David Kris

David Barron’s ECPA Memo

Last week, I laid out the amazing coinkydink that DOJ provided Sprint a bunch of FISA opinions — including the December 12, 2008 Reggie Walton opinion finding that the phone dragnet did not violate ECPA — on the same day, January 8, 2010, that OLC issued a memo finding that providers could voluntarily turn over phone records in some circumstances without violating ECPA.

Looking more closely at what we know about the opinion, I’m increasingly convinced it was not a coinkydink at all. I suspect that the memo not only addresses FBI’s exigent letter program, but also the non-Section 215 phone dragnet.

As a reminder, we first learned of this memo when, in January 2010, DOJ’s Inspector General issued a report on FBI’s practice of getting phone records from telecom provider employees cohabiting at FBI with little or no legal service. The report was fairly unique in that it was released in 3 versions: the public unclassified but heavily redacted version, a Secret version, and a Top Secret/SCI version. Given how closely parallel the onsite telecom provider program was with the phone dragnet, that always hinted the report may have touched on other issues.

Roughly a year after the IG Report came out, EFF FOIAed the memo (see page 30). Over the course of the FOIA litigation — the DC Circuit rejected their appeal for the memo in January — DOJ provided further detail about the memo.

Here’s how OLC Special Counsel Paul Colborn described the memo (starting at 25):

The document at issue in this case is a January 8, 2010 Memorandum for Valerie Caproni, General Counsel of the Federal Bureau of Investigation (the “FBI”), from David J. Barron, Acting Assistant Attorney General for the Office of Legal Counsel (the “Opinion”). The OLC Opinion was prepared in response to a November 27, 2009 opinion request from the FBI’s General Counsel and a supplemental request from Ms. Caproni dated December 11, 2009. These two requests were made in order to obtain OLC advice that would assist FBI’s evaluation of how it should respond to a draft Report by the Office of Inspector General at the Department of Justice (the “OIG”) in the course of a review by the OIG of the FBI’s use of certain investigatory procedures.In the context of preparing the Opinion, OLC, as is common, also sought and obtained the views of other interested agencies and components of the Department. OIG was aware that the FBI was seeking legal advice on the question from OLC, but it did not submit its views on the question.

The factual information contained in the FBI’s requests to OLC for legal advice concerned certain sensitive techniques used in the context of national security and law enforcement investigations — in particular, significant information about intelligence activities, sources, and methodology.

Later in his declaration, Colborn makes it clear the memo addressed not just FBI, but also other agencies.

The Opinion was requested by the FBI and reflects confidential communications to OLC from the FBI and other agencies. In providing the Opinion, OLC was serving an advisory role as legal counsel to the Executive Branch. In the context of the FBI’s evaluation of its procedures, the general counsel at the FBI sought OLC advice regarding the proper interpretation of the law with respect to information-gathering procedures employed by the FBI and other Executive Branch agencies. Having been requested to provide counsel on the law, OLC stood in a special relationship of trust with the FBI and other affected agencies.

And FBI Record/Information Dissemination Section Chief David Hardy’s declaration revealed that an Other Government Agency relied on the memo too. (starting at 46)

This information was not examined in isolation. Instead, each piece of information contained in the FBI’s letters of November 27, 2009 and December 11, 2009, and OLC’s memorandum of January 8, 2010, was evaluated with careful consideration given to the impact that disclosure of this information will have on other sensitive information contained elsewhere in the United States intelligence community’s files, including the secrecy of that other information.


As part of its classification review of the OLC Memorandum, the FBI identified potential equities and interests of other government agencies (“OGAs”) with regard to the OLC memo. … FBI referred the OLC Memo for consultation with those OGAs. One OGA, which has requested non-attribution, affirmatively responded to our consultation and concurs in all of the classification markings.

Perhaps most remarkably, the government’s response to EFF’s appeal even seems to suggest that what we’ve always referred to as the Exigent Letters IG Report is not the Exigent Letters IG Report!

Comparing EFF’s claims (see pages 11-12) with the government’s response to those claims (see pages 17-18), the government appears to deny the following:

  • The Exigent Letters IG Report was the 3rd report in response to reporting requirements of the USA PATRIOT reauthorization
  • FBI responded to a draft of the IG Report by asserting a new legal theory defending the way it had obtained certain phone records in national security investigations, which resulted in the January 8, 2010 memo
  • The report didn’t describe the exception to the statute involved and IG Glenn Fine didn’t recommend referring the memo to Congress
  • In response to a Marisa Taylor FOIA, FBI indicated that USC 2511(2)(f) was the exception relied on by the FBI to say it didn’t need legal process to obtain voluntary disclosure of phone records

Along with these denials, the government reminded that the report “contained significant redactions to protect classified information and other sensitive information.” And with each denial (or non-response to EFF’s characterizations) it “respectfully refer[red] the Court to the January 2010 OIG report itself.”

The Exigent Letters IG Report is not what it seems, apparently.

With all that in mind, consider two more details. First, as David Kris (who was the Assistant Attorney General during this period) made clear in his paper on the phone (and Internet) dragnet, in addition to Section 215, the government obtained phone records from the telecoms under USC 2511(2)(f), the clause in question.

And look at how the chronology maps.

November 5, 2008: OLC releases opinion ruling sneak peak and hot number requests (among other things) impermissible under NSLs

December 12, 2008: Reggie Walton rules that the phone dragnet does not violate ECPA

Throughout 2009: DOJ confesses to multiple violations of Section 215 program, including:

  • An alert function that serves the same purpose as sneak peaks and also violates Section 215 minimization requirements
  • NSA treated Section 215 derived data with same procedures as EO 12333 data; that EO 12333 data included significant US person data
  • One provider’s (which I originally thought was Sprint, then believed was Verizon, but could still be Sprint) production got shut down because it included foreign-to-foreign data (the kind that, according to the OLC, could be obtained under USC 2511(2)(f)

Summer and Fall, 2009: Sprint meets with government to learn how Section 215 can be used to require delivery of “all” customer records

July 9, 2009: Sprint raises legal issues regarding the order it was under; Walton halts production from provider which had included foreign-to-foreign production

October 30, 2009: Still unreleased primary order BR 09-15

November 27, 2009: Valerie Caproni makes first request for opinion

December 11, 2009: Caproni supplements her request for a memo

December 16, 2009: Application and approval of BR 09-19

December 30, 2009: Sprint served with secondary order

January 7, 2010: Motion to unseal records

January 8, 2010: FISC declassifies earlier opinions; DOJ and Sprint jointly move to extend time when Sprint can challenge order; and OLC releases OLC opinion; FISC grants motion (John Bates approves all these motions)

January 11, 2010: DOJ moves (in a motion dated January 8) to amend secondary order to incorporate language on legality; this request is granted the following day (though we don’t get that order)

January 20, 2010: IG Report released, making existence of OLC memo public

This memo is looking less and less like a coinkydink after all, and more and more a legal justification for the provision of foreign-to-foreign records to accompany the Section 215 provision. And while FBI said it wasn’t going to rely on the memo, it’s not clear whether NSA said the same.

Golly. It’d sure be nice if we got to see that memo before David Barron got to be a lifetime appointed judge.

Crimes against Secrecy, Crimes against the Constitution

I’m not all that interested in the debate about offering Edward Snowden some kind of amnesty, as I think he could never accept the terms being offered, it arises in part out of NSA’s PR effort, and distracts from the ongoing revelations.

But I am interested in this. Amy Davidson wrote a column refuting Fred Kaplan’s assertion that because Snowden “signed an oath, as a condition of his employment as an NSA contractor, not to disclose classified information,” comparisons with Jimmy Carter’s pardon for draft dodgers are inapt. She notes (as a number of people have already) that the only “oath” that Snowden made was to the Constitution.

To begin with, did Snowden sign “an oath…not to disclose classified information”? He says that he did not, and that does not appear to have been contradicted. Snowden told the Washington Posts Barton Gellman that the document he signed, as what Kaplan calls “a condition of his employment,” was Standard Form 312, a contract in which the signatory says he will “accept” the terms, rather than swearing to them. By signing it, Snowden agreed that he was aware that there were federal laws against disclosing classified information. But the penalties for violating agreement alone are civil: for example, the government can go after any book royalties he might get for publishing secrets.

Snowden did take an oath—the Oath of Office, or appointment affidavit, given to all federal employees:

I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; that I take this obligation freely, without any mental reservation or purpose of evasion; and that I will well and faithfully discharge the duties of the office on which I am about to enter. So help me God.

Now, some would argue—and it would have to be an argument, not an elision—that he violated this oath in revealing what he did; Snowden told Gellman that the revelations were how he kept it—protecting the Constitution from the officials at the N.S.A., which was assaulting it. Either way this is just not an oath, on the face of it, about disclosing classified information. [my emphasis]

Former Obama DOD official Phil Carter then attempted to refute Davidson on Twitter. He did so by pointing to the “solemnity” of the forms Snowden did sign, and then noting such “promises are far more legally enforceable than an ‘oath’ of office.”

Screen shot 2014-01-06 at 8.16.52 AM

I don’t dispute Carter’s point that nondisclosure agreements are easier to enforce legally than an oath to the Constitution. And, as noted above, in her original piece Davidson admitted that Snowden had acknowledged there were laws against leaking classified information. No one is arguing Snowden didn’t break any laws (though if our whistleblower laws covered contractors, there’d be a debate about whether that excuses Snowden’s leaks).

Nevertheless, Carter’s comment gets to the crux of the point (and betrays how thoroughly DC insiders have internalized it).

We have an ever-growing side of our government covered by a blanket of secrecy. Much of what that secrecy serves to cover up involves abuse or crime. Much of it involves practices that gut the core precepts of the Constitution (and separation of powers are as much at risk as the Bill of Rights).

Yet we not only have evolved a legal system (by reinforcing the clearance system, expanding the Espionage Act, and gutting most means to challenge Constitutional violations) that treats crimes against secrecy with much greater seriousness than crimes against the Constitution, but DC folks (even lawyers, like Carter) simply point to it as the way things are, not a fundamental threat to our country’s government.

That plight — where our legal system guards this country’s “secrets” more greedily than it guards the Constitution — is the entire point underlying calls for amnesty for Snowden. He has pointed to a system that not only poses a grave threat to the Bill of Rights, but just as surely, to separation of powers and our claim to be a democracy.

Moreover, those who (like Carter) point to our failed branches of government as better arbiters of the Constitution than Snowden ignore many of the details in the public record. Just as one example, David Kris has suggested that the entire reason Colleen Kollar-Kotelly wrote a badly flawed opinion authorizing the Internet dragnet was because George Bush had created a constitutional problem by ignoring Congress’ laws and the courts.

More broadly, it is important to consider the context in which the FISA Court initially approved the bulk collection. Unverified media reports (discussed above) state that bulk telephony metadata collection was occurring before May 2006; even if that is not the case, perhaps such collection could have occurred at that time based on voluntary cooperation from the telecommunications providers. If so, the practical question before the FISC in 2006 was not whether the collection should occur, but whether it should occur under judicial standards and supervision, or unilaterally under the authority of the Executive Branch. [my emphasis]

And while Kris argued Congress’ subsequent approval of the dragnets cures this original sin, the record in fact shows it did so only under flawed conditions of partial knowledge. Of course, these attempts to paper over a constitutional problem only succeed so long as they remain shrouded in secrecy.

That the first response of many is to resort to legalistic attempts to prioritize the underlying secrecy over the Constitution raises questions about what they believe they are protecting. The next torture scandal? Covert ops that might serve the interest of certain autocratic allies but actually make Americans less secure? The financial hemorrhage that is our military industrial complex? The sheer ignorance our bloated intelligence community has about subjects of great importance? Petty turf wars? Past failures of the national security system we’re encouraged to trust implicitly?

At some point, we need to attend to protecting our Constitution again. If Article I and III have gotten so scared of their own impotence (or so compromised) that they can no longer do so, then by all means lets make that clear by revealing more of the problems.

But we need to stop chanting that our Constitution is not a suicide pact and instead insist that our secrecy oaths non-disclosure agreements should not be suicide bombs.

In Which Ben Wittes Proves Ben Wittes Is NAKED

160 days ago, Jim Sensenbrenner released a letter to Eric Holder expressing concern about the way DOJ had interpreted Section 215. In it, he did some creative editing to hide that he had had an opportunity to learn about that interpretation before he voted to reauthorize the PATRIOT Act.

160 days ago, I was (I believe) the first person to point out that obfuscation.

In those 160 days, I have also documented the serial lies and obfuscations of people like Keith Alexander, James Clapper, Robert Mueller, Mike Rogers, Valerie Caproni, Dianne Feinstein, Raj De, and Robert Litt. (one, two, three, four, five, six, seven, eight, nine, ten, eleven, twelve, thirteen, fourteen, fifteen, sixteen, seventeen, eighteen, nineteen, twenty, twenty-one, twenty-two, twenty-three, twenty-four, twenty-five, twenty-six, twenty-seven, twenty-eight, twenty-nine, thirty, thirty-one, thirty-two, thirty-three; trust me, this is just a quick survey). The most recent of these lies came last week when Raj De and Robert Litt claimed Congress had been fully informed about the authorities they were voting on, a claim which the Executive Branch’s own record proves to be false.

In spite of the clear imbalance between the lies NSA critics have told and those NSA apologists have told, Ben Wittes has made it a bit of a hobby to use Sensenbrenner’s single (egregious) lie to try to discredit NSA critics (without, of course, pointing out the serial, at times even more egregious, lies NSA apologists were telling). Of late, Wittes has harangued that, because he told a lie 160 days ago, Sensenbrenner is operating in bad faith when he criticizes NSA’s programs now. (See also this post.)

I have never questioned the good faith of Senators Patrick Leahy, Ron Wyden, or Rand Paul. They are legislators with a perspective. That’s how Congress works.

Rep. James Sensenbrenner is a different matter.

Since the bulk metadata program broke, the former chairman of the House Judiciary Committee has been on a campaign of denunciation of both agency activity under the Patriot Act—the law he helped write. And he has been denouncing the administration for having misled him about how Section 215 is being used too. He has done so with a breathtaking dishonesty that puts him in a different category from those members who have a policy dispute with the administration. [my emphasis]

Mind you, Wittes did not examine the content of Sensenbrenner’s more recent claims. Had he done so, he might have realized that the record supports Sensenbrenner’s complaints, even if the messenger for those complaints might be less than perfect.

It ignored restrictions painstakingly crafted by lawmakers and assumed a plenary authority never imagined by Congress. Worse, the NSA has cloaked its operations behind such a thick cloud of secrecy that, even if our trust was restored, Congress and the American people would lack the ability to verify it.

Note, we’re still learning the full extent of how the Executive Branch blew off limits placed on the PATRIOT authorities.

Wittes might even have noted Sensenbrenner’s apparent commitment to do his own job better.

“I hope that we have learned our lesson and that oversight will be a lot more vigorous,” Sensenbrenner said.

Even ignoring Wittes’ remarkable double standard, in which he suggests Sensenbrenner’s one lie should disqualify him from speaking on this topic forever while Clapper and Alexander’s seeming addiction to lies apparently shouldn’t even be mentioned in polite company, a highly regarded expert recently laid out new evidence for why Sensenbrenner has good reason to be angry, regardless of his role in passing PATRIOT in 2001 or 2006 or 2010 or even 2011.

The expert?

Ben Wittes.

Continue reading

Three Theories Why the Section 215 Phone Dragnet May Have Been “Erroneous” from the Start

Update, 1/6/14: I just reviewed this post and realize it’s based on the misunderstanding that the February 24 OLC opinion is from last year, not 2006. That said, the analysis of the underlying tensions that probably led to the use of Section 215 for the phone dragnet are, I think, still valid. 

According to ACLU lawyer Alex Abdo, the government may provide more documents in response to their FOIA asking for documents relating to Section 215 on November 18. Among those documents is a February 24, 2006 FISA Court opinion, which the government says it is processing for release.

That release — assuming the government releases the opinion in any legible form — should solve a riddle that has been puzzling me for several weeks: whether the FISA Court wrote any opinion authorizing the phone dragnet collection before its May 24, 2006 order at all.

The release may also provide some insight on why former Assistant Attorney General David Kris concedes the initial authorization for the program may have been “erroneous.”

More broadly, it is important to consider the context in which the FISA Court initially approved the bulk collection. Unverified media reports (discussed above) state that bulk telephony metadata collection was occurring before May 2006; even if that is not the case, perhaps such collection could have occurred at that time based on voluntary cooperation from the telecommunications providers. If so, the practical question before the FISC in 2006 was not whether the collection should occur, but whether it should occur under judicial standards and supervision, or unilaterally under the authority of the Executive Branch.


The briefings and other historical evidence raise the question whether Congress’s repeated reauthorization of the tangible things provision effectively incorporates the FISC’s interpretation of the law, at least as to the authorized scope of collection, such that even if it had been erroneous when first issued, it is now—by definition—correct. [my emphasis]

That “erroneous” language comes not from me, but from David Kris, one of the best lawyers on these issues in the entire country.

And the date of the opinion — February 24, 2006, 6 days before the Senate would vote to reauthorize the PATRIOT Act having received no apparent notice the Administration planned to use it to authorize a dragnet of every American’s phone records — suggests several possible reasons why the original approval is erroneous.

Possibility one: There is no opinion

The first possibility, of course, is that my earlier guess was correct: that the FISC court never considered the new application of bulk collection, and simply authorized the new collection based on the 2004 Colleen Kollar-Kotelly opinion authorizing the Internet dragnet. In this possible scenario, that February 2006 opinion deals with some other use of Section 215 (though I doubt it, because in that case DOJ would withhold it, as they are doing with two other Section 215 opinions dated August 20, 2008 and November 23, 2010).

So one possibility is the FISA Court simply never considered whether the phone dragnet really fit the definition of relevant, and just took the application for the first May 24, 2006 opinion with no questions. This, it seems to me, would be erroneous on the part of FISC.

Possibility two: FISC approved the dragnet based on old PATRIOT knowing new “relevant to” PATRIOT was coming

Another possibility is that the FISA Court rushed through approval of the phone dragnet knowing that the reauthorization that would be imminently approved would slightly different language on the “relevance” standard (though that new language was in most ways more permissive). Thus, the government would already have an approval for the dragnet in hand at the time when they applied to use it in May, and would just address the “relevance” language in their application, which we know they did.

In this case, the opinion would seem to be erroneous because of the way it deliberately sidestepped known and very active actions of Congress pertaining to the law in question.

Possibility three: FISC approved the dragnet based on new PATRIOT language even before it passed

Another possibility is that FISC approved the phone dragnet before the new PATRIOT language became law. That seems nonsensical, but we do know that DOJ’s Office of Intelligence Policy Review briefed FISC on something pertaining to Section 215 in February 2006.

After passage of the Reauthorization Act on March 9, 2006, combination orders became unnecessary for subscriber information and [one line redacted]. Section 128 of the Reauthorization Act amended the FISA statute to authorize subscriber information to be provided in response to a pen register/trap and trace order. Therefore, combination orders for subscriber information were no longer necessary. In addition, OIPR determined that substantive amendments to the statute undermined the legal basis for which OIPR had received authorization [half line redacted] from the FISA Court. Therefore, OIPR decided not to request [several words redacted] pursuant to Section 215 until it re-briefed the issue for the FISA Court. 24

24 OIPR first briefed the issue to the FISA Court in February 2006, prior to the Reauthorization Act. [two lines redacted] [my emphasis]

Still, this passage seems to reflect an understanding, at the time DOJ briefed FISC and at the time that the FISC opinion was written that the law was changing in significant ways (some of which made it easier for the government to get IDs along with the Internet metadata it was collecting using a Pen Register).

This would seem to be erroneous for timing reasons, in that the judge issued an opinion based on a law that had not yet been signed into law, effectively anticipating Congress.

The looming threat of Hepting v. AT&T and Mark Klein’s testimony

Which brings me to why. The 2009 Draft NSA IG Report describes some of what went on in this period.

After the New York Times article was published in December 2005, Mr. Potenza stated that one of the PSP providers expressed concern about providing telephone metadata to NSA under Presidential Authority without being compelled. Although OLC’s May 2004 opinion states that NSA collection of telephony metadata as business records under the Authorization was legally supportable, the provider preferred to be compelled to do so by a court order.

As with the PR/TT Order, DOJ and NSA collaboratively designed the application, prepared declarations, and responded to questions from court advisors. Their previous experience in drafting the PRTT Order made this process more efficient.

The FISC signed the first Business Records Order on 24 May 2006. The order essentially gave NSA the same authority to collect bulk telephony metadata from business records that it had under the PSP. And, unlike the PRTT, there was no break in collection at transition.

But the IG Report doesn’t explain why the telecom(s) started getting squeamish after the NYT scoop.

It doesn’t mention, for example, that on January 17, 2006, the ACLU sued the NSA in Detroit. A week after that suit was filed, Attorney General Alberto Gonzales wrote the telecoms a letter giving them cover for their cooperation.

On 24 January 2006, the Attorney General sent letters to COMPANIES A, B, and C, certifying under 18 U.S.C. 2511 (2)( a)(ii)(B) that “no warrant or court order was or is required by law for the assistance, that all statutory requirements have been met, and that the assistance has been and is required.”

Note, this wiretap language pertains largely to the collection of content (that is, the telecoms had far more reason to worry about sharing content). Except that two issues made the collection of metadata particularly sensitive: the data mining of it, and the way it was used to decide who to wiretap.

More troubling still to the telecoms, probably, came when EFF filed a lawsuit, Hepting, on January 31 naming AT&T as defendant, largely based on an LAT story of AT&T giving access to the its stored call records.

But I’m far more interested in the threat that Mark Klein, the AT&T technician who would ultimately reveal the direct taps on AT&T switches at Folsom Street, posed. Continue reading

DOJ Did Not Fulfill Legally Required Disclosure on Section 215 to Congress Until After PATRIOT Reauthorization

In the Guardian’s superb summary of the importance of the NSA leaks, Zoe Lofgren challenges the claims that Congress has received all the documents NSA claims it has gotten.

I do serve on the Judiciary Committee and various statements have been made that the Judiciary Committee members were told about all of this and those statements are untrue, not the facts, we have not been provided the documents that the Agency said that we were.

In a Privacy and Civil Liberties Oversight Board today, NSA General Counsel Raj De and ODNI General Counsel Robert Litt both repeated such claims (these are from my notes on twitter; I’ll check my transcription later). De said that Section 215 “had all indicia of official legitimacy” which in part came because it was “twice reauthorized by Congress with full information from exec.” And Litt said they are “by statute required to provide copies [of FISC documents] to both houses. They got materials relating to this [Section 215] program.”

Obviously, we know De is wrong, and he must know it, because a sufficiently large block of Congressmen never had the opportunity to read the Executive’s official notice to make the difference in the 2011 reauthorization. His statement is a clear lie.

But I’m just as interested in Litt’s claim (which would rely on notice to the Judiciary and Intelligence Committees).

This most recent I Con dump provides some evidence that illuminates Lofgen’s implicit dispute of Litt’s claims. Remember this paragraph, which is one of the most specific claims about what notice the Administration gave to Congress about using Section 215 to authorize the phone dragnet.

Moreover, in early 2007, the Department of Justice began providing all significant FISC pleadings and orders related to this [Section 215] program to the Senate and House Intelligence and Judiciary committees. By December 2008, all four committees had received the initial application and primary order authorizing the telephony metadata collection. Thereafter, all pleadings and orders reflecting significant legal developments regarding the program were produced to all four committees.

As I noted in this post, the specific language (in bold) regarding the first, May 2006, authorization of the phone dragnet at least suggested, in this context, there wasn’t an opinion at all, as did a lot more evidence. But recent reporting strongly suggests there was (see this post where I argue this is likely the phone dragnet opinion).

Government lawyers have told the ACLU that they are withholding at least two significant FISC opinions — one from 2008 and one from 2010 — relating to the Patriot Act’s Section 215, or “business records” provision.

This would seem to indicate that Congress was not provided the original 2006 opinion (as distinct from the application and primary order) “by December 2008.”

With that mind, consider this document released by the I Con, an August 16, 2010 memo from Office of Legislative Affairs Assistant Attorney General Ronald Weich to the Chairs of the Judiciary and Intelligence Committees.

Pursuant to section 1871 of United States Code Title 50, we are providing the Committees with copies of the remaining decisions, orders, or opinions issued by the Foreign Intelligence Surveillance Court, and pleadings, applications, or memoranda of law associated therewith, that contain significant constructions or interpretations of any provision of FISA during the five-year period ending July 10, 2008. See 50 U.S.C. § 1871(c)(2). We have provided similar materials for the same time period. 

Now remember, while ODNI made a big show of releasing these documents, they released them as part of the ACLU’s FOIA for documents on Section 215 and all the documents released pertain to Section 215. I Con describes the memo as referring to “several documents to the Congressional Intelligence and Judiciary Committees relating to NSA collection of bulk telephony metadata under Section 501 of the FISA, as amended by Section 215 of the USA PATRIOT Act,” confirming they pertain to Section 215.

The Patriot Act was reauthorized in February 2010.

At a minimum, this suggests the White Paper provided in August may have been highly misleading. When it said “Thereafter, all pleadings and orders reflecting significant legal developments regarding the program were produced to all four committees,” it did not mean that by December 2008, the four oversight committees had all the significant opinions in hand. Even assuming the Weich brief was correct, which Lofgren’s comment suggests it might not be, they didn’t get around to handing over opinions pertaining to Section 215 going back to July 10, 2003 until August 2010. That period — July 10, 2003 to July 10, 2008 — would cover both the July 2004 Colleen Kollar-Kotelly opinion authorizing using the Pen Register/Trap and Trace to collect Internet metadata, and the May 2006 opinion authorizing the phone dragnet. While we don’t know that the Kollar-Kotelly opinion was withheld until 2010, the language of the White Paper (which suggests the opinion itself was not provided) strongly suggests the May 2006 one was.

The law requiring such disclosure, 50 U.S.C. § 1871(c)(2), was part of the FISA Amendments Act, so had been in place for a full year by the time the PATRIOT Act reauthorization got started, yet DOJ didn’t get around to complying with it until 2 years after the law passed. And the law specifically requires disclosure of both the PR/T&T and the Section 215 authorities.

The possibility that DOJ did not turn over the original phone dragnet opinion is utterly damning given David Kris’ suggestion that the initial approval of the phone dragnet — the 2006 opinion — may have been erroneous.

More broadly, it is important to consider the context in which the FISA Court initially approved the bulk collection. Unverified media reports (discussed above) state that bulk telephony metadata collection was occurring before May 2006; even if that is not the case, perhaps such collection could have occurred at that time based on voluntary cooperation from the telecommunications providers. If so, the practical question before the FISC in 2006 was not whether the collection should occur, but whether it should occur under judicial standards and supervision, or unilaterally under the authority of the Executive Branch.


The briefings and other historical evidence raise the question whether Congress’s repeated reauthorization of the tangible things provision effectively incorporates the FISC’s interpretation of the law, at least as to the authorized scope of collection, such that even if it had been erroneous when first issued, it is now—by definition—correct.

David Kris at least entertains the possibility that the original May 2006 opinion was “erroneous,” but points to Congress’ reauthorization of the PATRIOT Act to claim it had incorporated FISC’s interpretation of the law.

But now we know that DOJ did not provide all of FISC’s significant opinions pertaining to Section 215 to the key oversight committees until August 16, 2010, over two years after they were obligated to do so — and the plain language of the White Paper strongly suggests that DOJ did not provide the key May 2006 opinion to the oversight committees.

This doesn’t yet prove that DOJ withheld the May 2006 opinion that Kris suggests might be “erroneous” until after Congress reauthorized the PATRIOT Act. But it strongly suggests that is the case.

Update: PATRIOT Act Reauthorization line moved per Anonster’s suggestion.

Update: Added the language I Con used to describe the documents handed over in August 2010.

The FISC Opinion Dance

Andrea Peterson calls attention to this cryptic Ron Wyden quote in WaPo’s story on extant FISA Court opinions on bulk collection.

“The original legal interpretation that said that the Patriot Act could be used to collect Americans’ records in bulk should never have been kept secret and should be declassified and released,” Sen. Ron Wyden (D-Ore) said in a statement to The Washington Post. “This collection has been ongoing for years and the public should be able to compare the legal interpretation under which it was originally authorized with more recent documents.”

Before I speculate about what Wyden might be suggesting, let’s review what opinions the article says exist.

There’s the original Colleen Kollar-Kotelly opinion.

In the recent stream of disclosures about National Security Agency surveillance programs, one document, sources say, has been conspicuously absent: the original — and still classified — judicial interpretation that held that the bulk collection of Americans’ data was lawful.

That document, written by Colleen Kollar-Kotelly, then chief judge of the Foreign Intelligence Surveillance Court (FISC), provided the legal foundation for the NSA amassing a database of all Americans’ phone records, say current and former officials who have read it.


Kollar-Kotelly’s interpretation served as the legal basis for a court authorization in May 2006 that allowed the NSA to gather on a daily basis the phone records of tens of millions of Americans, sources say. Her analysis, more than 80 pages long, was “painstakingly thorough,” said one person who read it. The date of the analysis has not been disclosed.


There’s a 2006 one pertaining to Section 215 not written by Kollar-Kotelly.

The Justice Department also is reviewing a 2006 court opinion related to the Section 215 provision to determine whether it can be released, said Alex Abdo, an ACLU staff lawyer. (A senior department official told The Post that no 2006 Kollar-Kotelly opinion is based on that provision.)

There are two more on Section 215 the government has disclosed the existence of to ACLU.

Government lawyers have told the ACLU that they are withholding at least two significant FISC opinions — one from 2008 and one from 2010 — relating to the Patriot Act’s Section 215, or “business records” provision.

Now compare how these map up with the two opinions referenced by Claire Eagan in her recent opinion.

This Court had reason to analyze this distinction in a similar context in [redacted]. In that case, this Court found that “regarding the breadth of the proposed surveillance, it is noteworthy that the application of the Fourth Amendment depends on the government’s intruding into some individual’s reasonable expectation of privacy.” Id. at 62. The Court noted that Fourth Amendment rights are personal and individual, see id. (citing Steagald v. United States, 451 U.S. 204, 219 (1981); Rakas v. Illinois, 439 U.S. 128, 133 (1978) (“‘Fourth Amendment rights are personal rights which … may not be vicariously asserted.,) (quoting Alderman v. United States, 394 U.S. 165, 174 (1969))), and that “[s]o long as no individual has a reasonable expectation of privacy in meta data, the large number of persons whose communications will be subjected to the … surveillance is irrelevant to the issue of whether a Fourth Amendment search or seizure will occur.” Id. at 63. Put another way, where one individual does not have a Fourth Amendment interest, grouping together a large number of similarly-situated individuals cannot result in a Fourth Amendment interest springing into existence ex nihilo.


This Court has previously examined the issue of relevance for bulk collections. See [6 lines redacted]

While those involved different collections from the one at issue here, the relevance standard was similar. See 50 U.S.C. § 1842(c)(2) (“[R]elevant to an ongoing investigation to protect against international terrorism …. “). In both cases, there were facts demonstrating that information concerning known and unknown affiliates of international terrorist organizations was contained within the non-content metadata the government sought to obtain.  Continue reading

Findings versus Law: “The Intelligence Community Does Not Task Itself”

Predictably, Ben Wittes adopted the Shane Harris piece airing NSA gripes about the White House’s flaccid defense of them as part of Lawfare’s Empathy for Wiretappers series (brought to you in part by NSA contractor Northrop Grumman!).

In his commentary on the piece, Wittes compares Bush’s defense of torture (which Wittes calls coercive interrogation) and warrantless wiretapping (I assume he means the illegal warrantless wiretapping, as distinct from the warrantless wiretapping permitted under the existing legally sanctioned program) with Obama’s relative silence on NSA’s programs.

Another comparison would be to the way President Bush handled the firestorms over NSA’s warrantless wiretapping program and the CIA’s coercive interrogation program. Whatever one thinks of the programs in question, in my view the comparison does not flatter Obama.

Say what you will about Bush and the CIA’s interrogation program; there’s no question that he owned it. Nobody in the public ever thought that the program belonged to then-CIA Director George Tenet—though Tenet certainly was an enthusiastic executor. It was Bush’s program, and the reason it came off this way was that Bush publicly, repeatedly, and personally defended it. He made speeches about it. He wrote about it in his book. He never ran away from it. Nor, notably, did his attorney general. Similarly, Bush never ran away from warrantless wiretapping program. We associate him so personally with these programs, because he stoutly stood by them.

Obama has a lot on his plate right now. But he and his White House should not be leaving defense of intelligence programs he believes in to the intelligence community. Nor should Eric Holder, whose department convinced the FISA Court of the legal views currently at issue and oversees day-to-day FISA collection activity at NSA.

The intelligence community does not task itself. And when the political leadership tasks it to do something that then engulfs it in controversy, it should be a matter of honor not to let it dangle in the breeze.

As a threshold matter, who in their right mind would ask Eric Holder to defend a program? For better or worse, he has no more credibility right now than James Clapper or Keith Alexander, particularly among conservatives who believe he’s responsible for Fast and Furious. That may make him ineffective as an AG, but that is the AG Obama has chosen to retain.

Furthermore, which Attorney General does Ben have in mind that also defended these programs (or does he mean just torture?). Not only did John Ashcroft refuse to reauthorize parts of the illegal wiretap program, but Alberto Gonzales lied about it to get confirmed as Attorney General. Or does he mean Michael Mukasey, who by all appearances sold his soul at a meeting with David Addington, promising he wouldn’t oppose torture, in order to become Attorney General in the first place?

But I’m more interested, generally, in what I consider an inapt comparison.

One can argue that the President should aggressively defend whatever intelligence activities take place under his watch. But there is a big difference between the illegal wiretap and torture programs — which were authorized by a Presidential Directive and Finding, respectively — and the surveillance programs being exposed as a result of the Snowden  leaks — which were authorized by law.

In the former case, the intelligence agencies are all the more reliant on the President’s vocal defense, because without it they are entirely illegal. And for better and worse, the President should (but didn’t, at least not in the case of torture) pay close attention to the execution of those programs because he’s on the hook for them himself. That makes it much harder for the President to criticize any violations of the programs he authorized (like torture contractors James Mitchell and Bruce Jessen exceeding the terms of the program).

To the extent that the Intelligence Committees operate within the terms of the law, the same could be said of congressionally sanctioned programs.

That’s not what we’re talking about here. We’re talking about phone dragnet, Internet dragnet, and upstream collection, all of which violated the laws and/or Court ordered procedures authorizing them. When the government moved the phone dragnet under Section 215, it retained access for other agencies, performed contact chaining on unapproved selectors, and allowed access to the database from other NSA interfaces, old features of the illegal program that should have been turned off in 2006. We don’t know what the Internet dragnet violations were, but they’re likely also continuations of the illegal program. And NSA used FISA to intentionally target (according to John Bates) US person communications, in violation of the law and the Fourth Amendment, but also a practice that continued from the illegal program.

And the phone dragnet and (presuming they were discovered as part of the end-to-end review, though if they weren’t it’d be even more damning) Internet dragnet violations were admitted, after having persisted for 3 years, just as Obama entered the White House. The phone dragnet violations, at least, did not operate unchecked under the Obama Administration.

Further, as I noted yesterday, the woman now being criticized for her silence, Lisa Monaco, is one of the handful of people who had to ride herd on NSA as DOJ’s National Security Division brought NSA practices into compliance with the actual letter of the law.

I’d like to learn more about the tensions between Agencies as the Administration tried to bring the NSA programs into line with the letter of the law and FISC orders. Perhaps NSA worked proactively to reveal and fix everything (though the record seems to suggest the opposite). Perhaps it didn’t, and David Kris and Lisa Monaco had to push to force them to comply. But under Keith Alexander, the NSA failed to stay within the letter of the law (which ought to be reason enough to fire him). That makes the problems now being revealed substantively different from the torture and illegal wiretap programs, where the Executive only had to comply with what the President personally bought off on.

It may well be that Obama has approved all of what we’re seeing (he certainly approved an expanded StuxNet so should be held responsible for much of the hacking we’re doing; note that our offensive attacks actually are parallel to the covert programs raised by Wittes), though he couldn’t have approved the phone dragnet violations. It may well be that his Administration instead reined them in as soon as they discovered them, with whatever cooperation or resistance from NSA. We simply don’t know.

But an Agency violating the letter of the law and court orders affirmatively authorizing their actions is qualitatively different than an Agency violating the law based on direct orders from the President.

Upstream US Person Collection: EO 12333 and/or FISA?

Screen shot 2013-10-04 at 2.42.00 AMKeith Alexander had a really bizarre response to a question from Mazie Hirono in Tuesday’s hearing.

SEN. HIRONO: I have one more question, Mr. Chairman. General Alexander, is PRISM the only intelligence program NSA runs under FISA Section 702?

GEN. ALEXANDER: Well, PRISM was (the statement ?), but, yes. Essentially, the only program was that — that, you know, is PRISM under 702, which under — operates under that authority for the court. But we also have programs under 703, 704 and 705.

Perhaps he was confused by her question (which came in the context of questions about the NYT’s report on the construction of dossiers, potentially on Americans). But he seems to have claimed that PRISM — the collection of Internet content from Internet providers under Section 702 — is the only way the NSA uses FISA Amendments Act to collect content.

Not only does the PRISM slide above belie that (and there’s also phone content that is not covered under PRISM).

But the government itself released the October 3, 2011 John Bates FISC opinion (and other related documents) which describes the government’s collection of Internet transactions directly from the phone company switches (see footnote 24 where Bates distinguishes between the two kinds of Section 702 Internet collection). In an attempt to spin this collection as a big mistake last week, Dianne Feinstein even confirmed that this “upstream” collection comes from the backbone operated by the phone companies.

In mid 2011, NSA notified the DOJ, the DNI, and the FISA court, and House and Senate Intelligence Committees, of a series of compliance incidents impacting a subset of NSA collection under Section 702 of FISA, known as upstream collection.

This comprises about 10 percent of all collection that takes place under 702, and occurs when NSA obtains Internet communications, such as e-mails, from certain U.S. companies that operate the Internet background;[sic] i.e., the companies that own and operate the domestic telecommunication lines over which Internet traffic flows.

So there’s PRISM, there’s phone content collection, and there’s the upstream Internet collection from the phone companies’ switches. All operated, per the 2011 Bates memo, under Section 702 (and therefore overseen by the FISA Court and Congress).

Which is why I’ve been pondering this chart and related explanation, from NSA’s internal review of compliance incidents for the first quarter of 2012.

Screen shot 2013-10-04 at 2.18.15 AM

The chart shows all the violation incidents NSA discovered under programs authorized under Executive Order 12333 — the EO that covers entirely foreign collection, over which FISC and Congress exercise much less oversight than FISA. And what NSA calls “Transit Program” violations appear in the EO 12333, not the FISA, chart. In the first quarter of 2012 (the first quarter after the government started to resolve the 702 upstream collection problems laid out in the Bates memo), Transit Program violations went up from 7 in a quarter to 27.

NSA describes Transit Program violations this way.

(TS//SI//REL TO USA, FVEY) International Transit Switch Collection*: International Transit switches, FAIRVIEW (US-990), STORMBREW (US-983), ORANGEBLOSSOM (US-3251), and SILVERZEPHYR (US-3273), are Special Source Operations (SSO) programs authorized to collect cable transit traffic passing through U.S. gateways with both ends of the communication being foreign. When collection occurs with one or both communicants inside the U.S., this constitutes inadvertent collection. From 4QCY11 to 1QCY12, there was an increase of transit program incidents submitted from 7 to 27, due to the change in our methodology for reporting and counting of these types of incidents,

That is, these “Transit Program” violations reflect the collection of US person data in upstream collection, the very same problem described in the Bates opinion.

As I’ve been puzzling through why Transit Program violations would appear under EO 12333 rather than FISA, I wondered whether NSA collects off switches under both authorities — some content that the telecoms provide after doing an initial screening (as described in this WSJ article and backhandedly confirmed by the DNI), and some programs that the NSA collects and sorts off undersea cables itself. Both FAIRVIEW and STORMBREW show up — seemingly as Section 702 collection — on the PRISM slide above, but ORANGEBLOSSOM and SILVERZEPHYR don’t (WSJ also lists OAKSTAR and LITHIUM).

If so, though, you’d expect NSA to be finding violations under both authorities, because we know the government collects US person data under the 702 authorized upstream collection (they call this unintentional but Bates deemed it intentional).

This is all the more confusing given the way former Assistant Attorney General David Kris discusses “vacuum cleaner” collection taking place under EO 12333. His paper is on metadata collection, not content, but the vacuum cleaner (that is, dragnet) collection collects content as well (and the distinction may get distorted in discussions of Internet packets).

I don’t, yet, know the answer to this question, but the question itself raises several others:

  • Given that there’s not a 702-authorized Transit Program violation category, does that mean NSA wasn’t and may still not be tracking it? That doesn’t make sense, because there are greater mandates to track these things under 702.
  • If there wasn’t a 702-authorized Transit Program violation category before the revelations to John Bates, is it possible NSA instead treated upstream collection as authorized by 12333 so as not to have to report these violations?
  • Are these known violations being reported now? Are they getting reported to Congress and the Court? Or has the NSA simply decided they’re not violations since Bates has okayed them, sort of, as intentional collection?
  • If some of the upstream collection yielding US person content operates under 12333, does it have to be treated under any minimization rules?
  • What do the 7 and 27 violation numbers reflect in relation to the figures of 10,000 SCT and 46,000 MCT estimates involving US persons provided to Bates?
  • Did these violations ever get reported to Congress and the FISC?

In short, either all this upstream collection falls under 702, in which case there’s a big question why NSA tracks it as 12333 collection. Or the NSA’s ability to operate upstream collection under both authorities raises real questions about the protections it accords US person data collected under the 12333 collection.

Update: Two more things on this.

First, remember back in 2001, John Yoo pixie dusted EO 12333, basically holding the President could change the content of it without changing the language of it publicly. That was done, according to Sheldon Whitehouse, to permit the government to “wiretap Americans traveling abroad.” But I suspect it was done to permit the government to “wiretap Americans’ communications traveling abroad” — that is, American Internet traffic that transits foreign switches.

That said, I suspect the 2010 OLC memo on using 2511(2)(f) for collection was meant to clean up some of that (and also Yoo’s reliance on claiming the Fourth Amendment didn’t apply in DOD searches of entire apartment buildings if they were searching for terrorists).

Also, remember that the language of the 2008 Yahoo opinion makes it clear that the Protect America Act — Section 702′s predecessor — relied on 12333 for particularity. While we should soon learn more (FISC is releasing much more of this opinion and underlying documents), it seems that PAA was treated as a nested program within 12333.

David Kris: I’m Not Saying CIA Shoots Drones, Assassinates Americans, and Influences Media, But …

In the passage of David Kris’ paper that address more public transparency, he included on paragraph on covert action.

For example, the covert action statute 221 could be interpreted and applied in ways that may be extraordinarily important, but about which very, very few Members of Congress, let alone the American People, ever learn.222 The statute defines covert action to exclude “traditional” military and law-enforcement activities,223 provides that a covert action finding “may not authorize any action that would violate the Constitution or any statute of the United States,”224 and specifically warns that “No covert action may be conducted which is intended to influence United States political processes, public opinion, policies, or media.”225 Without making any comment, express or implied, on any actual or hypothetical covert action, or even acknowledging that any covert action of any kind has ever actually taken place, it is quite obvious that each of those elements of the statute could raise enormously difficult and complex interpretive questions, some of which might affect many Americans.226 Yet it might be impossible, in many cases, to explain those interpretations without revealing the most sensitive classified information. 227 [60]

In other words, in a passage explaining the challenges and limits to making information available to the public, he implies (“without making any comment, express or implied, on any actual or hypothetical covert action, or even acknowledging that any covert action of any kind has ever actually taken place”) that CIA may have:

And while he very studiously avoids confirming these things that have all been confirmed elsewhere, his argument about the transparency of the matter has more to do with our treatment of covert ops than with transparency per se.

That is, it’s not so much that the US doesn’t and can’t know about the drone strikes, US person assassinations, and really bad propaganda the CIA has been involved in. It’s just that the government keeps the law on covert operations on the book, pretending it abides by it, while telling just the Gang of Four it doesn’t.

That is, it’s not about transparency, it’s about the legal sanction to lie about actions that everyone knows the Executive undertakes.

None of that is shocking (though it’s an interesting argument). But it’d be nice if Kris wanted to hint whether these covert actions included more politicized spying on American people.

David Kris Outlines the Internet Dragnet Elephant

Way back on page 64 (of 67) of former Assistant Attorney General for National Security David Kris’ paper “On the Bulk Collection of Tangible Things,” he invokes the elephant metaphor the President used to promise more NSA disclosures on multiple programs.

What I’m going to be pushing the IC to do is rather than have a trunk come out here and leg come out there and a tail come out there, let’s just put the whole elephant out there so people know exactly what they’re looking at.

In keeping with the President’s direction, the Intelligence Community has released many new details about the bulk telephony metadata collection program, as described above. In addition, as also noted above, the FISC itself has released significant new information. The key remaining question is whether there will be additional, authorized releases concerning intelligence activity that has not been subject to prior, unauthorized releases. [my emphasis]

Kris uses the President’s elephant to ask whether they really will disclose their intelligence programs. He mentions just the phone dragnet (even though the Administration, in response to two FOIAs, also released information about their Section 702 upstream collection programs), even as he suggests the Administration might do well to admit to other programs before they are exposed by an Edward Snowden leak.

Which is interesting, because Kris’ paper — in spite of his title and in spite of that reference to the phone dragnet — is really about what the government has declassified (the phone dragnet) as well as what the government has left partly hidden (the Internet dragnet and broader phone dragnet).

Kris discusses the PATRIOT-authorized Internet dragnet along with the phone dragnet

Kris, after all, provides the following facts about the PATRIOT-authorized Internet dragnet, citing the named sources:

  • Internet and telephony metadata was collected starting in 2001, until the 2004 hospital disagreement led to the former being moved to Pen Register/Trap & Trace authority in 2004, which was the first bulk order (“purported” NSA IG Report)
  • One company — which the “purported” IG report makes clear was an Internet one and is probably Yahoo — did not participate in the illegal wiretap program (“purported” NSA IG Report)
  • The Internet metadata collection ended in 2011 (an ODNI spokesperson in a Charlie Savage story)

Kris also points to four different Administration acknowledgements of the Internet metadata program. He refers to the 2009 and 2011 notice letters to Congress (though he focuses on the phone dragnet language in them), and the James Clapper response to Wyden and 25 other Senators. Perhaps most interestingly, Kris notes that government witness(es) have confirmed the program and the use of PR/TT to authorize it…

At a July 17, 2013 hearing of the House Judiciary Committee, government witnesses confirmed the pen-trap bulk collection.

But unlike just about every other comment in a hearing cited in his paper, Kris doesn’t quote the exchange, which went like this.

SUZAN DELBENE: The public also now knows that the telephone metadata collection is under Section 215, the Business Records provision of FISA, and that allows for the collection of tangible things. But we’ve also seen reports of a now-defunct program collecting email metadata. With regard to the email metadata program that is no longer being operated, can you confirm that the authority used to collect that data was also Section 215?

GEN. COLE: It was not. It was the Pen Register Trap and Trace Authority under FISA, which is slightly different, but it amounts to the same kind of thing. It does not involve any content. It is, again, only to and from. It doesn’t involve, I believe, information about identity. It’s just email addresses. So it’s very similar, but not under the same provision.

REP. DELBENE: And could you have used Section 215 to collect that information?

GEN. COLE: It’s hard to tell. I’d have to take a look at that.

The transcript from this hearing is up at the I Con the Record site, so it’s unclear why Kris didn’t quote it.  Continue reading

Emptywheel Twitterverse
JimWhiteGNV RT @GregMitch: @jaketapper Jake, why not try "U.S. jets meant for defense of Israel now export death to Gaza"?
JimWhiteGNV RT @onekade: Israel pummels Gaza with bombs and meanwhile @jaketapper defends his trash hasbara piece on tunnels. What a disgusting display.
JimWhiteGNV RT @onekade: Israel is deliberating targeting civilians with bombs that we US taxpayers purchased. Detroit needs water, but we pay for slau…
emptywheel @sarahjeong Um. Maybe @xor is trying to trick you into unfollowing mid-Bar. That would not be good.
emptywheel @sarahjeong Still, nothing you can't kick the shit out of.
emptywheel @sarahjeong Wait. You can't bring your multidecals into a test for 3 days? Nutty.
emptywheel This time tomorrow (or thereabouts) @sarahjeong will have nothing left to do before she can sue your ass but practice trolling--good luck!
JimWhiteGNV RT @RaysBaseball: Lead: acquired. @jamesloney_7 puts #RaysUp 2-1 on @Brewers with a bases-loaded single! Stretches his streak to 17 games r…
bmaz @JimWhiteGNV That's just.......wrong.
JimWhiteGNV RT @WinWithoutWar: Empowering speech from @barbaraslavin1 at @BerimOrg's advocacy dinner! #letdiplomacywork #IranDeal @plough_shares http:/…
JimWhiteGNV Attention @bmaz: This #Rays fan is demonstrating the only proper use of cheese. http://t.co/B4N3bounOp
bmaz @howellsacto @emptywheel Excellent point.
July 2014
« Jun