Is Robert Mueller, a Purported Hero of the Hospital Confrontation, Responsible for Section 215 Use?

On March 23, 2004 at noon, less than two weeks after the dramatic hospital confrontation and threats to quit reportedly got the Administration to agree to stop data mining Americans, FBI Director Robert Mueller had a meeting with Dick Cheney, at the Vice President’s request, in the Vice President’s office. In his notes, Mueller doesn’t describe what the Vice President wanted, nor am I aware that it has even been reported in the press.

The next day, the Chief Division Counsel of some Division of the FBI wrote a memo to the FBI General Counsel noting that FBI was using a “new standard” with Section 215 of the PATRIOT Act and indicating that a “recent decision” had been made to bypass the review of the Office of Intelligence Policy and Review on Section 215 applications.

In part, the apparent decision to bypass OIPR, which had rejected the premise of the previous Section 215 orders FBI had submitted in the past, reflected no more than a concerted effort on FBI’s part to make sure it could start using all the PATRIOT authorities it had been granted in 2001 in anticipation of renewal discussions that would take place the following year. Yet the timing of this change is particularly curious, given that we now know Section 215 has been used to collect data that could be used for data mining Americans, precisely the problem that had caused the hospital confrontation 12 days earlier.

At the very least, however, it shows that sometime around the same time as Jim Comey and others at DOJ tried to stop the data mining of Americans under NSA’s illegal program, FBI claimed to have eliminated one review step for Section 215 orders and changed the standard used for them. That reference notwithstanding, DOJ Inspector General at least reported that OIPR continued to have a role. (Note, the office that got cut out of the process, OIPR, is where one of the key whistleblowers on the illegal program, Thomas Tamm, worked, though I have asked him if he knew whether they used Section 215 to accomplish the same program and he didn’t know anything about it.)

On May 21, 2004, just as the confrontation was settling down, FBI got its first Section 215 order approved. MIRACLES! the memo subject line read. “We got our first business record order signed today. It only took two and a half years.”

Now, at least some of the people commenting publicly on the confirmation that Section 215 has been used to compile a database recording details on all calls Americans make say Section 215 has supported that purpose only since 2006. Dianne Feinstein, for example, says the practice has gone on for 7 years.

As far as I know, this is the exact three month renewal of what has been the case for the past seven years. This renewal is carried out by the FISA Court under the business records section of the Patriot Act. Therefore, it is lawful.

Seven years would put its start almost exactly at the March 9, 2006 renewal of the PATRIOT Act, which added new language on Section 215 in the wake of the December 15, 2005 exposure of Bush’s illegal wiretap program. In discussions of this collection program since last week, it has generally been accepted that’s when it all started.

Curiously (particularly given his insistence that PRISM only started in 2008, slides to the contrary notwithstanding), James Clapper made no claims about precisely when this practice started.

The Patriot Act was signed into law in October 2001 and included authority to compel production of business records and other tangible things relevant to an authorized national security investigation with the approval of the FISC. This provision has subsequently been reauthorized over the course of two Administrations – in 2006 and in 2011. It has been an important investigative tool that has been used over the course of two Administrations, with the authorization and oversight of the FISC and the Congress.

It is possible that this program was conducted under a different PATRIOT provision (such as the Pen Register ones) prior to 2006; in fact, Clapper never mentions the term “Section 215” in his purported clarification of the program.

Now, consider one more detail. In a statement before the 2009 debate on PATRIOT Act reauthorization focusing closely on Section 215, Russ Feingold suggested that the debate over reauthorization in 2005, which led to purported initial use of Section 215 to conduct this dragnet, had been stymied by classification of how the PATRIOT Act had been implemented.

I remain concerned that critical information about the implementation of the Patriot Act has not been made public – information that I believe would have a significant impact on the debate. During the debate on the Protect America Act and the FISA Amendments Acts in 2007 and 2008, critical legal and factual information remained unknown to the public and to most members of Congress – information that was certainly relevant to the debate and might even have made a difference in votes. And during the last Patriot Act reauthorization debate in 2005, a great deal of implementation information remained classified.

[snip]

But there also is information about the use of Section 215 orders that I believe Congress and the American people deserve to know. I do not underestimate the importance of protecting our national security secrets. But before we decide whether and in what form to extend these authorities, Congress and the American people deserve to know at least basic information about how they have been used. So I hope that the administration will consider seriously making public some additional basic information, particularly with respect to the use of Section 215 orders.

There can be no question that statutory changes to our surveillance laws are necessary. Since the Patriot Act was first passed in 2001, we have learned important lessons, and perhaps the most important of all is that Congress cannot grant the government overly broad authorities and just keep its fingers crossed that they won’t be misused, or interpreted by aggressive executive branch lawyers in as broad a way as possible. [my emphasis]

This suggests the plan to use Section 215 may have been explicit in those classified debates.


Are Guardian’s Sources Responding to a New Use of Surveillance, Post-Boston?


Update: The Guardian source, Edward Snowden, has revealed himself. Stunning.

Little mentioned as we talk about the massive amounts of spying Obama’s Administration undertakes is this passage from the President’s recent speech on counterterrorism.

That’s why, in the years to come, we will have to keep working hard to strike the appropriate balance between our need for security and preserving those freedoms that make us who we are. That means reviewing the authorities of law enforcement, so we can intercept new types of communication, and build in privacy protections to prevent abuse. [my emphasis]

As massive as the surveillance collection currently is, Obama recently called to expand it.

Most people have assumed that’s a reference to FBI’s persistent call for CALEA II, newly proposed to be a law imposing fines on companies that don’t comply with “wiretap” orders.

The F.B.I. director, Robert S. Mueller III, has argued that the bureau’s ability to carry out court-approved eavesdropping on suspects is “going dark” as communications technology evolves, and since 2010 has pushed for a legal mandate requiring companies like Facebook and Google to build into their instant-messaging and other such systems a capacity to comply with wiretap orders. That proposal, however, bogged down amid concerns by other agencies, like the Commerce Department, about quashing Silicon Valley innovation.

While the F.B.I.’s original proposal would have required Internet communications services to each build in a wiretapping capacity, the revised one, which must now be reviewed by the White House, focuses on fining companies that do not comply with wiretap orders. The difference, officials say, means that start-ups with a small number of users would have fewer worries about wiretapping issues unless the companies became popular enough to come to the Justice Department’s attention.

That is certainly at least part of what Obama’s seeking (though the ill-considered plan presents as many security issues as it does privacy ones).

But I note that Mike Rogers said this on ABC this morning.

And so each one of these programs — and I think the Zazi case is so important, because that’s one you can specifically show that this was the key piece that allowed us to stop a bombing in the New York Subway system.

But these programs, that authorized by the court by the way, only focused on non-United States persons overseas, that gets lost in this debate, are pieces of the puzzle. And you have to have all of the pieces of the puzzle to try to put it together. That’s what we found went wrong in 9/11.

And we didn’t have all of the pieces of the puzzle, we found out subsequently, to the Boston bombings, either. And so had we had more pieces of the puzzle you can stop these things before they happen. [my emphasis]

Mike Rogers asserted, with no evidence given, that had we had more information on Tamerlan Tsarnaev, we might have been able to prevent the Boston attack.

Rogers has, in the past, suggested that if we had gotten the texts between Tsarnaev’s mother and a relative in Russia discussing Tamerlan’s interest in fighting jihad. But it’s not clear that anything prevented us from collecting the relative’s communications, and if the discussion of fighting is as obvious as reporting claims (I suspect it is not), there would have been adequate probable cause to ID the mother.

In fact, one of the Guardian’s other scoops makes it clear that we don’t collect all that much SIGINT from Russia in the first place, so the fact we missed the text may say more about our intelligence focus than the technologies available to us.

Nevertheless, Rogers at least suggests that we might have been able to prevent the attack had we had more data.

In part of an interview with Andrea Mitchell that has not yet (AFAIK) been shown, James Clapper whined that the intelligence community was accused of not being intrusive enough following the Boston attack.

DNI Clapper @TodayShow: I find it a little ironic that after the Boston bombings we were accused of not being intrusive enough

Which makes me wonder whether Obama is calling for more than just CALEA II, but has floated using all this data in new ways because two guys were able to conduct a very low-tech attack together.

Glenn Greenwald said somewhere (I haven’t been able to find it) that he had been working on the PRISM story for around 2 months. If so, that would put it close to the Boston attack (though if it were two full months, it’d make it before the attack).

Given that timing, I’m wondering if the final straw that motivated this presumably high level NSA person to start leaking was a proposed new use of all this data hoovered up. Clapper et al insist that the FISA Court does not currently allow the NSA to data mine the data collected in its dragnet.

But have they been thinking about changing that?

Dianne Feinstein: We Need to Collect Data on Every Single American Because We Can’t Control Our Informants

I will have far, far more to say about the claims about the various surveillance programs aired on the Sunday shows today.

But this is absolutely batshit crazy.

FEINSTEIN: Well, of course, balance is a difficult thing to actually identify what it is, but I can tell you this: These programs are within the law. The [Section 215] business records section is reviewed by a federal judge every 90 days. It should be noted that the document that was released that was under seal, which reauthorized the program for another 90 days, came along with a second document that placed and discussed the strictures on the program. That document was not released.

So here’s what happens with that program. The program is essentially walled off within the NSA. There are limited numbers of people who have access to it. The only thing taken, as has been correctly expressed, is not content of a conversation, but the information that is generally on your telephone bill, which has been held not to be private personal property by the Supreme Court.

If there is strong suspicion that a terrorist outside of the country is trying to reach someone on the inside of the country, those numbers then can be obtained. If you want to collect content on the American, then a court order is issued.

So, the program has been used. Two cases have been declassified. One of them is the case of David Headley, who went to Mumbai, to the Taj hotel, and scoped it out for the terrorist attack. [my emphasis]

Dianne Feinstein says that one of the two plots where Section 215 was used (the other, about Najibullah Zazi, is equally batshit crazy, but I’ll return to that) is the Mumbai attack.

What she’s referring to is tracking our own informant, David Headley.

And it didn’t prevent any attack. The Mumbai attack was successful.

Our own informant. A successful attack. That’s her celebration of 215’s use.

So her assertion is we need to collect metadata on every single American because DEA can’t keep control of its informants.

Update: Technically DiFi didn’t say this was a success, just that it had been used. I’ve edited the post accordingly.

Once Upon a Time the PRISM Companies Fought Retroactive Immunity

Since the disclosure of the PRISM program, I have thought about a letter the industry group for some of the biggest and earliest PRISM participants — Google, Microsoft, and Yahoo — wrote to then House Judiciary Chair John Conyers during the 2008 debate on FISA Amendments Act. (The screen capture reflects a partial list of members from 2009.)

Remarkably, the letter strongly condemned the effort to grant immunity to companies that had broken the law under Bush’s illegal wiretap program.

The Computer & Communications Industry Association (CCIA) strongly opposes S. 2248, the “FISA Amendments Act of 2007,” as passed by the Senate on February 12, 2008. CCIA believes that this bill should not provide retroactive immunity to corporations that may have participated in violations of federal law. CCIA represents an industry that is called upon for cooperation and assistance in law enforcement. To act with speed in times of crisis, our industry needs clear rules, not vague promises that the U.S. Government can be relied upon to paper over Constitutional transgressions after the fact.

CCIA dismisses with contempt the manufactured hysteria that industry will not aid the United States Government when the law is clear. As a representative of industry, I find that suggestion insulting. To imply that our industry would refuse assistance under established law is an affront to the civic integrity of businesses that have consistently cooperated unquestioningly with legal requests for information. This also conflates the separate questions of blanket retroactive immunity for violations of law, and prospective immunity, the latter of which we strongly support.

Therefore, CCIA urges you to reject S. 2248. America will be safer if the lines are bright. The perpetual promise of bestowing amnesty for any and all misdeeds committed in the name of security will condemn us to the uncertainty and dubious legalities of the past. Let that not be our future as well. [my emphasis]

Microsoft, Yahoo, and Google all joined PRISM within a year of the date of the February 29, 2008 letter (Microsoft had joined almost six months before, Google would join in January 2009).

Clearly, the demand that the companies that broke the law not receive retroactive immunity suggests none of the members had done so. It further suggests that those companies that did break the law — the telecoms, at a minimum — had done something the email providers wanted them held accountable for. This suggests, though doesn’t prove, that before PRISM, the government may have accessed emails from these providers by taking packets from telecom switches, rather than obtaining the data from the providers themselves.

Google had also fought a DOJ subpoena in 2006 for a million URLs and search terms, purportedly in the name of hunting child pornographers.

And those of us who follow this subject have always speculated (with some support from sources) that the plaintiff in a 2007 FISA Court challenge to the Protect America Act (the precursor to FISA Amendments Act) was an email provider.

All of those details suggest, at the very least, that email providers (unlike telecoms, which we know were voluntarily giving over data shortly after 9/11) fought government efforts to access their data.

But it also suggests that the email providers may have treated PRISM as a less bad alternative than the government accessing their data via other means (which is a threat the government used to get banks to turn over SWIFT data, too).

It seems likely the way the government “negotiates” getting data companies to willingly turn over their data is to steal it first.

What Obama’s Presidential Policy Directive on Cyberwar Says about NSA’s Relationship with Corporations

The Guardian has had three big scoops this week: revealing that Section 215 has, indeed, been used for dragnet collection of US person data, describing PRISM, a means of accessing provider data in real-time that was authorized by the FISA Amendments Act, and publishing Obama’s Presidential Directive on offensive cyberwar.

The latter revelation has received a lot less coverage than the first two, perhaps because it doesn’t affect most people directly (until our rivals retaliate). “Of course Obama would have a list of cybertargets to hit,” I heard from a number of people, with disinterest.

But I thought several passages from Obama’s PPD-20 are of particular interest for the discussion on the other two scoops — particularly what degree of access PRISM has to corporate networks’ real-time data. First, consider the way definitions of several key terms pivot on whether or not network owners know about a particular cyber action.

Network Defense: Programs, activities, and the use of tools necessary to facilitate them (including those governed by NSPD-54/HSPD-23 and NSD-42) conducted on a computer network, or information or communications system by the owner or with the consent of the owner and, as appropriate, the users for the primary purpose of protecting (1) that computer, network, or system; (2) data stored on, processed on, or transiting that computer, network, or system; or (3) physical and virtual infrastructure controlled by that computer, network, or system. Network defense does not involve or require accessing or conducting activities on computers, networks, or information or communications systems without authorization from the owners or exceeding access authorized by the owners. (u)

[snip]

Cyber Collection: Operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, for the primary purpose of collecting intelligence — including from information that can be used for future operations — from computers, information or communications systems, or networks with the intent to remain undetected. Cyber collection entails accessing a computer, information system, or network without authorization from the owner or operator of the computer, information system, or network or from a party to a communication or by exceeding authorized access. Cyber collection includes those activities essential and inherent to enabling cyber collection, such as inhibiting detection or attribution, even if they create cyber effects. (C/NF)

Defensive Cyber Effects Operations (DCEO): Operations and related programs or activities — other than network defense or cyber collection — conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States Government networks for the purpose of defending or protecting against imminent threats or ongoing attacks or malicious cyber activity against U.S. national interests from inside or outside cyberspace. (C/NF)

Nonintrusive Defensive Countermeasures (NDCM): The subset of DCEO that does not require accessing computers, information or communications systems, or networks without authorization from the owners or operators of the targeted computers, information or communications systems, or networks exceeding authorized access and only creates the minimum cyber effects needed to mitigate the threat activity. (C/NF)

So you’ve got:

  • Network defense, which is what network owners do or USG (or contractors) do at their behest to protect key networks. I assume this is like anti-virus software on steroids.
  • Cyber collection that, regardless of where it occurs, is done in secret. This is basically intelligence gathering about networks.
  • Nonintrusive Defensive Countermeasures, which are more active defensive attacks, but ones that can be or are done with the permission of the network owners. This appears to be the subset of Defensive Cybereffects Operations that, because they don’t require non-consensual network access, present fewer concerns about blowback and legality.
  • Defensive Cybereffects Operations, which are the entire category of more active defensive attacks, though the use of the acronym DCEO appears to be limited to those defensive attacks that require non-consensual access to networks and therefore might cause problems. The implication is they’re generally targeted outside of the US, but if there is an imminent threat (that phrase again!) they can be targeted in the US.

In other words, this schema (there are a few more categories, including strictly offensive attacks) seems to be about ensuring there is additional review for defensive attacks (but not strictly data collection) intended to use non-consensual network access.

As I suggested, these attacks based on nonconsensual access are all supposed to be primarily focused externally, unless the President approves.

The United States Government shall conduct neither DCEO nor OCEO that are intended or likely to produce cyber effects within the United States unless approved by the President. A department or agency, however, with appropriate authority may conduct a particular case of DCEO that is intended or likely to produce cyber effects within the United States if it qualifies as an Emergency Cyber Action as set forth in this directive and otherwise complies with applicable laws and policies, including Presidential orders and directives. (C/NF)

Of course, a lot of the networks or software outside of the US are still owned by US corporations (and the implication seems to be that these categories remain even if they’re not). Consider, for example, how central Microsoft exploits have been to US offensive attacks on Iran. How much notice has MS gotten that we planned to use the insecurity of their software?

Nevertheless, a big chunk of this PPD — the part that has received endless discussion publicly — pertains to that network defense, getting corporations to either defend their own networks properly or agree to let the government do it for them. (Does the USG bill for that, I wonder?)

Which partly explains the language in the PPD on partnerships with industry, treated as akin to partnerships with states or cities.

The United States Government shall seek partnerships with industry, other levels of government as appropriate, and other nations and organizations to promote cooperative defensive capabilities, including, as appropriate, through the use of DCEO as governed by the provisions in this directive; and

Partnerships with industry and other levels of government for the protection of critical infrastructure shall be coordinated with the Department of Homeland Security (DHS), working with the relevant sector-specific agencies and, as appropriate, the Department of Commerce (DOC). (S/NF)

[snip]

The United States Government shall work with private industry — through DHS, DOC, and relevant sector-specific agencies — to protect critical infrastructure in a manner that minimizes the need for DCEO against malicious cyber activity; however, the United States Government shall retain DCEO, including anticipatory action taken against imminent threats, as governed by the provisions in this directive, as an option to protect such infrastructure. (S/NF)

The United States Government shall — in coordination, as appropriate, with DHS, law enforcement, and other relevant departments and agencies, to include sector-specific agencies — obtain the consent of network or computer owners for United States Government use of DCEO to protect against malicious cyber activity on their behalf, unless the activity implicates the United States’ inherent right of self-defense as recognized in international law or the policy review processes established in this directive and appropriate legal reviews determine that such consent is not required. (S/NF)

One thing I’m most curious about in this PPD is the treatment of the Department of Commerce. Why is DOC treated differently than sector-specific agencies? Do they have some kind of unseen leverage — a carrot or a stick — to entice cooperation that we don’t know about?

Aside from that, though, there are two possibilities (which probably amount to just one) when the government will go in and defend a company’s networks without their consent.

Imminent threat, inherent right to self-defense.

Ultimately, this seems to suggest that the government will negotiate access, but if it deems your networks sufficiently important (Too Big To Hack) and you’re not doing the job, it’ll come in and do it without telling you.

And of course, nothing in this PPD explicitly limits cyber collection — that is, the non-consensual access of networks to collect information. I will wait to assume that suggests what it seems to, but it does at least seem a giant hole permitting the government to access networks so long as it only takes intelligence about the network.

Which brings us to these two categories included among the policy criteria.

Transparency: The need for consent or notification of network or computer owners or host countries, the potential for impact on U.S. persons and U.S. private sector networks, and the need for any public or private communications strategies after an operation; and

Authorities and Civil Liberties: The available authorities and procedures and the potential for cyber effects inside the United States or against U.S. persons. (S/NF)

Neither is terrifically well-developed. Indeed, it doesn’t seem to consider civil liberties, as such, at all. Which may be why the Most Transparent Administration Evah™ considers transparency to consist of:

  • Informing corporations that own networks
  • Accounting for the impact on US persons (but not informing them, apparently, though Network Defense allows users to be informed “as appropriate”)
  • Prepping propaganda for use after an operation

The entire PPD lays out potential relationships with corporations as negotiated, potentially leveraged, but coerced if need be. But at least corporations are assumed to be entitled to some “transparency.”

Mike Rogers: As Confused about Telecom Surveillance as He Is about Drone Strikes

Congressman Mike Rogers, like most of the ranking Gang of Four members of the Intelligence Committees, has long made obviously false claims about the drone program, such as that public reports of civilian casualties (which were being misreported in intelligence reports) were overstated.

That’s just one of the many reasons I was dubious about this report, claiming that, well … it’s not entirely clear what it claimed. Here are the lead two paragraphs:

A secret U.S. intelligence program to collect emails that is at the heart of an uproar over government surveillance helped foil an Islamist militant plot to bomb the New York City subway system in 2009, U.S. government sources said on Friday.

The sources said Representative Mike Rogers, chairman of the House of Representatives Intelligence Committee, was talking about a plot hatched by Najibullah Zazi, an Afghan-born U.S. resident, when he said on Thursday that such surveillance had helped thwart a significant terrorist plot in recent years.

These paragraphs suggest that we found Najibullah Zazi — pretty clearly the most successful effort to prevent a known terrorist attack since 9/11 — because of one of the programs the Guardian (and WaPo) broke over the last few days.

Some paragraphs down, the piece explains the program in question was the “one that collected email data on foreign intelligence suspects.” Which is weird, because we’ve learned about a program to collect email data on everyone in the United States, not “foreign intelligence suspects.” And a program to collect a range of telecom content on known foreign intelligence suspects and their associates. Already, Reuters’ sources seemed confused.

The next paragraph describes the PRISM program by name.

The Washington Post and Britain’s Guardian newspaper on Thursday published top-secret information from inside NSA that described how the agency gathered masses of email data from prominent Internet firms, including Google, Facebook and Apple under the PRISM program.

And the rest of the report traces what former Agent and now FBI mouthpiece CBS pundit John Miller had to say.

All of that might lead you to believe this is a story reporting that we had foiled Zazi’s plot using PRISM, the program that involves the NSA accessing bulk data on everything these foreign targets were doing. But even that is problematic, since Zazi is a US person, whose communications are supposedly excluded from this program.

Then there are the problems with the actual content of this.


Meet 3 PATRIOT Act False Positives Investigated for Buying Beauty Supplies

Both Mike Rogers and Ron Wyden made claims about the efficacy of the surveillance scoops of the last few days, especially the use of Section 215 to collect the phone data — and other tangible stuff, including credit card records — of every American.

The assessment of efficacy ought to consider a number of factors: Whether this surveillance has prevented any attacks (Rogers says it has, but mentions only one in the entire 7 year span of the program). Why it didn’t prevent an attack like the Boston Marathon bombing, which was carried out by two guys whose lives and extremist interests were splashed all over social media, and one of whom was discussed in international texts that would have been fair game for collection under PRISM.

But an efficacy assessment also needs to find a way to quantify the costs such surveillance has on false positives.

So let’s consider what may have happened to three probable false positives who had their lives thoroughly investigated in 2009 after being — wrongly, apparently — tied to Najibullah Zazi’s plot to bomb the NYC subway.

We first learned of these three people when they appeared in the detention motion the FBI used to keep him in custody in Brooklyn. As part of the proof offered that Zazi was a real threat, FBI described 3 people in Aurora, CO, who bought large amounts of beauty supplies.

Evidence that “individuals associated with Zazi purchased unusual quantities of hydrogen and acetone products in July, August, and September 2009 from three different beauty supply stores in and around Aurora;” these purchases include:

  • Person one: a one-gallon container of a product containing 20% hydrogen peroxide and an 8-oz bottle of acetone
  • Person two: an acetone product
  • Person three: 32-oz bottles of Ion Sensitive Scalp Developer three different times

Unlike just about everything else cited in the detention motion, there was no obvious means by which these individuals were identified.

During the debate on PATRIOT Act reauthorization later that fall, Dianne Feinstein used the Zazi investigation to insist that Section 215 retain its broad “relevant to” standard. Given her insistence Section 215 had been important to the investigation, and given that the identification of these beauty supply buying subjects appeared to work backwards from their purchase of beauty supplies, I guessed at the time that the FBI used Section 215 to cross reference all the people who had bought these beauty supplies in Aurora, CO — which are precursors for the TATP explosive Zazi made — with possible associations with Zazi.

Just days later, as part of the debate, Ben Cardin discussed using National Security Letters to track people who buy “cleaning products that could be used to make explosive device.” And Jon Kyl discussed wanting to “know about Joe Blow buying hydrogen peroxide.” Acetone and hydrogen peroxide, the same precursors used to implicate these three people.

In February 2011, Robert Mueller confirmed explicitly that Section 215 had been used to collect “records relating to the purchase of hydrogen peroxide.”

That seems to suggest that the government used Section 215 or NSLs to search on all the people who bought acetone and hydrogen peroxide in Aurora (by all public reporting, Zazi kept to himself the entire time he lived in CO).

But here’s the thing: these three people never appeared again in the legal case against Zazi and his co-conspirators. The only one from CO ever implicated in the plot was Zazi’s father, who had lied to protect his son.

Poof!

They were three known associates buying dangerous explosives precursors one day, and apparently became either cleared innocents or recruited confidential informants the next day.

In other words, they appear to be false positives identified by the Section 215 dragnet celebrated by Obama and DiFi and everyone else implicated in it now as a great way to prevent terrorism (Zazi, remember, was discovered through legal FISA intercepts obtained after we got a tip from Pakistan).

Now, no one, as far as I know, has ever found these three probable false positives to ask them what they went through during the period when they were suspected of being co-conspirators in the biggest terrorist attack since 9/11. But given the likelihood that the association with Zazi went through his mosque (the other likely possibility is another driver from the airport), I imagine that their neighbors and employers got awfully suspicious when the FBI showed up and started asking questions. How badly does being actively — and, apparently, falsely — investigated for being a terrorist ruin your life if you’re an American Muslim? Do you lose job security? Do other kids’ parents refuse to let their kids play with yours? Does your homeowners association try to cause you trouble?

That’s what this debate about efficacy needs to quantify. Data mining is never completely accurate, and given the small number of terrorists and therefore the high degree of guesswork that goes into what counts as an association, you’re going to have false positives, as appears to have happened here.

Lots of apologists are saying they never do anything wrong, and therefore they don’t have to worry. But it appears that doing something as innocent as buying hair bleach can get you sucked into this dragnet.

James Clapper’s Tip for Avoiding Lies: Don’t Do Talking Points


For a guy who warned for years about an abuse of the FISA Amendments Act and Section 215 of the PATRIOT Act, I have to admit Ron Wyden was pretty circumspect yesterday. He issued a statement, partly to reiterate his call to make this public, partly to suggest the program isn’t worth much.

The administration has an obligation to give a substantive and timely response to the American people and I hope this story will force a real debate about the government’s domestic surveillance authorities. The American people have a right to know whether their government thinks that the sweeping, dragnet surveillance that has been alleged in this story is allowed under the law and whether it is actually being conducted. Furthermore, they have a right to know whether the program that has been described is actually of value in preventing attacks. Based on several years of oversight, I believe that its value and effectiveness remain unclear.

And he sent out three tweets:

Of course, it’s the second tweet — showing the Director of National Intelligence lying in testimony to Congress about whether the NSA collects “any data at all on millions or hundreds of millions of Americans” — I found most interesting.

Wyden always has had a knack for exposing people as liars.

By the end of the day the National Journal had contacted Clapper to provide him an opportunity to explain why this lie to Congress wasn’t a lie. He offered a nonsensical explanation.

Director of National Intelligence James Clapper said Thursday that he stood by what he told Sen. Ron Wyden, D-Ore., in March when he said that the National Security Agency does not “wittingly” collect data on millions of Americans.

“What I said was, the NSA does not voyeuristically pore through U.S. citizens’ e-mails. I stand by that,” Clapper told National Journal in a telephone interview.

On March 12, at a hearing of the Senate Intelligence Committee, Wyden asked Clapper: “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?” Clapper responded: “No, sir.” When Wyden followed up by asking, “It does not?” Clapper said: “Not wittingly. There are cases where they could, inadvertently perhaps, collect—but not wittingly.” Clapper did not specify at the time that he was referring to e-mail. [my emphasis]

Clapper’s lie — that he took Wyden’s “collected any type of data at all” to mean “voyeuristically pore through emails” — is all the worse for how bad a non-sequitur it is. Caught in a lie, the head of our Intelligence Community responded with word salad.

Given that abysmal attempt to explain away his lie, I find it all the more curious the Administration decided Clapper, newly exposed as a liar, would be the guy to head pushback to the revelations of the last few days. Late in the day Clapper issued first one, then another “statement” on the revelations.

Both, of course, issued stern condemnations of leaks revealing that he had lied (and that Americans have no privacy).

The unauthorized disclosure of a top secret U.S. court document threatens potentially long-lasting and irreversible harm to our ability to identify and respond to the many threats facing our nation.

[snip]

The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.

Those are hollow warnings, of course, for the reasons I laid out here.

Clapper then goes on to claim that both stories misrepresent the programs.

The article omits key information regarding how a classified intelligence collection program is used to prevent terrorist attacks and the numerous safeguards that protect privacy and civil liberties.

[snip]

The Guardian and The Washington Post articles refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act. They contain numerous inaccuracies.

World’s tiniest violin! After refusing urgent requests from members of Congress who had been briefed on this to be transparent for years, the Intelligence Community has lost its ability to spin this!

Perhaps the most interesting part of Clapper’s two statements, however, is the way Clapper purportedly clarified a detail about the WaPo/Guardian stories on PRISM.

Clapper — and an anonymous statement from a Senior Administration Official issued minutes before Clapper’s — made explicitly clear PRISM operates under Section 702 of the FISA Amendments Act.

Section 702 is a provision of FISA that is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States. It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States.

Activities authorized by Section 702 are subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch, and Congress. They involve extensive procedures, specifically approved by the court, to ensure that only non-U.S. persons outside the U.S. are targeted, and that minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons.

Section 702 was recently reauthorized by Congress after extensive hearings and debate.

Section 702, Section 702, Section 702.

This claim had only been implicit in the reporting in the WaPo and Guardian.


Jim Sensenbrenner’s Horseshit Claims of Innocence

The reaction from members of Congress to the revelation that the Section 215 surveillance was just as bad as some of us have been warning has varied, with Dianne Feinstein and Saxby Chambliss reiterating claims about the value and oversight of the program (though not having any idea, according to DiFi, whether it has prevented any attacks), and Ron Wyden and Mark Udall effectively saying “I told you so.” John Boehner dodged aggressively, suggesting even though he had approved this surveillance President Obama had to explain it.

Asked whether lawmakers should answer for an order that fell under the Patriot Act they passed, Boehner disagreed. “The tools were given to the administration, and it’s the administration’s responsibility to explain how these tools are used,” he said. “I’ll leave it to them to explain.”

By far the most disingenuous, however, was Jim Sensenbrenner, who (as he has emphasized to the credulous journalists who served as his stenographers today) wrote the PATRIOT Act, who has remained in a senior position on House Judiciary Committee since that day, and who now claims to be shocked — shocked! — there is dragnet collection going on in the casino he built.

Predictably, he wrote a letter demanding to know how a law he has fought to retain its current form could be used to do what the law authorizes.

In the letter, Sensenbrenner de-emphasizes the role of the relevance standard to the collection.

To obtain a business records order from the court, the Patriot Act requires the government to show that: (1) it is seeking the information in certain authorized national security investigations pursuant to guidelines approved by the Attorney General; (2) if the investigative target is a U.S. person, the investigation is not based solely on activities protected by the First Amendment; and (3) the information sought is relevant to the authorized investigation.

Compare that to the letter of the law, which requires the government to show,

(A) a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, such things being presumptively relevant to an authorized investigation if the applicant shows in the statement of the facts that they pertain to—

(i) a foreign power or an agent of a foreign power;

(ii) the activities of a suspected agent of a foreign power who is the subject of such authorized investigation; or

(iii) an individual in contact with, or known to, a suspected agent of a foreign power who is the subject of such authorized investigation;

That is, the emphasis is not on the investigation, as Sensenbrenner’s interpretation would have it, but on the relevance of the information sought, which Sensenbrenner adds third. More importantly, Sensenbrenner omits all mention of the presumptively relevant conditions — basically something pertaining to a foreign power.

With his interpretation, Sensenbrenner has omitted something baked into Section 215, which is that so long as the government says this pertains to foreign spies or terrorists, the judge has almost no discretion on whether information is relevant to an investigation.

Then Sensenbrenner points to 2011 testimony from Acting Assistant Attorney General Todd Hinnen, who he claims said the following:

Section 215 has been used to obtain driver’s license records, hotel records, car rental records, apartment leasing records, credit card records, and the like. It has never been used against a library to obtain circulation records. . . On average, we seek and obtain section 215 orders less than 40 times per year

Which Sensenbrenner uses to claim the Department never told the Committee about this dragnet.

The Department’s testimony left the Committee with the impression that the Administration was using the business records provision sparingly and for specific materials. The recently released FISA order, however, could not have been drafted more broadly.

As it happens, Hinnen has been testifying since at least 2009 that Section 215 authorizes other secret programs. So I checked Sensenbrenner’s work. Here’s what that precise passage of Hinnen’s testimony says, without the deceitful ellipsis.

Section 215 has been used to obtain driver’s license records, hotel records, car rental records, apartment leasing records, credit card records, and the like. It has never been used against a library to obtain circulation records. Some orders have also been used to support important and highly sensitive intelligence collection operations, on which this committee and others have been separately briefed. On average, we seek and obtain section 215 orders less than 40 times per year. [my emphasis]

In other words, Sensenbrenner points to doctored proof he has been briefed on this secret program, but doctors it in such a way as to support his claim he never knew about this.

Not to mention that a series of DOJ Inspector General reports included classified appendices describing these secret collection operations.


Section 215: The White House’s Bullshit Talking Points

Here’s what the White House has offered as talking points to defend collecting (DiFi has confirmed) all the call data from all Americans since 2006. Interspersed is my commentary.

The article discusses what purports to be an order issued by the Foreign Intelligence Surveillance Court under a provision of the Foreign Intelligence Surveillance Act that authorizes the production of business records. Orders of the FISA Court are classified.

As they’ve done with drone strikes and, especially, WikiLeaks cables before, the Administration refuses to confirm that this is, in fact, what several members of Congress have made it clear it is: an authentic FISA Order that (as Dianne Feinstein revealed) is just the quarterly renewal of a program that goes back to the PATRIOT Act renewal in March 2006.

In other words, with its “talking points,” the Administration is recommitting to keeping this program legally secret, even though it’s not secret.

Everything they say after they set up that information asymmetry should be regarded with the knowledge that the White House refuses to permit you to check its claims.

The talking points go on.

On its face, the order reprinted in the article does not allow the Government to listen in on anyone’s telephone calls. The information acquired does not include the content of any communications or the name of any subscriber. It relates exclusively to metadata, such as a telephone number or the length of a call.

Here, the White House does two things. With its “exclusively metadata” comment, it tries to minimize how much metadata really provides. Here’s how Shane Harris, in a superb explainer, describes what metadata can really provide.

What can you learn with metadata but no content?

A lot. In fact, telephone metadata can be more useful than the words spoken on the phone call. Starting with just one target’s phone number, analysts construct a social network. They can see who the target talks to most often. They can discern if he’s trying to obscure who he knows in the way he makes a call; the target calls one number, say, hangs up, and then within seconds someone calls the target from a different number. With metadata, you can also determine someone’s location, both through physical landlines or, more often, by collecting cell phone tower data to locate and track him. Metadata is also useful for trying to track suspects that use multiple phones or disposable phones. For more on how instructive metadata can be, read this.

Note the White House fails to mention the forms of some metadata, such as geolocation, that are particularly invasive.

But the other thing this White House bullshit talking point does is precisely the same thing the Bush White House did when, in 2005 after James Risen and Eric Lichtblau exposed the illegal wiretap program, it dubbed a subpart of the program the Terrorist Surveillance Program and talked about how innocuous it was taken by itself. The White House is segregating one part of the government’s interdependent surveillance system and preening about how harmless that isolated part is in isolation.

What the White House doesn’t mention is how the government uses this data, among other ways, to identify possible terrorists whom it can investigate further, including by accessing their content, using this data mining to establish probable cause.

What the White House is trying to hide, in other words, is that this collection is part of a massive collection program that uses algorithms and other data analysis to invent people to investigate as terrorists.

And then the bullshit White House talking points contradict themselves.

Information of the sort described in the Guardian article has been a critical tool in protecting the nation from terrorist threats to the United States, as it allows counterterrorism personnel to discover whether known or suspected terrorists have been in contact with other persons who may be engaged in terrorist activities, particularly people located inside the United States.

Wait, what? Just one talking point ago, the White House told us that, “The information acquired does not include the content of any communications or the name of any subscriber.” But here we are, a mere talking point later, and the White House is claiming that it is used to discover whether known terrorists are in contact with other persons? Uh, so it does involve the known identities of both existing suspects and those gleaned from this massive collection of data, huh?

But don’t worry. Because a court has rubber stamped this.

As we have publicly stated before, all three branches of government are involved in reviewing and authorizing intelligence collection under the Foreign Intelligence Surveillance Act. Congress passed that act and is regularly and fully briefed on how it is used, and the Foreign Intelligence Surveillance Court authorizes such collection.

How does the separation of powers work again? Congress passes the law, the Executive enforces the law, and Courts review the law?

Only, in its bold claim that all three branches of government support this, the Court’s role is to “authorize such collection.” There’s a reason for that word, authorize. The only thing the courts are permitted to review is whether the government has provided,

(A) a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, such things being presumptively relevant to an authorized investigation if the applicant shows in the statement of the facts that they pertain to—

(i) a foreign power or an agent of a foreign power;

(ii) the activities of a suspected agent of a foreign power who is the subject of such authorized investigation; or

(iii) an individual in contact with, or known to, a suspected agent of a foreign power who is the subject of such authorized investigation; and

(B) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.

That is, the government just has to make a “reasonable” argument that this stuff is “relevant” to an investigation geared toward protecting against international terror or foreign clandestine activities. And if they can point to any number of foreign types (a foreign power, a suspected agent of a foreign power, or someone in contact with a suspected agent of a foreign power), the judge is instructed to presume it is related even if that seems like a stretch.

This is not a robust review of the claims the government is making. On the contrary, it is designed not to be a robust review of those claims.

Which brings us to Congress, that other branch the White House touts. It is utterly and embarrassingly true that they have repeatedly bought off on this, even if James Sensenbrenner, among others, is suckering journalists claiming that he didn’t. Indeed, oversight committees shot down efforts to limit Section 215 orders to people who actually had a tie to a suspected terrorist or foreign spy in 2006, 2009, and 2011. Such language was shot down each time. So, too, were efforts in 2011 and 2012 to reveal what was really going on in Section 215 collection; oversight committees shot that down too.

So here, in a rarity for national security overreach, the White House is absolutely right. Congress repeatedly bought off on this program, including its unbelievably broad standard for “relevance.”

Except … except … when Ron Wyden tried to get the government to tell him how many Americans’ records had been reviewed (by using this front-end collection to identify the back-end collection) the Inspectors General in question professed to be helpless to do that (later hints suggested they had done that study, but refused to share it with the Intelligence Committees).

So while it is true that Congress, with a few exceptions, has been completely complicit in this, it is also true that the Executive Branch has withheld the information Congress needs to understand what is happening with US person data.

I wonder why?

Never you worry, though, because it’s all constitutional.

There is a robust legal regime in place governing all activities conducted pursuant to the Foreign Intelligence Surveillance Act. That regime has been briefed to and approved by the Court.

Activities authorized under the Act are subject to strict controls and procedures under oversight of the Department of Justice, the Office of the Director of National Intelligence and the FISA Court, to ensure that they comply with the Constitution and laws of the United States and appropriately protect privacy and civil liberties.

Don’t worry, the White House concludes. The legal review designed not to be robust is robust.

And to be fair, the FISA Court has, on at least one occasion, told the Administration they were violating the Fourth Amendment. Though apparently DOJ and ODNI thought this Fourth Amendment violative collection was kosher, as they had to be slapped down by the court, so I’m not sure what purpose their purported oversight serves.

But as I pointed out this morning, there’s a flaw to this argument that is grounded in the Administration’s refusal to admit this is a real FISA Court order.

Standing.

The government, over and over and over and over, assures us this is all very Constitutional. Even while the government, over and over and over and over, goes to great lengths to ensure citizens don’t learn how they’re being surveilled, which would (in addition to pissing them off) give them the ability to sue.

Until the Americans who have been surveilled are permitted to challenge this in a court — precisely what the government has gone to great lengths to prevent — White House claims to constitutionality ring hollow.

The government doesn’t have the confidence to let us test these claims in court. That ought to tell you what they really think about its constitutionality.
