Keith Alexander is testifying before the Senate Armed Services Committee, ostensibly about CyberCommand.
He has gotten a number of questions about the solutions they’ve offered the President to resolve the phone dragnet issue. He responded it would be possible to keep the data with the telecoms.
Then, in response to a Cyber question, Alexander said the problem is that the NSA can’t share classified information about malicious code with industry, because if it does so in a non-classified setting, attackers will learn how NSA obtained the information. (There’s a lot that’s problematic with that claim, but just ignore all that for now.)
So we need legislation that allows NSA to share classified information back and forth with industry.
He then returned to the phone dragnet. He suggested that the industry retention solution would require legislation allowing NSA to share terrorist identifiers with industry. (Note, this premise is absolutely absurd, as DEA apparently has no problem with sharing drug target identifiers with AT&T in the Hemisphere program in an explicitly unclassified program.)
Finally, he said this legislation — allowing the NSA to share classified identifiers with industry — would serve as the precedent for the Cyber legislation he has long sought but not obtained legislatively.
In other words, on his way out the door, Keith Alexander is now sacrificing his beloved phone dragnet to get cyber legislation in the guise of something else.
[T]he Government requests that Section (3)E of the Court’s Primary Order be amended to authorize the preservation and/or storage of certain call detail records or “telephony metadata” (hereinafter “BR metadata”) beyond five years (60 months) after its initial collection under strict conditions and for the limited purpose of allowing the Government to comply with its preservation obligations, described below, arising as a result of the filing of several civil lawsuits challenging the legality of the National Security Agency (NSA) Section 215 bulk telephony metadata collection program.
It provides this introduction to a list of the suits in question.
The following matters, currently pending either before a United States District Court, or United States Court of Appeals, are among those in which a challenge to the lawfulness of the Section 215 program have been raised:
It goes on to say,
The duty to preserve typically arises from the common-law duty to avoid spoilation of relevant evidence for use at trial;
A party may be exposed to a range of sanctions not only for violating a preservation order,3 but also for failing to produce relevant evidence when ordered to do so because it destroyed information that it had a duty to preserve.
3 To date, no District Court or Court of Appeals has entered a specific preservation order in any of the civil lawsuits referenced in paragraph 4 but a party’s duty to preserve arises apart from any specific court order.
When preservation of information is required, the duty to preserve supersedes statutory or regulatory requirements or records-management policies that would otherwise result in the destruction of the information.
Based upon the claims raised and the relief sought, a more limited retention of the BR metadata is not possible as there is no way for the Government to know in advance and then segregate and retain only that BR metadata specifically relevant to the identified lawsuits.
Congress did not intend FISA or the minimization procedures adopted pursuant to section 1801(h) to abrogate the rights afforded to defendants in criminal proceedings.4 For example, in discussing section 1806, Congress stated,
[a]t the outset, the committee recognizes that nothing in these subsections abrogates the rights afforded a criminal defendant under Brady v. Maryland, and the Jencks Act. These legal principles inhere in any such proceeding and are wholly consistent with the procedures detailed here.
Although the legislative history discussed above focuses on the use of evidence against a person in criminal proceedings, the Government respectfully submits that the preservation of evidence in civil proceedings is likewise consistent with FISA.
4 By extension, this should also apply to section 1861(g) which, with respect to retention is entirely consistent with section 1801(h).
Now, if you’re not already peeing your pants in laughter, consider the following.
First, as EFF’s Cindy Cohn pointed out to the WSJ, Judge Vaughn Walker issued a retention order in EFF’s 2008 suit against the dragnet.
Ms. Cohn also questioned why the government was only now considering this move, even though the EFF filed a lawsuit over NSA data collection in 2008.
In that case, a judge ordered evidence preserved related to claims brought by AT&T customers. What the government is considering now is far broader.
So, at least in her interpretation, it should already be retaining it.
Then, consider DOJ’s very serious citation of Congress’ intention that FISA not impair any defendant’s criminal rights. It basically says that that principle, laid out during debates about traditional FISA in 1978, should apply to other parts of FISA like the phone dragnet.
Of course, it was only 24 hours ago when DOJ was last caught violating that principle in Section 702, abrogating a defendant’s right to know where the evidence against him came from. And there are a whole slew of criminal defendants — most now imprisoned — whose 702 notice DOJ is still sitting on, whose rights DOJ felt perfectly entitled to similarly abrogate (we know this because back in June FBI was bragging about how many of them there were). So I am … surprised to hear DOJ suggest it gives a goddamn about criminal defendants’ rights, because for at least the last 7 years it has been shirking precisely that duty as it pertains to FISA.
Also, did you notice what pending case pertaining to the legality of the phone dragnet DOJ didn’t mention? Basaaly Moalin’s appeal of his conviction based off evidence collected pursuant to Section 215. What do you want to bet that NSA hasn’t retained the original phone records that busted him, which would have aged off NSA’s servers back in October 2012, well before DOJ told Moalin it had used Section 215 to nab him. That’s relevant because, according to recent reporting, NSA should not have been able to find Moalin’s call records given claims about limits on collection; if they did, they probably only did because AT&T was turning over other providers phone records. Moreover, we know that NSA was in violation of the dragnet minimization requirements in a slew of different ways at the time. Notably, that includes queries using selectors that had not been RAS-approved, as required, and dissemination using EO 12333′s weaker dissemination rules. Now that we know of these problems, a court might need that original data to determine whether the search that netted Moalin was proper (I presume NSA has the original query results and finished intelligence reports on it, but it’s not clear that would explain precisely how NSA obtained that data). Significantly, it was not until after 2009 that NSA even marked incoming data to show where it had been obtained.
So show us (or rather, Moalin’s lawyers) the data, NSA.
Ah well. If nothing else, this laughable motion should prove useful for defendants challenging their conviction because DOJ abrogated their rights!
I’ve been tracking the sudden effort on the part of NSA to minimize how much of the call data in the US it collects (under “this program,” Section 215).
That effort has, unsurprisingly, carried over to its sworn declarations in lawsuits.
Along with the response in the First Unitarian Church of Los Angeles v. NSA suit the government filed last Friday (this is the EFF-backed suit that challenges the phone dragnet on Freedom of Association as well as other grounds), NSA’s Signals Intelligence Director Theresa Shea submitted a new declaration about the scope of the program.
Ostensibly, Shea’s declaration serves to explain the “new” “changes” Obama announced last month, which the FISA Court approved on February 4. As I have noted, in one case the “change” simply formalized NSA”s existing practice and in the other it’s probably not a big change either.
In addition to her explanation of those “changes,” Shea included this language about the scope of the dragnet.
Although there has been speculation that the NSA, under this program, acquires metadata relating to all telephone calls to, from, or within the United States, that is not the case. The Government has acknowledged that the program is broad in scope and involves the collection and aggregation of a large volume of data from multiple telecommunications service providers, but as the FISC observed in a decision last year, it has never captured information on all (or virtually all) calls made and/or received in the U.S. See In re Application of the FBI for an Order Requiring the Production of Tangible Things from [Redacted], Dkt. No. BR13-109 Amended Mem. Op. at 4 n.5 (F.I.S.C. Aug. 29, 2013) (publicly released, unclassified version) (“The production of all call detail records of all persons in the States has never occurred under under this program.“) And while the Government has also acknowledged that one provider was the recipient of a now-expired April 23, 2013, Secondary Order from the FISC (Exhibit B to my earlier declaration), the identities of the carriers participating in the program (either now, or at any time in the past) otherwise remain classified. [my emphasis]
Shea appears to be presenting as partial a picture of the dragnet as she did in her prior declaration, where she used expansive language that — if you looked closely — actually referred to the entire dragnet, not just the Section 215 part of it.
Here, she’s selectively citing the declassified August 29, 2013 version of Claire Eagan’s July 19, 2013 opinion. The latter date is significant, given that the day the government submitted the application tied to that order, NSA General Counsel Raj De made it clear there were 3 providers in the program (see after 18:00 in the third video). These are understood to be AT&T, Sprint, and Verizon.
Shea selectively focuses on language that describes some limits on the dragnet. She could also note that Eagan’s opinion quoted language suggesting the dragnet (at least in 2011) collected “substantially all” of the phone records from the providers in question, but she doesn’t, perhaps because it would present problems for her “virtually all” claim.
Moreover, Shea’s reference to “production of all call detail records” appears to have a different meaning than she suggests it has when read in context. Here’s what the actual language of the opinion says.
Specifically, the government requested Orders from this Court to obtain certain business records of specified telephone service providers. Those telephone company business records consist of a very large volume of each company’s call detail records or telephony metadata, but expressly exclude the contents of any communication; the name, address, or financial information of any subscriber or customer; or any cell site location information (CSLI). Primary Ord. at 3 n.l.5
5 In the event that the government seeks the production of CSLI as part of the bulk production of call detail records in the future, the government would be required to provide notice and briefing to this Court pursuant to FISC Rule 11. The production of all call detail records of all persons in the United States has never occurred under this program. For example, the government [redacted][my emphasis]
In context, the reference discusses not just whether the records of all the calls from all US telecom providers (AT&T, Sprint, and Verizon, which participated in this program on the date Eagan wrote the opinion, but also T-Mobile and Cricket, plus VOIP providers like Microsoft, owner of Skype, which did not) are turned over, but also whether each provider that does participate (AT&T, Sprint, and Verizon) turns over all the records on each call. The passage makes clear they don’t do the latter; AT&T, Sprint, and Verizon don’t turn over financial data, name, or cell location, for example! And since we know that at the time Eagan wrote this opinion, there were just those 3 providers participating, clearly the records of providers that didn’t use the backbone of those 3 providers or, in the case of Skype, would be inaccessible, would be missed. So not all call detail records from the providers that do provide records, nor records covering all the people in the US. But still a “very large volume” from AT&T, Sprint, and Verizon, the providers that happen to be covered by the suit.
And in this declaration, instead of using the number De used last July, Shea instead refers to “multiple telecommunications service providers,” which could be 50, 4, 3, or 2, or anywhere in between. Particularly given her “either now, or at any time in the past” language, this suggests the number of providers participating may have changed since July.
Which brings me to the two other implicit caveats in her statement.
First, she suggests (ignoring the time ODNI revealed Verizon’s name a second time) that the only thing we can be sure of is that Verizon provided all its domestic data for the 3 months following April 23, 2013.
Actually, we can be fairly sure that at least until January 3, Verizon still participated. That’s because the Primary Order approved on that date still includes a paragraph that — thanks to ODNI’s earlier redaction fail — we know was written to ensure that Verizon didn’t start handing over its foreign call records along with its domestic ones.
Though curiously, the way in which DOJ implemented the Obama-directed changes — the ones that Shea’s declaration supposedly serves to explain — involved providing substitute language affecting a huge section of the Primary Order, without providing a new Primary Order itself. So we don’t know whether ¶1(B) — what I think of as the Verizon paragraph — still exists, or even whether it still existed on February 4, when Reggie Walton approved the change.
Which is particularly interesting given that Shea’s declaration just happened to be submitted on the date, February 21, when a significant change in Verizon’s structure may have affected how NSA gets its data. (That date was set in December by a joint scheduling change.)
One way or another, Shea’s claim that the dragnet doesn’t collect all or even virtually all phone records is very time delimited, certainly allowing the possibility that the scope of the dragnet has changed since the plaintiffs filed this suit on July 16, 3 days before Eagan explicitly excluded cell location data from the dragnet collection, which is the reason NSA’s leak recipients now give for limits on the scope of the program.
The claim is also — as claims about the Section 215 always are — very program delimited. In her statement claiming limits on how much data the NSA collects, Shea makes 2 references to “this program” and quotes Eagan making a third. She’s not saying the NSA doesn’t collect all the phone data in the US (I don’t think they quite do that either, but I think they collect more US phone data than they collect under this program). She’s saying only that it doesn’t collect “virtually all” the phone data in the US “under this program.”
Given her previously expansive declaration (which implicitly included all the other dragnet collection methods), I take this declaration as a rather interesting indicator of the limits to the claims about limits to the dragnet.
Office of Director of National Intelligence General Counsel Robert Litt, 45 days ago:
Senator Ron Wyden asked about collection of information on Americans during a lengthy and wide-ranging hearing on an entirely different subject. While his staff provided the question the day before, Mr. Clapper had not seen it. As a result, as Mr. Clapper has explained, he was surprised by the question and focused his mind on the collection of the content of Americans’ communications. In that context, his answer was and is accurate.
When we pointed out Mr. Clapper’s mistake to him, he was surprised and distressed. I spoke with a staffer for Senator Wyden several days later and told him that although Mr. Clapper recognized that his testimony was inaccurate, it could not be corrected publicly because the program involved was classified.
This incident shows the difficulty of discussing classified information in an unclassified setting and the danger of inferring a person’s state of mind from extemporaneous answers given under pressure.
Director of National Intelligence James Clapper, today:
But Clapper told The Daily Beast that he simply misunderstood Wyden’s question. At the time of the hearing last March, Congress had just finished consideration of a bill to renew the Foreign Intelligence Surveillance Act (FISA). Section 702 of that legislation gives the National Security Agency the authority to collect the electronic communications of non-U.S. persons. In his question, Wyden asked initially if the United States had collected “dossiers” on American citizens and referred to an answer to this question by then NSA director, Keith Alexander.
“I was not even thinking of what he was asking about, which is of course we now all know as section 215 of the Patriot Act governing the acquisition and storage of telephony business records metadata,” Clapper said. “Wasn’t even thinking of that.” The director of national intelligence said he thought Wyden’s question was actually about section 702 of FISA.
“The allegation about my lying and committing perjury I think are disproven by my labored amplification when I said, ‘if there is, it’s inadvertent collection,’ meaning when we’re collecting overseas under section 702, and if we inadvertently collect which we may not know at the time, U.S. persons data, that’s what I meant by inadvertent. That comment would make absolutely no sense whatsoever in the context of section 215.”
At the time of the Mitchell interview, the U.S. government was still in the process of declassifying elements of the FISA 702 program. “There is only one person on the planet who actually knows what I was thinking,” Clapper said of his testimony from last March. “Not the media, and not certain members of Congress, only I know what I was thinking.”
If only one person knows what he was thinking, then how was Robert Litt in any position to tell us Clapper was “surprised”?
And has Clapper decided he wasn’t “surprised” (perhaps because he had been briefed, not to mention had received months and months of letters, about the question), but instead simply “misunderstood” the intent of a question he had received months of letters about?
In December, I wrote a post noting that NSA personnel performing analysis on PATRIOT-authorized metadata (both phone or Internet) can choose to contact chain on just that US-collected data, or — in what’s call a “federated query” — on foreign collected data, collected under Executive Order 12333, as well. It also appears (though I’m less certain of this) that analysts can do contact chains that mix phone and Internet data, which presumably is made easier by the rise of smart phones.
Section 215 is just a small part of the dragnet
This is one reason I keep complaining that journalists reporting the claim that NSA only collects 20-30% of US phone data need to specify they’re talking about just Section 215 collection. Because we know, in part because Richard Clarke said this explicitly at a Senate Judiciary Committee hearing last month, that Section “215 produces a small percentage of the overall data that’s collected.” At the very least, the EO 12333 data will include the domestic end of any foreign-to-domestic calls it collects, whether made via land line or cell. And that doesn’t account for any metadata acquired from GCHQ, which might include far more US person data.
The Section 215 phone dragnet is just a small part of a larger largely-integrated global dragnet, and even the records of US person calls and emails in that dragnet may derive from multiple different authorities, in addition to the PATRIOT Act ones.
SPCMA provided NSA a second way to contact chain on US person identifiers
With that background, I want to look at one part of that dragnet: “SPCMA,” which stands for “Special Procedures Governing Communications Metadata Analysis,” and which (the screen capture above shows) is one way to access the dragnet of US-collected (“1st person”) data. SPCMA provides a way for NSA to include US person data in its analysis of foreign-collected intelligence.
According to what is currently in the public record, SPCMA dates to Ken Wainstein and Steven Bradbury’s efforts in 2007 to end some limits on NSA’s non-PATRIOT authority metadata analysis involving US persons. (They don’t call it SPCMA, but the name of their special procedures match the name used in later years; the word, “governing,” is for some reason not included in the acronym)
Wainstein and Bradbury were effectively adding a second way to contact chain on US person data.
They were proposing this change 3 years after Collen Kollar-Kotelly permitted the collection and analysis of domestic Internet metadata and 1 year after Malcolm Howard permitted the collection and analysis of domestic phone metadata under PATRIOT authorities, both with some restrictions, By that point, the NSA’s FISC-authorized Internet metadata program had already violated — indeed, was still in violation — of Kollar-Kotelly’s category restrictions on Internet metadata collection; in fact, the program never came into compliance until it was restarted in 2010.
By treating data as already-collected, SPCMA got around legal problems with Internet metadata
Against that background, Wainstein and Bradbury requested newly confirmed Attorney General Michael Mukasey to approve a change in how NSA treated metadata collected under a range of other authorities (Defense Secretary Bob Gates had already approved the change). They argued the change would serve to make available foreign intelligence information that had been unavailable because of what they described as an “over-identification” of US persons in the data set.
NSA’s present practice is to “stop” when a chain hits a telephone number or address believed to be used by a United States person. NSA believes that it is over-identifying numbers and addresses that belong to United States persons and that modifying its practice to chain through all telephone numbers and addresses, including those reasonably believed to be used by a United States person, will yield valuable foreign intelligence information primarily concerning non-United States persons outside the United States. It is not clear, however, whether NSA’s current procedures permit chaining through a United States telephone number, IP address or e-mail address.
They also argued making the change would pave the way for sharing more metadata analysis with CIA and other parts of DOD.
The proposal appears to have aimed to do two things. First, to permit the same kind of contact chaining — including US person data — authorized under the phone and Internet dragnets, but using data collected under other authorities (in 2007, Wainstein and Bradbury said some of the data would be collected under traditional FISA). But also to do so without the dissemination restrictions imposed by FISC on those PATRIOT-authorized dragnets.
In addition (whether this was one of the goals or not), SPCMA defined metadata in a way that almost certainly permitted contact chaining on metadata not permitted under Kollar-Kotelly’s order.
“Metadata” also means (1) information about the Internet-protocol (IP) address of the computer from which an e-mail or other electronic communication was sent and, depending on the circumstances, the IP address of routers and servers on the Internet that have handled the communication during transmission; (2) the exchange of an IP address and e-mail address that occurs when a user logs into a web-based e-mail service; and (3) for certain logins to web-based e-mail accounts, inbox metadata that is transmitted to the user upon accessing the account.
Some of this information — such as the web-based email exchange — almost certainly would have been excluded from Kollar-Kotelly’s permitted categories because it would constitute content, not metadata, to the telecoms collecting it under PATRIOT Authorities.
Wainstein and Bradbury appear to have gotten around that legal problem — which was almost certainly the legal problem behind the 2004 hospital confrontation — by just assuming the data was already collected, giving it a sort of legal virgin birth.
Doing so allowed them to distinguish this data from Pen Register data (ironically, precisely the authority Kollar-Kotelly relied on to authorize PATRIOT-authorized Internet metadata collection) because it was no longer in motion.
First, for the purpose of these provisions, “pen register” is defined as “a device or process which records or decodes dialing, routing, addressing or signaling information.” 18 U.S.C. § 3127(3); 50 U.S.C. § 1841 (2). When NSA will conduct the analysis it proposes, however, the dialing and other information will have been already recorded and decoded. Second, a “trap and trace device” is defined as “a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing and signaling information.” 18 U.S.C. § 3127(4); 50 U.S.C. § 1841(2). Again, those impulses will already have been captured at the point that NSA conducts chaining. Thus, NSA’s communications metadata analysis falls outside the coverage of these provisions.
And it allowed them to distinguish it from “electronic surveillance.”
The fourth definition of electronic surveillance involves “the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication …. ” 50 U.S.C. § 1802(f)(2). “Wire communication” is, in turn, defined as “any communication while it is being carried by a wire, cable, or other like com1ection furnished or operated by any person engaged as a common carrier …. ” !d. § 1801 (1). The data that the NSA wishes to analyze already resides in its databases. The proposed analysis thus does not involve the acquisition of a communication “while it is being carried” by a connection furnished or operated by a common carrier.
This legal argument, it seems, provided them a way to carve out metadata analysis under DOD’s secret rules on electronic surveillance, distinguishing the treatment of this data from “interception” and “selection.”
For purposes of Procedure 5 of DoD Regulation 5240.1-R and the Classified Annex thereto, contact chaining and other metadata analysis don’t qualify as the “interception” or “selection” of communications, nor do they qualify as “us[ing] a selection term,” including using a selection term “intended to intercept a communication on the basis of … [some] aspect of the content of the communication.”
This approach reversed an earlier interpretation made by then Counsel of DOJ’s Office of Intelligence and Policy Review James A Baker.
Baker may play an interesting role in the timing of SPCMA. He had just left in 2007 when Bradbury and Wainstein proposed the change. After a stint in academics, Baker served as Verizon’s Assistant General Counsel for National Security (!) until 2009, when he returned to DOJ as an Associate Deputy Attorney General. Baker, incidentally, got named FBI General Counsel last month.
NSA implemented SPCMA as a pilot in 2009 and more broadly in 2011
It wasn’t until 2009, amid NSA’s long investigation into NSA’s phone and Internet dragnet violations that NSA first started rolling out this new contact chaining approach. I’ve noted that the rollout of this new contact-chaining approach occurred in that time frame.
Comparing the name …
SIGINT Management Directive 424 (“SIGINT Development-Communications Metadata Analysis”) provides guidance on the NSA/ CSS implementation of the “Department of Defense Supplemental Procedures Governing Communications Metadata Analysis” (SPCMA), as approved by the U.S. Attorney General and the Secretary of Defense. [my emphasis]
And the description of the change …
Specifically, these new procedures permit contact chaining, and other analysis, from and through any selector, irrespective of nationality or location, in order to follow or discover valid foreign intelligence targets. (Formerly analysts were required to determine whether or not selectors were associated with US communicants.) [emphasis origina]
,,, Make it clear it is the same program.
NSA appears to have made a few changes in the interim. Continue reading
Eight days ago, the country’s four major newspapers reported a claim that the NSA collected 33% or less of US phone records (under the Section 215 program, they should have specified, but did not) because it couldn’t collect most cell phone metadata:
Since that time, I have pointed to a number of pieces of evidence that suggest these claims are only narrowly true:
Now you don’t have to take my word for it. Here’s what Keith Alexander had to say about the claim Friday:
Responding to a question about recent reports that the NSA collects data on only 20% to 30% of calls involving U.S. numbers, Alexander acknowledged that the agency doesn’t have full coverage of those calls. He wouldn’t say what fraction of the calls NSA gets information on, but specifically denied that the agency is completely missing data on calls made with cell phones.
“That part is not true,” he said. “We don’t get it all. We don’t get 100% of the data. It’s not where we want it to be, but it has been sufficient to go after the key targets that we’re going after.” [my emphasis]
Admittedly, Alexander is not always entirely honest, so it’s possible he’s just trying to dissuade terrorists from using cellphones while the NSA isn’t tracking them. But he points to the same evidence I did — that NSA has gotten key targets who use cell phones.
There’s something else Alexander said that might better explain the slew of claims that it can’t collect cell phone data.
The NSA director, who is expected to retire within weeks, indicated that some of the gaps in coverage are due to the fact that the NSA “paused any changes to the program” during the recent controversy and discussions about restructuring the effort.
The NSA has paused changes to the program.
This echoes WaPo and WSJ reports that crises (they cited both the 2009 and current crisis) delayed some work on integrating cell data, but suggests that NSA was already making changes when the Snowden leaks started.
There is evidence the pause — or at least part of it — extends back to before the Snowden leak. As I reported last week, even though the NSA has had authority to conduct a new auto-alert on the phone dragnet since November 2012, they’ve never been able to use it because of technical reasons.
The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes.
This description actually came from DOJ, not the FISC, and I suspect the issue is rather that NSA has not solved some technical issues that would allow it to perform the auto-alert within the legal limits laid out by the FISC (we don’t know what those limits are because the Administration is withholding the Primary Order Supplement that would describe it, and redacting the description of the search itself in all subsequent orders).
That said, there are plenty of reasons to believe there are new reasons why NSA is having problems collecting cell phone data because it includes cell location, which is far different than claiming (abundant evidence to the contrary) they haven’t been collecting cell data all this time. In addition to whatever reason NSA decided to stop its cell location pilot in 2011 and the evolving understanding of how the US v. Jones decision might affect NSA’s phone dragnet program, 3 more things have happened since the beginning of the Snowden leaks:
Remember, too, there’s a February 2013 FISC Section 215 opinion the Administration is also still withholding, which also might explain some of the “technical-meaning-legal” problems they’re having.
Underlying this all (and assuredly underlying the problems with collecting VOIP calls, which are far easier to understand and has been mentioned in some of this reporting, including the LAT story) is a restriction arising from using an ill-suited law like Section 215 to collect a phone dragnet: telecoms can only be obligated to turn over records they actually “already generate,” as described by NSA’s SID Director Theresa Shea.
[P]ursuant to the FISC’s orders, telecommunications service providers turn over to the NSA business records that the companies already generate and maintain for their own pre-existing business purposes (such as billing and fraud prevention).
To the extent telecoms use SS7 data, which includes cell location, to fulfill their Section 215 obligation (after all, what telecoms need billing records on a daily basis?), it probably does introduce problems.
Which, I suspect, will mean that Alexander and the rest of the dragnet defenders will recommend that a third party collate and store all this data, the worst of all solutions. They need to have a comprehensive source (like Hemisphere apparently plays for the DEA), one that will shield the government from necessarily having collected cell location data that is increasingly legally suspect to obtain. And they’ll celebrate it as a great sop to the civil libertarians, too, when in fact, they’ve probably reached the point where it is clear Section 215 can’t legally authorize what it is they want it to do.
The issue, more and more evidence suggests, is that they can’t collect the dragnet data without a law designed to construct the dragnet. Which is another way of saying the dragnet, as intended to function, is illegal.
Effective immediately, we will only pursue phone calls that are two steps removed from a number associated with a terrorist organization instead of three. And I have directed the Attorney General to work with the Foreign Intelligence Surveillance Court so that during this transition period, the database can be queried only after a judicial finding, or in a true emergency.
These promises have been taken to limit all queries to two hops (which was NSA”s practice in any case) and, except in an emergency, to require FISC to approve the Reasonable Articulable Suspicion determination an identifier before it is used to query the database.
That’s not exactly how the modification implements the change. Rather, it lays out 3 ways to access the database:
Access under the terms of the last bullet, which has actually been part of dragnet orders since the second order, is accomplished in the supplement with this language:
For any selection term that is subject to ongoing Court-authorized electronic surveillance, pursuant to 50 U.S.C. § 1805, based on this Court’s finding of probable cause to believe that the selection term is being used or is about to be used by [redacted--describes a tie to a foreign terrorist organization], including those used by U.S. persons, the government may use such selection terms as “seeds” during any period of ongoing Court-authorized electronic surveillance without first seeking authorization from this Court as described herein. Except in the case of emergency, NSA will first notify the Department of Justice, National Security Division of its proposed use as a seed any selection term subject to Court-authorized electronic surveillance.
Now, with one minor caveat, I actually have no problem with this. As I said in this post, it makes sense that NSA should have access to the metadata of calls it already has access to content of. And this third access still complies with the language of Obama’s promise: rather than a judicial finding regarding RAS, such queries would have been justified by a judicial finding regarding probable cause, a much higher standard.
I’m mostly interested in this detail for what it might suggest about the way the NSA is currently using the dragnet. I have repeatedly focused on Theresa Shea’s description of how NSA uses the dragnet to prioritize which content they read.
Section 215 bulk telephony metadata complements other counterterrorist-related collection sources by serving as a significant enabler for NSA intelligence analysis. It assists the NSA in applying limited linguistic resources available to the counterterrorism mission against links that have the highest probability of connection to terrorist targets. Put another way, while Section 215 does not contain content, analysis of the Section 215 metadata can help the NSA prioritize for content analysis communications of non-U.S. persons which it acquires under other authorities. Such persons are of heightened interest if they are in a communication network with persons located in the U.S. Thus, Section 215 metadata can provide the means for steering and applying content analysis so that the U.S. Government gains the best possible understanding of terrorist target actions and intentions.
If this is primarily how the dragnet is currently being used — to tell NSA which call content that it has collected it should listen to or translate first — then it would explain why the FISC didn’t complain about having to approve a bunch of new query identifiers: because it wouldn’t really have to do much pre-approval beyond the traditional FISC warrant review it has already done.
And given that NSA ran queries on 288 identifiers in 2012, a year when FISC approved 1,788 FISA warrants (though some were for physical searches), it is feasible that many or even most of the dragnet queries were tied to FISC warrant targets.
If that’s right, it suggests the dragnet no longer serves primarily as the alert function it has been sold as, but instead serves an indexing function (which is, after all, what James Clapper said months ago).
So here’s my one caveat to my assertion that I have no problem with this.
In making this modification, DOJ actually changed the way they refer to what FISC-approved targets automatically qualify as RAS-approved. In the order itself, it describes it this way:
Selection terms that are currently the subject of electronic surveillance authorized by the Foreign Intelligence Surveillance Court (FISC) based on the FISC’s finding of probable cause to believe that they are used by [redacted description of tie to terrorism] including those used by U.S. persons, may be deemed approved for querying for the period of FISC-authorized electronic surveillance without review and approval by a designated approving official. The preceding sentence shall not apply to selection terms under surveillance pursuant to any certification of the Director of National Intelligence and the Attorney General pursuant to Section 702 of FISA, as added by the FISA Amendments Act of 2008, or pursuant to an Order of the FISC issued under Section 703 or Section 704 of FISA, as added by the FISA Amendments Act of 2008.
I think this works out to be a distinction without a difference, or even an improvement. The language of the order says targets of FISA orders — except those targeted under Section 702 (bulk collection targeted at foreigners outside the US), Sections 703 and 704 (US person target outside the US) — are pre-approved as dragnet identifiers. The language of the modification says targets only of traditional FISA orders (authorizing electronic surveillance of either US persons or foreign individuals in the US) are pre-approved for dragnet identifiers. If anything, the modification language is more narrow, as it would also exclude those against whom FISC has approved physical search warrants from automatic RAS approval. If this reading is correct, it would seem to support my supposition that the dragnet is increasingly serving primarily as an index to already-collected content.
But given the way they’ve expanded the intent of traditional FISA in the past, I do wonder whether something else is going on.
All that said, I mostly intend with this post to point to yet more evidence suggesting that the dragnet increasingly serves as an index rather than the early warning system it gets billed as.
I’ve been obsessing on when and whether telecoms turn over cell phone data under Section 215 and EO 12333 for the last several days. So I want to point out a change in the FISC orders for the Section 215 phone dragnet starting in 2008.
Here’s how the April 3, 2008 Section 215 FISC order describes the metadata to be turned over to NSA:
Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, communications device identifier, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]
Here’s how the August 19, 2008 order and (I believe) all subsequent orders describe the metadata to be turned over to the NSA.
Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) numbers, International Mobile Station Equipment Identity (IMEI) etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]
In both cases, these paragraphs end with a footnote that starts, “The Court understands that the,” followed by redacted language that would probably be very instructive in explaining where and how the telecoms got their data.
Amid claims the NSA doesn’t collect cell phone data, I find it notable that NSA started asking for cell phone identifiers back in 2008. (I find it equally notable that they started asking for IMSI and IMEI on the second docket after NSA put a copy of the Section 215 data onto the same server as the EO 12333 data). That was also the year that Tempora — under which GCHQ accessed huge amounts of Internet and phone data off Transatlantic cables, including from Verizon — was first piloted.
I don’t think that proves definitively that NSA was collecting cell phone data (though the WSJ reported last June that it was collecting cell data directly from AT&T and Sprint, with T-Mobile and Verizon data coming from another source). Depending on where providers got the data (on a daily basis, remember) to provide to NSA, they would have the IMSI and IMEI data on phones in contact with their land lines.
But the NSA has been collecting data about cell phones at least since 2008.
Which raises real questions about claims they don’t know how to integrate cell phone data into their database.
Update: To answer Dr. Pitchfork’s question, 4 national journalists reported on Friday that the NSA only “gets” 20 to 30% of US phone data because they don’t get cell data. Even ignoring details like the explicit mention of cell data in the 215 orders, their story doesn’t make any sense. I think the real problem may arise from a recent FISC order and Verizon’s split from Vodaphone.
Maybe I have a sick sense of humor.
But I laughed at the irony of this NYT story about how Edward Snowden used a web-crawler to scrape data from the NSA’s servers.
In paragraphs 28 and 29 (of 29), Defense Intelligence Agency head Michael Flynn admits what he has avoided admitting in public hearings: he has no fucking clue what Snowden took.
The head of the Defense Intelligence Agency, Lt. Gen. Michael T. Flynn, told lawmakers last week that Mr. Snowden’s disclosures could tip off adversaries to American military tactics and operations, and force the Pentagon to spend vast sums to safeguard against that. But he admitted a great deal of uncertainty about what Mr. Snowden possessed.
“Everything that he touched, we assume that he took,” said General Flynn, including details of how the military tracks terrorists, of enemies’ vulnerabilities and of American defenses against improvised explosive devices. He added, “We assume the worst case.”
DOD doesn’t actually know what Snowden took. They know he had access to a bunch of files on military operations.
But that leaves open the question of how Mr. Snowden chose the search terms to obtain his trove of documents, and why, according to James R. Clapper Jr., the director of national intelligence, they yielded a disproportionately large number of documents detailing American military movements, preparations and abilities around the world.
But DOD doesn’t know whether he just touched them, or took them with him. It doesn’t know whether he deleted any he took before turning them over to journalists.
For his part, Snowden says DOD’s claims he deliberately took military information are unfounded.
In his statement, Mr. Snowden denied any deliberate effort to gain access to any military information. “They rely on a baseless premise, which is that I was after military information,” Mr. Snowden said.
Snowden suggests any military information he got, he got incidentally. DOD will just have to trust him.
Nevertheless, DOD will assume the worst because that’s the only way to protect DOD equities — and indeed, the lives of our military service members (that is, if Flynn’s claims are true; given his track record I don’t necessarily believe they are).
The necessity of protecting people and secret plans because of a potential risk is actually not funny at all. Indeed, it points to the problem inherent with bulk collection conducted in secret: Those potentially targeted by it have to assume the worst to protect themselves.
Mind you, if Sam Alito were a fair and balanced kind of guy, he’d tell DOD to suck it up. The risk of this bulk collection inflicting harm on military operations is speculative.
Respondents’ claim of future injury is too speculative to establish the well-established requirement that certain injury must be “certainly impending.”
But I think Alito is wrong. I definitely don’t fault DOD for adjusting to potential risks given the lack of certainty over which of their most sensitive secrets bulk collection has compromised.
If it is a problem that Snowden touched or maybe even incidentally collected data that could cause DOD great harm — if it is understandable that DOD would assume and prepare for the worst — then NSA needs to shut down its own indiscriminate scraping of data from all over the world. Because it is imposing the same kinds of risk and costs and worries to private individuals all over the world.
Update: Eli Lake got sources who received DIA’s briefing on their Snowden report to distinguish between what DIA knows and what they’re just assuming.
– FBI search warrant affidavit seeking (among other things) additional cell phones, October 29, 2010
Yesterday, Siobhan Gorman reported that NSA’s “phone-data program” collects 20% or less of the phone data in the US. She explains that the program doesn’t collect cell phone data, and so has covered a decreasing percentage of US calls over the last several years.
The National Security Agency’s phone-data program, which has been at the center of controversy over the NSA’s surveillance operations, collects information from about 20% or less of all U.S. calls—much less than previously described by lawmakers.
The program had been described as collecting records on virtually every phone call placed in the U.S., but in fact, it doesn’t cover records for most cellphones, the fastest-growing sector in telephony and an area where the agency has struggled to keep pace, according to several people familiar with the program.
Ellen Nakashima’s report places the percentage between 20 and 30%, echoing Gorman’s claim about limits on cell data.
The actual percentage of records gathered is somewhere between 20 and 30 percent and reflects Americans’ increasing turn away from the use of land lines to cellphones. Officials also have faced technical challenges in preparing the NSA database to handle large amounts of new records without taking in data such as cell tower locations that are not authorized for collection.
The bulk collection began largely as a land-line program, focusing on carriers such as AT&T and Verizon Business Network Services. At least two large wireless companies are not covered — Verizon Wireless and T-Mobile U.S., which was first reported by the Wall Street Journal.
Industry officials have speculated that partial foreign ownership has made the NSA reluctant to issue orders to those carriers. But U.S. officials said that was not a reason.
“They’re doing business in the United States; they’re required to comply with U.S. law,” said one senior U.S. official. “A court order is a court order.”
Rather, the official said, the drop in collection stems from several factors.
Apart from the decline in land-line use, the agency has struggled to prepare its database to handle vast amounts of cellphone data, current and former officials say. For instance, cellphone records may contain geolocation data, which the NSA is not permitted to receive.
These reports offer a more credible explanation than Geoffrey Stone’s multiple claims to this effect about why the program misses data. So they may be true.
But I think they instead point to the legal range of authorities NSA uses to collect phone records, not to what records they actually have in their possession.
These reports are commenting (though without specifying, or even seeming to be aware they need to specify) on what the government claims it collects under Section 215. These reports are not commenting on what NSA collects under all authorities.
In this post I will show why I believe these reports to be credible only in a very narrow sense. In a follow-up post I will point to the legal issues that underlie the Administration’s conflicting claims about what it collects.