Last week, Dustin Slaughter published a story using a new deck of slides on the Hemisphere program, the Drug Czar program that permits agencies to access additional telecommunications analytical services to identify phones, which then gets laundered through parallel construction to hide both how those phones were found, as well as the existence of the program itself.
It has some significant differences from the deck released by the New York Times last year. I’ve tried to capture the key differences here:
The biggest difference is that the NYT deck — which must date to no earlier than June 2013 — draws only from AT&T data, whereas the Declaration deck draws from other providers as well (or rather, from switches used by other providers).
In addition, the Declaration deck seems to reflect approval for use in fewer states (given the mention of CA court orders and the recent authorization to use Hemisphere in Washington in the AT&T deck), and seems to offer fewer analytical bells and whistles.
Thus, I agree with Slaughter that his deck predates — perhaps by some time — the NYT/AT&T deck released last year. That would mean Hemisphere has lost coverage, even while it has gained new bells and whistles offered by AT&T.
While I’m not yet sure this is my theory of the origin of Hemisphere, some dates are worth noting:
From 2002 to 2006, the FBI had telecoms onsite to provide CDRs directly from their systems (the FBI submitted a great number of its requests without any paperwork). One of the services provided — by AT&T — was community of interest tracking. Presumably they were able to track burner phones (described as dropped phones in these decks) as well.
In 2006, FBI shut down the onsite access, but retained contracts with all 3 providers (AT&T, Verizon, and probably Sprint). In 2009, one telecom — probably Verizon – declined to renew its contract for whatever the contract required.
AT&T definitely still has a contract with FBI, and in recent years, it has added more services to what it offers the FBI.
It’s possible the FBI multi-provider access moved under ONCDP (the Drug Czar) in 2007 as a way to retain its authorities without attracting the attention of DOJ’s excellent Inspector General (who is now investigating this in any case). Though I’m not sure that program provided the local call records the deck at least claims it could have offered. I’m not sure that program got to the telecom switches the way the deck seems to reflect. It’s possible, however, that the phone dragnet in place before it was moved to Section 215 in 2006 did have that direct access to switches, and the program retained this data for some years.
The phone dragnet prior to 2006 and NSL compliance (which is what the contracts with AT&T and one other carrier purportedly provide now) are both authorized in significant part (and entirely, before 2006) through voluntary compliance, per David Kris, the NSA IG Report, and the most recent NSL report. That’s a big reason why the government tried to keep this secret — to avoid any blowback on the providers.
In any case, if I’m right that the program has lost coverage (though gained AT&T’s bells and whistles) in the interim, then it’s probably because providers became unwilling, for a variety of reasons (and various legal decisions on location data are surely one of them) to voluntarily provide such information anymore. I suspect that voluntary compliance got even more circumscribed with the release of the first Horizon deck last year.
Which means the government is surely scrambling to find additional authorities to coerce this continued service.
On February 19, 2013, John Bates approved a Section 215 order targeting an alleged American citizen terrorist. He hesitated over the approval because the target’s actions consisted of protected First Amendment speech.
A more difficult question is whether the application shows reasonable grounds to believe that the investigation of [redacted] is not being conducted solely upon the basis of activities protected by the first amendment. None of the conduct of speech that the application attributes to [4 lines redacted] appears to fall outside the ambit of the first amendment. Even [redacted] — in particular, his statement that [redacted] — seems to fall well short of the sort of incitement to imminent violence or “true threat” that would take it outside the protection of the first amendment. Indeed, the government’s own assessment of [redacted] points to the conclusion that it is protected speech. [redacted] Under the circumstances, the Court is doubtful that the facts regarding [redacted] own words and conduct alone establish reasonable grounds to believe that the investigation is not being conducted solely on the basis of first amendment.
He alleviated his concerns by apparently relying on the activities of others to authorize the order.
The Court is satisfied, however, that Section 1861 also permits consideration of the related conduct of [redacted] in determining whether the first amendment requirement is satisfied. The text of Section 1861 does not restrict the Court to considering only the activities of the subject of the investigation in determining whether the investigation is “not conducted solely on the basis of activities protected by the first amendment.” Rather, the pertinent statutory text focuses on the character (protected by the first amendment or not) of the “activities” that are the “basis” of the investigation.
Later in the opinion, Bates made it clear these are activities of someone besides the US citizen target of this order, because the activities in question were not being done by US persons.
Such activities, of course, would not be protected by the first amendment even if they were carried out by a United States person.
If I’m right that behind the redactions Bates is saying the activities of associates were enough to get beyond the First Amendment bar for someone only expressing support, then it would seem to require Association analysis. But then, Bates, the big fan of not having any help on his FISC opinions, wouldn’t consider that because the government never does.
Ah well. At least we can finally clarify about whether or not the FISC is a rubber stamp for Administration spying. No. It’s a Bates stamp — in which judges engage in flaccid legal analysis in secret before approving fairly troubling applications. Which is just as pathetic.
I’ll have a more substantive post about what we learn about NSA’s broader dragnet from the Intercept’s ICREACH story.
But for the moment I want to reiterate a point I made the other day. ICREACH is important not just because it makes NSA data available to CIA and FBI. But also because it makes CIA and FBI data available for the metadata analysis the NSA conducts.
The documents describe that to include things like clandestine intelligence and flight information.
But there’s one other program that ought to be of particular concern with regards to NSA’s programs. As I laid out here, FBI had a Pen Register/Trap and Trace “program” that shared information with the NSA at least until February 2012, several months after NSA had ended its PRTT Internet dragnet program.
The secrecy behind the FBI’s PRTT orders on behalf of NSA
Finally, there’s a series of entries on the classification guide for FISA programs leaked by Edward Snowden.
These entries show that FBI obtained counterterrorism information using PRTTs for NSA — which was considered Secret.
But that the FBI PR/TT program – which seems different than these individual orders — was considered TS/SI/NOFORN.
If you compare these entries with the rest of the classification guide, you see that this information — the fact that NSA gets PRTT information from FBI (in addition to information from Pen Registers, which seems to be treated differently at the Secret level) – is treated with the same degree of secrecy as the actual targeting information or raw collected data on all other programs.
This is considered one of the most sensitive secrets in the whole FISA package.
Even minimized PRTT data is considered TS/SCI.
Now, it is true that this establishes an exact parallel with the BR FISA program (which the classification guide makes clear NSA obtained directly). So it may be attributable to the fact that the existence of the programs themselves was considered a highly sensitive secret.
So maybe that’s it. Maybe this just reflects paranoia about the way NSA was secretly relying on the PATRIOT Act to conduct massive dragnet programs.
Except there’s the date.
This classification guide was updated on February 7, 2012 — over a month after NSA shut down the PRTT program. Also, over a month after — according to Theresa Shea — the NSA destroyed all the data it had obtained under PRTT. (Note, her language seems to make clear that this was the NSA’s program, not the FBI’s.)
That is, over a month after the NSA ended its PRTT program and destroyed the data from it (at least according to sworn declarations before a court), the NSA’s classification guide referred to an FBI PRTT program that it considered one of its most sensitive secrets. And seemed to consider active.
I have no idea what this program entailed — and no one else has even picked up on this detail. It’s possible NSA’s Internet dragnet just moved under the FBI’s control. It’s possible (this is my current operative wildarseguess) that FBI’s PRTT program collects location data; the Bureau uses PRTT orders to get individualized location data, after all.
Whatever it is, though, the existence of ICREACH would make that data available to NSA in a form it could use to include it in contact chaining of metadata (which may be why it figures so prominently in NSA’s classification guide). And note: FBI’s minimization procedures are far more lenient than NSA’s, so whatever this data is, NSA may be able to do more with it given that FBI collected it.
And as with a number of other things, even the Pat Leahy version of USA Freedom would weaken protections for PRTT data.
At some point (perhaps at the end of 2009, but sometime before this application), the government tried to reapply, but withdrew their application. The three letters below were sent in response to that. But they were submitted with the reapplication.
(15/27) In addition to tagging data itself, the source now gets noted in reports.
(16/27) NSA wanted all analysts to be able to query.
(16/27) COntrary to what redaction seemed to indicate elsewhere, only contact chaining will be permitted.
(17/27) This implies that even technical access creates a record, though not about what they access, just when and who did it.
(17/27) NSA asked for the same RAS timelines as in BRFISA — I think this ends up keeping RAS longer than an initial PRTT order.
(18/27) “Virtually every PR/TT record contains some metadata that was authorized for collection, and some metadata that was not authorized for collection … virtually every PR/TT record contains some data that was not authorized by prior orders and some that was not.”
(21/27) No additional training for internal sharing of emails.
(21/27) Proof they argue everything that comes out of a query is relevant to terrorism:
Results of queries of PR/TT-sourced metadata are inherently germane to the analysis of counterterrorism-related foreign intelligence targets. This is because of NSA’s adherence to the RAS standard as a standard prerequisite for querying PR/TT metadata.
(22/27) Note “relevance” creep used to justify sharing everywhere. I really suspect this was built to authorize the SPCMA dragnet as well.
(23/27) Curious language about the 2nd stage marking: I think it’s meant to suggest that there will be no additional protection once it circulates within the NSA.
(24/27) NSA has claimed they changed to the 5 year age-off in December 2009. Given the question about it I wonder if that’s when these letters were sent?
(24/27) Their logic for switching to USSID-18:
these procedures form the very backbone for virtually all of NSA’s dissemination practices. For this reason, NSA believes a weekly dissemination report is no longer necessary.
(24-5/27) The explanation for getting rid of compliance meetings is not really compelling. Also note that they don’t mention ODNI’s involvement here.
(25/27) “effective compliance and oversight are not performed simply through meetings or spot checks.”
(27/27) “See the attached word and pdf documents provided by OIG on an intended audit of PR/TT prior to the last Order expiring as an example.” Guess this means the audit documents are from that shutdown period.
(2) DNI adopted new serial numbers for reports, so as to be able to recall requests.
(3) THey’re tracking the query reports to see if they can withdraw everything.
(3) THis is another of the places they make it clear they can disseminate law enforcement information without the USSID requirements.
(4) It appears the initial application was longer than the July 2010, given the reference to pages 78-79.
There are some very interesting comparisons with the early 2009 application, document AA.
(1) Holder applied directly this time rather than a designee (Holder may not have been confirmed yet for the early 2009 one).
(2) The redacted definition of foreign power in AA was longer.
(3) “collect” w/footnote 3 was redacted in AA.
(3) Takes out reference to “email” metadata.
(3) FN 4 both focuses on “Internet communication” rather than “email [redacted]” as AA did, but it also scopes out content in a nifty way.
I give up. I’m going to have to do a working thread on the IG Report on FBI’s use of NSLs. Here goes. References are to page numbers, not PDF numbers (PDF numbers are page+15).
ix: The report noted that NSL numbers dropped off what they had been 2007 to 2009. It speculates that may have been because of heightened scrutiny. I wonder it wasn’t because they were misusing the phone and Internet dragnet programs and getting the information that way. In 2009, after which the NSL numbers grew again, Reggie Walton shut that option down.
x: About half of NSLs during this period were used to investigate USPs.
x: “certain Internet providers refused to provide electronic communication transactional records in response to ECPA NSLs.”
xii: They’re hiding the current status of permitting the use of NSLs to get journo contacts. Which would seem to confirm they are doing so.
xiii: They’re also hiding the status of the OLC memo they used to say they could get phone records voluntarily (see this post for why). They don’t hide things very well.
2: It just makes me nuts we’re only now reviewing NSL use from 2009. Know what has happened in the interim, for example? A key player in this stuff, Valerie Caproni, has become a lifetime appointed judge.
11: Report notes that FBI tends to always use “overproduction” whether or not it was unauthorized or simply too broad.
17: Footnote 35 seems to suggest they have exceptions to the mandatory reporting requirements. What could go wrong?
39: So as recently as 2009, the tracking system did not alert OGC of manual NSLs in some percentage of the cases.
57 The numbers reported to Congress are off from the numbers shown to IG by as much as 2,800.
58: Love footnote 73, which aims to explain why the NSL numbers reported to Congress are significantly lower than those reported to OIG.
After reviewing the draft of this report, the FBI told the OIG for the first time that the NSL data provided to Congress would almost never match the NSL data provided to the OIG because the NSL data provided to Congress includes NSLs issued from case files marked “sensitive,” whereas the NSL data provided to the OIG does not. According to the FBI, the unit that provided NSL data to the OIG does not have access to the case files marked “sensitive” and was therefore unable to provide complete NSL data to the OIG. The assertion that the FBI provided more NSL data to Congress than to the OIG does not explain the disparities we found in this review, however, because the disparities we found reflected that the FBI reported fewer NSL requests to Congress than the aggregate totals.
The FBI just gives up on 100% accuracy in its NSL numbers.
After reviewing the draft of this report, the FBI told the OIG that while 100 percent accuracy can be a helpful goal, attempting to obtain 100 percent accuracy in the NSL subsystem would create an undue burden without providing corresponding benefits. The FBI also stated that it has taken steps to minimize error to the greatest extent possible.
59: On the discrepancies, OIG points out the obvious:
[T]he total number of manually generated NSLs that the FBI inspectors identified is relatively small compared to the total number of 30,442 NSL requests issued by the FBI that year. What remains unknown, however is, whether the FBI inspectors identified all the manually identified generally NSLs issued by the FBI or whether a significant number remains unaccounted for and unreported.
61: The database tracking 2007 requests — a year where there were discrepancies for 215 orders too — “is retired and unavailable.”
62: The report doesn’t have subscriber only data, which I suspect is obtained in bulk.
63: There is a significant change in the make-up of what FBI is getting in 2009, from subscriber records and toll and financial records in 2008 to toll records, then subscriber and electronic communication records in 2009. I strongly suspect that says some of the 214 and 215 collection moved to NSLs.
71: Apparently it was the release of an earlier OLC memo that led at least 2 Internet companies to refuse NSLs.
The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.
Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electornic communication transactional records because that term does not appear in subsection (b).
Today’s Inspector General Report on FBI’s use of National Security Letters has set off a bunch of alarm bells in my head.
At issue are two unexplained problems.
First, the Inspector General identified a huge drop in NSL use for the years covering this report: FBI obtained 49,425 NSLs in 2006, the year before this report. It obtained 54,935 afterwards. The years in-between — the 3 years covered by this report — NSLs dropped off a relative cliff, with 20% fewer in 2007 and even fewer in 2009.
The IG wasn’t able to offer any explanation for this, besides the possibility that increased scrutiny on NSL use led people to use other methods to get this information.
However, two supervisors and a division counsel told us that they believe agents use NSLs less often now than they did five years ago. These individuals told us that because of increased scrutiny on NSL use agents employ alternative investigative tools when possible.
In testimony last year, Jim Comey said FBI agents would just use grand jury subpoenas rather than NSLs if the NSLs became too onerous, so that may be where the activity disappeared to.
Hey, if 20% of FBI NSLs could be grand jury subpoenas without any problem, let’s make them do that!
It’s FBI’s other counting problems — and its non-answers — that have me even worried.
According to the IG, the FBI is not reporting as much as 7.3% of its NSL use to Congress. For example, when the IG tried to pull NSLs by NSL type (that is, toll billing, financial records, electronic transaction records), it found a significant discrepancy between what had been reported to Congress and what FBI’s internal spreadsheets showed.
[T]he NSL data in the itemized spreadsheets does not exactly match the NSL data reported to Congress in 2008 and 2009. The total number of requests reported for each year [by transaction type] is more than the total number of NSL requests reported to Congress by 2,894 and 2,231 requests, respectively. (63)
So for 2009, where FBI requested just 30,442 NSLs, FBI did not report 7.3% of the NSLs it requested.
(I can’t double check my math here because FBI redacted some of these tables, but I guess that’s one of the hazards of overclassifying things.)
That’s troubling enough, as is FBI’s lackadaisical attitude towards correcting the disparity.
After reviewing the draft of this report, the FBI told the OIG that while 100 percent accuracy can be a helpful goal, attempting to obtain 100 percent accuracy in the NSL subsystem would create an undue burden without providing corresponding benefits. The FBI also stated that it has taken steps to minimize error to the greatest extent possible.
Ho hum, we’re just the FBI, why expect us to be able to police ourselves?
But it gets weirder.
First, the one theory the IG came up with to explain the discrepancy is that FBI is not counting all the manual NSLs that bypass their automatic counting system implemented in response to the first IG Reports on NSLs.
In fact, they’re not: FBI’s Inspection Division found they’re not counting some significant (not single digit) percentage number of their manual NSLs (they redact how much they’re not counting on page 39).
But the IG seems to suspect there may be even more manual requests that are not being counted at all.
[T]he total number of manually generated NSLs that the FBI inspectors identified is relatively small compared to the total number of 30,442 NSL requests issued by the FBI that year. What remains unknown, however is, whether the FBI inspectors identified all the manually identified generally NSLs issued by the FBI or whether a significant number remains unaccounted for and unreported.(58)
If you guessed that FBI redacted under what circumstances FBI permits agents to bypass this automatic counting system, you’d be right. That discussion is in footnote 35 on page 17, and again on pages 113-115.
But I worry, given one observation from the IG, that they’re bypassing the automatic system in cases of “sensitive” investigations. Some apparent moron tried to explain why the IG found higher numbers for NSLs than Congress because the NSLs related to sensitive investigations were being reported to Congress but not the IG.
After reviewing the draft of this report, the FBI told the OIG for the first time that the NSL data provided to Congress would almost never match the NSL data provided to the OIG because the NSL data provided to Congress includes NSLs issued from case files marked “sensitive,” whereas the NSL data provided to the OIG does not. According to the FBI, the unit that provided NSL data to the OIG does not have access to the case files marked “sensitive” and was therefore unable to provide complete NSL data to the OIG. The assertion that the FBI provided more NSL data to Congress than to the OIG does not explain the disparities we found in this review, however, because the disparities we found reflected that the FBI reported fewer NSL requests to Congress than the aggregate totals. (58)
Aside from the revelation that FBI doesn’t understand how numbers work — that if Congressional reporting reflected a larger universe of NSLs than what the IG got to see, Congressional numbers should be higher, now lower — this also seems to mean that the IG is not being permitted to review the NSLs relating to sensitive investigations.
Now, it’s not entirely clear what FBI means by “sensitive” in this circumstance. But generally, “sensitive” investigations at FBI are those that investigate reporters, faith leaders, and politicians.
So it seems possible the FBI is not permitting the IG to review precisely the practices he should review.
Which brings me to another matter that is almost entirely redacted.
As I’ve reported repeatedly, one thing the last IG report on Exigent Letters showed is that a number of journalists have had their phone records collected by FBI. In addition, the 2011 DIOG made it acceptable to use NSLs to do so. Here’s the section of the executive summary of this report that describes whether FBI has resolved this issue.
From which I can only assume that FBI is continuing to use NSLs to collect journalist records (if FBI would like to declassify this language to prove me wrong, I welcome their transparency!).
So to sum up:
All that could be badly wrong — much of this information is redacted from both me, and in some cases, from Congress.
But doesn’t it raise some awfully big questions?
Recently I have started blogging occasionally over at Expose Facts — an entity serving whistleblowers and transparency. There’s even a SecureDrop, if you want to drop me secret documents to read!
Things will remain the same over here; I just hope to broaden my readership and support an important cause. I post links here to the more interesting posts over there.
Today, I’ve got a second post on the DOJ IG Report on FBI’s use of National Security Letters. It examines the extent to which FBI and the President’s Intelligence Oversight Board, which reviews legal violations of intelligence agencies, have classified information about FBI’s use of NSLs, even information that had been public in prior DOJ IG reports.
That is, both in the unclassified and the classified reports, FBI and President’ Obama’s oversight board demanded Horowitz hide information that had been released in some form in the 3 earlier reports DOJ’s IG did on NSLs.
FBI or PIAB are hiding:
- What kind of information FBI collects using NSLs
- What kind of violations FBI reports (or doesn’t report) to its overseers
- PIAB’s judgements about FBI’s compliance with NSL statute
This information is, of course, central to Congress and the public’s understanding of whether FBI continues to abuse the NSL statute, as it did for the first 5 years after 9/11 (this report only covers NSL use until 2009; FBI’s more current use remains unexamined).
FBI’s suppression of this information is all the more troublesome given that the USA Freedom Act currently being debated in the Senate addresses some of the FBI’s use of NSLs.
I’m reading this DOJ IG report on NSLs — about which I’ll have far more later.
But given everything we’ve learned about NSA’s dragnet, I’m rather interested in footnote 156:
Company A, Company B, and Company C are the three telephone carriers described in our Exigent Letters Report that provided telephone records to the TCAU in response to exigent letters and other informal requests between 2003 and 2006. As described in our Exigent Letters Report, the FBI entered into contracts with these carriers in 2003 and 2004, which required that the communication service providers place their employees in the TACU’s office space and give these employees access to their companies’ databases so they could immediately service FBI requests for telephone records. Exigent Letters Report, 20. As described in the next chapter, TCAU no longer shares office space with the telephone providers. Companies A and C continue to serve FBI requests for telephone records and provide the records electronically to the TCAU. Company B did not renew its contract with the FBI in 2009 and is no longer providing telephone records directly to the TCAU. Company B continues to provide telephone records in response to NSL requests issued directly by the field without TCAU’s assistance.
I’m guessing Company B is Verizon, because it always comes second! Though it could also be Sprint.
Recall that Reggie Walton shut down Verizon production for part of 2009 (I’ll have posts reinforcing this claim sometime in the near future). Verizon may have started being a jerk about providing foreign calls records at that point which — at least technically were provided voluntarily. So that’s why it might be Verizon.
At the same time. Sprint is a good candidate because, at the end of the year, it demanded legal process from the phone dragnet. Also, it has challenged DOJ’s reimbursements, which has gotten it sued.
Given ongoing discussions about whether NSA gets all the phone records it’d like under Section 215 — and the explanation they’re missing cell records — I’m particularly interested in this development.
The three surveillance critics from the Senate Intelligence Committee — Ron Wyden, Mark Udall, and Martin Heinrich — wrote a letter to Obama on the developments in the NSA reform. Generally, they repeat exhortations that Wyden and Udall have already made in hearings to end the dragnet right now, as Obama has already claimed he wants to do.
I’m not entirely sure what to make of it, but I find some of the details in it to be of particular interest.
The Senators point out, for example, that several bills accomplish the goals Obama has publicly stated he’d support. Those bills include the original USA Freedom Act, and separate proposals advanced by both Udall and Wyden.
But they also include the original PATRIOT Reauthorization from 2005, which Dianne Feinstein once supported, as did a young Senator named Barack Obama (though the Senators don’t mention either of those details). Wyden has long pointed obliquely to when the Executive first started using PATRIOT to conduct dragnets, and the record shows the Executive withheld information about how it was using the PRTT authority from even the Intelligence Committees during the 2005 reauthorization. So the Senators may be nodding towards Executive refusal to respect the will of Congress with this mention.
The Senators then both question claims from Administration officials that “in the absence of new legislation, there is no plan to suspend the bulk collection of Americans’ phone records,” and express their doubts “that the version of the USA Freedom Act that recently passed the House of Representatives would actually ban the bulk collection of Americans’ records.”
While they repeatedly reiterate their support for legislative reform, they also lay out a plan by which the President can immediately end the dragnet. Here’s the part I find particularly interesting.
First, they say it is “highly likely” FISC would let them get 2-degrees of phone records, unless FISC has already prohibited that.
Unless the FISC has already rejected such a request from the government, it does not seem necessary for the executive branch to wait for Congress before taking action.
Isn’t this already included in current orders? Shouldn’t the Senators know if FISC has rejected such a request (especially Wyden, who has been on the committee through all this period)? Is Wyden saying it’s possible there’s something else limiting the dragnet? Is he pointing to a ruling he knows about?
Just as interesting, the Senators argue the Pen Register Authority — not Section 215 — could serve to carry out the prospective collection the bill claims to want to do.
FISC would likely approve the defined and limited prospective searches for records envisioned under your proposal pursuant to current USA PATRIOT Act Section 214 pen register authorities, given how broadly it has previous interpreted these authorities.
Finally, although we have seen no evidence that the government has needed the bulk phone records collection program to attain any time-sensitive objectives, we agree that new legislation should provide clear emergency authorities to allow the government to obtain court approval of individual queries after the fact under specific circumstances. The law currently allows prospective emergency acquisitions of call records under Section 403 of the Foreign Intelligence Surveillance Act (FISA), and the acquisition of past records without judicial review under national security letter authorities.
Of course, the PRTT authority (cited twice here) should always have been the appropriate authority for this collection; we’ve just never learned why the government didn’t use that.
Basically, the Senators are laying out how the Executive could do precisely what it says it wants to do with existing authorities (indeed, with the PRTT authority that are actually targeted to the kind of record in question).
The Executive has all the authorities it needs, the Senators lay out, so why doesn’t it end the dragnet — achieve the reform it claims it wants — immediately?
We believe the way to restore Americans’ constitutional rights and their trust in our intelligence community is to immediately end the practice of vacuuming up the phone records of huge numbers of innocent Americans every day and permit the government to obtain only the phone records of people actually connected to terrorism or other nefarious activity. We support your March 27, 2014, proposal to achieve these goals, but we also view ending bulk collection as an imperative that cannot wait.
Damn! That’s a very good question! Obama moved immediately to implement his first reform proposal — advance FISC approval and limits to two hops — back in February. So why isn’t he moving immediately to implement the plan he says he wants now, as the Senators lay out he could well do under existing authorities?
It may be the Senators are just pressuring Obama to implement changes now, and nothing here is meant to point to some underlying issue.
But I wildarseguess that they’re trying to point out the differences between what they could do — under the PRTT orders they should have been using from the start — and what they want to do.
There’s one difference we can point to right away, after all: immunity. If all the government wanted to do was to obtain call detail records, then they wouldn’t need to give the telecoms immunity. That’s something they do every day. But there’s something they will do that has led the telecoms to demand immunity. That’s the stuff that goes beyond traditional PRTT activity.
Then there’s the stuff we don’t know about: the “connections” based chaining. As I’ve said, I don’t know what that entails. But it is an obvious explanation for why the telecoms need immunity — and for why a simple PRTT order won’t suffice.
One way or another, the Senators are calling Obama’s bluff. Obama says he wants nothing more than to obtain specific phone records going forward. If that’s true, he could make the change today. Yet the Executive is clear they can’t do that.
Update: One more detail. As Wyden’s release on this makes clear, today’s the day the March 28, 2014 phone dragnet order expires, so presumably the government got another one today. We’ve never seen that March 28 order, by the way.
Back in January, I noted that both the President’s Review Group and those behind the Leahy-Sensenbrenner USA Freedom Act seemed very concerned that the government is using NSLs to conduct bulk collection (which is the term I used, based off the fact that both made parallel changes to Section 215 and NSL collection). Both required (recommended, in the case of PRG) that the government fix that by requiring that NSL’s including language asserting that the particular information sought has a tie to the investigation in question, and some limits on the amount of information collected.
Here’s how the PRG phrased it.
Recommendation 2 We recommend that statutes that authorize the issuance of National Security Letters should be amended to permit the issuance of National Security Letters only upon a judicial finding that:
(1) the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and
(2) like a subpoena, the order is reasonable in focus, scope, and breadth.
The thing is, because NSLs haven’t shown up in any troves of leaked documents, we don’t know why USA Freedom original backers and PRG are so concerned NSLs today collect data beyond reasonable breadth (though IG reports done years ago raised big concerns, many of them about whether FBI was meeting the legal standards required).
We don’t know what kind of bulk collection they’re engaging in.
Because FBI — not NSA — primarily uses NSLs, we don’t know what the problem is.
I raise this now because – in addition to having planned on writing this post since January — of questions about whether the HjC HJC and HPSCI “reform” bills will really end what you and I (as distinct from the Intelligence Community) would consider bulk collection.
And NSL reporting — unlike that for Section 215 — provides some hints on where the bulk collection might be.
Here’s what the most recent FISA report to Congress says about (most) NSLs issued last year.
Requests Made for Certain Information Concerning Different United States Persons Pursuant to National Security Letter Authorities During Calendar Year 2013 (USA PATRIOT Improvement and Reauthorization Act of 2005, Pub. L. No. 109-177 (2006))
Pursuant to Section 118 of the USA PATRIOT Improvement and Reauthorization Act, Pub. L. 109-177 (2006), the Department of Justice provides Congress with annual reports regarding requests made by the Federal Bureau of Investigation (FBI) pursuant to the National Security Letter (NSL) authorities provided in 12 U.S.C. § 3414, 15 U.S.C. § 1681u, 15 U.S.C. § 1681v, 18 U.S.C § 2709, and 50 U.S.C. § 436.
In 2013, the FBI made 14,219 requests (excluding requests for subscriber information only) for information concerning United States persons. These sought information pertaining to 5,334 different United States persons.2
2 In the course of compiling its National Security Letter statistics, the FBI may over-report the number of United States persons about whom it obtained information using National Security Letters. For example, NSLs that are issued concerning the same U.S. person and that include different spellings of the U.S. person’s name would be counted as separate U.S. persons, and NSLs issued under two different types of NSL authorities concerning the same U.S. person would be counted as two U.S. persons.
The report would seem to say that the 14,219 requests were based off requests about 5,334 US persons. That’s not really bulk collection, at least on its face! So where is the bulk collection PRG and USAF seem worried about?
It’s possible this report hides some bulk collection in a different Agency. The law requiring this report only requires DOJ to report on the number of requests DOJ made in the previous year.
In April of each year, the Attorney General shall submit to Congress an aggregate report setting forth with respect to the preceding year the total number of requests made by the Department of Justice for information concerning different United States persons under–
(A) section 2709 of title 18, United States Code (to access certain communication service provider records), excluding the number of requests for subscriber information;
[the law goes on to list the other NSL provisions]
While DOJ’s report should cover both FBI and DEA, I suppose it’s possible that some other entities — not just NSA but also Treasury, NCTC, and CIA — are submitting NSLs themselves, particularly in the case of financial records (though I think Treasury doesn’t have to use NSLs to do this).
The other obvious place the language of the report hides bulk collection is in subscriber records. The law exempts subscriber information requests from the reporting pertaining to US persons. The FBI could be applying for what amount to phone books of all the subscribers of all the phone companies and Internet service providers in the United States and it wouldn’t show up in this report, even though those requests might pertain to hundreds of millions of US persons.
I assume to some extent it is doing this, because there must be a reason subscriber records were excluded from this law. And this would count as bulk collection even according to the Intelligence Community definition of the term.
Via the PRG, we can get a sense of how many such subscriber requests there are. It says FBI issued 21,000 NSLs in FY 2012.
FBI issued 21,000 NSLs in Fiscal Year 2012, primarily for subscriber information.
While the reporting period is different, DOJ reported that FBI obtained 15,229 NSLs in 2012. Which means the balance — so around 5,500 NSLs — would be for subscriber data. Even if only a significant fraction of those are for all of companies’ subscribers, that’s still a fairly comprehensive list of subscriber information across a broad range of providers.
Those 5,500 requests could each be 50 US persons or 120 million US persons; we don’t know. That would be pretty significant bulk collection. But not the same kind of privacy risk PRG seems to have in mind (and if that were the only problem, why change all 4 NSL statutes, as USA Freedom Act did and to the extent it makes a difference still does)?
Still, we know that even the other NSLs — the ones for which we have real data about how many US persons the NSLs “pertained to” — affected far more US persons. That’s because the Exigent Letters IG Report made it clear that two providers (one of these is AT&T, which did it routinely; see page 75ff) provided community of interest information — multiple hops of call records — in response to NSLs. In discovering that, DOJ’s IG complained that FBI was routinely getting information — the derivative call records — that it had not done a relevancy determination for, but it didn’t object across the board.
That concern about ensuring that records obtained via a national security request are “relevant” according to the plain meaning of the term sure seems quaint right now, doesn’t it?
But the potential that FBI is using NSLs to obtain derivative records off of the original selector would sure explain why PRG and Pat Leahy and others are concerned about NSLs (and what we would call — but IC wouldn’t — “bulk collection”).
I assume they can only do this with complicit providers (and I suspect this explains the rise of Section 215 orders with attached minimization requirements in recent years).
But if it happens in significant number at all, it would explain why Leahy and PRG consider it an equivalent problem to Section 215. Because it would mean FBI was using NSLs — not just with telecom and Internet records, but possibly with other things (though I don’t see how you could do this on credit reports) — to get data on associations several levels removed from the target of the NSL.
Here’s the immediate takeaway, though.
Aside from the phone book application (which is significant and I think would be curtailed given the HJC bill, unless FBI were to make requests of AT&T using “AT&T” as the selection term) and financial records (which I’m still thinking through), NSLs appear to include a great deal of “bulk” collection (that is, collection of innocent persons’ data based on association). But they appear to do so from specific identifiers.
And that will not be curtailed by the HJC bill, not at all. It is clear these requests for NSLs are already currently based off selectors — it shows in this reporting.
So at least for two uses of NSLs — credit reports and call details (but not subscriber records) — the House bill simply codifies the status quo.
Update: Here’s the financial records language on NSLs:
Financial institutions, and officers, employees, and agents thereof, shall comply with a request for a customer’s or entity’s financial records made pursuant to this subsection by the Federal Bureau of Investigation when the Director of the Federal Bureau of Investigation (or the Director’s designee in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director) certifies in writing to the financial institution that such records are sought for foreign counter intelligence  purposes to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution of the United States.
It’s clearly intended to work for things that would be a selection term — “customer” or “entity” (which in this context would seem to be different from a customer!) — but I’m not sure it requires that the collection be based off the customer selection term.