Bob Goodlatte

About HR 3361, the NSA Surveillance Efficiency Act, AKA USA Freedom Act

The House Intelligence Committee passed a bill out of its committee Thursday, HR 3361, that will reportedly solve a problem (or problems) the NSA has been struggling with since 2009. The bill will now move to the full House for a vote.

The public — and surely a great majority of members of Congress — have no idea precisely what problem this bill will solve: planted leaks suggest it has to do with difficulties dealing with cell phone records, perhaps because they include location data. If that is part of the problem, then it’s a fairly recent development, perhaps arising after US v. Jones raised new concerns about the legality of collecting location data without a warrant. There’s also the presumably-related issue of an automated query function; NSA has been struggling to resume that function since its alert function got shut down as a legal violation in 2009. The ability to tie multiple identities from the same person together as NSA runs those alerts may be a related issue.

The bill has not been reported as a fix for NSA’s long-term legal and technical struggles (though LAT’s Ken Dilanian has asked why civil liberties groups are so happy about this given that it will expose more data to NSA collection). Rather, it has been called the USA Freedom Act and reported as a reform of the phone dragnet program, a successful effort to “end” “bulk collection.”

The bill does have the critically important effect of ending the government’s practice of collecting and storing some significant portion of all US call records, beyond whatever US person call records it collects overseas. That, by itself, is the equivalent of defusing a nuclear bomb. It is a very important improvement on the status quo.

It remains entirely unclear — and unexamined, as far as I can tell — whether the bill will increase or decrease the number of entirely innocent Americans who will be subjected to the full range of NSA’s analytical tradecraft because they got swept up based on the guilt by association principle behind contact-chaining, or whether the bill will actually expose more kinds of US person records to the scrutiny of the NSA.

The bill the press is calling USA Freedom Act may also — though we don’t know this either — have the salutary benefit of changing the way the NSA currently collects data under other Section 215, Pen Register, and NSL collection efforts.  The bill requires that all Section 215 (both call record and otherwise), Pen Register, and NSL queries be based on a specific selection term that remains vaguely defined (a definition the House Intelligence Committee considered eliminating before Thursday’s hearing). But it remains unclear how much that rule — even ignoring questions about the definition — will limit any current practices. At Wednesday’s hearing Bob Goodlatte said the bill “preserves the individual use of Section 215 under the existing relevancy standard for all business records,” and at least for several NSL authorities, the new “restrictions” almost certainly present no change (and another NSL authority, the Right to Financial Privacy Act, uses the same “entity” language the bill definition does, suggesting it is unlikely to change either). Plus, at least according to DOJ’s public claims and court filings, it ended the bulk domestic collection under PRTT in 2011. So the language “ending” “bulk collection” may do no more than make it harder for FBI to construct its own phone books of phone company and ISP subscribers using NSLs, if it does even that.

What the bill doesn’t do — because this part of the bill was stripped as part of the compromise — is provide the Intelligence Community’s oversight committees detailed reports of what kind of records the government obtains under Section 215 (and for what agencies), and how many Americans are subject to all the FISA authorities, including Section 215. That is, the compromise eliminated the one thing that could measure whether the bill really did “end” “bulk collection” as you or I would understand it. In its stead, the bill largely codifies an existing reporting agreement that AT&T has already demonstrated to be completely deceptive. In Wednesday’s hearing, Zoe Lofgren called provider reporting “the canary in the coal mine” the committee would rely on to understand what collection occurred.

So this bill that “ends” “bulk collection” still prevents us, or even the oversight committees working in our name, from learning whether it does so.

It does, however, have some interesting features, given its other purpose of solving one or more challenges facing the NSA.

The first of those is immunity.

No cause of action shall lie in any court against a person who produces tangible things or provides information, facilities, or technical assistance pursuant to an  order issued or an emergency production required under this section. 

This is another part of the bill the underlying reasons for which the public, and probably much of Congress, doesn’t understand. At one level, it seems to immunize the process that may have telecoms playing a role the NSA previously did, analyzing the data; it may also pertain to providing NSA access to the telecoms’ physical facilities. But given the background to the move to telecoms — NSA’s legal-technical problems dealing with cell phone data because it ties to location — it is possible the immunity gives the telecoms protection if they use but don’t turn over data they have already, such as location data or even Internet metadata, to perform the interim analysis.

Consider how the bill describes the call record query process.

[T]he Government  may require the production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using the results of the production under subclause (I) as the basis for production;

So a 2-hop query goes from a “specific selection term” to “the results of the production” to the “call detail record” handed over to the government. While the definition of call detail records clearly prohibits the final production to the government of either content or cell location, nothing in this process description prevents the telecoms from using such things (most Internet metadata is legally content to the telecoms) in that interim hop; indeed, the “results of the production under subclause (I)” available to the telecoms almost certainly would include some of this information, particularly for smart phones. We know the Hemisphere program (the AT&T-specific program for the DEA) uses cell location in its analysis. Remember, too, how NSA is gobbling up smart phone data (including things like address books) in overseas programs; this may permit analysis of similar data — if not collection of it — domestically.  So at the very least, this scheme seems to give the NSA access to cell location and possibly a whole lot more data for analysis they otherwise couldn’t get (which David Sanger’s sources confirm).

And consider two more details from Wednesday’s House Judiciary hearing. At it, Lofgren repeated a list of business records the government might obtain under Section 215 she got Deputy Attorney General James Cole to confirm at an earlier hearing. It includes:

  • ATM photos
  • location where phone calls made
  • credit card transactions
  • cookies
  • Internet searches
  • pictures captured by CCTV cameras

So long as the word “entity” in the definition of specific selection term remains undefined, so long as FISC precedents permit the tapping of entire circuits in the name of collecting on an entity, the government may still be able to collect massive amounts of this data, not actually targeted at a suspect but rather something defined as an entity (in both the existing 215 program and the new call records one the bill retains the “relevant to” language that has been blown up beyond meaning).

Finally, consider what happened with Lofgren’s last attempted amendment. After having submitted a number of other failed amendments, Lofgren submitted an amendment to fix what she called an inadvertent error in the manager’s amendment specifically prohibiting the collection of content under Section 215.

I believe this amendment fixes — at least I hope — an error that was created in the manager’s amendment that I cannot believe was intended. As you know we have specified that the content is not included in business records. This amendment clarifies that business records do not include the content of communication. We specify that in the new section about call detail records, but the specification that content was not included somehow got dropped out of the business records section. It was included in your original bill but it didn’t make it into the manager’s amendment. I think this amendment clarifies the ambiguity that could be created and I hope it was not intentional.

This is a problem I pointed out here.

Almost without missing a beat after she introduced this, Jim Sensenbrenner recessed the hearing, citing votes. While there were, in fact, votes, Luis Pierluisi (who cast the decisive vote in favor of an amendment to redefine counterintelligence) and possibly Lofgren got a lecture at the break about how any such amendments might blow up the deal the Committee had with Mike Rogers and HPSCI. After the break, Lofgren withdrew the amendment, expressing hope it could be treated as a clerical fix.

That purported error was not fixed before HPSCI (which explicitly permitted the collection of content under its bill) voted out the bill.

Perhaps it will be “fixed” before it comes to the floor.

But if it doesn’t, it may expand (or, given Lofgren’s stated concerns about what records Section 215 might cover, sustain) the use of Section 215 to collect content, not just metadata. Imagine the possibility this gets yoked to expanded analysis at telecoms under the new CDR program?

We don’t know. This bill has gotten past two committees of Congress (we didn’t get to see any of the debate at HPSCI) without these details becoming clear. But when you consider this bill as the fix to one or more problems the NSA has been struggling with, it does raise real questions.

Again, I don’t want to make light of the one thing we know this bill will do — take a database showing all phone-based relationships in the country out of NSA’s hands. That eliminates an intolerably risky program. That is an important fix.

But that shouldn’t lead us to ignore the potential expansion of spying that may come with this bill.

USA Freedumb Act and RuppRoge Both Adopt Intelligence Community Definition of “Bulk Collection”

Update: An updated version of the Manager’s Amendment does define the term:

(2) SPECIFIC SELECTION TERM.—The term  ‘specific selection term’ means a term used to uniquely describe a person, entity, or account.

This is far better than nothing. Though I have concerns about “entity” and I suspect there will be some pushback here, since not even phone numbers “uniquely describe a person,” much less IPs. (Update: see my post on my concerns about the definition.)

As I noted in this post, USA Freedumb Act (what I’ve renamed the compromised USA Freedom Act) purports to limit bulk collection by tying all collection to specific selection terms. It does this for Section 215.

No order issued under this subsection may authorize the collection of tangible things without the use of a specific selection term that meets the requirements of subsection (b)(2).

It does it for Pen Register/Trap and Trace.

(3) a specific selection term to be used as the basis for selecting the telephone line or other facility to which the pen register or trap and trace device is to be attached or applied;

And it does so for all four NSL types, as here with call records under ECPA.

COUNTERINTELLIGENCE ACCESS TO TELEPHONE TOLL AND TRANSACTIONAL RECORDS.—Section 2709(b) of title 18, United States Code, is amended in the matter preceding paragraph (1) by striking ‘‘may’’ and inserting ‘‘may, using a specific selection term as the basis for a request’’.

In fact, that’s the same mechanism RuppRoge (the House Intelligence Committee’s bill) uses to prevent bulk collection — though it limits bulk collection for fewer categories of things.

It does so for electronic communications records.

Notwithstanding any other provision of law, the Federal Government may not acquire under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) records of any electronic communications without the use of specific identifiers or selection terms.

And it does so for sensitive business records.

Notwithstanding any other provision of law, the Federal Government may not acquire under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) library circulation records, library patron lists, book sales records, book customer lists, firearm sales records, tax return records, education records, or medical records containing information that would identify a person without the use of specific identifiers or selection terms.

And this limitation, both bills proclaim, will prevent bulk collection.

Neither bill defines what they mean by selection term or specific identifier.

Before I consider whether these bills will, in fact, prevent what you and I might consider bulk collection, note what has happened: both of these bills — the crappy Intelligence Committee wish list bill and the allegedly less crappy “reform” bill — have adopted the definition of “bulk collection” used by the notoriously Orwellian Intelligence Community.

This is perhaps best explained in Obama’s President’s Policy Directive on surveillance.

References to signals intelligence collected in “bulk” mean the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).

Now, we’re at a huge disadvantage to be able to assess whether this definition of bulk collection bears any resemblance to what ordinary humans might understand bulk collection to mean, because the government is being very disingenuous about what they claim it to mean.

The government often publicly claims selectors are things “like telephone numbers or email addresses,” as they did repeatedly at the last PCLOB hearing.

I can assure you, however, that when they refer to “selectors like email or telephone,” they’re downplaying their use of things like other IDs (phone handset and SIM card IDs, credit card numbers, Internet IDs or even passwords, IP address, and site cookies). And nothing in the definition says selection terms have to have anything to do with actual people (as the evidence they use malware code as a selector would indicate). Plus, I could envision many things — such as “Area Code 202” or “Western Union transfers over $100” – that would seem to qualify as selection terms.

But we can measure whether limits to selectors or search terms prohibit bulk collection via another means — by looking at the program about which we’ve gotten most details on selector searches: upstream 702 collection.

While we can’t assess how many “innocent” Americans get sucked up in this purportedly non-bulk collection (and I doubt NSA can either!), we do have an idea how many American communications get sucked up that shouldn’t be according to the one-end foreign rule on the collection.

Up to 56,000 American communications a year, according to FISC Judge John Bates’ estimate (because the NSA refused to provide him the real numbers).

56,000 American communications that should not, under the law, have been targeted, sucked up using “identifiers” and “selection terms.”

And the government doesn’t consider that bulk collection at all.

That, my friends, is the standard two different Committees in Congress have adopted as well, doing the intelligence community’s bidding, claiming they’ve solved the bulk collection problem.

USA Freedumb Act: The Timing


I’m going to do a series of more finished posts on the “compromised” version of Jim Sensenbrenner’s USA Freedom Act, which I hereby dub the USA Freedumb Act (thanks to Fake John Schindler for the suggestion), because so many of the reforms have been gutted. Here’s the initially proposed bill. Here’s my working thread on USA Freedumb.

You will hear a great many respectable people making positive comments about this bill, comments they normally would not make. That’s because of the carefully crafted timing.

As you recall, Mike Rogers originally got the House Parliamentarian to rule that the bill could go through the House Intelligence Committee. And his bill, which I affectionately call “RuppRoge” after Rogers and Dutch Ruppersberger and Scooby Doo’s “Rut Roh” phrase, is genuinely shitty. Not only does it put the NSA onsite at providers and extend call records collection beyond terrorism applications, but it also extends such collection beyond call records generally. It is likely an attempt to get the US back into the Internet dragnet business. Shitty bill.

That said, in key ways RuppRoge is very similar to USA Freedumb. Both “limit” bulk collection by limiting collection to selectors (Freedumb does so across the board, including for NSLs, whereas RuppRoge does so for sensitive Business Records, call records, and Internet metadata). Both propose a similarly (IMO) flimsy FISC advocate. Both propose laughably weak FISC transparency measures. Both will include compensation and immunity for providers they don’t currently have.

Aside from three areas where RuppRoge is better — it forces agencies to update their EO 12333 proposals, doesn’t extend the PATRIOT Act, and provides a (not very useful) way to challenge certificates, all the way up to SCOTUS — and three where it is far worse — it develops more Insider Threat measures, it applies for uses beyond terrorism and beyond call records, and doesn’t include new (but now circumscribed) IG reporting  – they’re not all that different. [Correction: USA Freedumb ALSO applies beyond terrorism.]

They’re differently shitty, but both are pretty shitty.

The reason why otherwise respectable people are welcoming the shitty Freedumb bill, however, is that it gives House Judiciary Committee — with a number of real reformers on it — first pass on this bill. It’s a jurisdictional issue. It puts the jurisdiction for surveillance bills back where it belongs, at the Judiciary Committee.

Oh, by the way, one of the more extensive (in terms of text) real changes in Freedumb is it finally includes the House Judiciary Committee, along with the House and Senate Intelligence Committees and Senate Judiciary Committee, among the committees that get certain kinds of reporting. Jurisdiction. (No, I can’t explain to you why it wasn’t included in the first place in 2008, and no, I can’t explain why that detail is not better known.) It gives everyone on HJC a tiny reason to support the bill, because they’ll finally get the reporting they should have gotten in 2008.

The House Intelligence Committee will consider RuppRoge the day after HJC considers Freedumb, Thursday. Which has elicited hasty (overly hasty, IMO) statements of support for Freedumb, as a way to head off the shitty RuppRoge.

Effectively, the National Security State has managed to put two differently shitty bills before Congress and forced reformers to choose. Freedumb is the better (as in less horrible) bill, and it might get better in Committee. But it’s not a runaway call. And the haste has prevented anyone from really figuring out what a central change to both programs means, which limits collection to selectors, which could be defined in very broad terms (and about which — you’ll have to take my word for now — the NSA has lied in public comments).

One more timing issue that I suspect explains the sudden activity surrounding “reform.” The Privacy and Civil Liberties Oversight Board is due to release a report on Section 702 in the next month or so (its comment period for the report closed on April 11). Given the comments of David Medine, James Dempsey, and Patricia Wald at hearings, I strongly suspect PCLOB will recommend reforms — at least — to back door searches, and possibly to upstream collection. Both are items which were gutted as USA Freedom became Freedumb. (In addition, two aspects that would have expanded PCLOB’s authorities — giving it a role in picking the FISC advocate and giving it subpoena power — have been removed.) So in the same way that President Obama rushed to reaffirm NSA’s unified structure, in which the Information Assurance Division and Cybercommand functions are unified with the more general NSA spying function, before his handpicked Review Group recommended they be split, this seems to be a rush to pre-empt any recommendations PCLOB makes.

Ultimately, these two shitty bills are destined to be merged in conference anyway, and reformers seem to have given up 75% of the field before we get started.

Which means just about the only “reform” we’ll get are actually tactical fixes to help the Security State deal with legal and technical issues they’ve been struggling with.

The USA Freedumb Act has become — with DiFi’s Fake FISA Fix and RuppRoge before it — the third fake reform since Edward Snowden’s leaks first got published. Wearing down the reformers seems to be working.

New “Freedom” Equals Less Protection for All But the Telecoms (Working Thread)


As a number of outlets are reporting, the House Judiciary Committee will mark-up a Manager’s Amendment to the USA Freedom Act on Wednesday.

This post will lay out what the changes are, as a working thread (updated as I read). But the short version is this: the Manager’s Amendment offers us mere shmoes less protection than the original bill did — particularly with regards to upstream and back door searches. But it does add “liability protection” and financial compensation to the providers that wasn’t in the original bill.

Call Records

The Manager’s Amendment  (MA) provides for 2-hop production from providers, akin to President Obama’s reform proposal. Such orders last for 180 days and can be extended. The Manager’s amendment explicitly limits such protection to international terrorism (which Obama’s reform was wishy-washy on). Correction: it has no such limitation. This would expand the use of the dragnet well beyond terrorism.

It includes really bizarre language on multiple hops:

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii)  as the basis for production;

(II) using the results of the production under subclause (I) as the  basis for production; and

(III) using the results of the  production under subclause (II) as the  basis for production;

The bill mandates 5 year destruction for call records — except for those that are relevant to an investigation.

(v) direct the Government to destroy all call detail records produced under the order not later than 5 years after the date of the production of such records, except for records that are relevant to an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to protect against international terrorism.

Remember, by FISC opinion, “relevant to” now means “anything even remotely possibly relevant to.” Given that meaning, pretty much all records turned over to the government can be kept forever; strictly by being turned over they’re already more relevant than the definition of relevant the NSA and DOJ currently use.

Other Section 215 Production

The MA tries to limit bulk production differently than USA Freedom did, by requiring the search on a specific selector. I’ll have to reflect on whether this will be more restrictive or open for abuse.

The MA takes out language permitting the FISC to review whether the government has complied with minimization procedures.

The MA provides immunity and compensation where the USA Freedom Act had not.

Inspector General Reports

The MA changes mandated Inspector General Reports from USA Freedom in two interesting ways. First, it only requires reports from 2012 through 2014, whereas the USA Freedom had required them throughout (that is, including 2010 and 2011). I’ll have more to say about this in the future. There’s good reason to believe, however, that there are things the government doesn’t want reviewed that happened in 2010, especially.

Furthermore, it doesn’t require these reports until December 31, 2015 — that is, after PATRIOT Act Reauthorization. The bill also extends the PATRIOT Reauthorization to 2017, so this report would come in before that, but would extend the authorities as a whole for 2 more years.

Finally, it takes out this language:

describe any noteworthy facts or circumstances relating to orders under such title

This would allow IGs to ignore details about the actual practice of these programs.

PRTT

As with business records, the MA limits bulk collection by requiring the use of a specific selector, not by prohibiting bulk collection.

Interestingly, it does permit the Judge to assess compliance with minimization procedures, unlike with call records.

Backdoor searches

Here’s the language USA Freedom used to limit back door searches.

(2) CLARIFICATION ON PROHIBITION ON SEARCHING OF COLLECTIONS OF COMMUNICATIONS OF UNITED STATES PERSONS.—

(A) IN GENERAL.—Except as provided in subparagraph (B), no officer or employee of the United States may conduct a search of a collection of communications acquired under this section in an effort to find communications of a particular United States person (other than a corporation).

(B) CONCURRENT AUTHORIZATION AND EXCEPTION FOR EMERGENCY SITUATIONS.—

Subparagraph (A) shall not apply to a search for communications related to a particular United States person if—

(i) such United States person is the subject of an order or emergency authorization authorizing electronic surveillance or physical search under section 105, 304, 703, 704, or 705, or title 18, United States Code, for the effective period of that order;

(ii) the entity carrying out the search has a reasonable belief that the life or safety of such United States person is threatened and the information is sought for the purpose of assisting that person; or

(iii) such United States person has consented to the search.

Here’s the language the MA uses to prohibit back door searches (and I’m not even sure that’s what it does, as opposed to prevent the MCAT collection Bates declared illegal in 2011), which is part of the minimization procedures.

prohibit the use of any discrete, non-target communication that is determined to be to or from a United States person or a person who appears to be located in the United States, except to protect against an immediate threat to human life.

We know they use back door searches to identify which selectors to further investigate. Does this permit such a use?

In any case, I believe — though am not 100% certain — that the MA takes out any protection against back door searches (save for stronger language on reverse targeting that is similar to what USA Freedom had).

Section 702

The MA takes out language that would have prevented the use of upstream searches for cybersecurity, which I wrote about here.

Remember how RuppRoge had a clause prohibiting the government from storing illegally collected data (which they lost in the drafting process).

The MA retains this to Section 702, which appears to prohibit the use of illegally collected data but actually newly permits it. [Update note: most of this was in the USA Freedom]

‘‘(i) IN GENERAL.—Except as provided in clause (ii), no information obtained or evidence derived from an acquisition pursuant to a certification or targeting or minimization procedures subject to an order under subparagraph (B) concerning any United States person shall be received in evidence or otherwise disclosed in any trial, hearing, or other proceeding in or before any court, grand jury, department, office, agency, regulatory body, legislative committee, or other authority of the United States, a State, or political subdivision thereof, and no information concerning any United States person acquired from the acquisition shall subsequently be used or disclosed in any other manner by Federal officers or employees without the consent of the United States person, except with the approval of the Attorney General if the information indicates a threat of death or serious bodily harm to any person.

(ii) EXCEPTION.—If the Government corrects any deficiency identified by the order of the Court under subparagraph (B), the Court may permit the use or disclosure of information acquired before the date of the correction under such minimization procedures as the Court shall establish for purposes of this clause.’’.

Remember, first of all, that NSA has secretly rewritten “serious bodily harm” to include threats to property, so that clause is already fairly limited.

But then add in the ability to use illegally collected data once you’ve fixed the problems that made it illegal and it makes this pretty broad. At a minimum, this would permit the government to use all the upstream collection John Bates deemed illegal in 2011.

The MA takes out some other changes to FAA, including a new sunset that would have coincided with the PATRIOT Sunset. Actually, the bill just extends PATRIOT so it coincides with FAA.

Special Advocate

The MA changes how the FISC Special Advocate is chosen. It had been that PCLOB would pick candidates and the Chief Justice (John Roberts!) would pick who got to be the advocates. The MA changes that to letting the presiding judge pick no less than 5 people, including people with technical as well as civil liberties expertise. The Executive still gets to decide whether those people get access however. And the FISC gets to decide if the Special Advocate participates, in which case she’ll be treated like an amicus curiae.

The new scheme also does not provide for appellate review, suggesting that the Special Advocate would not be in a position to raise challenges to decisions the court had already made.

The whole thing seems like a Super Clerk position, not anything really new.

Declassification

The MA also waters down the declassification language in USA Freedom, essentially adopting the language the Obama Administration claims to be currently using (under which it only releases opinions if Edward Snowden comes along and leaks them). Though this language is, roughly, the language that Jeff Merkley tried to get them to adopt back in 2012.

NSLs

The NSLs section repeats the method of prohibiting bulk collection by limiting use to a specific selector.

However, it also takes out limits USA Freedom had put on financial NSLs.

(A) the name of a customer of the financial institution;

(B) the address of a customer of the financial institution;

(C) the length of time during which a person has been, or was, a customer of the financial institution (including the start date) and the type of service provided by the financial institution to the customer; and

(D) any account number or other unique identifier associated with a customer of the financial institution.

(2) LIMITATION.—A request issued under this subsection may not require the production of records  or information not listed in paragraph (1).

As well as a new definition of financial institution borrowed from the Bank Secrecy Act.

(c) DEFINITION OF FINANCIAL INSTITUTION.—For purposes of this section (and sections 1115 and 1117, insofar as the sections relate to the operation of this section), the term ‘financial institution’ has the same meaning as in subsections (a)(2) and (c)(1) of section 5312 of  title 31, United States Code, except that the term shall include only a financial institution any part of which is located inside any State or territory of the United States, the District of Columbia, Puerto Rico, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, or the United States Virgin Islands.’’.

In addition, whereas the USA Freedom Act had repealed the Counterterrorism NSL for credit reports, which permits FBI to get a more extensive credit report in the name of terrorism (adjusting the counterintelligence one such that it targets agents of foreign power), the MA keeps it.

USA Freedom had also put new limits on NSL gags. The MA eliminates those limits.

USA Freedom had included the same mandated IG Reports for NSLs as it had for business records. The MA eliminates them.

Reporting

215 Orders

The law providing reports to Congress on how the government uses Section 215 now mandates reports only for HPSCI, SSCI, and SJC. USA Freedom had added HJC to that. But the HJC MA eliminates that change! Update: I need to check–they may have retained this in another part of the bill.

USA Freedom had required detailed descriptions of what the government was doing with 215 orders, and which agencies were using them. The MA eliminates that requirement.

Most troubling, USA Freedom had this language trying to understand how many people are affected by 215 orders.

(C) a good faith estimate of the total number of individuals whose tangible things were produced under an order entered under section 501, rounded to the nearest 100;

(D) a good faith estimate of the total number of United States persons whose tangible things were produced under an order entered under section 501, rounded to the nearest 100; and

(E) a good faith estimate of the total number of United States persons whose tangible things were produced under an order entered under section 501 and subsequently reviewed or accessed by a Federal officer, employee, or agent, rounded to the nearest 100.;

That language is gone.

That pattern is repeated through the rest of the reporting requirements. Where USA Freedom had tried to quantify the number of people and US persons who got sucked up in surveillance, and how many of those whose records got reviewed, the MA no longer does so. Shouldn’t they be more willing to provide this data if they were really getting rid of bulk surveillance?

PCLOB

In addition to taking PCLOB out of the FISC advocate role, the MA eliminates the provision giving PCLOB subpoena authority.

The RNC and the Dead-Enders

If you’ve spent much time in political party conventions, you likely know that the resolution process largely serves as an opportunity for active members to vent. While party resolutions might represent where the ideological base of the party is, nothing prevents the elected leaders of the party from blowing off resolutions (though at times resolutions are deemed toxic enough for leaders to undermine by parliamentary stunts).

Which is why I find the response to the RNC’s resolution renouncing the NSA’s “Surveillance Program” (it mentions PRISM and, implicitly, the phone dragnet) so interesting.

There are responses like this, from Kevin Drum, who spins it as pure politics.

I get that politics is politics, and the grass always looks browner when the other party occupies the Oval Office. And there are plenty of liberals who are less outraged by this program today than they were back when George Bush and Dick Cheney were in charge of it.

But holy cow! The RNC! Officially condemning a national security program that was designed by Republicans to fight terrorism!

Benjy Sarlin, in the account Drum linked, got the politics more clear, reading this, in part, as the influence of libertarians who largely gained ascendance as part of a backlash against Bush policies or at least failures.

But the resolution also is a sign of the increasing influence of the libertarian wing of the party, especially supporters of Ron Paul and his son, Rand Paul, who have made government overreach in pursuit of terrorists a top issue. Both Orrock and fellow Nevada Committeeman James Smack, who presented the resolution on her behalf, supported the elder Paul’s presidential campaign.

But I also think there’s more to it.

There is certainly a great deal of opportunism here (note, Democrats’ utter disdain for tech companies’ concerns about the dragnet makes this a monetary, as well as political opportunity for the GOP, one already bearing fruit). And while the GOP establishment is still cautiously trying to regain control over the Tea Party forces that it once encouraged, there has also been a slow change in traditional conservatives’ stance, too, which I measure through Amash-Conyers opponent Bob Goodlatte’s changing position.

Goodlatte has issued three statements in recent weeks (January 9, January 17, and January 23) calling for reform (including more civil liberties protections and attention to tech companies’ concerns) and more transparency. In the most interesting of the statements, Goodlatte suggested that if Obama wanted to keep the dragnet he’d have to explain what purpose it was really serving and then argue that that purpose

Over the course of the past several months, I have urged President Obama to bring more transparency to the National Security Agency’s intelligence-gathering programs in order to regain the trust of the American people. In particular, if the President believes we need a bulk collection program of telephone data, then he needs to break his silence and clearly explain to the American people why it is needed for our national security. The President has unique information about the merits of these programs and the extent of their usefulness. This information is critical to informing Congress on how far to go in reforming the programs. Americans’ civil liberties are at stake in this debate. [my emphasis]

As I’ve been pointing out for some time, no dragnet defenders have yet explained what purpose it really serves, and I’m struck that Goodlatte seems to suggest the same. Note, too, that Goodlatte was among the 6 Representatives who attended Bruce Schneier’s briefing on what NSA was really doing, along with leading GOP dragnet opponents Jim Sensenbrenner and Justin Amash and 3 Democrats.

I would suggest to Democrats who see this resolution exclusively as an overly cynical attack on Obama that there may, in fact, be things that could explain why Republicans specifically or reasonable Americans more generally might have good reason to oppose the dragnet.

Now back to the resolution. As Sarlin notes, “Not a single member rose to object or call for further debate, as occurred for other resolutions.” (I like to think that had Michigan’s retrograde Dave Agema been able to participate rather than fending off calls for his resignation, he might have spoken up for authoritarianism.)

Instead of opposition from the Republican Party then, came first this quote to Sarlin,

“I think it probably does reflect the views of many of the people who really want to turn out the vote and who are viewing the world through the prism of the next election,” Stewart Baker, a former Bush-era Homeland Security official, told msnbc in an email. “It’s a widespread view among Republicans, but I think the ones that know this institution best and for whom national security is a high priority don’t share this view.”

Then what Eli Lake reports as a letter (Lake doesn’t say to whom) from just one elected official — KS Representative and House Intelligence Committee member Mike Pompeo — and 7 Bush officials (including Baker) blasting the resolution. Part of the letter, apparently, serves to waggle National Security seniority, as Baker already had.

Their letter says: “The Republican National Committee plays a vital role in political campaigns, but it has relatively little expertise in national security.”

And part of it serves to correct a technical inaccuracy that may not be one.

In particular the letter takes issue with the resolution’s claim that the NSA’s PRISM program “monitors searching habits of virtually every American on the internet.”

“In fact, there is no program that monitors the searches of all Americans,” the letter says. “And what has become known as the PRISM program is not aimed at collecting the communications of Americans. It is targeted at the international communications of foreign persons located outside the United States and is precisely the type of foreign-targeted surveillance that Congress approved in 2008 and 2012 when it enacted and reauthorized amendments to the Foreign Intelligence Surveillance Act.”

At issue is the language of the resolution, which starts by discussing PRISM, but then talks about what is clearly the phone (though it would encompass the Internet) dragnet, but then explicitly returns to both, by name of the authorities that govern them.

WHEREAS, the secret surveillance program called PRISM targets, among other things, the surveillance of U.S. citizens on a vast scale and monitors searching habits of virtually every American on the internet;

WHEREAS, this dragnet program is, as far as we know, the largest surveillance effort ever launched by a democratic government against its own citizens, consisting of the mass acquisition of Americans’ call details encompassing all wireless and landline subscribers of the country’s three largest phone companies.

[snip]

RESOLVED, the Republican National Committee encourages Republican lawmakers to enact legislation to amend Section 215 of the USA Patriot Act, the state secrets privilege, and the FISA Amendments Act to make it clear that blanket surveillance of the Internet activity, phone records and correspondence — electronic, physical, and otherwise — of any person residing in the U.S. is prohibited by law and that violations can be reviewed in adversarial proceedings before a public court;

RESOLVED, the Republican National Committee encourages Republican lawmakers to call for a special committee to investigate, report, and reveal to the public the extent of this domestic spying and the committee should create specific recommendations for legal and regulatory reform to end unconstitutional surveillance as well as hold accountable those public officials who are found to be responsible for this unconstitutional surveillance; [my emphasis]

7 Bush officials and 1 HPSCI member (but not, oddly enough, the always boisterous Mike Rogers) have weighed in to say that the NSA doesn’t monitor the searches of some Americans and then trot out the tired “targeted at foreign persons” line, without addressing the question of blanket surveillance of communications more generally.

Sarlin, in his piece, similarly retreats to “targeting” claptrap, claiming only that “lawmakers have accused the agency of overreaching.”

Somehow both the Bush dead-enders and Sarlin neglect to mention backdoor searches, which allow the NSA to use metadata collected under a range of dragnets to obtain US content without even Reasonable Articulable Suspicion.

And while it’s not all that surprising that Sarlin chose not to discuss how NSA can get domestic content, the collection of dead-enders (Lake fleshed out the list here) who weighed in to deny that the NSA dragnet gets US person content is particularly instructive, as I’ll show in a follow-up post.

The Schneier Briefing: Some Observations

6 Congresspersons and a security researcher walk into an unsecure room. … And that’s the best briefing they can get on some of the things NSA might be doing.

This morning I spent an hour in a closed room with six Members of Congress: Rep. Lofgren, Rep. Sensenbrenner, Rep. [Bobby] Scott, Rep. Goodlatte, Rep. [Mike] Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn’t forthcoming about their activities, and they wanted me — as someone with access to the Snowden documents — to explain to them what the NSA was doing. Of course I’m not going to give details on the meeting, except to say that it was candid and interesting. And that it’s extremely freaky that Congress has such a difficult time getting information out of the NSA that they have to ask me. I really want oversight to work better in this country.

I’m as intrigued by the make-up of the group as I am by the fact they needed to do this.

Schneier makes it clear that Lofgren — who is not only a strong supporter of civil liberties, but also happens to represent Silicon Valley — set up the briefing. In addition to her House Judiciary Committee colleagues Sensenbrenner, Scott, and Goodlatte, she invited Amash (who’s not on the Committee but a loud defender of civil liberties — thanks, my Rep!), and N and E Bay Area Democratic colleague Mike Thompson, who’s not a member of the Committee either, but is a member of the Intelligence Committee.

As I’ve noted, Goodlatte is not a named sponsor of USA Freedom; neither is Thompson (though Schneier describes them as all people who want to “rein in the NSA”).

And yet these are the individuals whom Lofgren chose to bring to this briefing.

Schneier, of course, is not focused on the actual spying that NSA is doing, but on the corruption of encryption, a threat to the business model of Lofgren’s district. [See Saul's well-taken correction here.]

Also note, while I’ve got real worries about some opponents to reining in the NSA in the Senate, I do think people are not considering the significance of the House Judiciary Chair, who voted against Amash-Conyers, increasingly complaining about the NSA.

I’m not sure what the best way is to stop the NSA from making us all less safe (especially since NSA has apparently not even told HPSCI members what they’re doing). But I gather that Lofgren is trying to figure out a way to do so.

After Meeting with Obama, Bob Goodlatte Calls for Reform of Phone Dragnet

Bob Goodlatte, the Chair of the House Judiciary Committee, voted against the Amash-Conyers Amendment that would have defunded the phone dragnet. Nor is he a named cosponsor of the USA Freedom Act, the Leahy-Sensenbrenner bill that would reform the dragnet.

Which is why it is particularly notable that he’s the one member of Congress cited by name in a story reporting on skepticism that Obama will actually reform the NSA.

President Obama met with hand-picked lawmakers at the White House on Thursday to discuss the National Security Agency’s controversial spying programs, the main event of a week full of meetings at the White House focusing on potential reforms for the maligned federal agency.

[snip]

At least some of the lawmakers left the meeting unconvinced that the president is going to do enough to curtail the NSA’s activities. House Judiciary Committee Chairman Bob Goodlatte, R-Va., said “it’s increasingly clear that we need to take legislative action to reform” the NSA’s intelligence gathering.

“If the president believes we need a bulk collection program of telephone data, then he needs to break his silence and clearly explain to the American people why it is needed for our national security,” Goodlatte said in a statement. “Americans’ civil liberties are at stake in this debate.”

If the President has not yet been able to convince Goodlatte the phone dragnet is necessary, if Goodlatte walks out of a meeting with the President calling to legislatively roll back the phone dragnet, it might just have a shot at passing.

Update: Here’s Goodlatte’s full statement.

Over the course of the past several months, I have urged President Obama to bring more transparency to the National Security Agency’s intelligence-gathering programs in order to regain the trust of the American people. In particular, if the President believes we need a bulk collection program of telephone data, then he needs to break his silence and clearly explain to the American people why it is needed for our national security. The President has unique information about the merits of these programs and the extent of their usefulness. This information is critical to informing Congress on how far to go in reforming the programs. Americans’ civil liberties are at stake in this debate.

With each new revelation of the scope of these programs, it’s increasingly clear that we need to take legislative action to reform some of our nation’s intelligence-gathering programs to ensure that they adequately protect Americans’ civil liberties and operate in a sensible manner. We also need to ensure the laws are clear so that the U.S. tech industry is not disadvantaged vis-à-vis their foreign competitors. The House Judiciary Committee, which has primary jurisdiction over the legal framework of these programs, has conducted aggressive oversight on this issue and will be instrumental to reforming the Foreign Intelligence Surveillance Act. I am committed to working with members of Congress and Senators from both political parties, House leaders, and President Obama to ensure our nation’s intelligence collection programs include real protections for Americans’ civil liberties, robust oversight, and additional transparency. [my emphasis]

Wyden: We Proved that “Unique” and “Vital” Information Wasn’t in 2011

I should have some analysis on the documents James Clapper released yesterday.

But it’s worth pointing to Ron Wyden’s analysis. He notes that the two documents on bulk collection programs — one from 2009 and one from 2011, both of which covered the Internet and phone metadata programs – both boasted of how unique and valuable the information was.

The briefing documents that were provided to Congress in December 2009 and February 2011 clearly stated that both the bulk email records and bulk phone records collection programs were “unique in that they can produce intelligence not otherwise available to NSA.” The 2009 briefing document went on to state that the two programs “provide a vital capability to the Intelligence Community,” and the 2011 briefing document stated that they provided “an important capability.”

The problem is, by the end of 2011, Wyden and Mark Udall had been able to prove that the Intelligence Community had oversold the value of the Internet metadata program, which led to its termination.

Senator Mark Udall and I have long been concerned about the impact of bulk collection on Americans’ privacy and civil liberties, and we spent a significant portion of 2011 pressing the Intelligence Community to provide evidence to support the claims that they had made about the bulk email records program. They were unable to do so, and the program was shut down due to a lack of operational value, as senior intelligence officials have now publicly confirmed.

This experience demonstrated that intelligence agencies’ assessments of the usefulness of particular collection programs – even significant ones – are not always accurate.

So while the government thought these documents would prove how controlled these programs are (aspects of them don’t), Wyden demonstrates that they show the IC lies about the usefulness of programs when they talk to Congress about them.

Which is, Patrick Leahy suggested in yesterday’s hearing, what the IC appears to be doing when invoking 54 plots to justify the 215 phone dragnet, which has only been tied to 12 plots.

Which is an interesting dynamic to precede today’s meeting between Obama, Wyden, Udall, Dianne Feinstein, Saxby Chambliss, Bob Goodlatte, James Sensenbrenner, Dutch Ruppersberger, and Mike Rogers.

The presence of Sensenbrenner is key: to the extent they still exist, he’s a mainstream Republican. And he’s furious about the 215 program that he himself shepherded through Congress in 2006. So I would assume today’s meeting is an effort to develop the White House’s plan to phase out the dragnet.

All that said, Obama has clearly gamed the results, by inviting more of the surveillance champions than he did critics (and apparently House Democrats don’t count anymore).

Obama probably won’t see this through his bubble, but the day before this meeting Wyden demonstrated that the basis for the rosy tales DiFi and the other Gang of Four members are telling is claims from the IC that have since been discredited.

Journalists: Eric Holder Believes You’re Probably a Criminal But Won’t Charge You

As I noted the other day, Eric Holder seems intent on calling journalists whom he believes are co-conspirators in a criminal leak something else.

Which is why I think this detail, from Politico’s leaks-about-a-meeting-about-leaks story, is the most telling I’ve seen on the Holder meeting.

“The guidelines require a balance between law enforcement and freedom of the press, and we all argued that the balance was out of kilter, with the national security and law enforcement interests basically overwhelming the public’s right to get information,” one journalist at the meeting said. “The language concerning ‘aiding and abetting’ comes out of the Privacy [Protection] Act, and they discussed trying to revise that language so that reporters don’t need to be defined as co-conspirators in order to execute search warrants.”

This is a reference to part of the Privacy Act that prohibits the government from seizing media work product unless it is connected to a crime (see pages 5 ff for how it affected the James Rosen warrant application). After claiming Rosen was aiding and abetting a violation of the Espionage Act and therefore his emails could be seized, the FBI then said that since he was potentially criminally liable, he should not get notice. In other words, the aiding and abetting was an investigative tactic DOJ used to get around protections put into place just for someone like Rosen.

And DOJ’s solution for abusing a protection meant to protect someone like Rosen is apparently to simply redefine the law, so it can overcome those protections without having to accuse Rosen of being a criminal.

The outcome would remain the same; DOJ would just avoid saying mean things about people associated with powerful media outlets.

But the letter Principal Assistant Deputy Attorney General Peter Kadzik sent to answer Bob Goodlatte and Jim Sensenbrenner’s questions about Eric Holder’s testimony about whether he ever prosecuted a journalist makes it clear he thinks James Rosen probably is a criminal, regardless of what he calls it.

When the Department has initiated a criminal investigation into the unauthorized disclosure of classified information, the Department must, as it does in all criminal investigations, conduct a thorough investigation and follow the facts where they lead. Seeking a search warrant is part of an investigation of potential criminal activity, which typically comes before any final decision about prosecution. Probable cause sufficient to justify a search warrant is different from a decision to bring charges for that crime; probable cause is a significantly lower burden of proof than beyond a reasonable doubt, which is required to obtain a conviction on criminal charges.

Note the slippage here: Kadzik says the standard for a probable cause warrant is different than the standard for charging, then says a probable cause warrant is different from the standard for convicting.

What Kadzik is implicitly suggesting is that while DOJ might think Rosen was a criminal co-conspirator, they’d never win their case against him. So they never considered charging him.

I joked some weeks ago that journalists should take solace in all this: Obviously, Eric Holder holds them in precisely the same category as banksters, those who are guilty of a crime but that DOJ chooses not to charge with one.

This letter seems to support this.

Obama’s Headlong Rush to Counterterrorism Transparency

By my count, Thursday will be the 100th day since Obama promised, in his State of the Union Address delivered February 12, “to engage Congress to ensure not only that our targeting, detention and prosecution of terrorists remains consistent with our laws and system of checks and balances, but that our efforts are even more transparent to the American people and to the world.”

Back then there were, officially at least, just a handful of Gitmo detainees on hunger strike. And it’s possible — if DOJ used the two 45-day gags on subpoenas they permit themselves — a subpoena seizing the phone records for 21 AP phone lines had already been issued.

After Obama promised more transparency on drones and other counterterrorism programs, Members of Congress continued to have to demand minimal transparency. On February 20, Rand Paul sent his third request for that information. On February 27, House Judiciary Chairman Bob Goodlatte repeated that Committee’s request to see OLC’s drone targeting memos; he also expressed anger that the Administration had refused to send a witness to the hearing.

On March 7, Eric Holder hinted that we “will hear from the President in a relatively short period of time” on drones and transparency and counterterrorism. On March 8, guards at Gitmo shot non-lethal bullets at detainees. The following day the US conducted a drone strike in Pakistan, one of two strikes that month.

On March 11, Progressive Members of Congress sent a letter asking for information on drone targeting.

On April 9, McClatchy reported that most drone strikes had hit low level militants, contrary to public claims; it also revealed the intelligence reports themselves were false.

On April 10, the House Judiciary Committee finally threatened to subpoena the OLC memos authorizing the killing of an American citizen; that was at least the 23rd request for such information from Congress. A week later the Committee would finally get a promise to see just those memos, memos squarely within the Committee’s oversight jurisdiction.

On April 13, the military locked down Gitmo, effectively depriving most detainees of the human company they had enjoyed for years. On that day, 43 men were hunger striking.

On April 14, Samir Haji al Hasan Moqbel described, in a NYT op-ed, “I’ve been on a hunger strike since Feb. 10 and have lost well over 30 pounds. I will not eat until they restore my dignity.” That same day, the US launched one of two drone strikes in Pakistan that month.

On April 15, the Tsarnaev brothers attacked the Boston Marathon, reportedly in retaliation for treatment of Muslims in Afghanistan and Iraq.

On April 17, a US drone struck the Yemeni village of a Yemeni, Farea al-Muslimi, already scheduled to testify before the Senate Judiciary Committee about how drones turn Yemenis against the US.

On April 21, the number of hunger strikers at Gitmo reached 84 — over half the men there. Six days later, on April 27, that number reached 100. Three more men have since joined the hunger strike.

As those numbers were growing, on April 25, Dianne Feinstein called on Obama to transfer those detainees who have been cleared. On April 30, Obama renewed his promise to close Gitmo. The next day, the White House made clear that the moratorium preventing almost half the detainees, men who have been cleared for transfer, from returning home to Yemen, remained in place.

On May 10, the AP learned that DOJ had seized phone records from 21 phone lines with no notice, potentially exposing the sources of up to 100 journalists.

On May 16, in a hearing querying whether Congress should eliminate or expand the September 18, 2001 Authorization to Use Military Force, Assistant Defense Secretary Michael Sheehan testified the war on terror would last at least 10-20 more years. He also said DOD won’t be taking over CIA’s side of the drone war anytime soon.

Saturday, a drone strike killed at least 4 thus far unidentified men in Yemen.

Which brings us to Thursday when, the WaPo details, Obama will give a speech telling us once again the drone strikes are legal, his desire to close Gitmo is real, and leaks his new CIA Director exacerbated are serious. He will, apparently, also tell us how he plans to make his counterterrorism plan look more like what he promised it would look like 4 years ago.

President Obama will deliver a speech Thursday at the National Defense University in which he will address how he intends to bring his counterterrorism policies, including the drone program and the military prison at Guantanamo Bay, Cuba, in line with the legal framework he promised after taking office.

In the interim between when he promised this transparency and when he’ll start to sort of deliver it (but not, apparently, any actions to close Gitmo), about 7% of his second term will have passed.

Some of the delay, apparently, comes from the need to address the issues that have been festering during the delay.

Obama was prepared to deliver the speech earlier this month, but it was put off amid mounting concerns over a prisoner hunger strike at Guantanamo Bay and more recently the Justice Department leaks investigation — both of which the revised speech may address.

But otherwise, it appears it has taken 100 days to be able to craft a speech good enough to make his paranoia about secrecy and lip service to human rights in counterterrorism look like something else.

Ah well, at least they’ve sharply curtailed drone strikes while they’ve been writing a speech.
