1 2 3 122

David Medine’s PCLOB Defense

Today, David Medine attempts to answer (most) of the questions Jennifer Granick argues weren’t answered in the Privacy and Civil Liberties Oversight Board’s report on Section 702. Here’s my summary of how he does so:

Screen shot 2014-07-22 at 9.15.15 AM

Even while Medine “challenges” Granick’s assessment that her questions weren’t answered, he admits “Professor Granick may not find that all of her questions have been fully answered.”

And that’s clear from my summary: for classification reasons, PCLOB didn’t answer the questions about volume of US person communications collected (question 1) or the kinds of selectors used (question 5), and only hinted at an answer to whether NSA had direct access to providers’ networks (question 2). As I’ve suggested, even with the 100 new pieces of data PCLOB got declassified, their subjection to obviously bogus government classification claims discredits their report.

The most useful response Medine provides Granick — though not for what it says about the underlying question – is to inform us that buddy lists and a bunch of other things are treated as communications.

  1. “Do intelligence agencies minimize address books, buddy lists, stored documents, system backups and/or other electronic transmissions where there is no human being on the received end of the transmission as “communications” under the minimization procedures? Or are those fair game?”

The report answers this question directly: “Everything that is collected under Section 702 is treated as a ‘communication’ and therefore is protected by the applicable minimization procedures.” PCLOB report at p. 127 n. 524. As explained elsewhere in the report, the statute itself “requires that all acquired data be subject to minimization procedures.” PCLOB report at p. 50 (emphasis added).

In a sense, Granick’s original question was overtaken by events when it was confirmed – both in the WaPo’s analysis of 702 collected data and in PCLOB — that minimization doesn’t work as mandated by law (though PCLOB seems relatively untroubled by that). Sure, US person names in an address book will be masked, but they won’t be destroyed because they have no foreign intelligence value. So even US person names in buddy lists will be available for analysis.

But Medine’s answer — emphasizing that “everything .. is treated as ‘communication’” — is important for his answer regarding what the government uses for upstream selectors. Continue reading

Dick Durbin’s Obscure Transparency Bid

Steven Aftergood notes that the Senate Appropriations Committee has included a reporting requirement on NSA on its “bulk collection” programs.

That’s all well and good, if the language isn’t stripped before final passage. But there are a couple of limits to the language.

First, the reporting requirements on Section 215 only go back to 2009.

For the last 5 years, on an annual basis, the number of records acquired by NSA as part of the bulk telephone metadata program authorized by the Foreign Intelligence Surveillance Court, pursuant to section 215 of the USA PATRIOT Act, and the number of such records that have been reviewed by NSA personnel in response to a query of such records;

Of course, the program changed significantly in 2009; the collection scope may have narrowed at that point. And many of the abuses were ended in that year.

And there are two problems with the requirement to provide a list of all “bulk collection” programs.

A report, unclassified to the greatest extent possible, and with a classified annex if necessary, describing all NSA bulk collection activities, including when such activities began, the cost of such activities, what types of records have been collected in the past, what types of records are currently being collected, and any plans for future bulk collection.

We know the intelligence community only includes programs that use no discriminator as “bulk collection.” So the report would list what the IC considers bulk collection, not what normal human beings do.

In addition, only NSA would have to report its bulk programs. We know, for example, that the FBI has a Pen Register program that presumably involves some bulk. That would not show up in this list.

So, great! Transparency!

But not transparency that will tell us what we need to know.

Edward Snowden’s Smut

In an interview with the Guardian published yesterday, Edward Snowden claimed that compromising pictures get shared around NSA.

Made a startling claim that a culture exists within the NSA in which, during surveillance, nude photographs picked up of people in “sexually compromising” situations are routinely passed around.

Boing Boing transcribed his comments on it.

The usual whiners are suggesting Snowden is making this up and demanding proof.

They seem to have forgotten the proof we’ve already seen of NSA officially retaining sexually compromising material. Here’s what Bart Gellman described in a follow-up to WaPo’s recent report on the data collected under Section 702.

Among the large majority of people who are not NSA targets, many of the conversations in our sample are exceedingly private. Often they are very far from publishable, without editing.

Him: “How about you [verb, possessive adjective, noun]

Her: “I [verb] if you [another verb].”

Him: “That can be arranged.”

Her: “I really need punishment.”

Another young woman, also not a target, responds to a suitor who proposes to pay a visit.

Her: “don’t think that would b fair on the guy im seeing”

Him: “you can be a bit naughty at times lol”

Her: “Yeah lol”

The conversation proceeds from there.

This is stuff officially retained by NSA. This is stuff they claim has foreign intelligence value. This is sexually compromising. And Gellman says many of the retained communications are like that.

Sure, I get that NSA wants to contact chain on who’s fucking whom, just as they want to chain on who’s calling whom.  But to do that, they’re retaining smut.

NSA Only Finds 59% of Its Targeting of US Persons

This will be a minor point, but one that should be made.

The Privacies and Civil Liberties Oversight Board report on Section 702 included this little detail:

In 2013, the DOJ undertook a review designed to assess how often the foreignness determinations that the NSA made under the targeting procedures as described above turned out to be wrong — i.e., how often the NSA tasked a selector and subsequently realized after receiving collection from the provider that a user of the tasked selector was either a U.S. person or was located in the United States. The DOJ reviewed one year of data and determined that 0.4% of NSA’s targeting decisions resulted in the tasking of a selector that, as of the date of tasking, had a user in the United States or who was a U.S. person. As is discussed in further detail below, data from such taskings in most instances must be purged. The purpose of the review was to identify how often the NSA’s foreignness determinations proved to be incorrect. Therefore, the DOJ’s percentage does not include instances where the NSA correctly determined that a target was located outside the United States, but post-tasking, the target subsequently traveled to the United States.

0.4% of NSA’s targeting decisions falsely determine someone is a foreigner who is in fact a US person.

That’s a pretty low amount. Though based on ODNI’s number — showing 89,138 people were targeted in 2013 — that means 356 US persons get wrongly targeted each year. Again, still not a huge number, but it compares rather interestingly with the 1,144 people targeted under FISA each year. Those wrongly targeted under Section 702 actually make up 24% of those targeted in a year.

Just as interesting is comparing the NSA’s internal audit (see page 6)  with DOJ’s results. For a period presumably covering some of the same time period, NSA discovered 20 US persons tasked (for some reason there was a big increase in this number for the last quarter of the report) and 191 incidences of “other inadvertent” tasking violations, which are described as, “situations where targets were believed to be foreign but who later turn out to be U.S. persons and other incidents that do not fit into the previously identified categories” (my emphasis). Not all of those 191 incidents should be counted as wrongly targeted US persons — the description includes other inadvertent targeting. But even counting them all as such, that means NSA only found 211 of the potential wrongly targeted US persons in a year, while DOJ found 356.

Again, in a country of 310 million people, these numbers are small, particularly as compared to the collection of US person communications under upstream collection, which is thousands of times higher.

But it does say that NSA’s internal reviews don’t find all the Americans who get wrongly targeted.

Correction: I originally mistranscribed DOJ’s number as .o4%–though I had calculated using .4%.

Anonymous Pushback Emphasizes that Surveillance Leads to Informants

I’ve already suggested I suspect the government falsely claimed it didn’t have a a FISA warrant on CAIR’s Executive Director Nihad Awad in an attempt to gain an advantage in EFF’s suit challenging the phone dragnet.

The conflicting denials anonymous officials gave to ABC about the story — with one senior official implying the people the Intercept profiled actually were profiled, but other current and former officials claiming the Intercept may have misunderstood what they were looking at — don’t change that suspicion in the least.

A senior government official said without knowing the underlying probable cause presented to a federal judge from the FISA court in each case, Greenwald and The Intercept cannot know why the e-mails of the purported targets were collected.

As a result, the official said, Greenwald and Snowden cannot know whether the surveillance revealed evidence or intelligence in each case that was incriminating or exculpatory — or whether some targets later cooperated with the FBI. Several officials said it was “irresponsible” to name individuals as surveillance targets when no public court record exists. The identified targets could be guilty or innocent or even cooperating with the government, the officials said.

You don’t know if somebody was later approached to become an informant,” the senior official said. “To the extent any of these people were targets, [The Intercept report] is a serious compromise. And if they weren’t targets, they shouldn’t be named.”

The Intercept said many of the emails on the spreadsheet titled “FISA Recap,” which they said Snowden provided, “appear to belong to foreigners whom the government believes are linked to al Qaeda, Hamas and Hezbollah.” But the report says their three-month investigation showed that “in practice, the system for authorizing NSA surveillance affords the government wide latitude in spying on U.S. citizens.”

However, current and former U.S. officials told ABC News that Snowden or Greenwald may have misunderstood some of the NSA documents, which they reported are spreadsheets with 7,485 email addresses, including many among multiple accounts by individuals.

“You should not assume all of the names Glenn Greenwald has were targets of surveillance,” a senior official familiar with Snowden’s pilfered cache told ABC News last week.

A former senior official once closely involved in the FISA warrant process told ABC News that The Intercept’s reporters were repeatedly warned by him that they “were getting it wrong” in how they interpreted what the NSA spreadsheets from Snowden signified. The documents also were curiously absent of the markings secret files typically carry which denote its specific level of classification and distribution limitations.

“The documents indicated to me that they were not targets,” the former official said. [brackets original, emphasis mine]

Surely DOJ will point to any doubts about the document in an effort to prevent it from being used to obtain standing to sue.

I’m just as interested in the logic the anonymous senior official used to say these names shouldn’t be released: that the person might have been approached to be an informant!

Sure, I get why the FBI probably wouldn’t want its informants exposed (though more and more GWOT era informants have exposed themselves without being harmed).

But I’m particularly interested in how quickly this official talked about informants. As Ted Olson did, more obliquely, back in 2002.

NSA has offered hint after hint that its surveillance does serve to identify people to coerce into informing. I find it odd that this official, hiding behind the veil of anonymity, introduces it with such little self-awareness.

All These Muslim Organizations Have Probably Been Associationally Mapped

The Intercept has published their long-awaited story profiling a number of Muslim-American leaders who have been targeted by the FBI and NSA. It shows that:

  • American Muslim Council consultant Faisal Gill was surveilled from April 17, 2006 to February 8, 2008
  • al-Haramain lawyer Asim Ghafoor was surveilled under FISA (after having been surveilled illegally) starting March 9, 2005; that surveillance was sustained past March 27, 2008
  • American Muslim Alliance founder Agha Saeed was surveilled starting June 27, 2007; that surveillance was sustained past May 23, 2008
  • CAIR founder Nihad Awad was surveilled from July 17, 2006 to February 1, 2008
  • American Iranian Council founder Hooshang Amirahmadi was surveilled from August 17, 2006 to May 16, 2008

In other words, the leaders of a number of different Muslim civil society organizations were wiretapped for years under a program that should require a judge agreeing they represent agents of a foreign power.

But they probably weren’t just wiretapped. They probably were also used as seeds for the phone and Internet dragnets, resulting in the associational mapping of their organizations’ entire structure.

On August 18, 2006, the phone dragnet primary order added language deeming “telephone numbers that are currently the subject of FISA authorized electronic surveillance … approved for meta data querying without approval of an NSA official due to the FISA authorization.”

Given the way the phone and Internet dragnet programs parallel each other (and indeed, intersect in federated queries starting at least by 2008), a similar authorization was almost certainly included in the Internet dragnet at least by 2006.

That means as soon as these men were approved for surveillance by FISA, the NSA also had the authority to run 3-degree contact chaining on their email and phone numbers. All their contacts, all their contacts’ contacts, and all their contacts’ contacts’ contacts would have been collected and dumped into the corporate store for further NSA analysis.

Not only that, but all these men were surveilled during the period (which continued until 2009) when the NSA was running automated queries on people and their contacts, to track day-to-day communications of RAS-approved identifiers.

So it is probably reasonable to assume that, at least for the period during which these men were under FISA-authorized surveillance, the NSA has an associational map of their organizations and their affiliates.

Which is why I find it interesting that DOJ refused to comment on this story, but told other reporters that FBI had never had a FISA warrant for CAIR founder Nihad Awad specifically.

The Justice Department did not respond to repeated requests for comment on this story, or for clarification about why the five men’s email addresses appear on the list. But in the weeks before the story was published, The Intercept learned that officials from the department were reaching out to Muslim-American leaders across the country to warn them that the piece would contain errors and misrepresentations, even though it had not yet been written.

Prior to publication, current and former government officials who knew about the story in advance also told another news outlet that no FISA warrant had been obtained against Awad during the period cited. When The Intercept delayed publication to investigate further, the NSA and the Office of the Director of National Intelligence refused to confirm or deny the claim, or to address why any of the men’s names appear on the FISA spreadsheet.

Awad’s organization, CAIR, is a named plaintiff in the EFF’s suit challenging the phone dragnet. They are suing about the constitutionality of a program that — the EFF suit also happens to allege — illegally mapped out associational relations that should be protected by the Constitution.

CAIR now has very good reason to believe their allegations in the suit — that all their relationships have been mapped — are absolutely correct.

Update: EFF released this statement on the Intercept story, reading, in part,

Surveillance based on First Amendment-protected activity was a stain on our nation then and continues to be today. These disclosures yet again demonstrate the need for ongoing public attention to the government’s activities to ensure that its surveillance stays within the bounds of law and the Constitution. And they once again demonstrate the need for immediate and comprehensive surveillance law reform.

We look forward to continuing to represent CAIR in fighting for its rights, as well as the rights of all citizens, to be free from unconstitutional government surveillance.

EFF represents CAIR Foundation and two of its regional affiliates, CAIR-California and CAIR-Ohio, in a case challenging the NSA’s mass collection of Americans’ call records. More information about that case is available at: First Unitarian Church of Los Angeles v. NSA.

WaPo and PCLOB Agree: NSA Does Not Comply with Its Minimization Procedures

There are a number of issues with Marc Ambinder’s interpretation of the WaPo’s analysis of the content of NSA’s 702 collections as a “bust.” Ambinder:

  • Overstates the specificity of the certifications, particularly in light of the general “foreign government” one recently revealed by WaPo
  • Makes the same email rather than overwhelmingly IM mistake Stewart Baker made
  • Doesn’t deal with the fact that the bulk of US identifiers that got minimized — the largest category, constituting over 57,000 instances — is IP address, which presents different privacy concerns than what he addresses
  • Suggests this collection includes traditional FISA warrants; WaPo suggests it is all 702 collection, which ought to mean it includes less US person content (but apparently doesn’t)
  • Ignores how readily the NSA provides unaudited access to raw data for tech personnel and SIGDEV, and therefore how (in)secure we should expect this data to be in practice

But the most troublesome problem with it is Ambinder’s treatment of the NSA’s minimization obligations and practices. Here are some statements Ambinder makes about NSA’s minimization requirements.

Ok, so: having run the data through an automatic minimization system of some sort, the NSA analysts are required to minimize every U.S.-person communication that they see. Minimize does not “to get rid of.” It means to anonymize the U.S.-based non-target source.


Maybe I could be a customer service representative from the pizza place that got his order wrong, and I’m e-mailing him to apologize for it. The NSA and the FBI are required by statute to minimize the communication if they determine it has no intelligence value. (And why would the NSA waste time reading a conversation about pizza anyway?)


The analyst’s judgment can be subjective. On the first instance, the analyst has to figure out whether the communication is relevant to a foreign intelligence purpose.

First he states that minimization does not mean “get rid of,” then states NSA is required by statute to get rid of communications that have no intelligence value, then notes an analyst has to determine whether a communication has foreign intelligence value. Overall, though, Ambinder suggests that NSA does get rid of communications involving US persons without foreign intelligence value.

Ambinder is absolutely right the law requires the government to get rid of US person data that has no foreign intelligence value.

Here’s what one version of the minimization requirements say:

(1) specific procedures, which shall be adopted by the Attorney General, that are reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(2) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in subsection (e)(1) of this section, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance;

(3) notwithstanding paragraphs (1) and (2), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes; and

(4) notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance approved pursuant to section 1802 (a) of this title, procedures that require that no contents of any communication to which a United States person is a party shall be disclosed, disseminated, or used for any purpose or retained for longer than 72 hours unless a court order under section 1805 of this title is obtained or unless the Attorney General determines that the information indicates a threat of death or serious bodily harm to any person.

And here’s how that translates into the minimization procedures approved in 2011.

Personnel will exercise reasonable judgment in determining whether information acquired must be minimized and will destroy inadvertently acquired communications of or concerning a United States person at the earliest practicable point in the processing cycle at which such communication can be identified either: as clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information); or, as not containing evidence of a crime which may be disseminated under these procedures. Except as provided for in subsection 3(c)(2) below, such inadvertently acquired communications of or concerning a United States person may be retained no longer than five years from the expiration date of the certification authorizing the collection in any event.

Both the law and the minimization procedures approved by the FISC require NSA to get rid of US person communications that have no foreign intelligence purpose.

But here’s what the WaPo reveals about what NSA analysts do when they determine collection has no foreign intelligence value (note, however, these passages do not specify how many of these conversations include US person communications, though almost half of these communications involve US person identifiers).

Many other files, described as useless by the analysts but nonetheless retained, have a startlingly intimate, even voyeuristic quality. They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are catalogued and recorded nevertheless.


“None of the hits that were received were relevant,” two Navy cryptologic technicians write in one of many summaries of nonproductive surveillance. “No additional information,” writes a civilian analyst. [my emphasis]

While these passages are not quantifiable — both because WaPo didn’t say how many files NSA had determined to be “useless” and because WaPo didn’t identify how many of those include US persons — they do suggest that NSA is not complying with the legal requirement that they destroy communications involving US persons that don’t have foreign intelligence value. Not even for communications they describe as “useless” or “not relevant.”

That’s not surprising. As I noted the other day, PCLOB found that NSA “rarely” complies with this requirement and CIA and FBI never do.

[A]lthough a communication must be “destroyed upon recognition” when an NSA analyst recognizes that it involves a U.S. person and determines that it clearly is not relevant to foreign intelligence or evidence of a crime,531 in reality this rarely happens. Nor does such purging occur at the FBI or CIA: although their minimization procedures contain age-off requirements, those procedures do not require the purging of communications upon recognition that they involve U.S. persons but contain no foreign intelligence information.

Ambinder is absolutely right that WaPo’s sample shows that NSA is pretty good, but not perfect, at masking US person identities in their data.

But both WaPo’s detailed analysis and PCLOB’s general review show that NSA does not comply with another key part of its legally required minimization obligations, to destroy communications involving US persons that have no foreign intelligence value. US person identifiers may be masked, but many of them shouldn’t be in the NSA’s databases at all. That needs to be acknowledged in any discussion of the NSA’s minimization procedures. The law requires them to get rid of US person communications with no intelligence value. But they don’t.

That’s why the sheer volume of very personal information in this sample is of concern (aside from the concern we should have for foreigners’ privacy; though again, WaPo doesn’t say how much of the US person data includes that personal information). Because the NSA and FBI and CIA can access this data without needing any suspicion of wrongdoing.

Keith Alexander Has Finance Worried about Being Zeroed Out, Just Like President’s Review Group

Keith Alexander’s clients in the finance industry are proposing what he proposed to them: a government-finance industry council to protect against cyberthreats.

Alexander had been pitching Sifma and other bank trade associations to purchase his services through his new consulting firm, IronNet Cybersecurity Inc., for as much as $1 million per month, according to two people briefed on the talks.

He has made much the same argument to Sifma as the association is now making to the government about the emergence of new kinds of software assaults.

How tidy.

I’ll have more to say about their plot in a follow-up. But for the moment, look at what the consider one of the threats to the industry.

The next wave of attacks “in the near-medium term” is likely to be more destructive and could result in “account balances and books and records being converted to zeros,” while recovering the lost information “would be difficult and slow,” according to the Sifma document.

“We are concerned that the industry may not have the capabilities that we would like to effectively defend against this newer form of potential attack, the capability that we would like to stop such an attack once commenced from spreading to other financial institutions, or the capability we would like of effectively recovering if an initial attack is followed by waves of follow-on attacks,” the document says.

This seems like tacit admission that the finance industry doesn’t create enough backups, but instead of doing that, they apparently prefer setting up this government-finance council.

It’s great to see Keith Alexander creating such a profitable panic among the richest industry.

But I can’t help but note that this fear mimics one the President’s Review Group raised in an oblique recommendation.

(2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise  manipulate the financial systems;

Second, governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.

So are these seeming parallel worries based on classified information? If so, has Keith Alexander already started leaking classified information, as Alan Grayson raised concerns about?

Stewart Baker’s IM-y Numbers

Screen shot 2014-07-08 at 9.11.30 AMStewart Baker accuses Bart Gellman and colleagues of inventing a phony statistic when they note that 89% of the communications collected under Section 702 were non-targets. He does some math to prove why they’re wrong in their interpretation of the scope of this.

The story is built around the implied claim that 90% of NSA intercept data is about innocent people.  I think the statistic is a phony.  Especially in an article that later holds up US law enforcement practice as a superior model.

What’s wrong with the statistic?  Well, let’s take an example from law enforcement.  Suppose I become the target of a government investigation.  The government gets a warrant and seizes a year’s worth of my email.  Looking at my email patterns, that’s about 35,000 messages.  About twenty percent – say 7500 –are one-off messages that I can handle with a short reply (or by ignoring the message).  Either way, I’ll never hear from that person again.  And maybe a quarter are from about 500 people I hear from at least once a week.  The remainder are a mix — people I trade emails with for a while and then stop, or infrequent correspondents that can show up any time.  Conservatively, let’s say that about 25 people are responsible for the portion of my annual correspondence that falls into that category.  In sum, the total number of correspondents in my stored email is 7500+500+25 = 8000 or so.  So the criminal investigators who seized and stored my messages from me, their investigative target, and over 8000 people who aren’t targets.

Or, as the Washington Post might put it “7999 out of 8000 account holders found in a large cache of communications seized by law enforcement were not the intended surveillance target but were caught in a net the investigators had cast for somebody else.”

I agree that the numbers would be impressive — if they actually were what Baker claims they are.

But they aren’t.

First, remember that these are minimized communications. And while the NSA is keeping data that has no foreign intelligence value, it is almost certainly not keeping spam (we know this because other NSA documents talk about defeating spam). So eliminate that 20% — or likely higher — or so right off.

Furthermore, the 9/10 ratio does not reflect all the communications WaPo examined. It doesn’t include the minimized US person ones. Almost half of the communications NSA identified as US person communications — that’s somewhat clear from the graphics, but Gellman stated that on Twitter.

So the actual number is closer to 95% of communications not being targets, not 89%.

But Baker also doesn’t consider what he’s dealing with. For the most part it’s not email, it’s IMs.

Screen shot 2014-07-08 at 9.18.42 AM


76% of this sample is IMs. Just 14% are emails.

So while Baker’s email example is nifty, it’s largely off point. Because he’d need to look at his IM patterns (or those of a 25 year old, who is more likely to resemble a target), not his email patterns.

It would still be a low number, if you’re considering pre-processed communications. It makes more sense when you realize that’s not what you’re considering.

NYT Mischaracterizes PCLOB Report While Transcribing NSA Pushback to WaPo

The NYT has a story transcribing Administration efforts to “play down new disclosures” from the WaPo showing that the bulk of people whose communications were collected in a sample provided by Edward Snowden were not targets. The key claim NYT transcribes is that NSA “filters out” US person communications.

Administration officials said the agency routinely filters out the communications of Americans and information that is clearly of no intelligence value.

In addition, the NYT claims that PCLOB had no problems with the way the government minimized all this data.

Just days before the Post article, an independent federal privacy board had largely endorsed the N.S.A.’s execution of the program. The Privacy and Civil Liberties Oversight Board concluded last week that the “minimizing” of that data was largely successful, at least under the current law, which Congress passed six years ago.

Um, no.

I hope to explain this at more length, but the WaPo suggests that the government did not comply with targeting and minimization requirements in two ways: first, because the standards for foreignness were not as stringent as witnesses have claimed for a year (something which NYT’s sources apparently don’t even try to rebut). But also, WaPo showed the NSA was not destroying communications that — at least from their own and even some of the analysts’ own descriptions of it — had no foreign intelligence value. Here are some analysts judging the data collected irrelevant.

“None of the hits that were received were relevant,” two Navy cryptologic technicians write in one of many summaries of nonproductive surveillance. “No additional information,” writes a civilian analyst.

It’s this second detail NYT’s sources attempt to rebut.

But NYT’s claim that PCLOB concluded minimization “was largely successful” ignores a number of concerns they raised about it, a number of which pertain to back door searches and upstream collection.

In addition to those concerns (which about four of PCLOB’s recommendations address), PCLOB raised this issue:

Therefore, although a communication must be “destroyed upon recognition” when an NSA analyst recognizes that it involves a U.S. person and determines that it clearly is not relevant to foreign intelligence or evidence of a crime,531 in reality this rarely happens. Nor does such purging occur at the FBI or CIA: although their minimization procedures contain age-off requirements, those procedures do not require the purging of communications upon recognition that they involve U.S. persons but contain no foreign intelligence information.

A communication must be destroyed upon recognition if it’s a US person communication with no intelligence value — PCLOB restates the standard that NYT’s sources claim is actually used. But after laying out that standard, PCLOB immediately says meeting that requirement “rarely happens.”

NYT’s sources say it routinely happens. PCLOB says it rarely happens at NSA, and not at all at CIA and FBI.

PCLOB, incidentally, recommends addressing this issue by having FISC review what tasking standards are actually used and then reviewing a subset of the data returned — precisely what the WaPo just did, though we have no way of knowing if WaPo had a representative sample.

But the story here should have been, “Administration’s rebuttal has already been refuted by PCLOB’s independent review.”

PCLOB and WaPo disagree about the tasking — PCLOB sides with past Administration witnesses on the assiduousness of NSA’s targeting.

But PCLOB entirely backs WaPo on how many worthless communications NSA is keeping and documenting.

1 2 3 122

Emptywheel Twitterverse
bmaz RT @JasonLeopold: Execution in Arizona Is Approved by Justices. Scheduled for Wednesday.
bmaz @cocktailhag Sounds like a fair addition to me.
bmaz Also in the totally awesome to meet at #NN2014 department: @StephanieKelton @NadiaKayyali and @alexisgoldstein
JimWhiteGNV RT @RaysBaseball: That moment when a pitcher who hasn't batted since high school executes a perfect safety squeeze. @JakeOdorizzi http://t.…
bmaz Despite their limited stay no two more fun+incredibly awesome people I finally personally met at #NN2014 than @astepanovich + @McElweeWhite
JimWhiteGNV RT @TBTimes_Rays: You can only hope to contain #Rays C Jose Molina, who swiped his 3rd bag of the season at the back end of a double steal.…
JimWhiteGNV RT @ArifCRafiq: Please also visit Gaza. MT @MikeBloomberg This evening I will be flying on El Al to Tel Aviv to demonstrate that it is safe…
bmaz @WilliamOckhamTx Pretty much that whole area of the world appears to be GohmertLand.
bmaz The only way in the world @John_Dingell could earn more love is to say he doesn't know similarly worthless chumps Kanye West, JayZ+Beyonce.
bmaz I have never been prouder of @John_Dingell in my life than him not knowing squat about the worthless Kardashian idiot clan.
JimWhiteGNV RT @onekade: The rockets are extremely dangerous and horrible but also Israel is open for business as usual, nothing to fear! Ok
bmaz It appears the Ukranian government has the combined credibility of Peter King and Steve Stockman. #GoodEnoughForJoshEarnestAndCNN
July 2014
« Jun