Christopher Wray and the Myth Created by Parallel Construction

At the Friday Heritage Foundation Section 702 event, FBI Director Christopher Wray argued that reforming Section 702 (he suggested, illogically, making any reforms) would rebuild the wall taken down after 9/11. (Here’s the transcript, which unfortunately doesn’t include the Q&A period.)

I think back to the time that I was in government before on 9/11, right before 9/11, right after 9/11. I think about how hard dedicated men and women throughout the intelligence community worked to try to tear down the walls that had prevented us from connecting all the information that might have been able to prevent those attacks. As I said at the beginning, listening to this debate right now, watching some of the potential ideas that are being floated strikes me as eerily similar to people, well-intentioned, starting to put bricks into a wall.

There are problems with that argument (which have as much to do with our national myopia about the risks we face and how we’ve combatted them as anything else). But I’m grateful Wray made an effort to avoid the ad hominem attacks some of Section 702’s other boosters have resorted to.

Still, Wray’s response to concerns about using Section 702 in criminal prosecutions got dangerously close to that. In response to a question from David Shedd, Wray said that concerns about the topic derive from a myth. Those of us with such concerns, Wray said, are just “confused.”

There’s been a little bit of myth development in that space. When we talk about the criminal side, I think it’s important to distinguish between the tip and lead kind of scenario that I’m describing, which is where Section 702 is so important, and the prosecution end of it, where the information of any sort is being used. Section 702 has not been used for any traditional criminal case as evidence in a trial or anything like that ever, except in about 10 terrorism prosecutions. So the notion that there are criminal agents using Section 702 to make garden variety criminal cases, that’s just myth. It is not happening.

I’m reluctant to try to guess as to how people who are confused get confused. My goal is to get them straight.

To claim this is a myth, of course, Wray has to rely on a bogus number of defendants who have gotten their legally required 702 notice — ten counterterrorism cases — thereby pretending that 702 hasn’t had a key role in far, far more criminal cases, and not just in counterterrorism cases, but also counterespionage (including nation-state hacking) and counterproliferation cases.  (Interestingly, defendants are only known to have gotten notice in eight cases, meaning Wray may have revealed two more where defendants got non-public notice.) Plus, as I’ve noted, FBI submitted notice about attorney-client violations to FISC in nine cases in the time since DOJ largely stopped giving defendants notice.

The numbers just don’t add up.

Which means, in significant part, what Wray calls a myth is, in reality, parallel construction, a myth of a different sort, the myth that law enforcement tells defendants about where their cases came from or why certain approaches were used with the case, the myth created by DOJ’s secret interpretations about how they deal with legally mandated FISA notice. The myth that decides Keith Gartenlaub is a counterintelligence threat because of the conversations he conducts on Skype, a PRISM provider, with his in-laws, only to scrub all mention of those Skype conversations (and, DOJ presumably maintains in its secret policies on the issue, the legal obligation to give notice) once you go to trial.

Wray goes on to blithely describe how content collected without a warrant comes to define the tips FBI Agents get, even before any evidence has been collected.

There’s the information over here, that the Agent is seeing in real time in the US. That’s the tip or the lead. And then there’s the information in the database. And it’s the connection that’s important. Let me talk about what’s in the database, first, and what isn’t. What’s in the database — that 4.3% [of the NSA’s targets] — that’s not evidence of garden variety criminal conduct. The only stuff that’s in that is information about foreigners, reasonably believed to be overseas, for foreign intelligence purposes. So that’s foreign intelligence information in there. That’s not evidence of … I don’t know, pick an example, you know, child porn, or something else. It could be very serious, but that’s not what’s in there. So the Agent over here, if he’s in national security investigator is connecting national sec–something that he thinks is national security information with foreign intelligence information. The criminal agent, who is not doing anything related to national security, he’s not looking to try to find some national security hook for his case. He’s just trying to make sure — let’s say he’s got a cigarette smuggling case — one of the things we know is that terrorist groups have used things like cigarette smuggling to finance their activities. There are cases that Department of Justice has brought over the years on that very thing. Cigarette smuggling is a crime. Well, it could be handled one way but if it turns out that cigarette smuggling that’s designed to support Hezballah, that’s different. It needs to be viewed differently. But we won’t know if we just build a wall between the Agent and the information that’s sitting right over here in the FBI database. [my emphasis]

Wray makes another error here, in claiming that “That’s not evidence of … I don’t know, pick an example, you know, child porn,” in the information FBI deems foreign intelligence information. Either that, or the government should very quickly inform the Ninth Circuit of that fact, because Keith Gartenlaub is as we speak challenging the use of a physical search FISA order to turn nine-year old child porn lying unaccessed on his hard drives into foreign intelligence information and thereafter into a criminal prosecution.

But it’s not just Gartenlaub and a traditional FISA search. Given that 702 PRISM collection obtains not only emails, but also attachments and data stored in the cloud, it will obtain a lot more than communications, including photos. Those photos may be garden variety sexy photos shared between adults (indeed, photos of that kind were also introduced in Gartenlaub’s case). But they also may be abusive photos of children. The Intelligence Community will use both kinds — as well as all the other kinds of non-email information obtained by targeting email accounts — for its foreign intelligence purposes.

It’s fairly unfortunate that, three years after FBI asked for and obtained a change in its Section 702 minimization procedures so as to be able to easily deal with child porn discovered using it, the FBI Director claimed publicly that Section 702  data doesn’t include child porn.

Of course it does.

Whether we should want the FBI to immediately prosecute child porn discovered in the name of foreign intelligence information or, first (as happened with Gartenlaub) use it to try to flip someone to become an informant, is a policy discussion we’re not having.

But the reason we’re not having that discussion is because of the other myth being told, the myths about prosecutions that have used parallel construction to hide the whys and wherefores of the case, in large part to sustain the myth Wray is telling here, that those tips and that warrantless collection have nothing to do with each other.

I appreciate Wray’s efforts to avoid dodging the key issues by attacking those of us who recognize the 702 needs reform. But what is really going on is that the myths the government tells about how intelligence is used serves to make a real policy discussion difficult (for people like me, who know the criminal cases) and impossible (for staffers and members of Congress, who don’t). Wray and others in the intelligence community have grown so accustomed to these myths (see this Bob Litt exchange for an example), that they don’t even seem to see the implications of parallel construction for our claims to due process anymore. If we’re confused about the use of 702 information in criminal proceedings, the government is confused about how metasticizing parallel construction rots the guarantees in our Constitution.

I imagine FBI would like to defer this discussion once again; pretending reformers are the ones inventing myths is a good way to do that. But it’s important, this time around, that we call the government on the myths they tell, even while they claim we’re the ones who’re confused.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The Slow Death of Neoliberalism: Part 2

The Slow Death of Neoliberalism Part 1.

This post focuses on the failings of neoliberal economic theory. Neoliberalism arises out of positivist philosophy, defined in Part 1. Positivism is the theory that the only true knowledge comes from the scientific process.

There are five main principles behind Positivism:

1. The logic of inquiry is the same across all sciences (both social and natural).

2. The goal of inquiry is to explain and predict, and thereby to discover necessary and sufficient conditions for any phenomenon.

3. Research should be empirically observable with human senses, and should use inductive logic to develop statements that can be tested.

4. Science is not the same as common sense, and researchers must be careful not to let common sense bias their research.

5. Science should be judged by logic, and should be as value-free as possible. The ultimate goal of science is to produce knowledge, regardless of politics, morals, values, etc.

Economists created a group of sayings which they put in their introductory textbooks and teach as laws and principles to their students at all levels. For example, N. Gregory Mankiw, economics professor at Harvard, starts his introductory economics textbook Principles of Macroeconomics with a list of ten Principles he claims almost all economists agree are true. Any thoughtful person reading this list will see that these ten statements are either tautological (you can’t do two things at once) or are mere rules of thumb. The idea that you could build a positivist science on this foundation is absurd. But Mankiw disagrees, and so does everyone who took Econ 101 and stopped, and especially so do the elites from our top schools.

It’s not surprising, then, that this version of economics is failing. It cannot perform the basic goal of a scientific theory, making accurate predictions. Economic models have failed and will continue to fail to predict disasters; and there isn’t much hope that they will ever be able to predict anything of interest.

In Part 1 I pointed out that the positivist program can’t be easily adapted to the social sciences. David Andolfatto of the St. Louis Fed agrees, and tells us what we can expect from economics:

But seriously, the delivery of precise time-dated forecasts of events is a mug’s game. If this is your goal, then you probably can’t beat theory-free statistical forecasting techniques. But this is not what economics is about. The goal, instead, is to develop theories that can be used to organize our thinking about various aspects of the way an economy functions. Most of these theories are “partial” in nature, designed to address a specific set of phenomena (there is no “grand unifying theory” so many theories coexist). These theories can also be used to make conditional forecasts: IF a set of circumstances hold, THEN a number of events are likely to follow. The models based on these theories can be used as laboratories to test and measure the effect, and desirability, of alternative hypothetical policy interventions (something not possible with purely statistical forecasting models).

This obvious straw man at the beginning of this quote is typical of the arrogant economist described by Marion Fourcade. But let’s see how well the economist business does at the weak test of effectiveness offered by Andolfatto.

For decades economists taught the Kuznets Curve which they said shows that as industrialization proceeds, economic inequality first rises and then falls.
Thomas Piketty takes up this theory in Capital In The Twenty-First Century, and extends the data forwards and backwards from the early 1950s. Here’s a graph of top decile income share from 1910 to 2010 from Wikipedia.

Looking at that graph through the time Kuznets wrote, the early 50s, it might be read to support that hypothesis. The sudden rise, starting under Reagan and continuing ever since, completely contradicts the hypothesis. That didn’t stop people from teaching it.

The Phillips Curve asserts that there is a connection between inflation and unemployment: as the unemployment rate drops, inflation increases. It’s one of Mankiw’s 10 principles; and it’s deeply embedded in the models used by the Fed to decide interest rates. It’s mostly wrong. Here’s a recent debunking from the Philadelphia Fed, concluding that the Phillips Curve might help forecast inflation in a weak economy, but does not work in an expanding economy.

The Wikipedia Page for Phillips Curve says that:

The original Phillips curve literature was not based on the unaided application of economic theory. Instead, it was based on empirical generalizations. After that, economists tried to develop theories that fit the data.

A 2008 paper, The History of the Phillips Curve: Consensus and Bifurcation, Economica (2008), P. 10, lays out the history in detail. Roughly speaking, it begins with the observation by William Phillips that in the UK there was a stable relation between the rate of wage growth and inflation over a substantial period of time, and deviations could be explained reasonably. This paper was picked up by Paul Samuelson and Robert Solow and turned into the earliest mathematical formula in 1958. Since then there have been a number of occasions where the Phillips Curve failed, and each time economists just grab some more of their existing tools and try to fix it or explain the failure, in each case after policy-makers have gone on as if it were right and forced bad results on the economy and especially the wages of workers.

Here’s a third example. Economists say that the reason wages are stagnant is that productivity is flat, as if there were a relation between wages and productivity. Anyone who looks at this chart and reads this article from the Economic Policy Institute will have a huge question about that.

And that isn’t just the right-wing. Plenty of centrist Democrats make the same argument. And by the way, what does this say about the central theory of free market economics that supply and demand for labor set prices?

As I say here and here, neoliberal economists used their ideology of free markets to influence policy and to change the entire way we think about society without having the slightest idea of the consequences of their meddling because their models aren’t designed to deal with changes in societies or economies. As my examples show, they just keep on regardless of the success or failure of their predictions, and politicians and rich people ignore the failings and continue to follow their foolish advice.

Neoliberal economics obviously fails to measure up to the standards of positivism. It can’t predict anything useful, and it barely is able to explain itself coherently. That’s a problem with positivism too. People are slowly, slowly coming to grips with these failures and the damage they have done. It’s adherents are dying off, and their replacements are into it for the money and the power. Stupid ideas never die, but maybe they will lose their influence.

Updated to correct link to EPI article and chart.

Notre Dame undergrad (math); JD, Indiana University at Bloomington; 1st Lieutenant, US Army.; private practice in corporate and securities law; Assistant AG in Tennessee for consumer protection and securities; Blue Sky Securities Commissioner, Tennessee; private practice, bankruptcy and corporate law.

I have had a lifelong interest in economics. For most of my career, that interest was practical, focused on the problems in front of me. Lately I have been more interested in economics as a theory, especially its impact on the lives of people like those I met in my bankruptcy practice, and on the politics of money in the US. I also enjoy reading philosophers, starting in college and steadily expanding my reading ever since. I wrote at FireDogLake for a number of years.

Generally, I think the problem facing the US is the dominance of neoliberal discourse. I think it clouds the vision, and limits the kinds of problems that can be identified and solved. For example, the existence and danger of climate change can easily be identified in a scientific discussion. However, the problem does not fit the neoliberal discourse because science insists that the pursuit of individual and corporate self-interest will lead to devastation. In neoliberal discourse, the pursuit of self-interest always leads to Eden.

The neoliberal project has two prongs. One is the police function of crushing dissent and alternative views. The police function is provided by government agencies and private and institutional actors. The counterpart is the economic system , which is operated by government and by private and institutional actors. Some of these actors operate in both spheres. I focus on the second prong.

Section 702 Reauthorization Bill: The Very Narrowly Scoped Back Door Search Fix

This is my second post on the draft House Judiciary Committee version of the Section 702 reauthorization. In this post, I’ll look at how the bill tries to fix the back door search loophole. In two followup posts I’ll explain why this fix is inadequate legislatively, and why it is inadequate legally.

The back door fix:

  • Requires a court order to access content “for evidence of a crime”
  • Requires an AG relevance statement to access metadata-plus
  • Creates exceptions that swallow the rule
  • Prevents reverse targeting
  • Mandates simultaneous access to FBI databases
  • Permits broad delegation
  • Creates auditable records with big loopholes
  • Invites the government to define foreign intelligence information

Requires a court order to access content “for evidence of a crime”

Here’s the language that requires the government to obtain a court order when accessing Section 702 data.

(j) REQUIREMENTS FOR ACCESS AND DISSEMINATION OF COLLECTIONS OF COMMUNICATIONS.—

(1) COURT ORDERS AND OTHER REQUIREMENTS.—

(A) COURT ORDERS TO ACCESS CONTENTS.—Except as provided by subparagraph (C), in response to a query for evidence of a crime, the contents of queried communications acquired under subsection (a) may be accessed or disseminated only upon—

(i) an application by the Attorney General to a judge of the Foreign Intelligence Surveillance Court that describes the determination of the Attorney General that—

(I) there is probable cause to believe that such contents may provide evidence of a crime specified in section 2516 of title 18, United States Code (including crimes covered by paragraph (2) of such section);

(II) noncontents information accessed or disseminated pursuant to subparagraph (B) is not the sole basis for such probable cause;

(III) such queried communications are relevant to an authorized investigation or assessment, provided that such investigation or assessment is not conducted solely on the basis of activities protected by the first amendment to the Constitution of the United States; and

(IV) any use of such queried communications pursuant to section 706 will be carried out in accordance with such section;

(ii) an order of the judge approving such application.

The requirement only applies to evidence of crime. It requires the crime to be one of the ones listed in the Wiretap Act, but includes state crimes, which in turn includes drug crimes (and child pornography, which of course is now in Section 702’s minimization procedures).

For some reason, it requires this application to go to FISC, rather than a regular magistrate, which is problematic both from a time management issue for FISC but also for reasons of standardization among magistrates. That’s all the more concerning given that the bill doesn’t explain what kind of review the FISC judge can do — whether the judge can actually review for probable cause, or whether she doesn’t have that authority. This is a big concern, because DOJ has repeatedly told FISC judges in secret that they don’t have authority specifically laid out in law, not even when they were asking judges to approve programmatic spying.

One good part of this language is that it requires something beyond metadata from a 702 search to support a probable cause review.

As I’ll write in a follow-up, though, the limitation of this to criminal purposes makes it absolutely meaningless — it simply misunderstands how FBI conducts these queries (and obviously doesn’t apply to how NSA and CIA do it).

Requires an AG relevance statement to access metadata-plus

In addition to the controls on content, this reauthorization also imposes new controls on access to metadata-plus.

(B) RELEVANCE AND SUPERVISORY APPROVAL TO ACCESS NONCONTENTS INFORMATION.—Except as provided by subparagraph (C), in response to a query for evidence of a crime, the information of queried communications acquired under subsection (a) relating to the dialing, routing, addressing, signaling, or other similar noncontents information may be accessed or disseminated only upon a determination by the Attorney General that—

(i) such queried communications are relevant to an authorized investigation or assessment, provided that such investigation or assessment is not conducted solely on the basis of activities protected by the first amendment to the Constitution of the United States; and

(ii) any use of such queried communications pursuant to section 706 will be carried out in accordance with such section.

This imposes an Attorney General certification of relevance for access to 702-derived “metadata-plus.” I’m using that term to refer to the broadened definition of metadata that presumably invokes John Bates’ definition adopted in a series of opinions, but which remains entirely redacted.

Consider the absurdity of the proposition that the government can search “just metadata” but metadata is so sensitive it can’t be publicly defined. And Congress chooses not to define it here either.

If we need to revisit the definition of metadata, then Congress should do it here, not just nod blindly to redacted opinions at FISC.

And, again, this applies only to crimes.

Creates exceptions that swallow the rule

As I keep saying, the back door search fix only applies to criminal searches. Here’s what is not included.

(C) EXCEPTIONS.—The requirement for an order of a judge pursuant to subparagraph (A) and the requirement for a determination by the Attorney General under subparagraph (B), respectively, shall not apply to accessing or disseminating queried communications acquired under subsection (a) if one or more of the following conditions are met:

(i) Such query is reasonably designed for the primary purpose of returning foreign intelligence information.

(ii) The Attorney General makes the determination described in subparagraph (A)(i) and

(I) the person related to the queried term is the subject of an order or emergency authorization that authorizes electronic surveillance or physical search under this Act or title 18 United States Code; or

(II) the Attorney General has a reasonable belief that the life or safety of a person is threatened and such contents are sought for the purpose of assisting that person.

(iii) Pursuant to paragraph (5), the person related to the queried term consents to such access or dissemination.

First, the bill exempts emergency or threat to life queries.

But before it does that, it exempts all requests “designed for the primary purpose of returning foreign intelligence information.” In a different section, HJC punts on the issue of defining what “foreign intelligence information” means, directing the government to do that in minimization procedures.

It punts on more than that. How can you have one category for “primary purpose” FI information, but then not treat criminal searches as primary? Where does that line end? Especially given that this is permitted, for both criminal and intelligence purposes, at the assessment level, which is before the government has any evidence.

In short, even where it is writing exceptions, the bill does it in such a way as to let the split swallow the rule.

Prevents reverse targeting

I think this language prohibits reverse targeting.

(D) LIMITATION ON ELECTRONIC SURVEILLANCE OF UNITED STATES PERSONS.—If the Attorney General determines that it is necessary to conduct electronic surveillance on a known United States person who is related to a term used in a query of communications acquired under subsection (a), the Attorney General may only conduct such electronic surveillance using authority provided under other provisions of law.

As I read it, if the FBI queries 702 data and finds evidence of a crime, they cannot then develop that evidence using already collected (or newly targeted) 702 data. They have to get a criminal warrant to do it.

Mind you, this is the kind of authorities laundering they do anyway, but this prohibition is worthwhile.

Mandates simultaneous access to FBI databases

The most interesting — and potentially dangerous — language in this section mandates that when the FBI does queries, all the data they have be accessible.

(E) SIMULTANEOUS ACCESS OF FBI DATABASES.—The Director of the Federal Bureau of Investigation shall ensure that all available investigative or intelligence databases of the Federal Bureau of Investigation are simultaneously accessed when the Bureau properly uses an information system of the Bureau to determine whether information exists in such a database. Regardless of any positive result that may be returned pursuant to such access, the requirements of this subsection shall apply.

I say it’s dangerous, because it might require very compartmented data to be more broadly accessible.

But the other thing that’s interesting about it is it will ensure that if there’s any multiplicitous data in the databases, FBI will have options to bypass the intent of the back door fix.

Consider: a great deal of individually targeted FISA data will replicate data obtained using 702 (which may in fact be the data the government used to obtain a targeted FISA order). A search on such data will return both the traditional FISA data and the 702 data. In cases where the FBI can use the former, they don’t have to bother with a “warrant” from FISC. As FBI obtains more and more raw EO 12333 data, that will be even more true there.

So while there may be an interesting operational reason for this — perhaps FBI even missed information in some sensitive investigation because not all data was accessible? — there are also clear downsides and the likelihood this will turn into a workaround to make the back door search even less meaningful.

Permits broad delegation

Another thing HJC doesn’t bother to specify is how broadly the Attorney General can delegate the authority for these various declarations.

(F) DELEGATION.—The Attorney General shall delegate the authority under this paragraph to the fewest number of officials that the Attorney General determines practicable.

(2) AUTHORIZED PURPOSES FOR QUERIES.—A collection of communications acquired under subsection (a) may only be queried for legitimate national security purposes or legitimate law enforcement purposes.

This was a significant problem behind the early NSL abuses. Letting the AG decide how much authority he wants to delegate invites similar abuses and is not why we’re paying Congress.

Creates auditable records with big loopholes

As always with transparency provisions, the loopholes are far more interesting than the provisions themselves, because they reveal where the interesting stuff is hiding. This requirement applies to all four agencies that get raw 702 traffic: NSA, CIA, NCTC, and FBI.

NSA is already doing this kind of record-keeping (sort of, though given the violations discovered last year, there’s reason to doubt it). But once they set the requirement, they create big problematic loopholes.

(3) RETENTION OF AUDITABLE RECORDS.— The Attorney General and each Director concerned shall retain records of queries that return a positive result from a collection of communications acquired under subsection (a). Such records shall—

(A) include such queries for not less than 5 years after the date on which the query is made; and

(B) be maintained in a manner that is auditable and available for congressional oversight.

With this language, HJC exempts Congressional queries (which I’m fine with), but also tech queries.

(4) COMPLIANCE AND MAINTENANCE.—The requirements of this subsection do not apply with respect to queries made for the purpose of—

(A) submitting to Congress information required by this Act or otherwise ensuring compliance with the requirements of this section; or

(B) performing maintenance or testing of information systems.

Until at least 2010, NSA was using tech queries to do metadata searches that weren’t authorized by the phone dragnet (which was facilitated by having tech people co-located with analysts, which made it easy for the analysts to as for help). If you exempt tech people, you will have abuses on any restriction.

In addition, the auditable record requirement doesn’t count for those who’ve given consent, which includes informants.

(5) CONSENT.—The requirements of this subsection do not apply with respect to—

(A) queries made using a term relating to a person who consents to such queries; or

(B) the accessing or the dissemination of the contents of queried communications of a person who consents to such access or dissemination.

From this I assume that a great many of these queries (especially those at CIA that aren’t now being counted) are being done for Insider Threat detection, which tracks a bunch of people who, by obtaining a clearance, have given consent for this kind of searching. I assume there are a great many of them too, since they need to be hidden.

(6) DIRECTOR CONCERNED.—In this subsection, the term ‘Director concerned’ means the following:

(A) The Director of the National Security Agency, with respect to matters concerning the National Security Agency.

(B) The Director of the Federal Bureau of Investigation, with respect to matters concerning the Federal Bureau of Investigation.

(C) The Director of the Central Intelligence Agency, with respect to matters concerning the Central Intelligence Agency.

(D) The Director of the National Counterterrorism Center, with respect to matters concerning the National Counterterrorism Center.

Invites the government to define foreign intelligence information

Finally, the bill requires the government to adopt a meaning for “query reasonably designed for the primary purpose of returning foreign intelligence information” in yearly certifications, rather than doing it themselves.

(b) PROCEDURES.—Subsection (e) of such section 6 (50 U.S.C. 1881a(e)) is amended by adding at the end the following new paragraph:

(3) CERTAIN PROCEDURES FOR QUERYING.— The minimization procedures adopted in accordance with paragraph (1) shall describe a query reasonably designed for the primary purpose of returning foreign intelligence information pursuant to subsection (j)(1)(C)(i).’’.

Again, it is the job of Congress to do this. Once the IC defines this in such a way that will further swallow up the rule, what then? We wait until 2023 (which is when this law would next get reauthorized) to define the term meaningfully? At some point we need to have an explicit discussion about the foreign intelligence purposes that drive a lot of these queries, and talk about whether they’re permissible under the Fourth Amendment. Now would be a good time, but this language just punts the question.

Other 702 posts

702 Reauthorization Bill: The “About” Fix (What Is A Person?)

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Kaspersky and the Third Major Breach of NSA’s Hacking Tools

The WSJ has a huge scoop that many are taking to explain why the US has banned Kaspersky software.

Some NSA contractor took some files home in (the story says) 2015 and put them on his home computer, where he was running Kaspersky AV. That led Kaspersky to discover the files. That somehow (the story doesn’t say) led hackers working for the Russian state to identify and steal the documents.

Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

The theft, which hasn’t been disclosed, is considered by experts to be one of the most significant security breaches in recent years. It offers a rare glimpse into how the intelligence community thinks Russian intelligence exploits a widely available commercial software product to spy on the U.S.

The incident occurred in 2015 but wasn’t discovered until spring of last year, said the people familiar with the matter.

The stolen material included details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S., these people said.

Having such information could give the Russian government information on how to protect its own networks, making it more difficult for the NSA to conduct its work. It also could give the Russians methods to infiltrate the networks of the U.S. and other nations, these people said.

Way down in the story, however, is this disclosure: US investigators believe Kaspersky’s AV identified the files, but isn’t sure whether Kaspersky told the Russian government.

U.S. investigators believe the contractor’s use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.

Given the timing, it’s worth considering several other details about the dispute between the US and Kaspersky. (This was all written for another post that I’ll return to.)

The roots of Kaspersky’s troubles in 2015

Amid the reporting on Eugene Kaspersky’s potential visit to testify to Congress, Reuters reported the visit would be Kaspersky’s first visit to the US since spring 2015.

Kaspersky told NBC News in July that he was not currently traveling to the United States because he was “worried about some unexpected problems” if he did, citing the “ruined relationship” between Moscow and Washington.

Kaspersky Lab did not immediately respond when asked when its chief executive was last in the United States. A source familiar with U.S. inquiries into the company said he had not been to the United States since spring of 2015.

A link in that Reuters piece suggests Kaspersky’s concern dates back to August 2015 Reuters reporting, based off leaked emails and interviews with former Kaspersky employees, that suggests the anti-virus firm used fake files to trick its competitors into blocking legitimate files, all in an effort to expose their theft of Kaspersky’s work. A more recent reporting strand, again based on leaked emails, dates to the same 2009 time period and accuses Kaspersky of working with FSB (which in Russia, handles both spying and cybersecurity — though ostensibly again, that’s how the FBI works here).

But two events precede that reporting. In June 2015, Kaspersky revealed that it (and a bunch of locales where negotiations over the Iran deal took place) had been infected by Duqu 2.0, a thread related to StuxNet.

Kaspersky says the attackers became entrenched in its networks some time last year. For what purpose? To siphon intelligence about nation-state attacks the company is investigating—a case of the watchers watching the watchers who are watching them. They also wanted to learn how Kaspersky’s detection software works so they could devise ways to avoid getting caught. Too late, however: Kaspersky found them recently while testing a new product designed to uncover exactly the kind of attack the intruders had launched.

[snip]

Kaspersky is still trying to determine how much data the attackers stole. The thieves, as with the previous Duqu 2011 attack, embedded the purloined data inside blank image files to slip it out, which Raiu says “makes it difficult to estimate the volume of information that was actually transferred.” But at least, he says, it doesn’t appear that the attackers were out to infect Kaspersky customers through its networks or products. Kaspersky claims to have more than 400 million users worldwide.

Which brings us to what the presumed NSA hackers were looking for:

The attackers were primarily interested in Kaspersky’s work on APT nation-state attacks–especially with the Equation Group and Regin campaigns. Regin was a sophisticated spy tool Kaspersky found in the wild last year that was used to hack the Belgian telecom Belgacom and the European Commission. It’s believed to have been developed by the UK’s intelligence agency GCHQ.

The Equation Group is the name Kaspersky gave an attack team behind a suite of different surveillance tools it exposed earlier this year. These tools are believed to be the same ones disclosed in the so-called NSA ANT catalogue published in 2013 by journalists in Germany. The interest in attacks attributed to the NSA and GCHQ is not surprising if indeed the nation behind Duqu 2.0 is Israel.

Kaspersky released its Equation Group whitepaper in February 2015. It released its Regin whitepaper in November 2014.

One thing that I found particularly interesting in the Equation Group whitepaper — in re-reading it after ShadowBrokers released a bunch of Equation Group tools — is that the report offers very little explanation of how Kaspersky was able to find so many samples of the NSA malware that the report makes clear is almost impossible to find. The only explanation is this CD attack.

One such incident involved targeting participants at a scientific conference in Houston. Upon returning home, some of the participants received by mail a copy of the conference proceedings, together with a slideshow including various conference materials. The compromised CD-ROM used “autorun.inf” to execute an installer that began by attempting to escalate privileges using two known EQUATION group exploits. Next, it attempted to run the group’s DOUBLEFANTASY implant and install it onto the victim’s machine. The exact method by which these CDs were interdicted is unknown. We do not believe the conference organizers did this on purpose. At the same time, the super-rare DOUBLEFANTASY malware, together with its installer with two zero-day exploits, don’t end up on a CD by accident.

But none of the rest of the report explains how Kaspersky could have learned so much about NSA’s tools.

We now may have our answer: initial discovery of NSA tools led to further discovery using its AV tools to do precisely what they’re supposed to. If some NSA contractor delivered all that up to Kaspersky, it would explain the breadth of Kaspersky’s knowledge.

It would also explain why NSA would counter-hack Kaspersky using Duqu 2.0, which led to Kaspersky learning more about NSA’s tools.

So to sum up, Eugene Kaspersky’s reluctance to visit the US dates back to a period when 1) Kaspersky’s researchers released detailed analysis of some of NSA and GCHQ’s key tools, which seems to have led to 2) an NSA hack of Kaspersky, which in turn shortly preceded 3) some reporting based off unexplained emails floating accusations of unfair competition dating back to 2009 and earlier.

We now know all that came after Kaspersky found at least some of these tools sitting on some NSA contractor’s home laptop.

This still doesn’t explain how Russian hackers figured out precisely where Kaspersky was getting this information from — which is a real question, but not one the WSJ piece answers.

But reading those reports again, especially the Equation Group one, should make it clear how the Russian government could have discovered that Kaspersky had discovered these tools.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

How Keith Gartenlaub Turned Child Porn into Foreign Intelligence

As I mentioned in this post on FISA and the space-time continuum, I’m going to be focusing closely on the FISA implications of Keith Gartenlaub’s child porn prosecution.

Gartenlaub was a Boeing engineer in 2013 when the FBI started investigating him for sharing information with China (see this and this story for background). He was suspected, in significant part, because of relationships and communications tied to his wife, who is a naturalized Chinese-American and whose family appears well-connected in China. The case is interesting for the way the government used both FISA and criminal searches to prosecute him for a non-national security related crime.

The case is currently being appealed to the 9th Circuit; it will be heard on December 4. His defense is challenging several things about his conviction, including that there was insufficient evidence to deem him an Agent of a Foreign Power (and therefore to obtain the ability to conduct a broader search than might be permitted under a criminal warrant), as well as that there was insufficient evidence offered at trial that he knowingly possessed the 9-year old child porn on which his conviction rests. I think there’s some merit to the latter claim, but I’m going to bracket it for my discussion, both because I think the FISA issues would remain important even if the government’s case on the child porn charge were far stronger than it is, and because I think the government may be sitting on potentially inculpatory evidence.

In this post, I’m going to show that it is almost certain that the government changed FISA minimization procedures to facilitate using FISA to prosecute him for child porn.

Timeline

The public timeline around the case looks like this (and as I said, I believe the government is hiding some bits):

Around January 28, 2013: Agent Wesley Harris reads article that leads him to start searching for Chinese spies at Boeing

February 7, 8, and 22, 2013: Harris interviews Gartenlaub

June 18, 2013: Agent Harris obtains search warrant for Gartenlaub and his wife, Tess Yi’s, Google and Yahoo accounts

Unknown date: Harris obtains a FISA order

January 29, 2014: Using FISA physical search order, FBI searches Gartenlaub’s home, images three hard drives

June 3, 2014: Harris sends files to National Center for Missing and Exploited Children, which confirms some files display known victims

August 22, 2014: Criminal search warrant obtained for Gartenlaub’s premises

August 27, 2014: FBI searches Gartenlaub’s properties, seizing computers used as evidence in trial, arrests him

August 29, 2014: Government reportedly says it will dismiss charges if Gartenlaub will cooperate on spying

October 23, 2014: Grand jury indicts

December 10, 2015: Guilty verdict

FBI used a criminal search warrant to obtain evidence, then obtained a FISA order

As you can see from the timeline, the government first obtained a criminal search warrant for access to Gartenlaub and his wife’s email accounts (Gartenlaub also got an 1806 notice, meaning they used a FISA wiretap on him at some point). Only after that did they execute a FISA physical search order to search his house and image his computers. Which means — unless they had a FISA order and a criminal warrant simultaneously — they had already convinced a judge it was likely Gartenlaub’s emails would provide evidence he was “remov[ing ] information, including export controlled technical data, from Boeing’s computer networks to China.” In his affidavit, Agent Harris cited violations of the Arms Export Control Act and Computer Fraud and Abuse Act.

Then, after probably months of reviewing emails later, having already shown probable cause that could have enabled them to get a search warrant to search Gartenlaub’s computer for those specific crimes — that is, proof that he had exploited his network access at Boeing in order to obtain data he could share with his wife’s Chinese associates — the government then went to FISA and convinced a judge they had probable cause Gartenlaub (or perhaps his wife) was acting as an agent of a foreign power for what are assumed to be the same underlying activities.

The government insists it still had adequate evidence Gartenlaub or his wife was an agent of a foreign power under FISA

The government’s response to Gartenlaub’s appeal predictably redacts much of the discussion to support its claim that it had sufficient probable cause, after months of reading his emails, to claim he or his wife was an agent of China. But the structure of it — with an unredacted paragraph addressing weaknesses with the criminal affidavit, followed by a redacted passage of unknown length, as well as a redacted footnote modifying the idea that the criminal affidavit “merely ‘recycled’ details that were found in the Harris affidavit” (see page 38-39) — suggests they raised evidence beyond what got included in the criminal affidavit. That’s surely true; it presumably explains what was so interesting about Yi’s family and associates in China as to sustain suspicion that they would be soliciting Boeing technology.

In any case, in a filing in which the government admits that “the [District] court expressed ‘some personal questions regarding the propriety of the FISA court proceeding even though that certainly seems to be legally authorized’,” the government pushed the Ninth Circuit to adopt a deferential standard on probable cause for FISA orders, in which only clear error can overturn the probable cause standard.

The Court has not previously articulated the standard of review applicable to an underlying finding of probable cause in a FISA case. In the analogous context of search warrants, this Court gives “great deference” to an issuing magistrate judge’s findings of probable cause, reviewing such findings only for “clear error.” Krupa, 658 F.3d at 1177; United States v. Hill, 459 F.3d 966, 970 (9th Cir. 2006) (same); United States v. Clark, 31 F.3d 831, 834 (9th Cir. 1994) (same). “In borderline cases, preference will be accorded to warrants and to the decision of the magistrate issuing it.” United States v. Terry, 911 F.2d 272, 275 (9th Cir. 1990). The same standard applies to this Court’s review of the findings in Title III wiretap applications. United States v. Brown, 761 F.2d 1272, 1275 (9th Cir. 2002).

Consistent with these standards and with FISA itself, the Second and Fifth Circuits have held that the “established standard of judicial review applicable to FISA warrants is deferential,” particularly given that “FISA warrant applications are subject to ‘minimal scrutiny by the courts,’ both upon initial presentation and subsequent challenge.” United States v. Abu-Jihaad, 630 F.3d 102, 130 (2d Cir. 2010); accord United States v. El-Mezain, 664 F.3d 467, 567 (5th Cir. 2011) (noting that representations and certifications in FISA application should be “presumed valid”). Other courts, reviewing district court orders de novo, have not discussed what deference applies to the FISC. See, e.g., Demeisi, 424 F.3d at 578; Squillacote, 221 F.3d at 553-54.

The government submits that the appropriate standard should be deferential. Consistent with findings of probable cause in other cases, the Court should review only for “clear error,” giving “great deference” to the initial conclusion that a FISA application established probable cause.

And, of course, the government argues that even if it didn’t meet the standards required under FISA, it still operated in good faith.

By using a FISA rather than a criminal search warrant, the FBI had more leeway to search for unrelated items

Nevertheless, having read Gartenlaub’s email for months and presumably having had the opportunity to obtain a warrant to search his computers for those specific crimes, the government instead obtained a FISA order that allowed the FBI to search his devices far more broadly, opening up decades old files named with sexually explicit names in the guise of finding intelligence on stealing Boeing’s secrets. Here’s how Gartenlaub’s lawyers describe the search in his appeal, a description the government largely endorses in their response:

The FISC can only authorize the government to search for and seize “foreign intelligence information.” 50 U.S.C. §§ 1822(b), 1823(a)(6)(A), 1824(a)(4). The order authorizing the January 2014 search of Gartenlaub’s home and computers presumably complied with this restriction. “Foreign intelligence information” (defined at 50 U.S.C. §§ 1801(e) and 1821(1)) does not include child pornography. Nonetheless, as detailed in the government’s application for the August 2014 search warrant, the agents imaged Gartenlaub’s computers in their entirety, reviewed every file, and–upon discovering that some of the files contained possible child pornography–subjected those and related files to detailed scrutiny, including sending them to the National Center for Exploited Children for analysis. ER248-56, 262-68. In an effort to establish that Gartenlaub had downloaded the child pornography, the agents also examined and analyzed a number of other files on the computers, none of which had anything to do with “foreign intelligence information.” ER255-62, 268-70.

As far as the record shows, the agents conducted this detailed, far-ranging analysis without obtaining any court authorization beyond the initial FISC order. In other words, after encountering suspected child pornography files, the agents did not stop their search and seek a warrant authorizing them to open and review those files and other potentially related files. Instead, they opened, examined, and analyzed the suspected child pornography files and a number of other files having nothing to do with foreign intelligence information. They then incorporated the results of that analysis into the August 2014 search warrant application. ER248- 49. That application, in turn, produced the warrant that gave the agents authority to search for and seize the very materials that they had already seized and searched under the purported authority of the January 2014 FISC order.

How did agents authorized to search for “foreign intelligence information” end up opening, examining, and analyzing suspected child pornography files and a number of other files that had nothing to do with the only authorized object of the search? The agents apparently relied on the following argument: To determine whether Gartenlaub’s computers contained foreign intelligence information, it was necessary to open and review every file; after all, a foreign spy might cleverly conceal such information in .jpg files with sex-themed names or in other non-obvious locations. And after opening the files, the child pornography and other information was in “plain view” and thus could be lawfully seized under the Fourth Amendment.

As a result of these broad standards, and of Gartenlaub’s habit of retaining disk drives from computers he no longer owned, the FBI found files dating back to 2005, from a computer Gartenlaub no longer owned.

Upon finding that those files included apparent child porn, the FBI sent them off to the National Center for Missing and Exploited Children, which confirmed some of the images included known victims. Almost two months later, FBI conducted further (criminal) searches, and arrested Gartenlaub for child porn.

In December 2015, Gartenlaub was found guilty on two counts of child porn, though one count was vacated by the judge after the verdict.

FBI changed standard minimization procedures to permit sharing with NCMEC

The timeline above is what would have been available to Gartenlaub’s defense team.

But in 2015 and 2017, two new details were added to the timeline.

First, on April 11, 2017, two months after Gartenlaub submitted his opening brief in the appeal on February 8, the government released an August 11, 2014 opinion approving the sharing of FISA-obtained data with NCMEC.

Congress established NCMEC in 1984 as a non-governmental organization and it is funded through grants administered by the Department of Justice. One of its purposes is to assist law enforcement in identifying victims of child pornography and other sexual crimes. Indeed, Congress has mandated Department of Justice coordination with NCMEC on these and related issues. See Mot. at 5-8. Furthermore, this Court has approved modifications to these SMPs in individual cases to permit the Government to disseminate information to NCMEC. See Docket Nos. [redacted]. Because of its unique role as a non-governmental organization with a law enforcement function, and because it will be receiving what reasonably appears to be evidence of specific types of crimes for law enforcement purposes, the Government’s amendment to the SMPs comply with FISA under Section 180l(h)(3).1

As noted, in the past the FISC had approved sharing FISA-collected data with NCMEC on a case-by-case basis. But in 2014, in the weeks while  it prepared to arrest Gartenlaub on child porn charges tied to a search that only found the child porn because it used the broader FISA search standard, the government finally made NCMEC sharing part of the standard minimization procedures.

Even on top of this coincidental timing, there are reasons to suspect DOJ codified the NCMEC sharing because of Gartenlaub’s case. For example, in the government’s response there’s a passage that clearly addresses how NCMEC got involved in the case that bridges the discussion of use of child porn evidence discovered in plain view in the criminal context and the discussion of its use here.

Non-FISA precedents also foreclose defendant’s claims. Analyzing a Rule 41 search warrant, this Court has held that using child pornography inadvertently discovered during a lawful search is consistent with the Fourth Amendment. Giberson, 527 F.3d at 889-90 (ruling that “the pornographic material [the agent] inadvertently discovered while searching for the documents enumerated in the warrant [related to document identification fraud] was properly used as a basis for the third warrant authorizing the search for child pornography”);

[additional precedents excluded]

[CLASSIFIED INFORMATION REMOVED] With the benefit of NCMEC’s assistance, the government then sought and obtained the August 2014 search warrants, authorizing the search of defendant’s residence and storage units for child pornography. (CR 73; GER 901-53). The fruits of this warrant were then used in defendant’s prosecution. The use of information discovered during the prior lawful January 2014 search in the subsequent search warrant application was proper. Giberson, 527 F.3d at 890.

The redacted discussion must include not only a description of how NCMEC was permitted to get involved, but in the approval approving this as part of the minimization procedures, which (after all) are designed to protect Americans under the Fourth Amendment.

Of particular interest, the government argued that one of the precedents Gartenlaub cited was not binding generally, and especially not binding on the FISC.

The concurring opinion in CDT, upon which defendant relies, does not aid him. That concurrence is not “binding circuit precedent” or a “constitutional requirement,” much less one binding on the FISC. Schesso, 730 F.3d at 1049 (the “search protocol” set forth in the CDT concurrence is not “binding circuit precedent,” not a[] constitutional requirement[],” and provides “no clear-cut rule”); see CDT, 621 F.3d at 1178 (observing that “[d]istrict and magistrate judges must exercise their independent judgment in every case”); Nessland, 601 Fed. Appx. at 576 (holding that “no special protocol was required” for a computer search). Defendant thus cannot demonstrate any error relating to any FISC-authorized search.

The FISC had, by the time of the search relying on the FISA-obtained child porn as evidence, already approved the use of child porn obtained in a FISA search. So the government could say the CDT case was not binding precedent, because it already had a precedent in hand from the FISC. Of course, it didn’t tell Gartenlaub that.

Of course, that’s not proof that the government codified the NCMEC sharing just for the Gartenlaub case. But there’s a lot of circumstantial evidence that that’s what happened.

The government still has not formally noticed this change to Gartenlaub

As I noted above, the government released the FISC order approving the change in the standard minimization procedures too late to be of use for Gartenlaub’s opening brief. That’s a point EFF and ACLU made in their worthwhile amicus submitted in the appeal.

For example, in this case, the government apparently refused to disclose the relevant FBI minimization procedures to Gartenlaub’s counsel even though other versions of those minimization procedures are publicly available. See Standard Minimization Procedures for FBI Electronic Surveillance and Physical Search Conducted Under FISA (2008). 8

We can debate whether the standard approval for NCMEC sharing is a good thing or whether it invites abuse, offering the FBI an opportunity to use more expansive searches to “find” evidence of child porn that it can then use as leverage in a foreign intelligence context (which I’ll return to). I suspect it is wiser to approve such sharing on a case-by-case basis, as had been the case before Gartenlaub.

But from this point forward, I would assume the FBI will routinely use this provision as an excuse to conduct particularly thorough searches for child porn, on the logic that obtaining any would provide great leverage against an intelligence target.

The timing of the approval of NCMEC sharing under Section 702

I have said repeatedly, I think the government is withholding some details.

One reason I think that is because of another remarkable coincidence of timing.

As I first reported here, the first notice that the government had approved the sharing with NCMEC in standard minimization procedures came in September 2015, when the government released the 2014 Thomas Hogan Section 702 opinion that approved such sharing under Section 702. The opinion relied on the earlier approval (by Rosemary Collyer), but redacted all reference to the timing and context of it, as well as a footnote relating to it.

I find the timing of both the release and the opinion itself to be of immense interest.

First, the government had no problem releasing this opinion back in 2015, while Gartenlaub was still awaiting trial (though it waited until almost two months after the District judge in his case, Christina Snyder, rejected his FISA challenge on August 6, 2015). So it was fine revealing to potential intelligence targets that it had standardized the approval of using FISA information to pursue child porn cases, just not revealing the dates that might have made it useful for Gartenlaub.

I’m even more interested in the timing of the order: August 26. The day before the FBI got its complaint approved and arrested Gartenlaub.

The FBI had long ago submitted FISA information to NCMEC. But it waited until both the standard minimization procedures for traditional FISA and for Section 702 had approved the sharing of data with NCMEC before they arrested Gartenlaub.

That’s one of several pieces of data that suggests they may have used Section 702 against Gartenlaub, on top of the other mix of criminal and FISA authorizations.

To be continued.

Updated timeline

Around January 28, 2013: Agent Wesley Harris reads article that leads him to start searching for Chinese spies at Boeing

February 7, 8, and 22, 2013: Harris interviews Gartenlaub

June 18, 2013: Agent Harris obtains search warrant for Gartenlaub and his wife, Tess Yi’s, Google and Yahoo accounts

Unknown date: Harris obtains a FISA order

January 29, 2014: FBI searches Gartenlaub’s home, images three hard drives

June 3, 2014: Harris sends files to National Center for Missing and Exploited Children, which confirms some files display known victims

August 11, 2014: Rosemary Collyer approves NCMEC sharing for traditional FISA standard minimization procedures

August 22, 2014: Search warrant obtained for Gartenlaub’s premises

August 26, 2014: Thomas Hogan approves NCMEC sharing for FISA 702

August 27, 2014: FBI searches Gartenlaub’s properties, seizing computers used as evidence in trial, arrests him

August 29, 2014: Government reportedly says it will dismiss charges if Gartenlaub will cooperate on spying

October 23, 2014: Grand jury indicts

August 6, 2015: Christina Snyder rejects Gartenlaub FISA challenge

September 29, 2015: ODNI releases 702 NCMEC sharing opinion

December 10, 2015: Guilty verdict

February 8, 2017: Gartenlaub submits opening brief

April 11, 2017: Government releases traditional FISA NCMEC sharing opinion

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

In Reality Winner Case, Government Warns of Recruitment by Media Outlets that “Procure the Unauthorized Disclosure of Classified Info”

As I’ve reported recently Reality Winner has claimed both that her interview with the FBI was not consensual and that she should be released on bail like people who’ve leaked more sensitive documents, including David Petraeus. Significantly, Winner made claims about her interview and DOJ’s lack of related accusations to suggest the leak of the single document to the Intercept is all they’ve got on her.

The government responded to Winner’s claims — in their response to her request for bail — with a whole new set of claims not included in other documents (on top of making fairly ridiculous claims to suggest Winner should be detained when those who had access — and in the case of David Petraeus, leaked — far more classified information were not).

In the response itself, they raise issues that are fair and significant. But they all seem designed to suggest that Winner must be treated more harshly than Petraeus because she’s more likely to be “recruited” by “non-governmental organizations and media outlets that advocate and procure the unauthorized disclosure of classified information.”

At the same time, the Defendant is an attractive candidate for recruitment by well-funded foreign intelligence services and non-governmental organizations and media outlets that advocate and procure the unauthorized disclosure of classified information.

Consider how the government treats different media outlets.

The Washington Post

First, the government’s description of Winner’s phone searches suggest Winner sent the document to a “print news outlet” in addition to the Intercept, and kept looking at both to see if they published the document.

  • On May 9, the Defendant searched for the secure mailing address of a Print News Outlet, viewed a document called “How to Share Documents and News Tips with [Print News Outlet] Journalists” on the Print News Outlet’s website, searched for an Online News Outlet and “secure drop,” and viewed the Online News Outlet’s page containing instructions for the anonymous transmission of leaked information.
  • On May 12, a few days after she mailed the leaked document, the Defendant searched online for the Print News Outlet referenced on May 9, as well as the Online News Outlet to which she transmitted the leaked document, and viewed the homepages of both publications.
  • On May 13, the Defendant searched for the Print News Outlet, viewed its homepage, and then searched “[IC component] leak” and “[IC component] leak [Foreign Country]” on multiple occasions.
  • On May 14, the Defendant searched for and viewed the Print News Outlet’s homepage, and then searched within the Print News Outlet’s website for the name of the relevant IC component. She also searched for and viewed the Online News Outlet’s homepage.
  • On May 22, the Defendant viewed both the Print News and Online News Outlets’ websites, and she searched for the name of the relevant IC component within both websites.

The Washington Post’s “confidential tips” page comes up on a search for “How to Share Documents and News Tips” (though the page does not now have that name). That suggests Winner shared a copy of this document with the WaPo as well as the Intercept. But the focus in these materials on a completed crime is exclusively focused on the Intercept (which also is not named).

The interview transcript released with this filing does not, apparently, discuss Winner’s leak to what appears to be the WaPo, aside from asking if she sent the leaked document anywhere else, to which she said “no.” The agents interviewing her tipped her that the document had been sent to an online news source that she “subscribes” to. So FBI may not have mentioned WaPo because WaPo did nothing with the story — or at least nothing with a source who then informed the government, which is how the Intercept got exposed — meaning the FBI did not yet know about it. Or perhaps the FBI was just far more interested in the fact that Winner leaked to the Intercept.

Wikileaks and Anonymous

The filing does its most significant damage in repeating Winner’s support for WikiLeaks, Edward Snowden, and Anonymous. According to the filing, at the same time she was looking for clearance jobs in November 2016 (at the end of her deployment), she was researching anonymous and Wikileaks.

The Defendant’s duplicity is starkly illustrated by the fact that she researched opportunities to access classified information (multiple searches for jobs requiring a security clearance on ClearanceJobs.com) at the same time in November 2016 that she searched for information about anti-secrecy organizations (Anonymous and Wikileaks).

And in March, she told her sister she was “on Assange’s [and Snowden’s] side.”

On March 7, 2017, the Defendant searched for online information about Vault 7, Wikileaks’s alleged compromise of classified government information. Later on March 7, 2017, the Defendant engaged in the following Facebook chat with her sister in which she expressed her delight at the impact of the alleged compromise reported by Wikileaks:

SISTER: OMG that Vault 7 stuff is scary too

WINNER: It’s so awesome though. They just crippled the program.

SISTER: So you’re on Assange’s side

WINNER: Yes. And Snowden

It’s not just that Winner is reading Wikileaks and Snowden-leaked documents (which the government would be happy to use to villainize a leaker in any case). She’s cheering the destruction of CIA (and by association, NSA) capabilities. Which is not something the more prolific leaker David Petraeus did.

The curious declassification of an FBI interview about leaking

Before I get into how these materials treat the Intercept, let me take a detour to talk about the declassification of Winner’s interview which, because it discusses her work at NSA, includes a lot of information that must be classified.

As a number of outlets noted (I believe Politico reported it first), when the transcript of her FBI interview was first released, it included Winner’s social security number and date of birth — a no-no for PACER documents. It included her home computer password. It also revealed Winner worked on collection targeting Iranian Aerospace Forces Group, a remarkable disclosure given that the government says Winner can’t be released because she’ll be targeted by foreign governments (in addition to “non-governmental organizations and media outlets that advocate and procure the unauthorized disclosure of classified information”); they’ve just put a bullseye on her back for Iran. It also reveals she used to work for a drone mission. It includes the code name and the street name of her NSA location.

For either privacy and security reasons, those are remarkable disclosures.

Now consider what they did redact.

There’s a reference to Russian hacking (or the election), and Winner’s description of something akin to that. There’s a few more references, perhaps on the election, again redacted.

Perhaps the most interesting (and understandable) redaction is her explanation for why she thought the collection points on Russian hackers were already compromised.

[sigh] I had figured that, uhm, [half line redacted] that it didn’t matter anyway. Uhm honestly, uh, I just figured that whatever we were using had already been compromised, and this report was just going to be like a – one drop in the bucket.

All of which is to say the classification decisions here are pretty random.

Which is all the more interesting given the fact that the document has no declassification notes, describing who declassified it and for what purpose. If I’m Winner’s lawyers, I’m on the phone with former ISOO head Bill Leonard (who has served as an expert witness in past leak cases), asking him to testify that in a case about mishandling classified information, the government didn’t handle this document in rigorous fashion.

The Intercept: hiding the name, the motive, and a few more details

Which brings me to the decisions about redactions on parts of the transcript that pertain to the Intercept.

It hides the Intercept’s name, but also several references to her motive, including one very long description (on PDF 69)

More interesting, it redacts details about how she mailed it to the Intercept.

And redacts another passage where she describes how she found the address to send it to the Intercept — the actual details of which are included in the passage on her phone searches, above.

It redacts another passage asking whether she included anything in the envelope to the Intercept.

All of which is to say that in submissions that claim Winner is a particular risk because she might be “recruited” by NGOs and “media outlets that advocate and procure the unauthorized disclosure of classified information,” it is still hiding key details about Winner’s descriptions of her actions with respect to the Intercept.

After reading this transcript, I’m actually surprised the government hasn’t (yet) taken a harsher approach, perhaps charging her for a leak to the WaPo or for lying, initially, to the FBI (not charging her for lying to the FBI is one way, I guess, where she is getting the treatment David Petraeus got).

That may suggest they’re entertaining going after the Intercept here, for “recruiting” Reality Winner — a replay of the tactic they tried with Chelsea Manning years ago, only this time with an Attorney General and a Congress rushing to invent new categories of non-state hostile intelligence services to criminalize some kinds of publishing.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Government Decides Reality Winner Leaked Just One Document After All

Back in June, I noted that one of the reasons the government convinced a judge to deny Reality Winner bail was that she had leaked documents, plural.

There’s no written record for this yet, but it appears from one of the less-shitty reports on the hearing that the claim is based on three things: First, Winner stuck a thumb drive in a Top Secret computer last year.

Winner inserted a portable hard drive in a top-secret Air Force computer before she left the military last year. She said authorities don’t know what happened to the drive or what was on it.

Second, because Solari portrayed the 25-year old translator’s knowledge as a danger unto itself (more ridiculously, she painted Winner’s knowledge of Tor — which Winner didn’t use to look up sensitive information — as a means by which she might flee).

“We don’t know how much more she knows and how much more she remembers,” Solari said. “But we do know she’s very intelligent. So she’s got a lot of valuable information in her head.”

And finally, because Winner told her mother, in a conversation from jail that was recorded, that she was sorry about the documents, plural.

Solari said Winner also confessed to her mother during a recorded jailhouse phone call, saying: “Mom, those documents. I screwed up.”

Solari apparently emphasized the latter point as a way to suggest Winter might still have documents to leak.

Solari stressed that Winner referred to “documents” in the plural, and that federal agents were looking to see whether she may have stolen other classified information.

The idea is that because Winner used the plural and she only leaked one document, there must be more she’s planning on leaking.

Except that doesn’t appear right.

It appears Winner actually already leaked two documents. [my emphasis]

I showed that Winner actually leaked two documents to the Intercept.

Curiously, it appears the prosecutor in this case, Jennifer Solari, has changed her mind. Attached to a motion to reconsider bail, Winner’s lawyers have noted that weeks after claiming Winner had to be jailed because she told her mom she had stolen multiple documents, Solari listened to the transcript and decided Winner only referred to a document, singular.

The following is new evidence that was not available at the time of the initial detention hearing (and could not have reasonably been available given the mere three days between the initial appearance and detention hearing), all of which have a material bearing on the issue of release. • While repeatedly alleging that Ms. Winner disclosed numerous “documents” at the initial detention hearing—a fact that the Court specifically noted in its findings to support detention the Government has, via email to this Court, retracted those assertions. The Government now alleges there was only one document, rather than numerous documents, at issue. [See Exhibit A (email correspondence from Assistant United States Attorney Jennifer Solari to defense counsel and the Court dated June 29, 2017); Doc. 29 p. 105; see also Doc. 72].

In her email informing the defense of this, Solari explained,

Before the hearing, I had only heard a portion of the call in which the defendant asked her mother to “play that angle” regarding the alleged circumstances of her FBI interview. I proffered information about the other jail calls based upon verbal summaries I was provided by the FBI just before the hearing. Now that I’ve heard the recordings myself, I’d like to clarify some of the information for the court and counsel.

Solari goes on to suggest that another correction — regarding why Winner had her mom transfer money — came from an inference the FBI agent made.

I’m glad Solari corrected these issues — prosecutors often double down in such instances. I’d certainly scrutinize the other claims made by the FBI agents in the case after this.

Apparently, the government also left other details out of its story when painting Winter as an opsec genius to deny her bail. For example, in addition to pointing out how many people use Tor, her lawyers revealed that she had used it to access Wikileaks once.

The Government failed to explain, however, that Ms. Winner told the Government during her interrogation on June 3, 2017, that she used Tor once for looking at WikiLeaks.

It also notes that the superseding indictment still just charges Winner for the one document.

Finally, it compares her treatment with all of the other alleged leakers who got bail (including David Petraeus).

It’s unclear whether this will win her release. But it certainly suggests the government overstated her threat in her bail hearing.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The Mark Zaid Materials from the Jeffrey Sterling Trial

Because he just formed a new whistleblower group with John Napier Tye, there as been renewed interest in allegations an FBI Agent made during the Jeffrey Sterling case about attorney Mark Zaid. But there was actually a second detail regarding Zaid released just after the trial that has not been publicly reported: Zaid was interviewed by the FBI, twice, and was even interviewed before Sterling himself was.

I asked Zaid whether he was obligated to do the FBI interviews on Twitter but got no response. I think it’s possible FBI asked to interview him as much because the Senate Intelligence Committee was refusing to cooperate in the investigation as anything else; at the time, FBI considered SSCI staffer Bill Duhnke a more likely suspect than Sterling (and it’s not clear they ever ruled him out).

Let me be clear: I’m posting these materials to make the full context of them accessible. Zaid has not explained these, but he has promised repeatedly there is an explanation for them. As noted, there may be a perfectly logical explanation that has as much to do with Senate privileges as it does with attorney-client.

In any case, these materials are just what was directly related to the criminal case. The criminal investigation actually interacted with events in Sterling’s EEO lawsuit — which is what Zaid was primarily representing Sterling on in 2003 — in even more interesting ways I may return to.

Special Agent Ashley Hunt’s accusations

The following accusation came in prosecutor Eric Olshan’s redirect of Ashley Hunt, the FBI witness in the trial, after Sterling’s lawyers had demonstrated that the investigation was narrowly focused on Sterling without questioning some of the other possible witnesses in the case.

Q. When you initiated the investigation, I believe you testified it was in April of 2003?

A. That’s correct.

Q. At the time when you initiated your investigation concerning unauthorized disclosure of classified information to James Risen, did you learn any information regarding Mark Zaid and Mr. Krieger that, that directed your investigation?

A. I did.

MR. MAC MAHON: Your Honor, objection. That door was not opened as to Mr. Sterling’s prior lawyers.

MR. OLSHAN: Your Honor, this is about why —

THE COURT: Again, the scope of the investigation, what was done and not done, was clearly part of the cross. I’m going to allow it, excuse me, on redirect; and if there needs to be recross on that, you’ll be allowed to. Go ahead.

MR. MAC MAHON: Thank you, Your Honor.

BY MR. OLSHAN: Q. What did you learn at the outset of your investigation about information from Mr. Krieger and Zaid that helped you direct your investigation and focus it?

A. When I opened my investigation on April 8, 2003, my investigation was based on a report I received from the CIA dated April 7, 2003. In that report, the CIA provided information about the fact —

MR. MAC MAHON: Your Honor, that’s hearsay.

THE COURT: Wait.

MR. OLSHAN: Your Honor, this is not for the truth. It’s why she took the actions.

THE COURT: It explains why she is acting, takes the investigative tacks that she does, so I’m going to overrule the objection. It’s not hearsay.

BY MR. OLSHAN: Q. You may continue, Special Agent Hunt.

A. The CIA advised that on February 24, 2003, it was contacted by Mark Zaid and Roy Krieger. They told the CIA on February 24 that a client of theirs had contacted them on February 21, 2003, and that that client, that unnamed client at the time voiced his concerns about an operation that was nuclear in nature, and he threatened to go to the media.

Q. Did you later learn who that client was from Mr. Zaid and Mr. Krieger in the course of your investigation?

A. I did.

Q. Did those facts help you focus the direction of your investigation?

A. They did.

Q. And who did you learn was the client of Mr. Krieger and Mr. Zaid?

A. Jeffrey Sterling.

On recross, Sterling lawyer Edward McMahon worked to undercut the revelation by having Hunt describe how, when she wrote up a memo on the case on April 12, 2003, she believed it unlikely he was the leaker.

Q. Okay. And you had written about Mr. Sterling in 2003, hadn’t you, the same time you’re telling in answer to Mr. Olshan’s questions that you were hearing some hearsay about Mr. Sterling’s lawyers?

A. I’m sorry, what’s the question?

Q. You said you had heard some hearsay that Mr. Sterling’s lawyers were talking about him at the CIA, correct?

A. What I said is that his attorneys went to the CIA on February 24. At that time, they did not name Jeffrey Sterling.

Q. All right. But on April 12 of 2003, you wrote a memo about Mr. Sterling, and you said that it was unlikely that it was Mr. Sterling who was the leak, correct?

A. If I wrote that at that time, then that was based on the information I had at that time.

Q. Right. You said that it’s unlikely that someone who has already attempted to settle an EEO lawsuit for a few hundred thousand dollars would choose to attack and enrage the organization from which he seeks but has not yet received a settlement. That’s your writing, isn’t it?

A. I don’t know. You haven’t shown me the document.

Q. And you also in the same document dismiss your concerns about Mr. Zaid and Krieger, correct? You don’t remember that?

A. I don’t know. It was 12 years ago.

Q. And in the last 12 years, you still haven’t come up with any proof that Mr. Sterling ever talked to Mr. Risen about Classified Program No. 1 or Merlin, right?

A. Correct.

Thus far, the timeline looks like this:

February 21: Alleged contact between Sterling and Zaid (not stated whether this is phone call or email, which would show up in call records available with a relevance standard)

February 24: Alleged call from Zaid and his partner warning that one of their clients would leak

April 7: CIA referral includes their claim about Zaid call

April 8: Hunt opens investigation

April 12: Hunt writes memo dismissing likelihood that Sterling is leaker

The FBI Interview Dates

Now consider the dates of the 2003 FBI 302s included in these two CIPA letters (the names with the first initial last name are CIA witnesses; it’s unclear whether that’s true of the entirely redacted names).

April 12: Redacted name

April 12: Robert J. E

April 12: Bob S

April 13: Redacted name

April 13: Redacted name

April 14: Bill H (almost certainly Bill Harlow, CIA’s then spox)

April 18: Mark Zaid (three page 302)

April 28: Bill H (again, almost certain Harlow)

May 7: Redacted name

May 9: Redacted name

June 19: Sterling

June 26: Bob S (Sterling’s supervisor)

July 18: Redacted name

July 21: Thomas H

August 1: David C

August 13: Redacted name

August 14: Diane F

That is, the memo where Hunt said she didn’t think Sterling was the leaker was written either before she had done any interviews, or after she had done just the first CIA ones (including with Sterling’s boss, who definitely blamed Sterling). The first round of interviews appear to be primarily or all CIA witnesses.

And the next interview — at least among those that Sterling’s defense thought they might use at trial — was Zaid. Zaid’s interview, in fact, was months before Sterling’s. The second letter shows a second Zaid interview on September 2, 2010.

To emphasize: Sterling’s lawyers requested these FBI interviews be available for trial, not the prosecution. It’s unclear whether they did that because the interviews would have helped them, or because (as was the case with virtually all the other witnesses) they thought they might need to draw on those interviews for cross-examination.

But unless there’s some wildly egregious error in these files, Mark Zaid did two interviews with the FBI before he — obligated by subpoena, he said repeatedly — testified before the grand jury on September 22, 2010.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Not Mentioned in Roger Stone’s Straw Rat-Fucker Statement: the Peter Smith Rat-Fuck

Earlier today, legendary rat-fucker Roger Stone had a three hour interview before the House Intelligence Committee. Before the interview, he leaked his testimony, as all of the most implicated Trump officials — save Paul Manafort — have.

The testimony is telling for multiple reasons. Given the recent trouble I got in for saying “rat-fucker” on TV, I’m particularly invested in the way he avoided calling himself one.

As to the substance of the report, it is delightfully, tellingly, squirrelly in two different ways. First, his generalized denial is very specific to colluding with the Russian state to affect the outcome of the 2016 election; this is a point Renato Mariotti makes here.

I have no involvement in the alleged activities that are within the publicly stated scope of this Committee’s investigation  — collusion with the Russian state to affect the outcome of the 2016 election.

I’m even more interested in how he depicts what he claims are the three allegations made against him.

Members of this Committee have made three basic assertions against me which bust be rebutted her today. The charge that I knew in advance about, and predicted, the hacking of the Clinton campaign chairman John Podesta’s email, that I had advanced knowledge of the source or actual content of the WikiLeaks disclosures regarding Hillary Clinton or that, my now public exchange with a persona that our intelligence agencies claim, but cannot prove, is a Russian asset, is anything but innocuous and are entirely false.

In point of fact, this tripartite accusation is actually a misstatement of the allegations against him (though in his rebuttal of them, he is helped immensely by the sloppiness of public statements made by Democrats, especially those on the panel, which I’ve criticized myself). Generally, the accusation is more direct: that in conversing with both Julian Assange (though a cut-out) and Guccifer 2.0, Stone was facilitating or in some way helping the Trump campaign maximally exploit the Russian releases that were coming.

Which is why I find one other silence quite interesting: Stone makes no mention of the Peter Smith operation to find the emails, purportedly related to the Clinton Foundation, deleted from Hillary’s server. As I noted here, along with reaching out to multiple suspected Russian hackers and advising those with emails that might be Foundation emails to share them with WikiLeaks, rat-fucker Smith also pushed GOP operatives like rat-fucker Stone to reach out to Guccifer 2.0.

Instead, Johnson said, he put the word out to a “hidden oppo network” of right-leaning opposition researchers to notify them of the effort. Johnson declined to provide the names of any of the members of this “network,” but he praised Smith’s ambition.

“The magnitude of what he was trying to do was kind of impressive,” Johnson said. “He had people running around Europe, had people talking to Guccifer.” (U.S. intelligence agencies have linked the materials provided by “Guccifer 2.0”—an alias that has taken credit for hacking the Democratic National Committee and communicated with Republicanoperatives, including Trump confidant Roger Stone—to Russian government hackers.)

As I noted, there is much about the events from August to October that suggest Republicans may have believed WikiLeaks had obtained, and might be leaking, the Clinton Foundation emails, only to have the John Podesta ones released in their stead.

If I’m right, it would mean that by pitching everything as pertaining to Podesta, and not to other emails, Stone can more successfully deny his involvement.

And Stone’s timeline obscures some of the key details here, notably leaving out his incorrect predictions not just of an October 5 release, but that they’d be the Foundation emails.

Also note: Stone describes his exchange with Guccifer as starting on August 14. That’s actually not right. It started on August 13 (actually, August 12 East Coast time), with this tweet, which puts it in the context of two offers for files.

It’s definitely true (in the DMs that Stone includes) that Stone ultimately doesn’t response to Guccifer 2.0’s offers of data.

But that timeline also extends matters just to where things were heating up on Smith’s hunt for Clinton Foundation documents.

As noted above, Stone has denied colluding with the Russian state to affect the outcome of the election. But that’s not a denial of colluding with Russian hackers or Russian assets (the latter a rather curious term Stone uses twice to refer to Guccifer 2.0 in his statement, but not in the Breitbart piece in which he claims to have refuted claims he was an “asset”) to “prove Hillary’s corruption” or some such excuse for digging up more dirt on Hillary.

And that’s precisely the kind of thing we know a rat-fucker like Stone would do, and precisely the kind of thing we know other rat-fuckers were doing.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

One Thing Not Mentioned in Mueller Requests from the White House: The Putin Phone Call

Yesterday, three different outlets published versions of the list of stuff Robert Mueller has requested of the White House. The NYT describes Mueller asking for details of the in-person meeting with Russians after Comey’s firing, as well as details of Comey and Flynn’s firing,

Mueller’s office sent a document to the White House that detailed 13 different areas that investigators want more information about. Since then, administration lawyers have been scouring White House emails and asking officials whether they have other documents or notes that may pertain to Mr. Mueller’s requests.

One of the requests is about a meeting Mr. Trump had in May with Russian officials in the Oval Office the day after James B. Comey, the F.B. I director, was fired. That day, Mr. Trump met with the Russian foreign minister, Sergey V. Lavrov, and the Russian ambassador to the United States, Sergey I. Kislyak, along with other Russian officials. The New York Times reported that in the meeting Mr. Trump said that firing Mr. Comey relieved “great pressure” on him.

Mr. Mueller has also requested documents about the circumstances of the firing of Michael T. Flynn, who was Mr. Trump’s first national security adviser. Additionally, the special counsel has asked for documents about how the White House responded to questions from The Times about a June 2016 meeting at Trump Tower. That meeting was set up by Donald Trump Jr., the president’s eldest son, to get derogatory information from Russians about Hillary Clinton.

WaPo adds communications with Paul Manafort to the list and fleshes out the nature of the requests on Flynn and Comey.

Mueller has requested that the White House turn over all internal communications and documents related to the FBI interview of Flynn in January, days after he took office, as well as any document that discusses Flynn’s conversations with then­-Russian Ambassador Sergey Kislyak in December. Mueller has also asked for records about meetings then-Deputy Attorney General Sally Yates held with White House counsel Don McGahn in late January to alert him to Justice Department concerns about Flynn, as well as all documents related to Flynn’s subsequent ouster by the White House.

Regarding Comey, Mueller has asked for all documents related to meetings between Trump and Comey while Comey served at the FBI, records of any discussions regarding Comey’s firing and any documents related to a statement by then-press secretary Sean Spicer made on the night Comey was fired.

Here’s CNN’s mostly derivative version.

There’s one thing that’s not explicitly on this list (though it might be included in the larger request for details on Flynn’s firing): details surrounding the January 28th phone conversation between Trump and Putin, which included a bunch of people who happen to no longer be at the White House.

As a number of Democrats noted in the Sally Yates hearing before Senate Judiciary Committee, the call took place in the immediate wake of Yates’ two conversations with Don McGahn about Flynn’s potential for compromise by the Russians because of his lies about his conversation with Sergey Kislyak.

HIRONO: Others of my colleagues have mentioned, and you yourself, Mr. Clapper, said that RT is a Russian mouthpiece to spread propaganda. And, of course, we know that General Flynn attended a gala hosted by — or a 10th anniversary gala for RT in December, 2015, where he sat next President Putin and got paid over $33,000 for that.

Mr. Clapper, given the conversation that Ms. Yates provided to the White House regarding — and this is during the January 26th and 27th timeframe — regarding General Flynn, should he have sat in on the following discussions?

On January 28th, he participated in an hour-long call, along with President Trump, to President Putin. And on February 11th, he participated in a discussion with Prime Minister Abe and the president at Mar-a-Lago to discuss North Korea’s missile tests.

Should he — given the — the information that had already been provided by Ms. Yates, should he have participated in these two very specific instances?

In comments on Yates’ testimony when it got canceled on March 28, Adam Schiff focused on the possible explanation for why Flynn was kept on, through that meeting and for 18 days total after Yates’ warning to the White House.

In other words, the big question surrounding Flynn’s firing seems to have as much to do with why he wasn’t fired as why he was, eventually, 18 days after getting notice he was in trouble with DOJ. And the import of including him in that phone call with Putin seems to be a part of that.

Again, that may well be included in the universe of documents on Flynn’s firing (I’d love to see Yates’ firing in there as well, as the Muslim ban was used as an excuse to fire her just as she was raising concerns about Flynn). But it seems important to learn why Trump felt the need to keep Flynn on even after his communications with the Russians had gotten him in legal trouble.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.