20 Questions: Mike Rogers’ Vaunted Section 215 Briefings

Comment — Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?

A — To the FBI’s knowledge, those authorities have not been abused.

That exchange is, according to DOJ’s Congressional Affairs Office, the level of detail offered up at a May 13, 2011 briefing of the House Republican Caucus regarding the PATRIOT Act provisions the House would vote to reauthorize less than two weeks later.

The questioner — who is not identified — may have been talking about comments Russ Feingold made way back on October 1, 2009, as part of the previous reauthorization of the PATRIOT Act (remember, by this point, Feingold was no longer in the Senate). Here are the things Feingold said about Section 215 in that Senate Judiciary Committee markup.

I remain concerned that critical information about the implementation of the Patriot Act remains classified. Information that I believe, would have a significant impact on the debate….. There is also information about the use of Section 215 orders that I believe Congress and the American People deserve to know. It is unfortunate that we cannot discuss this information today.

Mr Chairman, I am also a member of the intelligence Committee. I recall during the debate in 2005 that proponents of Section 215 argued that these authorities had never been misused. They cannot make that statement now. They have been misused. I cannot elaborate here. But I recommend that my colleagues seek more information in a classified setting.

I want to specifically disagree with Senator Kyle’s [sic] statement that just the fact that there haven’t been abuses of the other provisions which are Sunsetted. That is not my view of Section 215. I believe section 215 has been misused as well.

Given the context, it is unclear whether Feingold was referring to the use of Section 215 for things it shouldn’t have been used for, to its use to authorize bulk collection generally, or to the compliance issues identified in 2009 on which the Administration had recently briefed the Intelligence Committee. But his suggestion that the Senate Judiciary Committee was getting less detailed briefings than the Senate Intelligence Committee at that point is consistent with DOJ’s 2009 notice to Congress on the dragnet, which said, “The [compliance] incidents, and the Court’s responses, were also reported to the Intelligence Committees in great detail,” with no mention of similarly detailed briefings to SJC (the 2011 letter indicates that by that point SJC was getting detailed briefings as well). This, in turn, suggests he was referring to dragnet-related violations.

Regardless of what Feingold meant, though, he tied misuse very closely to the secret use of Section 215 to conduct dragnet collection of all Americans’ phone records. Feingold’s other public statements about Section 215 focus even more closely on the secret dragnet application of it.

In other words, this appears to have been a question attempting to get at the secret application of the PATRIOT Act that Feingold, along with Ron Wyden and people like Jerry Nadler, had been warning about. This appears to have been an attempt to learn about a topic on which — in 2009, at least — DOJ had “agree[d] that it is important that all Members of Congress have access to information about this program” (DOJ didn’t include such blather in its 2011 notice).

Exactly 100 days before the briefing at which this question was asked, DOJ had sent House Intelligence Chair Mike Rogers (who appears to have convened this briefing) a letter noting, “In 2009, a number of technical compliance problems and human implementation errors in these two bulk collection programs were discovered as a result of Department of Justice (DOJ) reviews and internal NSA oversight.”

Yet in response to a query clearly designed to elicit both the existence of the dragnet program and details on problems associated with it, FBI Director Robert Mueller and then-General Counsel Valerie Caproni (and/or whatever staffers were with them) said, to the Bureau’s knowledge, there had been no abuses. Perhaps, then, as now, they’re relying on the claim that none of these compliance issues were willful — the letter said they weren’t intentional or bad-faith — to avoid telling members of Congress about problems with the program.

Remember, this is one of the (and may have been the only) briefings that Mike Rogers now claims provided adequate substitute for letting House members know about the letter describing the dragnet and the compliance problems associated with it. Rogers’ House Intelligence spokesperson, Susan Phalen, has claimed those briefings “not only covered all of the material in the letter but also provided much more detail.” (As far as I’ve been able to tell from the FOIA production to the ACLU, there was no similar briefing for the Democratic caucus, though FOIA production tends to be incomplete; one Democratic Congressman, Hansen Clarke, attended the Republican briefing.)

And DOJ’s own records of the briefing make it clear that when someone tried, however inartfully, to learn about the program, Mueller and Caproni obfuscated about the compliance issues and possibly the existence of the dragnet itself.

This is a concrete example of what both Justin Amash and Ron Wyden have described as a game of 20 questions briefers play in these briefings. The questioner raised one of the few public hints about the dragnet program to ask the FBI about it, and the FBI responded in a manner very similar to the way James Clapper did in March, when he lied to the SSCI.

Now, we don’t know what remains behind the redactions in the briefing, but there is one other piece of evidence that this briefing, at least, didn’t even touch on the dragnet. If you look at all 5 closed briefings turned over in production to ACLU, two — a February 28, 2011 briefing for SJC and a March 17, 2011 briefing for the House Intelligence Committee — were deemed classified “per OGA letter dated 4/26/2012.” The acronym “Other Government Agency” is usually used to refer to CIA, but in this context, where we now know NSA played a central role but revealing that role last year would have disclosed significant new details about the secret application of Section 215, it may well refer to NSA. Those briefings also redacted the identities of some briefers which, again, may be classified to hide the NSA’s role in this program.

If all this speculation is correct, then it means there was no mention of the NSA in the briefing for the Republican caucus. If there was no mention of NSA, then they really couldn’t have explained the program (both the 2009 and 2011 notices make extensive reference to the NSA).

In any case, what remains unredacted is quite clear. Someone at that briefing — the briefing that Mike Rogers’ staffer claims offered more information than had been provided in the DOJ letter — tried to learn about problems with the secret program. And they got stonewalled in response.

Was the person who asked this question and got an incomplete answer one of the 65 people who would go on to reauthorize the PATRIOT Act having had no way of learning about the program and its compliance problems?

Mike Rogers’ Excuses for Withholding Dragnet Notice Get Stupider

Congratulations to the WaPo which is catching up to what I first reported here, that Mike Rogers didn’t tell House Members about a notice of the PATRIOT Act dragnet programs before the vote. (Note: WaPo makes an error when it claims Congress got the previous notice in 2009; Silvestre Reyes and Dianne Feinstein sat on that letter for 2 months after they got it.)

Sadly for Mike Rogers, his excuses are getting stupider.

Admittedly, his past excuses were pretty stupid. In that version, the House Intelligence Committee suggested that having four briefings (for Republicans! only?!) in the last several months made up for not providing notice back in 2011.

The House Intelligence Committee makes it a top priority to inform Members about the intelligence issues on which Members must vote.  This process is always conducted consistent with the Committee’s legal obligation to carefully protect the sensitive intelligence sources and methods our intelligence agencies use to do their important work.  Prior to voting on the PATRIOT Act reauthorization and the FAA reauthorization, Chairman Rogers hosted classified briefings to which all Members were invited to have their questions about these authorities answered.  Additionally, over the past two months, Chairman Rogers has hosted four classified briefings, with officials from the NSA and other agencies, on the Section 215 and Section 702 programs and has invited all Republican Members to attend and receive additional classified briefings on the use of these tools from Committee staff.  The Committee has provided many opportunities for Members to have their questions answered by both the HPSCI and the NSA. And Chairman Rogers has encouraged members to attend those classified briefings to better understand how the authorities are used to protect the country.

But in this version, House Intelligence Committee spokesperson Susan Phalen claims providing notice of the need to be informed is a side issue.

A spokeswoman for the House committee, Susan Phalen, declined to say whether the panel had voted to withhold the letter or if the decision was made by Chairman Mike Rogers (R-Mich.).

“Because the letter by itself did not fully explain the programs, the Committee offered classified briefings, open to all Members of Congress, that not only covered all of the material in the letter but also provided much more detail in an interactive format with briefers available to fully answer any Members’ questions,” Phalen wrote in an e-mail. “The discussion of the letter not being distributed is a side issue intended to give the false impression that Congress was denied information. That is not the case.” [my emphasis]

Remember, what (according to the White Paper) Rogers did not do was write a letter telling Members of Congress there was an issue they might want to learn about. Dianne Feinstein sent a letter, dated February 8, 2011, telling colleagues they could come read the letter from the Administration, dated February 2, 2011. According to the White Paper, Mike Rogers sent no such letter — not to tell Congressmen there was a letter, not to tell them what the briefings they held instead were about. So the briefings were pointless, because without notice of them, no one would attend.

That’s not a “side issue.” That goes to the central issue of whether 65 of the yes votes for the PATRIOT Act had had adequate notice of what they were voting for.

At this point, the House Intelligence Committee is not even trying to deny that. The only question remaining is whether Rogers provided no notice on his own, with the consent of the committee, or at the behest of the Administration that gave them the letter in the first place.

Did Congress Remain Ignorant of the Fourth Amendment Violation?

As soon as Dianne Feinstein said she didn’t receive notice of 12333 violations …

By law, the Intelligence Committee receives roughly a dozen reports every year on FISA activities, which include information about compliance issues. Some of these reports provide independent analysis by the offices of the inspectors general in the intelligence community. The committee does not receive the same number of official reports on other NSA surveillance activities directed abroad that are conducted pursuant to legal authorities outside of FISA (specifically Executive Order 12333), but I intend to add to the committee’s focus on those activities.

… I recognized something Marc Ambinder laid out here: the Intelligence Committees wouldn’t get notice of collection of US person content off switches.

NSA gives Congress detailed narratives of violations of the FISA-authorized data sets, like when metadata about American phone records was stored too long, when a wrong set of records was searched by an analyst or when names or “selectors” not previously cleared by FISA were used to acquire information from the databases. In these cases, the NSA’s compliance staff sends incident reports to the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence for each “significant” FISA violation, and those reports include “significant details,” the official said.

But privacy violations of this sort comprise just one third of those analyzed by the inspector general. Of the 2,776 violations reported by the NSA from May 2011 to May 2012, more than two-thirds were counted as E.O. 12333 incidents. And the agency doesn’t provide Congress detailed reports on E.O. 12333 violations.

In some ways, it’s a distinction without a difference: it does not matter to U.S. citizens whether their phone call was accidentally intercepted by an analyst focusing on U.S.-based activities or those involving a foreign country. But the difference is relevant as it keeps Congress uninformed and unable to perform its oversight duties because the NSA doesn’t provide the intelligence committees with a detailed narrative about the latter type of transgressions.

For example, if someone’s e-mails were inadvertently obtained by the NSA’s International Transit Switch Collection programs, it would count as 12333 error and not a FISA error, even though the data was taken from U.S. communication gateways, and NSA would not notify Congress. The document specifies four such programs: ORANGEBLOSSOM, FAIRVIEW, STORMVIEW and SILVERZEPHYR.

That’s important because the violation the FISA Court ruled illegal on October 3, 2011 involved some kind of upstream collection. Here’s how Barton Gellman described it.

In what appears to be one of the most serious violations, the NSA diverted large volumes of international data passing through fiber-optic cables in the United States into a repository where the material could be stored temporarily for processing and selection.

The operation to obtain what the agency called “multiple communications transactions” collected and commingled U.S. and foreign e-mails, according to an article in SSO News, a top-secret internal newsletter of the NSA’s Special Source Operations unit. NSA lawyers told the court that the agency could not practicably filter out the communications of Americans.

In October 2011, months after the program got underway, the Foreign Intelligence Surveillance Court ruled that the collection effort was unconstitutional. The court said that the methods used were “deficient on statutory and constitutional grounds,” according to a top-secret summary of the opinion, and it ordered the NSA to comply with standard privacy protections or stop the program.

Now, that collection should have been briefed to Congress, because it counts as Section 702 collection (which is why the FISC got to review it). But maybe it didn’t, until the FISC ruled it.

But what if it wasn’t?

As I noted earlier, the NSA started counting violations of US person collection differently in the first quarter of 2012 which (they claim) resulted in a significant increase of those violations. Which suggests there may be a tie between the 702 collection and the 12333 collection.

But I do wonder whether Congress didn’t see the illegal practice because it was hidden under 12333 collection?

Lack of Due Diligence: The NSA’s “the Analyst Didn’t Give a Fuck” Violation

The NSA claims there have been no willful violations of the law relating to the NSA databases. For example, NSA’s Director of Compliance John DeLong just said “NSA has a zero tolerance policy for willful misconduct. None of the incidents were willful.” House Intelligence Chair Mike Rogers just said the documents show “no intentional or willful violations.”

Which is why I want to look more closely at the user error categories included in the May 3, 2012 audit.

The report doesn’t actually break down the root cause of errors across all violations. But it does for 3 different, overlapping incident types (the 195 FISA authority incidents, the 115 database query ones, and the 772 S2 Directorate violations).

It says the root cause for FISA authority incidents breaks down this way:

  • 60 resource (31% of all FISA authority violations)
  • 39 lack of due diligence (20% of all FISA authority violations)
  • 21 human error (11% of all FISA authority violations)
  • 3 training (1.5% of all FISA authority violations)
  • 67 system limitations (34% of all FISA authority violations, mostly on the roamer problem)
  • 4 system engineering (2% of all FISA authority violations)
  • 1 system disruption (.5% of all FISA authority violations)

It says the root cause of all database query incidents breaks down this way:

  • 85 human error (74% of all database query incidents)
  • 13 lack of due diligence (11% of all database query incidents)
  • 9 training (8% of all database query incidents)
  • 7 resources (6% of all database query incidents)
  • 1 system disruption (~1% of all database query incidents)

And it breaks down the errors in its worst performing (in terms of violations) Deputy Directorate organization, S2, this way:

  • 71 human error (9% of all S2 violations)
  • 80 resources (10% of all S2 violations)
  • 68 lack of due diligence (9% of all S2 violations)
  • 2 resources
  • 9 training (1% of all S2 violations)
  • 541 system limitations (70% of all S2 violations)
  • 1 system engineering

What I’m interested in are the three main types of operator error: human error, resources, and lack of due diligence.

Human error is, from the descriptions, an honest mistake. It includes broad syntax errors, typographical errors, Boolean operator errors, misapplied query technique, incorrect option, unfamiliarity with tool, selector mistypes, incorrect realm, or improper queries. Let’s assume, improbably, that none of the violations listed as human error were anything but honest mistakes. These honest mistakes account for anywhere from 9% to 74% of the violations broken out by root cause.

Then there’s resource violations. Those are described as “inaccurate or insufficient research information and/or workload issues.” So partly, resource violations stem from someone having too much analysis to do. But given that “inaccurate or insufficient research information” always appears first, it seems that resource violations arise when an analyst targets someone based on a faulty understanding about this person. Given how prominent this problem is for FISA violations, I suspect it includes, in part, target location. It may also pertain to targets erroneously believed to have a tie to terror or Chinese military or Iranian nukes. These appear to be mistakes based on the analyst not having enough or accurate information before she starts the collection. These may or may not be honest mistakes. The description of them as resource errors suggests they may in part be caused by people taking research short cuts. Resource problems account for anywhere from 6% to 31% of the violations broken out by root cause.

But then there’s a third category: lack of due diligence. The report defines lack of due diligence as “a failure to follow standard operating procedures.” But some failure to follow standard operating procedure is accounted for in other categories, like training, the misapplied query techniques, and the apparent inadequate research violations. This category appears to be something different than the “honest mistake” errors categorized under human error. In fact, by the very exclusion of these violations from the “human error” category, NSA seems to be admitting these violations aren’t errors. These violations of standard operating procedures, it seems, are intentional. Not errors. Willful violations.

At the very least, this category seems to count the violations on the part of analysts who just don’t give a fuck what the rules are; they’re going to ignore the rules.

This category, what I consider the “Analyst didn’t give a fuck” category, accounts for 9% to 20% of all the violations broken out by root cause.

In aggregate, these violations may not amount to all that many given the thousands of queries run every year — they make up just 68 of the violations in S2, for example. Those 68 due diligence violations make up almost 8% of the violations in the quarter, not counting due diligence violations that may have happened in other Directorates.

John DeLong, who is in charge of compliance at NSA, says the Agency has zero tolerance for willful misconduct. But the NSA appears to have a good deal more tolerance for a lack of due diligence.

Verizon: Get Exposed for Spying, Win $1 Billion!

Congratulations to Verizon!

Just a few months after being exposed for providing all its American customer records to the government, it just won part of a $10 billion contract to provide cloud storage for the Department of Interior that may be worth as much as $1 billion.

The U.S. Department of the Interior has selected Verizon to participate in a $10 billion, 10-year contract to provide cloud and hosting services. This is potentially one of Verizon’s largest federal cloud contracts to date.

Verizon is one of 10 companies that will compete to offer cloud-based storage, secure file transfer, virtual machine, and database, Web, and development and test environment hosting services. The company is also one of four selected to offer SAP application hosting services.

Each of the 10 agreements awarded under the Foundation Cloud Hosting Services contract has a potential maximum value of $1 billion.

Don’t worry. I’m sure the spying had nothing to do with Verizon winning this huge contract.

But I’m sure it will make Verizon much less interested in pushing the government to roll back the spying.

21% of the Database Query Errors in NSA Report Involved the Internet Dragnet Database

[Screenshot]

Update: as Mindrayge notes, Marina appears in NSA slides as Internet, not phone metadata (and that’s how Ambinder refers to it here). There are some oddities, then, but I am changing this post accordingly.

As I noted in this post, the May 3, 2012 audit of NSA’s violations falsely suggests “roamer” problems were the cause of an increase in incidents, rather than database query errors, transit collection, and detask problems.

Database query errors are basically when an analyst collects too much data because she doesn’t exclude data that should be excluded, she ran a query believing it was appropriate because she had too little information on it, or she ignored standard operating procedures.

In addition to telling us how many database query problems there were, the report tells us which NSA databases they involved. As the figure above notes, 24 of those errors involved the MARINA database. There were actually 115 total query errors — 4 involved multiple databases — which means 21% of the database query errors involve MARINA.

As Marc Ambinder and others have reported, MARINA is the name of the Section 215 phone records dragnet database.

The telephone metadata is stored in a database called MARINA, which keeps these records for at least five years.

In other words, a fifth of the database query errors in the first quarter of 2012 were on the US Internet record dragnet database — the one the government has been claiming is so carefully guarded.

[If Mainway is just Internet metadata, then we don’t know the number of queries.]

Not only that, but we have a rough idea of how common query errors on this database are. The government has told us that queries were made on fewer than 300 identifiers in 2012. While it’s not a one-to-one comparison (some identifiers would have been run more than once), that means perhaps as many as 8% of the queries on the dragnet database involved some kind of error, including errors like not following procedures. And that’s assuming analysts didn’t keep making errors with the database at the same rate they did in the first quarter: if they kept up the same error pace, the error rate might be closer to 32%.

But don’t worry, the government tells us, our phone record data are safe, even with a potential error rate of 32% accessing that data.

Update: LAT’s Ken Dilanian, who listened to a conference call NSA just had, just tweeted this:

NSA’s DeLong will not say how often NSA makes privacy errors when it queries US phone records database. But less than 30%, he says.

I asked is the rate between 8 and 30%, and he said 30% isn’t right. So, you may be on to something.

Less than 30%?!?!? That suggests it is probably far higher than even I imagined. Even if it was 8% it would be unacceptably high. But if it’s at the higher end of the possible range, it is unbelievably high.

Update: Ron Wyden and Mark Udall have issued a statement on this. Among other statements, they emphasize that Americans need to know about the phone and Internet dragnet violations.

Americans should know that this confirmation is just the tip of a larger iceberg.

[snip]

In particular, we believe the public deserves to know more about the violations of the secret court orders that have authorized the bulk collection of Americans’ phone and email records under the USA PATRIOT Act.

Given the potential numbers of phone dragnet violations, I should say so.

Update: Fixed “a fifth” for “a quarter.” Now I’m making NSA type simple math errors!

The Biggest Math Organization in the World Has a Simple Arithmetic Problem

In this post, I’m going to examine a claim made in the May 3, 2012 audit report of NSA violations. Through the magic of simple arithmetic, I’m going to show that the report misleads readers about why the number of incidents rose in the first quarter of 2012, wrongly suggesting it was an unpreventable seasonal problem, rather than pointing to the human error and fault that really explained the increase.

On page two, the report shows how many Signals Intelligence Directorate-reported incidents there are across both kinds of authorities: EO 12333 (strictly foreign) and FISA (involving US persons).

[Screenshot]

As the report acknowledges, there was an 11% increase in incidents for both kinds of authority.

But don’t worry, the report says, the increase is due to Chinese New Year, sort of.

The increase in incidents reported for 1QCY12 was due to an increase in the number of reported Global System for Mobile Communications (GSM) roamer[1] incidents, which may be attributed to an increase in Chinese travel to visit friends and family for the Chinese Lunar New Year holiday.

[1] Roaming incidents occur when a selector associated with a valid foreign target becomes active in the U.S.

On the following page, a section provides further explanation on the roamer problem.

The largest number of incidents in the System Limitations category account for roamers where there was no previous indications of the planned travel. These incidents are largely unpreventable. Consistent discovery through the Visitor Location Register (VLR) occurs every quarter and provides analysts with timely information to place selectors into candidate status or detask. Analysis identified that these incidents could be reduced if analysts removed/detasked selectors more quickly upon learning that the status of the selector had changed and more regularly monitored target activity. This analysis indicates that continued research on ways to exploit new technologies and researching the various aspects of personal communications systems to include GSM, are an important step for NSA analysts to track the travel of valid foreign targets.

On page 6, we get a more comprehensible explanation.

Roamers: Roaming incidents occur when valid foreign target selector(s) are active in the U.S. Roamer incidents continue to constitute the largest category of collection incidents across E.O. 12333 and FAA authorities. Roamer incidents are largely unpreventable, even with good target awareness and traffic review, since target travel activities are often unannounced and not easily predicted.

In other words, the roamer problem stems from the fact that when valid foreign targets travel to the US with their GSM phones, analysts don’t know that and therefore don’t act accordingly. I think (though am not positive) the presence of the target in the US would shift a 12333 intercept into a FISA one (we’d be tracking calls to foreigners with one end in the US), and a FISA Amendments Act target into an illegal one (we’d be tracking calls with both ends in the US, one potentially involving a US person). Since this involves primarily valid foreign targets, it is not the most urgent problem identified in the report.

And, the NSA claims, it is largely unavoidable, so readers of this report should expect the relatively large numbers of roamer problems to continue.

Up to this point — far beyond where most readers will be paying attention, I’d imagine — we might believe (because the report said so explicitly) that the 11% increase in incidents stems from a problem involving valid foreign targets and reflecting an unavoidable technical problem.

It’s only when you get to pages 5 and 6 that this narrative falls apart. Here’s how many roamer incidents occurred under EO 12333 for the four quarters reported.

[Screenshot]

And here’s how many roamer incidents occurred under FISA for the four quarters presented.

[Screenshot]

Adding the roamer incidents for each kind of authority together, we discover the total roaming incidents, across both authorities, look like this in the last quarter of 2011 and first quarter of 2012:

4QCY11: 582 + 87 = 669

1QCY12: 491 + 95 = 586

In fact, the roaming problem doesn’t explain the 11% overall increase in incidents at all, because the number of roaming incidents under EO12333 actually went down 19%, meaning roaming incidents across the two authorities went down 14%.

All Three Branches Conduct Vaunted NSA Oversight!

Today, we learned this is what the vaunted Congressional oversight of NSA spying looks like.

Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.), who did not receive a copy of the 2012 audit [showing thousands of violations] until The Post asked her staff about it, said in a statement late Thursday that the committee “can and should do more to independently verify that NSA’s operations are appropriate, and its reports of compliance incidents are accurate.”

We learned this is what the vaunted FISA Court oversight of NSA spying looks like.

The chief judge of the Foreign Intelligence Surveillance Court said the court lacks the tools to independently verify how often the government’s surveillance breaks the court’s rules that aim to protect Americans’ privacy. Without taking drastic steps, it also cannot check the veracity of the government’s assertions that the violations its staff members report are unintentional mistakes.

“The FISC is forced to rely upon the accuracy of the information that is provided to the Court,” its chief, U.S. District Judge Reggie Walton, said in a written statement to The Washington Post. “The FISC does not have the capacity to investigate issues of noncompliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders.”

We learned this is what the vaunted internal NSA oversight of NSA spying looks like.

The NSA uses the term “incidental” when it sweeps up the records of an American while targeting a foreigner or a U.S. person who is believed to be involved in terrorism. Official guidelines for NSA personnel say that kind of incident, pervasive under current practices, “does not constitute a . . . violation” and “does not have to be reported” to the NSA inspector general for inclusion in quarterly reports to Congress. Once added to its databases, absent other restrictions, the communications of Americans may be searched freely.

In one required tutorial, NSA collectors and analysts are taught to fill out oversight forms without giving “extraneous information” to “our FAA overseers.” FAA is a reference to the FISA Amendments Act of 2008, which granted broad new authorities to the NSA in exchange for regular audits from the Justice Department and the office of the Director of National Intelligence and periodic reports to Congress and the surveillance court.

Using real-world examples, the “Target Analyst Rationale Instructions” explain how NSA employees should strip out details and substitute generic descriptions of the evidence and analysis behind their targeting choices.

Vaunted. For well over 2 months. This is what they’ve been hailing.

As WaPo Was Letting Pincus Transcribe, They Were Fighting Administration on Gellman Story

On Friday, the President promised us more transparency on NSA issues.

Meanwhile, the WaPo was preparing this story on NSA issues from Barton Gellman.

Along the way, the Administration gave Gellman a 90-minute interview of unspecified date (it may have been Saturday, the day after Obama’s promise to be more transparent) with NSA’s Director of Compliance John DeLong only to, after the fact, ask for quote approval.

The Obama administration referred all questions for this article to John DeLong, the NSA’s director of compliance, who answered questions freely in a 90-minute interview. DeLong and members of the NSA communications staff said he could be quoted “by name and title” on some of his answers after an unspecified internal review. The Post said it would not permit the editing of quotes. Two days later, White House and NSA spokesmen said that none of DeLong’s comments could be quoted on the record and sent instead a prepared statement in his name. The Post declines to accept the substitute language as quotations from DeLong.

On August 12, the government refused to answer specific questions about compliance issues, even though Gellman had a report on them in hand.

The NSA communications office, in coordination with the White House and Director of National Intelligence, declined to answer questions about the number of violations of the rules, regulations and court-imposed standards for protecting the privacy of Americans, including whether the trends are up or down. Spokesmen provided the following prepared statement.

Then, on August 14, it offered this statement in response to specific questions about the FISA Court finding NSA to have violated the Fourth Amendment in October 2011.

In July 2012, Director of National Intelligence [James R.] Clapper declassified certain statements about the government’s implementation of Section 702 in order to inform the public and congressional debate relating to reauthorization of the FISA Amendments Act (FAA). Those statements acknowledged that the Foreign Intelligence Surveillance Court (FISC) had determined that “some collection carried out pursuant to the Section 702 minimization procedures used by the government was unreasonable under the Fourth Amendment.”

The FISC’s finding was with respect to a very specific and highly technical aspect of the National Security Agency’s 702 collection. Once the issue was identified and fully understood, it was reported immediately to the FISC and Congress. In consultation with the FISC, the Department of Justice, NSA, and the Office of the Director of National Intelligence worked to address the concerns identified by the FISC by strengthening the NSA minimization procedures, thereby enhancing privacy protections for U.S. persons. The FISC has continued to approve the collection as consistent with the statute and reasonable under the Fourth Amendment.

I’m so old I remember when President Obama promised us more transparency.

But even as the WaPo was having these ridiculous conversations with the IC about data that Gellman had in hand, Walter Pincus was writing this story.

It’s time for the intelligence community to have its side of the debate over the National Security Agency’s collection programs explained.

[snip]

Such transparency is useless if the news media do not pass it on to the public. Few, if any, major news outlets carried any of the details from the Justice and NSA papers.

[snip]

Intelligence officials say that if the U.S. media do not provide what the government claims are the facts underlying what critics and supporters say, the public cannot understand the issue.

[snip]

There are two more issues intelligence officials want noted.

That is, even while IC officials were whining to Pincus that no one was spewing their propaganda, they were playing games with Gellman to try to influence his piece while not admitting he had a handful of documents on violations that proved them wrong.

Though none of that explains what this is, from Gellman’s story.

a senior NSA official said in an interview, speaking with White House permission on the condition of anonymity.

I’m going to guess that’s DeLong. But still: why give the government their shot at rebuttal if they refuse to let their officials be accountable for their comments?

More Notice Problems in the 215 Dragnet White Paper

According to the 2009 Draft NSA IG Report, the telecoms asked for some kind of order for the telecom dragnet collection in 2005, just after the NYT revealed the illegal wiretap program.

After the New York Times article was published in December 2005, Mr. Potenza stated that one of the PSP providers expressed concern about providing telephone metadata to NSA under Presidential Authority without being compelled. Although OLC’s May 2004 opinion states that NSA collection of telephony metadata as business records under the Authorization was legally supportable, the provider preferred to be compelled to do so by a court order.

At least for the beginning of 2006, the government responded to these concerns with a letter from Alberto Gonzales.

On 24 January 2006, the Attorney General sent letters to COMPANIES A, B, and C, [AT&T, Verizon, and MCI] certifying under 18 U.S.C. 2511 (2)(a)(ii)(B) that “no warrant or court order was or is required by law for the assistance, that all statutory requirements have been met, and that the assistance has been and is required.”

The court first signed an order authorizing the collection of phone metadata on May 24, 2006 — 76 days after Congress had passed the reauthorization of the PATRIOT Act with the new “relevant to” language.

The FISC signed the first Business Records Order on 24 May 2006. The order essentially gave NSA the same authority to collect bulk telephony metadata from business records that it had under the PSP. And, unlike the PRTT, there was no break in collection at transition.

But according to the March 2008 DOJ IG Report on Section 215 use, DOJ’s Office of Intelligence Policy and Review was briefing changes to at least some of the use of Section 215 that would be implemented by the reauthorization before PATRIOT was reauthorized.

OIPR determined that substantive amendments to the statute undermined the legal basis for which OIPR had received authorization [redacted] from the FISA Court. Therefore, OIPR decided not to request [redacted] pursuant to Section 215 until it re-briefed the issue for the FISA Court.[24]

[24] OIPR first briefed the issue to the FISA Court in February 2006, prior to the Reauthorization Act.

The import of the new “relevant to” may well have been the substantive change in question; so this February briefing may have been the start of stripping “relevant to” of all meaning.

Ron Wyden seems to want the government to admit this first court authorization just approved dragnet collection already going on.

When he and 25 other Senators sent James Clapper some questions about Section 215, they asked how long the NSA was conducting dragnet collection under the PATRIOT Act (which remember also includes the PR/TT statute used for the Internet dragnet).

How long has the NSA used PATRIOT Act authorities to engage in bulk collection of Americans’ records? Was this collection under way when the law was reauthorized in 2006?

And Wyden called out Clapper when he refused to answer.

In addition, the intelligence community’s response fails to indicate when the PATRIOT Act was first used for bulk collection, or whether this collection was underway when the law was renewed in 2006.

Was the government using National Security Letters to collect this information between the NYT scoop and the FISC authorization, I wonder?

In any case, we know the government was collecting phone metadata going back years, we know the government was discussing changes instituted by PATRIOT reauthorization in February 2006, and we know the FISC approved using Section 215 for a phone dragnet in May 2006.

In an interview published yesterday, Ron Wyden (who had already been on the Senate Intelligence Committee for several years in 2006) revealed when he first learned about the phone dragnet.

You went from supporting the Patriot Act in 2001 to pushing relentlessly for its de-authorization. What was the tipping point?
My concerns obviously deepened when I first learned that the Patriot Act was being used to justify the bulk collection of Americans’ records, which was in late 2006 or early 2007.

In other words, the government didn’t get around to briefing all of the Intelligence Committee about this collection until months after it started, and possibly up to a year after they first briefed related issues to the FISC.

Here’s how the White Paper turns that unforgivable delay into a boast.

Moreover, in early 2007, the Department of Justice began providing all significant FISC pleadings and orders related to this program to the Senate and House Intelligence and Judiciary committees. By December 2008, all four committees had received the initial application and primary order authorizing the telephony metadata collection. Thereafter, all pleadings and orders reflecting significant legal developments regarding the program were produced to all four committees.

Translation: The Executive Branch stalled for an impermissibly long period of time after this dragnet started before briefing even the Intelligence Committee. And while we might blame the Bush Administration, remember that Keith Alexander was already running the dragnet by this period.

So not only didn’t the government tell Congress it was using PATRIOT to conduct dragnet collection of Internet metadata when it reauthorized it in 2006, but it didn’t even tell all members of SSCI until well after the phone dragnet moved under PATRIOT as well.
