explained, clearly exempts all the non-communication tangible things collected under Section 215 — things like bank records and purchase records — from any individualized reporting. That has the effect of hiding at least two known dragnet programs, that collecting international money transfers and that collecting explosives precursors that usually have innocent uses–things like hydrogen peroxide, acetone, and pressure cookers.

I believe it also exempts location data — as communication from a tracking device — from any reporting, though I would welcome being proven wrong on that point. If I’m right, though, it will have the effect of hiding likely Stingray and other location tracking programs under PRTT, potentially including the more systematic PRTT program FBI had at least as recently as 2012.

(B), though, is even more fascinating. First, note that (A) does not reflect all electronic communication records collected — only those that involve a “party to a communication” (and no, I don’t understand the boundary there). The underlying definition of communication is very broad, including a bunch of non-communication things, but this “party to” language might limit it. (B), by contrast, is built off a person being a “subscriber or customer” of an electronic communication service or remote computer service, which would include both Internet sites, including search engines, and cloud storage. So I believe this would, if measured in good faith, provide numbers relating to the collection on URL searches and cloud storage uses.

But here’s where it gets interesting. Note what is excluded from the definition being used here, which as far as I know is just pulled outta someone’s arse for this bill (in strikethrough).

(2) A provider of electronic communication service or remote computing service shall disclose to a governmental entity the—
(A) name;
(B) address;
(C) local and long distance telephone connection records, or records of session times and durations;
(D) length of service (including start date) and types of service utilized;
(E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and
(F) means and source of payment for such service (including any credit card or bank account number), of a subscriber to or customer of such service when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena or any means available under paragraph (1).

This language from 2703(c)(2) describes what the government can obtain from stored communication providers without a court order; but note that 2703(c)(1) permits the government to obtain other information (though not content of communications) with a court order based on a relevance standard.

As I read it [insert standard caveats about not being a lawyer, invitations for lawyers to correct me here], if all the government obtains from a cloud or web provider is what are deemed call records or session times (or those other things permissible with a court order under 2703(1)), then it doesn’t count as a communication provided. If they ask for other stuff — identifying information — then it’s a communication. But if they only ask for the communications stuff, then it’s not a communication. And, if I’m reading this correctly (though I’m less sure of this), obtaining someone’s non-communication content stored in the cloud does not amount to collecting communications on them under the larger definition.

Given how crazy this formula is, I’m going to assume this pulled-outta-arse definition is designed to hide some fairly substantive dragnet.

I confess, I have no idea what this is designed to hide. But here are three non-exclusive possibilities.

The Exotic Section 215 Requests

First, consider that the stored communication definition used here is not a definition used for FISA. The closest definition to that is in 18 USC 2709, which is the NSL equivalent for what they’re using here, which is a Title III administrative subpoena. The NSL permits the government to obtain fewer things:

local and long distance toll billing records
length of service

In fact, that NSL definition is behind the bulk of Section 215 orders. After DOJ published an OLC memo limiting what FBI could get under that NSL definition, more than one Internet company started refusing NSLs for a certain kind of request in 2009, which led FBI to obtain that information under Section 215. Such orders are now the majority of Section 215 orders.

I had been assuming these searches were for the URL searches of individuals, based on James Cole’s confirmation they can use Section 215 to get URL searches. And they may well be. But that shouldn’t generate a large number of people affected (except insofar as someone searched on US businesses, which count as US persons). There’d be no reason to hide that (especially since it will show up as foreign, not domestic, collection under FBI’s exemption). Besides, a person’s URL search might count as a party to a communication.

Perhaps, though, these exotic requests are either collected in bulk (perhaps searches for a certain thing) or they are for some other kind of use.

PRISM Non-Communication

We usually talk about PRISM — Section 702 collection from US-based Internet providers — in terms of communications collected: emails and instant messages.

But we know that, even in the first year of Protect America Act, the government had broadened its requests to include 9 things. Even 6 years ago, those requests seem to include cloud storage, information searches, and Yahoo’s internal records on customers.

The definition of “communications collected from” would seem to exempt not only non-communication data stored in the cloud from its counts, but even communication data.

As with the exotic Internet requests, I’m not sure how these requests would drive up the numbers of people affected. But if they do, by structuring the request in this way, they’d artificially lower the number of people affected by PRISM.

Phone connection chaining 

We know the other two kinds of collection — the exotic Internet 215 requests and cloud collection under PRISM — occur. We don’t know what “connection chaining” means in the context of the phone dragnet.

As I have noted, the new Section 215 Call Detail Record function meant to replace the phone dragnet doesn’t actually chain on calls and texts made. It chains on “connections.” Nobody knows what the fuck that means, though in spite of promises ODNI would explain it in their letter supporting the bill, they did not do so. And ODNI has denied my FOIA requests for related language.

It’s SEKRIT. Which means it must be interesting.

That said, I have speculated that it might include finding burner phones (which is fairly uncontroversial, and FBI does it under Hemisphere anyway), using location to map connections (again, that’s something available under Hemisphere), or things like address books and calendars and even personal pictures.

And of course, most of those things would be accessible with smart phones because cloud content is available. Precisely the kind of cloud content dodged by this definition.

Now, I’m still not sure this works. After all, as a Verizon subscriber, if I get connection chained because I’m in someone else’s Verizon address book, it would seem they would have to count me. Or maybe not, because the actual request (all done at the telecom, of course!) wouldn’t be triggered to me, it’d be triggered to my friend.

But it seems at least possible that this definition would hide a great number of potential connections made via cloud information, whether obtained under PRISM or under Section 215’s CDR connection chaining.

The Continuing Myth about USA Freedom Transparency

Summary: This is a response to an Elizabeth Goitein claim that USA Freedom would provide detailed reporting on FISA programs. That’s false. As I show below, the only three kinds of collection for which reasonably real numbers will be reported are Individual FISA orders, NSLs (though FBI refuses to count those accurately), and the new CDR provision (though it will be presented as foreign collection even though it will be domestic). On everything else, the reporting will be excepted away beyond usefulness. Further, both PRTT and traditional 215 will likely get reported only as “fewer than 500,” a significant regression from current reporting.

In a piece at Just Security, Brennan Center’s Elizabeth Goitein bemoans what she claims is a distraction, in the form of ISIS, from passing the USA Freedom Act.

Then came ISIS. Following the group’s capture of territory in Iraq, its beheading of two American journalists, and its calls for followers to launch attacks in the US, some American lawmakers claimed it would be irresponsible to ratchet back surveillance authorities in the face of a new terrorist threat. 

I’m skeptical that USAF was going to pass anyway, and equally skeptical the Republicans are really responding to ISIS and not improving GOP Senate chances.

But I’m more interested in Goitein’s portrayal of the bill.

To her credit, she limits her most aggressive claims that the bill would end bulk collection to the phone dragnet. Though she claims continuation of the financial dragnets would be a misreading of the bill.

The bill also would prohibit bulk collection of other types of transactional data, although the wording of these bans is susceptible to distorted readings, as some have observed.

That’s something on which we can fairly disagree. In my opinion, this language does nothing to limit the financial dragnet.

(i) means a term that specifically identifies a person, account, address, or personal device, or another specific identifier, that is used by the Government to narrowly limit the scope of tangible things sought to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things; 

As I’ve noted, permitting “person” as a selector permits the use of “Western Union.” And the language “to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things” closely resembles claims we’ve seen in released applications and orders. I would be fairly shocked if the applications for the Western Union dragnet didn’t say — as NSA said of the phone dragnet — that FBI required all foreign money transfers to be able to track such transfers. If so, then FISC has already bought off on the government’s claim that the existing financial dragnets are as narrowly limited as “reasonably practicable, consistent with the purpose for seeking the tangible things.” If so – and given public FISC releases, this is actually not a distorted reading in the least – then this bill will not affect the existing dragnets in the least. 

Still, I commend Goitein for exercising far more caution than other USAF supporters have in the past about the extent of the bill.

But Goitein’s claims about the transparency required under the bill are simply wrong.

The USA Freedom Act also would require more detailed statistical reporting by the government on the number of people affected by specific surveillance authorities –including, for most FISA programs, a separate tally of U.S. persons affected. These numbers give meaning to abstract legal interpretations. It’s clear that the FISC endorsed a broad interpretation of the term “relevance,” but only the numbers can tell us exactly how broad.

This bill will be less than useless in helping us understand how broadly the government is collecting; it will be counter-productive.

Here’s what, to the best of my understanding, we’ll actually get:

Individual orders (Titles I, III, 703, 704): We’ll get a “good faith” estimate of how many individuals are targeted. The government won’t reveal the split of this targeting. That will likely hide that much of its “targeting” consists of obtaining already collected data. The government won’t reveal that it does not use 703. At all.

702: We’ll get the number “1” for total orders, and something like 90,000 for targets. We’ll get a grossly misrepresentative number for number of people located in the US collected under PRISM, because the government will not be required to count IPs in the US as someone in the US. We’ll also get a certificate saying it cannot estimate whether more than 56,000 US persons are collected in upstream every year (because if the government did so it would then be illegal). We’ll get numbers like NSA 100 and CIA 1000 for back door searches, but we will get nothing on FBI back door searches, which can be done with no suspicion of wrong-doing. This leaves out 56,000 or more Americans affected via upstream, probably 100s of 1000s under an IP dodge, and probably 10s of 1000s affected in back door searches, and that’s assuming the DNI doesn’t use a Certificate to refuse to report all people affected by PRISM. Update: See this post for something else that may be hidden — non-communication cloud data.

Title IV (PRTT): We’ll start with a number like 140; as currently counted this would show as something like 300 targets, 70 of whom are named US persons who got their phone or email records collected. But this may not count US persons who have their email records collected, because the government won’t have to treat a US IP as a US person. It also won’t count the people sucked up in Stingray use, as that is not counted as a communication collected. That’ll ensure the number is fewer than 500, meaning that’s the only number we’ll get, which is far worse than the reporting we currently get. Moreover, if as I suspect any bulkier PRTT program collects location, it will show only something like 4 al Qaeda related targets (because location data is not a communication). And the government can issue a claim that it can’t count those in the US (because if it did so it’d be illegal). One way or another, this will leave out hundreds of thousands, and perhaps millions, of affected Americans.

Traditional 215: Under current counting we’d get a number like 210 orders, targeting 800 targets. Here’s how it’ll break out in this reporting:

Exotic Internet requests (currently the majority of 215 orders): These are in the US, but they won’t be counted as such because they’re FBI orders and FBI is exempted from counting that. I suspect they’re also exempted even more generally from total persons affected counts as subscriber session time (see below regarding the definition of communications collected), though that’s a guess. Update: see this post for more on this language.

Less exotic Internet orders: These won’t have to be reported as US persons either, because the government doesn’t have to treat US IPs as US location.

Known non-financial dragnets: Under current counting this would probably count as roughly 24 orders (assuming 6 programs with 90 day renewals), with 4 targets — the al Qaeda groups included — each. Under USAF reporting, none of the individuals affected by the known bulk non-communications dragnets — which we know to include financial records and purchase records and which may include travel records — will get reported because the bill doesn’t require non-communications 215 orders to be individualized.

Having exempted almost every known kind of 215 order from individualized reporting, it’ll bring the total number affected well under 500, meaning that’s all we’ll get for persons affected, a far worse report than we currently get. This will definitely leave out millions of affected Americans, and will present the false impression that most 215 orders affect foreigners. 

New-Fangled 215: For CIA and NSA — which are unlikely to use this provision — the government will have to report the targets, plus the people within 2 degrees sucked in with those targets. For FBI, which is likely to collect this data now that it doesn’t require ingesting all the phone records in the US and because FBI has far more liberal sharing rules, it’ll probably report 300 targets, and a total of 3 million people affected. But those won’t be identified as Americans because the FBI is exempted from that. Moreover, since this will bring the number under 500, that’s all we’ll get for targets (though not persons affected). This will probably hide hundreds of thousands of Americans affected.

Update, 10/5: See this post for one other thing USAF may hide: cloud-related metadata that might be used for connection chaining.

NSLs: This bill provides slightly more breakout on US/non-US NSL reporting, though that has largely been available via IG report (plus, FBI refuses to count it accurately), except for subscriber data.

To sum up, what USAF effectively does is require reporting on the number of people affected by surveillance programs, and for most requires a break-out of the number of US persons affected. But then it uses the following exemptions to hide by far the bulk of the US persons affected — and in most cases, the number of persons affected — by surveillance:

  • 603(b)(2): Only a phone number registered in the US provides a reasonable basis that a person is located in the US. Thus all bulky Internet collection in the US can and will be hidden as foreign collection.
  • 603(e)(2): For several target and affected numbers, DNI will report numbers under 500 as fewer than 500. This will result in significantly less granular reporting than we currently have for some authorities, especially PRTT and 215.
  • 603(e)(3): If records are held by FBI or queries are conducted for them, 702 back door searches, communications-related traditional 215 orders, and newfangled 215 results don’t have to report on US persons affected. FBI will effectively be even more of a black hole where reporting goes to die than it already is.
  • 603(e)(4): DNI can certify that it can’t report on the 702 and PRTT Americans caught in the dragnet. Unless they use the IP dodge, they’ll almost certainly do this because if they admit this is US person collection, it’ll become illegal.
  • 603(g)(3): The definition of “individual whose communications were collected,” on which non back door 702, PRTT, and both traditional and newfangled 215 individualized reporting is based, would (according to my reading–lawyers should definitely check this) exclude:
    • Any location data (tracking devices are excluded)
    • Any financial, purchase, or other non-communication record (they are non-communication)
    • Any subscriber to an electronic computer service who is not a party to a communication who has had only her call records or session times collected [(B)(ii) excludes subparagraph (C) of 2703(c)(2)]

That is, after requiring reporting for most FISA reports, it then exempts virtually all of it from reporting.


This is not serious transparency reporting. Rather, it’s a hoax, at best reporting knowingly false information, but usually producing nothing but propaganda that gives a grossly misleading description of what collection occurs.

Updated 10/4 with summary and some clarifications.

Protect America Act Was Designed to Collect on Americans, But DOJ Hid that from the FISC

The government released a document in the Yahoo dump that makes it clear it intended to reverse target Americans under Protect America Act (and by extension, FISA Amendments Act). That’s the Department of Defense Supplemental Procedures Governing Communications Metadata Analysis.

The document — as released earlier this month and (far more importantly) as submitted belatedly to the FISC in March 2008 — is fairly nondescript. It describes what DOD can do once it has collected metadata (irrespective of where it gets it) and how it defines metadata. It also clarifies that, “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communications, nor do they qualify as ‘us[ing] a selection term’.”

The procedures do not once mention US persons.

There are two things that should have raised suspicions at FISC about this document. First, DOJ did not submit the procedures to FISC in a February 20, 2008 collection of documents they submitted after being ordered to by Judge Walton after he caught them hiding other materials; they did not submit them until March 14, 2008.

The signature lines should have raised even bigger suspicions.

Gates Mukasey

First, there’s the delay between the two dates. Robert Gates, signing as Secretary of Defense, signed the document on October 17, 2007. That’s after at least one of the PAA Certifications underlying the Directives submitted to Yahoo (the government is hiding the date of the second Certification for what I suspect are very interesting reasons), but 6 days after Judge Colleen Kollar-Kotelly submitted questions as part of her assessment of whether the Certifications were adequate. Michael Mukasey, signing as Attorney General, didn’t sign the procedures until January 3, 2008, two weeks before Kollar-Kotelly issued her ruling on the certifications, but long after it started trying to force Yahoo to comply and even after the government submitted its first ex parte submission to Walton. That was also just weeks before the government redid the Certifications (newly involving FBI in the process) underlying PAA on January 29. I’ll come back to the dates, but the important issue is they didn’t even finalize these procedures until they were deep into two legal reviews of PAA and in the process of re-doing their Certifications.

Moreover, Mukasey dawdled two months before he signed them; he started as AG on November 9, 2007.

Then there’s the fact that the title for his signature line was clearly altered, after the fact.

Someone else was supposed to sign these procedures. (Peter Keisler was Acting Attorney General before Mukasey was confirmed, including on October 17, when Gates signed these procedures.) These procedures were supposed to be approved back in October 2007 (still two months after the first PAA Certifications) but they weren’t, for some reason.

The backup to those procedures — which Edward Snowden leaked in full — may explain the delay.

Those procedures were changed in 2008 to reverse earlier decisions prohibiting contact chaining on US person metadata. 

NSA had tried to get DOJ to approve that change in 2006. But James Baker (who was one of the people who almost quit over the hospital confrontation in 2004 and who is now FBI General Counsel) refused to let them.

After Baker (and Alberto Gonzales) departed DOJ, and after Congress passed the Protect America Act, the spooks tried again. On November 20, 2007, Ken Wainstein and Steven Bradbury tried to get the Acting Deputy Attorney General Craig Morford (not Mukasey, who was already AG!) to approve the procedures. The entire point of the change, Wainstein’s memo makes clear, was to permit the contact chaining of US persons.

The Supplemental Procedures, attached at Tab A, would clarify that the National Security Agency (NSA) may analyze communications metadata associated with United States persons and persons believed to be in the United States.

What the government did, after passage of the PAA, was make it permissible for NSA to figure out whom Americans were emailing.

And this metadata was — we now know — central to FISCR’s understanding of the program (though perhaps not FISC’s; in an interview today I asked Reggie Walton about this document and he simply didn’t remember it).

As the new declassification of the FISCR opinion makes clear, the linking procedures (that is, contact chaining) NSA did were central to FISCR’s finding that Protect America Act, as implemented in directives to Yahoo, had sufficient particularity to be reasonable.

The linking procedures — procedures that show that the [redacted] designated for surveillance are linked to persons reasonably believed to be overseas and otherwise appropriate targets — involve the application of “foreign intelligence factors.” These factors are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. As attested by affidavits of the Director of the National Security Agency (NSA), the government identifies [redacted] surveillance for national security purposes on information indicating that, for instance, [big redaction] Although the FAA itself does not mandate a showing of particularity, see 50 U.S.C. § 1805(b). This pre-surveillance procedure strikes us as analogous to and in conformity with the particularity showing contemplated by Sealed Case.

In fact, these procedures were submitted to FISC and FISCR precisely to support their discussion of particularity! We know they were using these precise procedures with PAA because they were submitted to FISC and FISCR in defense of a claim that they weren’t targeting US persons.

Except, by all appearances, the government neglected to tell FISC and FISCR that the entire reason these procedures were changed, subsequent to the passage of the PAA, was so NSA could go identify the communications involving Americans.

And this program, and the legal authorization for it? It’s all built into the FISA Amendments Act.
