Dutch Ruppersberger

More Clarity and Lack Thereof in the Obama Dragnet Reform

A Senior Administration Official has clarified two remaining questions I had about the President’s plan to reform the dragnet.

First and very importantly, the conference call left unclear (and most subsequent reporting often didn’t directly address) whether Obama’s plan would apply just to counterterrorism purposes (as the current phone dragnet does) or more broadly (as the House Intelligence Committee RuppRoge proposal does). But SAO is clear: Obama’s plan focuses on specific terrorist groups.

The existing program only allows for queries of numbers associated with specified terrorist groups. Our operational focus is to make sure we preserve that counterterrorism authority in any new legislation. We will continue consulting with Congress on these issues.

This, then, is another way in which the President’s plan is significantly better than the RuppRoge plan — that it sets out to only cover CT, whereas RuppRoge sets out to cover foreign intelligence purposes broadly. Though that “consult with Congress” bit seems to allow the possibility that the White House will move towards broader use for the query system.

I also wondered — particularly given Verizon’s quick statement arguing it should not have to perform analysis for the government — who would do the data integrity analysis required to narrow the query results to those genuinely in contact with a selector, rather than ordering from the same pizza joint. Here, SAO was less clear, in part, punting the issue to Congress and “stakeholders” like Verizon.

Under the President’s proposal, the government would seek court orders compelling the companies to provide technical assistance to ensure the information can be queried, to run the queries, and to give the records back to the government in a usable format and on a timely basis. As additional questions arise with respect to the proposal, we look forward to working through them with Congress and relevant stakeholders to craft legislation that embodies the key attributes of this new approach. [my emphasis]

As a reminder, here’s Verizon General Counsel Randal Milch’s full statement:

This week Congressmen Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) released the “End Bulk Collection Act of 2014”, which would end bulk collection of data related to electronic communications. The White House also announced that it is proposing an approach to end bulk collection. We applaud these proposals to end Section 215 bulk collection, but feel that it is critical to get the details of this important effort right. So at this early point in the process, we propose this basic principle that should guide the effort: the reformed collection process should not require companies to store data for longer than, or in formats that differ from, what they already do for business purposes. If Verizon receives a valid request for business records, we will respond in a timely way, but companies should not be required to create, analyze or retain records for reasons other than business purposes. [my emphasis]

Verizon — probably the most important provider for this to work (because AT&T already gives the government what it wants and because it’s got the most upside growth) — doesn’t want to be forced to change the format in which they keep their data, and it doesn’t want to do analysis. But this response seems to say it wants to receive sound query results from Verizon, which would require that analysis first.

RuppRoge, as you’ll recall, offers NSA assistance (presumably including Booz NSA contractors working onsite at Verizon) to providers to do this work. As written, the White House proposal does not.

While this is an obscure issue (I may be the only one writing on it!), it has a direct impact on how many completely Americans get sucked into the NSA and subjected to the full range of its analytical tools. And it seems to be a key point of disagreement between the White House and perhaps the most important telecom provider.

The Reason Obama Capitulated on the (Phone) Dragnet

This will be a bit of a contrary take on what I believe to be the reasons for President Obama’s capitulation on the dragnet, announcing support today for a plan to outsource the first query in the dragnetting process to the telecoms.

It goes back to the claims — rolled out in February — that the NSA has only been getting 20 to 30% of the call data in the US. Those reports were always silent or sketchy on several items:

  • The claims were always silent that they applied only to Section 215, and did not account for the vast amount of data, including US person cell data, collected under EO 12333.
  • The claims were sketchy about the timing of the claim, especially in light of known collection of cell data in 2010 and 2011, showing that at that point NSA had no legal restrictions on accepting such data.
  • The claims were silent about why, in both sworn court declarations and statements to Congress, Administration officials said the collection (sometimes modified by Section 215, often, especially in court declarations, not) was comprehensive.

Here’s what I think lies behind those claims.

We know that as recently as September 1, 2011, the NSA believed it had the legal authority to collect cell location data under Section 215, because they were doing just that. Congress apparently did not respond well to learning, belatedly, that the government was collecting location data in a secret interpretation of a secret interpretation. Nevertheless, it appears the government still believed it had that authority — though was reevaluating it — on January 31, 2012, when Ron Wyden asked James Clapper about it — invoking the “secret law” we know to be Section 215 — during his yearly grilling of Clapper in the Global Threat hearing.

Wyden: Director Clapper, as you know the Supreme Court ruled last week that it was unconstitutional for federal agents to attach a GPS tracking device to an individual’s car and monitor their movements 24/7 without a warrant. Because the Chair was being very gracious, I want to do this briefly. Can you tell me as of now what you believe this means for the intelligence community, number 1, and 2, would you be willing to commit this morning to giving me an unclassified response with respect to what you believe the law authorizes. This goes to the point that you and I have talked, Sir, about in the past, the question of secret law, I strongly feel that the laws and their interpretations must be public. And then of course the important work that all of you’re doing we very often have to keep that classified in order to protect secrets and the well-being of your capable staff. So just two parts, 1, what you think the law means as of now, and will you commit to giving me an unclassified answer on the point of what you believe the law actually authorizes.

Clapper: Sir, the judgment rendered was, as you stated, was in a law enforcement context. We are now examining, and the lawyers are, what are the potential implications for intelligence, you know, foreign or domestic. So, that reading is of great interest to us. And I’m sure we can share it with you. [looks around for confirmation] One more point I need to make, though. In all of this, we will–we have and will continue to abide by the Fourth Amendment. [my emphasis]

Unsurprisingly, as far as I know, Clapper never gave Wyden an unclassified answer.

Nevertheless, since then the government has come to believe it cannot accept cell data under Section 215. Perhaps in 2012 as part of the review Clapper said was ongoing, the government decided the Jones decision made their collection of the cell location of every cell phone in the US illegal or at least problematic. Maybe, in one of the 7 Primary orders DOJ is still withholding from 2011 to 2013, the FISC decided Jones made it illegal to accept data that included cell location. It may be that a February 24, 2013 FISC opinion — not a primary order but one that significantly reinterpreted Section 215 — did so. Certainly, by July 19, 2013, when Claire Eagan prohibited it explicitly in a primary order, it became illegal for the government to accept cell location data.

That much is clear, though: until at least 2011, DOJ believed accepting cell location under Section 215 was legal. At least by July 19, 2013, FISC made it clear that would not be legal.

That, I believe, is where the problems accepting cell phone data as part of Section 215 come from (though this doesn’t affect EO 12333 data at all, and NSA surely still gets much of what it wants via EO 12333). Theresa Shea has explicitly said in sworn declarations that the NSA only gets existing business records. As William Ockham and Mindrayge have helped me understand, unless a telecom makes it own daily record of all the calls carried on its network — which we know AT&T does in the Hemisphere program, funded by the White House Drug Czar — then the business ecords the phone company will have are its SS7 routing records. And that’s going to include cell phone records. And those include location data for cell phones.

Now, it may be that the telecoms chose not to scan out this information for the government. It may be that after the program got exposed they chose to do the bare minimum, and the cell restrictions allowed them to limit what they turned over (something similar may have happened with VOIP calls carried across their networks). It may be that Verizon and even AT&T chose to only provide that kind of data via EO 12333 program that, because they are voluntary, get paid at a much higher rate. In any case, I have very little doubt that NSA got the phone records from Verizon, just not via Section 215.

But I’m increasingly sure the conflict between Section 215′s limit to existing business record and the limits imposed on Section 215 via whatever means was the source of the “problem” that led NSA to only get 30% of phone records [via the Section 215 program, which is different than saying they only got 30% of all records from US calls].

And a key feature of both the President’s sketchy program…

  • the companies would be compelled by court order to provide technical assistance to ensure that the records can be queried and that results are transmitted to the government in a usable format and in a timely manner.

And the RuppRoge Fake Fix…

(h)(1)(A) immediately provide the Government with records, whether existing or created in the future, in the format specified by the Government

[snip]

(h)(2) The Government may provide any information, facilities, or assistance necessary to aid an electronic communications service provider in complying with a directive issued pursuant to paragraph (1).

Is that the government gets to dictate what format they get records in here, which they couldn’t do under Section 215. That means, among other things, they can dictate that the telecoms strip out any location data before it gets to NSA, meaning NSA would remain compliant with whatever secret orders have made the collection of cell location in bulk illegal.

Remember, too, that both of these programs will have an alert feature. In spite of getting an alert system to replace the one deemed illegal in 2009 approved on November 8 2012, the government has not yet gotten that alert function working for what are described as technical reasons.

The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes. Accordingly, this amendment to the Primary Order authorizes the use of this automated query process for development and testing purposes only. No query results from such testing shall be made available for analytic purposes. Use of this automated query process for analytical purposes requires further order of this Court.

It’s possible that, simply doing the alert on exclusively legally authorized data (as opposed to data mixing EO 12333 and FISC data) solves the technical problems that had stymied NSA from rolling out the alert system they have been trying to replace for 5 years. It’s possible that because NSA was getting its comprehensive coverage of US calls via different authorities, it could not comply with the FISC’s legal limits on the alert system. But we know there will be an alert function if either of these bills are passed.

The point is, here, too, outsourcing the initial query process solves a legal-technical problem the government has been struggling with for years.

The Obama plan is an improvement over the status quo (though I do have grave concerns about its applicability in non-terrorist contexts, and my concerns about what the government does with the data of tens to hundreds of thousands of innocent Americans remain).

But don’t be fooled. Obama’s doing this as much because it’s the easiest way to solve legal and technical problems that have long existed because the government chose to apply a law that was entirely inapt to the function they wanted to use it for.

Shockers! A more privacy protective solution also happens to provide the best technical and legal solution to the problem at hand.

Update: Forgot to add that, assuming I’m right, this will be a pressure point that Members of Congress will know about but we won’t get to talk about. That is, a significant subset of Congress will know that unless they do something drastic, like threatening legal penalties or specifically defunding any dragnetting, the Executive will continue to do this one way or another, whether it’s under a hybrid of Section 215 and EO 12333 collection, or under this new program. That is, it will be a selling point to people like Adam Schiff (who advocated taking the call records out of government hands but who has also backed these proposals) that this could bring all US intelligence collection under the oversight of the FISC (it won’t, really, especially without a very strong exclusivity provision that prohibits using other means, which the Administration will refuse because it would make a lot of what it does overseas illegal). This is the same tension that won the support of moderates during the FISA Amendments Act, a hope to resolve real separation of powers concerns with an imperfect law. So long as the Leahy-Sensenbrenner supporters remain firm on their demands for more reforms, we may be able to make this a less imperfect law. But understand that some members of Congress will view passing this law as a way to impose oversight over a practice (the EO 12333 collection of US phone records) that has none.

Update: Verizon has released this telling statement.

This week Congressmen Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) released the “End Bulk Collection Act of 2014”, which would end bulk collection of data related to electronic communications. The White House also announced that it is proposing an approach to end bulk collection. We applaud these proposals to end Section 215 bulk collection, but feel that it is critical to get the details of this important effort right. So at this early point in the process, we propose this basic principle that should guide the effort: the reformed collection process should not require companies to store data for longer than, or in formats that differ from, what they already do for business purposes. If Verizon receives a valid request for business records, we will respond in a timely way, but companies should not be required to create, analyze or retain records for reasons other than business purposes. [my emphasis]

It’s telling, first of all, because Verizon still doesn’t want to have to fuss with anything but their business records. That says it has been unwilling to do so, in the past, which, in my schema, totally explains why the government couldn’t get Verizon cell records using Section 215. (I have wondered whether this was a newfound complaint, since they got exposed whereas AT&T did not; and even in spite of Randal Milch’s denial, I still do wonder whether the Verizon-Vodaphone split hasn’t freed them of some data compliance obligations.)

Just as importantly, Verizon doesn’t want to analyze any of this data. As I have pointed out, someone is going to have to do high volume number analysis, because otherwise the number of US person records turned over will be inappropriately large but small enough it will be a significant privacy violation to do it at that point (for some things, it requires access to the raw data).

I’m unclear whether the RuppRuge Fake Fix plan of offering assistance (that is, having NSA onsite) fixes this, because NSA could do this analysis at Verizon.

The RuppRoge Fake Dragnet Fix, As Introduced: Does It Include Keith Alexander’s Quid Pro Quo?

This post is going to be a general review on the contents of the actual records collection part of the RuppRoge Fake Dragnet Fix, which starts on page 15, though I confess I’m particularly interested in what other uses — besides the phone dragnet — it will be put to.

First, note that this bill applies to “electronic communication service providers,” not telecoms. In addition, it uses neither the language of Toll Records from National Security Letters nor Dialing, Addressing, Routing, or Signalling from Pen Registers. Instead, it uses “records created as a result of communications of an individual or facility.” Also remember that FISC has, in the past, interpreted “facility” to mean “entire telecom switch.” This language might permit a lot of things, but I suspect that one of them is another attempt to end run content collection restrictions on Internet metadata — the same problem behind the hospital confrontation and the Internet dragnet shutdown in 2009. I look forward to legal analysis on whether this successfully provides an out.

The facility language is also troubling in association with the foreign power language of the bill (which already is a vast expansion beyond the terrorism-only targeting of the phone dragnet). Because you could have a telecom switch in contact with a suspected agent of a foreign power and still get a great deal of data, much of it on innocent people. The limitation (at b1B) to querying with “specific identifiers or selection terms’ then becomes far less meaningful.

Then add two details from section h, covering the directives the government gives the providers. The government requires the data in the format they want. Section 215 required existing business records, which may have provided providers a way to be obstinate about how they delivered the data (and this may have led to the government’s problems with the cell phone data). But it also says this (in the paragraph providing for compensation I wrote about here):

The Government may provide any information, facilities, or assistance necessary to aid an electronic communications service provider in complying with a directive

Remember, one month ago, Keith Alexander said he’d be willing to trade a phone dragnet fix for what amounts to the ability to partner with industry on cybersecurity. The limits on this bill to electronic communication service providers means it’s not precisely what Alexander wanted (I understand him to want that kind of broad partnership across industries). Still, the endorsement of the government basically going to camp out at a provider makes me wonder if there isn’t some of that. Note, that also may answer my question about when and where NSA would conduct the pizza joint analysis, which would mean there’d still be NSA techs (or contractors) rifling through raw data, but they’d be doing it at the telecoms’ location.

The First Amendment restriction appears more limited than it is in the Section 215 context, though I suspect RuppRoge simply reflects the reality of what NSA is doing now. Both say you can’t investigate an American solely for First Amendment views, but RuppRoge says you can’t get the information for an investigation of an American. Given that RuppRoge eliminates any requirement that this collection be tied to an investigation, it would make it very easy to query a US person selector based on First Amendment issues in the guise of collecting information for another reason. But again, I suspect that’s what the NSA is doing in practice in any case.

Note, too, that RuppRoge borrows the “significant purpose” language from FISA, meaning the government can have a domestic law enforcement goal to getting these records.

RuppRoge then lays out an elaborate certification/directive system that is (as I guessed) modeled on the FISA Amendments Act, but written to be even more Byzantine in the bill. It works the same, though: the Attorney General and the Director of National Intelligence submit broad certifications to the FISC, which reviews whether they comply with the general requirements in the bill. It can also get emergency orders (though for some reason here, as elsewhere, RuppRoge have decided to invent new words from the standard ones), though the language is less about emergency and more about timely acquisition of data. Ultimately, there is judicial review, after the fact, except that like FAA, the review is programmatic, not identifier specific. Significantly, the records the government has to keep only need to comply with selection procedures (which are the new name for targeting procedures) “at the time the directive was issued,” which would seem to eliminate any need to detask over a year if you discover the target isn’t actually in contact with an agent of a foreign power. Also, in the clause permitting the FISC to order data be destroyed if the directives were improper, the description talks about halting production of “records,” but destruction of “information.” That might be more protective (including the destruction of reports based on data) or it might not (requiring only the finished reports be destroyed). Interestingly, this section includes no language affirmatively permitting alert systems, though RuppRoge have made it clear that’s what they intend with the year long certifications. In addition, those year long certifications might be used in conjunction with a year long PRISM order to first search a provider for metadata, then immediately task on content (which would be useful in a cybersecurity context).

The bill also changed the language of minimization procedures, which they call “civil liberties and privacy protection procedures.” Interestingly, the procedures differ from the standard in Section 215, including both a generalized privacy protection and one limiting receipt and dissmenation of “records associated with a specific person.” These might actually be more protective than those in Section 215, or they might not, given that the identifying information (at b1D) excludes things like phone number or email which clearly identify a specific person, but get no protection (this identifying information hearkens back, at least in part, to debates about whether the dragnet minimization procedures complied with requirement for them in law on this point). In other words, it may provide people more protection, but given the NSA’s claim that they can’t get identify from a phone number, they likely don’t consider that data to be protected at all.

I can’t help believing much of this bill was written with cases like Lavabit and the presumed Credo NSL challenges in mind, as it uses language disdainful of legal challenges.

If the judge determines that such petition consists of claims, defenses, or other legal contentions that are not warranted by existing law or consists of a frivolous argument for extending, modifying, or reversing existing law or for establishing new law, the judge shall immediately deny such petition and affirm the directive or any part of the directive that is the subject of the such petition and order the recipient to comply with the directive or any part of it.

This seems to completely rule out any constitutional challenge to this law from providers.  Though the bill even allows for emergency acquisition while FISC is reviewing a certification, suggesting RuppRoge don’t want the FISC to make any through either. So if this bill were to pass, you can be sure it will remain in place indefinitely.

RuppRoge Fake Dragnet Fix Requires Intel Community to Update 30 Year Old EO 12333 Procedures

One good aspect of the RuppRoge Fake Dragnet Fix is its measure requiring all elements of the Intelligence Community to comply with the EO that governs them.

At issue is this clause in EO 12333 requiring that any element of the Intelligence Community collecting data on US persons have Attorney General approved procedures for handling that data.

2.3 Collection of information. Elements of the Intelligence Community are authorized to collect, retain, or disseminate information concerning United States persons only in accordance with procedures established by the head of the Intelligence Community element concerned or by the head of a department containing such element and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order, after consultation with the Director.

This is something PCLOB asked Eric Holder and James Clapper to make sure got done back in August. In their letter, they disclosed some agencies in the IC have been stalling on these updates almost 3 decades.

The Privacy and Civil Liberties Oversight Board just sent a letter to Eric Holder and James Clapper requesting that they have all the Intelligence Committee agencies update what are minimization procedures (though the letter doesn’t call them that), “to take into account new developments including technological developments.”

As you know, Executive Order 12333 establishes the overall framework for the conduct of intelligence activities by U.S. intelligence agencies. Under section 2.3 of the Executive Order, intelligence agencies can only collect, retain, and disseminate information about U.S. persons if the information fits within one of the enumerated categories under the Order and if it is permitted under that agency’s implementing guidelines approved by the Attorney General after consultation with the Director of National Intelligence.

The Privacy and Civil Liberties Oversight Board has learned that key procedures that form the guidelines to protect “information concerning United States person” have not comprehensively been updated, in some cases in almost three decades, despite dramatic changes in information use and technology. [my update]

In other words, these procedures haven’t been updated, in some cases, since not long after Ronald Reagan issued this EO in 1981.

RuppRoge aims to require the IC elements to comply.

(1) REQUIREMENT FOR IMMEDIATE REVIEW.–Each head of an element of the intelligence community that has not obtained the approval of the Attorney General for the procedures, in their entirety, required by section 2.3 of Executive Order 12333 (50 U.S.C. 3001 note) within 5 years prior to the data of the enactment of the End Bulk Collection Act of 2014, shall initiate, not later than 180 days after such enactment, a review of the procedures for such element.

Mind you, asking agencies to initiate a review 6 months after passage of a bill to update procedures that are 30 years old isn’t exactly lighting a fire under IC arse. But then, the delay probably stems from some agencies hoarding agency records on US persons that are even older than the EO.

A Key Part of RuppRoge’s Fake Dragnet Fix Reform: Pay the Telecoms

Here’s an interesting “reform” in the RuppRoge’s Fake Dragnet Fix. It pays the telecoms.

COMPENSATION AND ASSISTANCE.–The Government shall compensate, at the prevailing rate, an electronic communications service provider for providing records in accordance with directives issued pursuant to [their bill].

Section 215 does not include such a payment provision. And while the first two phone dragnet orders included provision for such payments, that was probably illegal.

Don’t get me wrong. I’m sure the government has found some way to pay the telecoms, either through added payments for AT&T’s Hemisphere program or gifts in kind. (Though given the timing of DOJ’s suit against Sprint for over-billing, I do wonder whether the government is retaliating for something.) Telecoms don’t spy for free, so I’m sure they’ve been getting paid, illegally, for the last 8 years of dragnet spying they’ve been doing.

But the lack of such provision in Section 215 should have limited the scope of the dragnet. It should have required that requests be so narrow no telecom was going to send big bills to the government every month. And it presumably made the telecoms (well, except for AT&T, which never met a spying request it didn’t love) less willing to interpret orders from the government expansively.

The inclusion of such a compensation clause in the RuppRoge “reform” makes it even more likely this dragnet will expand with the now well-oiled willingness of the telecoms to go above and beyond the letter of the request.

Which is presumably just how the NSA wants it to be.

NSA Bids to Expand Spying in Guise of “Fixing” Phone Dragnet

Dutch Ruppersberger has provided Siobhan Gorman with details of his plan to “fix” the dragnet — including repeating the laughable claim that the “dragnet” (which she again doesn’t distinguish as solely the Section 215 data that makes up a small part of the larger dragnet) doesn’t include cell data.

Only, predictably, it’s not a “fix” of the phone dragnet at all, except insofar as NSA appears to be bidding to use it to do all the things they want to do with domestic dragnets but haven’t been able to do legally. Rather, it appears to be an attempt to outsource to telecoms some of the things the NSA hasn’t been able to do legally since 2009.

For example, there’s the alert system that Reggie Walton shut down in 2009.

As I reported back in February, the NSA reportedly has never succeeded in replacing that alert system, either for technical or legal reasons or both.

NSA reportedly can’t get its automated chaining program to work. In the motion to amend, footnote 12 — which modifies part of some entirely redacted paragraphs describing its new automated alert approved back in 2012 — reads:

The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes. Accordingly, this amendment to the Primary Order authorizes the use of this automated query process for development and testing purposes only. No query results from such testing shall be made available for analytic purposes. Use of this automated query process for analytical purposes requires further order of this Court.

PCLOB describes this automated alert this way.

In 2012, the FISA court approved a new and automated method of performing queries, one that is associated with a new infrastructure implemented by the NSA to process its calling records.68 The essence of this new process is that, instead of waiting for individual analysts to perform manual queries of particular selection terms that have been RAS approved, the NSA’s database periodically performs queries on all RAS-approved seed terms, up to three hops away from the approved seeds. The database places the results of these queries together in a repository called the “corporate store.”

It has been 15 months since FISC approved this alert, but NSA still can’t get it working.

I suspect this is the root of the stories claiming NSA can only access 30% of US phone records.

As described by WSJ, this automated system will be built into the orders NSA provides telecoms; once a selector has been provided to the telecoms, they will keep automatically alerting on it.

Under the new bill, a phone company would search its databases for a phone number under an individual “directive” it would receive from the government. It would send the NSA a list of numbers called from that phone number, and possibly lists of phone numbers those numbers had called. A directive also could order a phone company to search its database for such calls as future records come in. [my emphasis]

This would, presumably, mean NSA still ends up with a corporate store, a collection of people against whom the NSA has absolutely not a shred of non-contact evidence, against whom they can use all their analytical toys, including searching of content.

Note, too, that this program uses the word “directive,” not query. Directive comes from the PRISM program, where the NSA gives providers generalized descriptions and from there have broad leeway to add new selectors. Until I hear differently, I’ll assume the same is true here: that this actually involves less individualized review before engaging in 2 degrees of Osama bin Laden.

The legislation seems ripe for inclusion of querying of Internet data (another area where the NSA could never do what it wanted to legally after 2009), given that it ties this program to “banning” (US collection of, but Gorman doesn’t say that either, maintaining her consistency in totally ignoring that EO 12333 collection makes up the greater part of bulk programs) Internet bulk data collection.

The bill from Intelligence Committee Chairman Mike Rogers (R., Mich.) and his Democratic counterpart, Rep. C.A. “Dutch” Ruppersberger (D., Md.), would ban so-called bulk collection of phone, email and Internet records by the government, according to congressional aides familiar with the negotiations. [my emphasis]

Call me crazy, but I’m betting there’s a way they’ll spin this to add in Internet chaining with this “fix.”

Note, too, Gorman makes no mention of location data, in spite of having tied that to her claims that NSA only collects 20% of data. Particularly given that AT&T’s Hemisphere program provides location data, we should assume this program could too, which would present a very broad expansion on the status quo.

And finally, note that neither the passage I quoted above on directives to providers, nor this passage specifies what kind of investigations this would be tied to (though they are honest that they want to do away with the fig leaf of this being tied to investigations at all).

The House intelligence committee bill doesn’t require a request be part of an ongoing investigation, Mr. Ruppersberger said, because intelligence probes aim to uncover what should be investigated, not what already is under investigation.

Again, the word “directive” in the PRISM context also provides the government the ability to secretly pass new areas of queries — having expanded at least from counterterrorism to counterproliferation and cybersecurity uses. So absent some very restrictive language, I would assume that’s what would happen here: NSA would pass it in the name of terrorism, but then use it primarily for cybersecurity and counterintelligence, which the NSA considers bigger threats these days.

And that last suspicion? That’s precisely what Keith Alexander said he planned to do with this “fix,” presumably during the period when he was crafting this “fix” with NSA’s local Congressman: throw civil libertarians a sop but getting instead an expansion of his cybersecurity authorities.

Update: Here’s Spencer on HPSCI, confirming it’s as shitty as I expected.

And here’s Charlie Savage on Obama’s alternative.

It would:

  • Keep Section 215 in place, though perhaps with limits on whether it can be used in this narrow application
  • Enact the same alert-based system and feed into the corporate store, just as the HPSCI proposal would
  • Include judicial review like they have now (presumably including automatic approval for FISA targets)

Obama’s is far better than HPSCI (though this seems to be part of a bad cop-good cop plan, and the devil remains in the details). But there are still some very serious concerns.

Obama Approves Releasing Classified Information to Attack Snowden for Leaking Classified Information

Kudos to Shane Harris who, unlike a number of other reporters, brought the appropriate skepticism to Mike Rogers and Dutch Ruppersberger’s attempt to fearmonger Edward Snowden’s leaks. Not only did Harris use the correct verb tense — “could” as opposed to “has” — to describe documents describing the activities of the Armed Services that have not yet been released (and note, implicitly Rogers and Rupp are saying the risk is to forces in the field but not within the domestic US). But he repeatedly noted Rogers and Rupp’s complete failure to provide any evidence:

But the lawmakers — who are working in coordination with the Obama administration and are trying to counter the narrative that Snowden is a heroic whistleblower — offered no specific examples to substantiate their claims.

[snip]

The lawmakers cited no articles or specific documents to support that claim.

[snip]

But the spokesman did not say what, if any, conclusions the task force had reached about actual damage caused by documents Snowden took, regardless of whether they’ve been disclosed or not.

My favorite part of Harris’ piece, however, is the way he makes clear that Rogers and Rupp are selectively releasing classified information — with the Administration’s approval — to complain about Snowden releasing classified information.

A congressional staffer who is familiar with the report’s findings said that the lawmakers chose to make some of its contents public in order to counter what they see as a false impression of Snowden as a principled whistleblower who disclosed abuses of power.

“Snowden has been made out by some people to be a hero. What we need to do is really look at the effect of his leaks and see that what he’s done is really harm our country and put citizens at risk. The purpose [of releasing some findings] is to clear the record and show that he’s not a hero,” the staffer told Foreign Policy.

The staffer said that the administration approved the information that the lawmakers disclosed in advance.

Because some leaky pigs are more equal than other leaky pigs.

Keith Alexander: The One General Obama Didn’t Fire

Obama has developed a reputation for firing Generals (so much so the wingnuts have developed some conspiracy theories about it).

Most famously, of course, he fired Stanley McChrystal for insubordination. He ousted CENTCOM Commander James Mattis early because of dissent on Iran policy (what on retrospect, with the distance and this AP report, might have been opposition to the back channel discussions that led to this weekend’s interim nuclear deal). A slew of Generals have been fired for offenses including drinking, fucking (including sexual abuse), swearing, and cheating at poker, as well as abusing their positions (Hamm, Gaouette, Baker, Roberts, Sinclair, Giardina, CarryHuntoon). Obama accepted then CIA Director David Petraeus’s resignation, ostensibly for fucking, too, but even before that kept refusing Petraeus the promotions he thought he deserved. Generals Gurganus and Sturdevant got fired for not sufficiently defending a big base in Afghanistan.

It’s that background that makes the premise of this WSJ piece on NSA so unconvincing. It presents the fact that General Keith Alexander offered — but Obama did not accept — his resignation as proof of how significantly the Snowden leaks have affected NSA.

Shortly after former government contractor Edward Snowden revealed himself in June as the source of leaked National Security Agency documents, the agency’s director, Gen. Keith Alexander, offered to resign, according to a senior U.S. official.

The offer, which hasn’t previously been reported, was declined by the Obama administration. But it shows the degree to which Mr. Snowden’s revelations have shaken the NSA’s foundations—unlike any event in its six-decade history, including the blowback against domestic spying in the 1970s.

[snip]

When the leaks began, some top administration officials found their confidence in Gen. Alexander shaken because he presided over a grave security lapse, a former senior defense official said. But the officials also didn’t think his resignation would solve the security problem and were concerned that letting him leave would wrongly hand Mr. Snowden a win, the former defense official said.

Even before Edward Snowden started working for the NSA via Booz, Alexander had presided over — by his own provably exaggerated admission — the plunder of America via cybertheft.

Then, on top of that purportedly catastrophic failure, Snowden served to demonstrate how easy it was to walk away with details on some of NSA’s most sensitive ops.

And yet the guy who left the entire US Internet as well as NSA’s codebreaking exposed — as compared to a single base in Afghanistan — did not get fired for his failures.

Because that might wrongly hand Snowden a win, apparently.

That’s the real tell. The article provides new details on an effort to weigh the value of wiretapping elite targets. But the rest of the article quotes hawks like Dutch Ruppersberger and Mike Rogers complaining about the risk of big new controls that might end the Golden Age of SIGINT while — again — focusing almost exclusively on the wiretapping of elites (the article includes one paragraph predicting a compromise on the dragnet programs, not noting, of course, how much of the dragnet has already moved overseas).

Broad new controls, though, run the risk of overcorrecting, leaving the agency unable to respond to a future crisis, critics of the expected changes warn.

[snip]

Another change under consideration is placing a civilian in charge of the NSA for the first time after Gen. Alexander leaves next spring, as he has been planning to do. Deputy Defense Secretary Ashton Carter is advocating internally for the change, according to current and former officials. Mr. Carter declined to comment.

“We’re getting clobbered, and we want a better story to tell than: ‘It’s under review, and everybody does it,’ ” the senior administration official said, speaking of the U.S. belief that other governments routinely electronic eavesdrop on foreign leaders.

There’s one more odd part of this story. It claims that after 9/11, the NSA was pilloried for its lapses leading up to the attack.

After the 2001 terrorist attacks, the NSA was pilloried for missing clues of the plot. It reinvented itself as a terrorist-hunting machine, channeling its computing power to zero in on suspects any time they communicated.

That’s not what happened. The National Security establishment has repeatedly, falsely portrayed NSA’s failure to realize Khalid al-Mihdhar was calling an Al Qaeda line in Yemen and CIA’s failure to share information about Mihdhar’s travel. And none of the 9/11 Commission’s recommendations address NSA (by the time of the report, the “wall” between intelligence and FBI, which otherwise would have been a recommendation, had been down for almost 3 years). But beyond that, no one has scrutinized NSA’s collections (in part because they include damning intercepts implicating the Saudis).

Moreover, the claim that this dragnet exists solely to “zero in on suspects any time they communicated” ignores the shift from terrorism to cybersecurity.

In short, while WSJ’s sources seem to be claiming catastrophe, the story they’re telling is business as usual.

Obama has fired Generals for failure to protect a single base, not to mention cheating at poker. He seems intent on keeping Alexander — at least to get through this scandal — precisely because he’s so good at cheating at (metaphorical) poker.

Shorter Rupp: We Inform Members at Briefings They Can’t Attend Because They’re Too Busy

Since it became clear Mike Rogers had chosen not to pass on the Administration’s notice of phone dragnet problems, I’ve been wondering if he did the same with any notice about the FISA Amendments Act upstream problems.

In response to a query from Politico, Rogers and his counterpart Dutch Ruppersberger seem to suggest they did not pass on the notice.

Moreover, the House leaders who held the keys to the report did not loudly broadcast its existence to the rest of the chamber. The chairman of the Intelligence Committee, Rogers, and the panel’s ranking Democrat, Dutch Ruppersberger of Maryland, declined to say whether they even had sent a letter in 2012 informing members there had been a critical document to view. Hill sources say they don’t recall anything of the sort.

More telling still, though, is Rupp’s justification for providing briefings instead of the actual white paper.

Party leaders did hold unclassified and classified briefings on FISA, but they occurred just days before the House’s September 2012 vote to reauthorize the law. The Republican briefing, for example, occurred only two days before the House approved the FISA Amendments Act, according to an invite obtained by POLITICO. Yet nowhere in the message, sent Sept. 7, 2012, is any mention of the White House white paper on FISA oversight — the document that detailed how the agency had erred in collecting U.S. communications.

Committee leaders, though, stress they acted appropriately. “Members were notified of the contents of the white paper through the briefing,” Ruppersberger told POLITICO. “We felt that a briefing was an appropriate way to notify members of this important issue so that they would have the opportunity to get all of their questions answered immediately.”

The congressman continued: “Some members chose to take advantage of a briefing and some did not. We thought offering a briefing shortly before the vote was held would work best with members’ busy schedules and keep the issue fresh in their minds as they cast their vote.” [my emphasis]

In his explanation, Rupp explains that members have busy schedules.

And his accommodation for those busy schedules was to require members who want to be informed on issues they didn’t receive notice of adjust their busy schedule to show up at one of two briefings, rather than go to a SCIF to read a document during whatever time is most convenient for them. Indeed, I’ve heard from members that that’s part of the problem with briefings — they require people to drop all their other important issues and cater to Rogers’ and Rupp’s schedules, instead. All to learn about issues not identified in the meeting notice.

I’d add two points to the Politico piece. First, while it notes that the notice pitched the 2011 compliance problems as an example of functional oversight, there’s another problem with it. It doesn’t appear to reveal that some agency (probably FBI) already did, and the NSA newly started searching on incidentally collected US person data. Thus, it left out one of the most crucial aspects of the 2011 opinion, that it permitted the access to US person communications without a warrant.

And then a persnickety issue. Politico makes this claim.

The Washington Post first revealed that lapse in PATRIOT Act oversight in August, which at the time Rogers acknowledged “very few members” had taken advantage of any related briefing opportunities.

As the reporter admitted he knew, the WaPo did not, in fact, “first” reveal the earlier failure to pass on the notice. The WaPo reporting followed my own and the Guardian’s, as well as several other sites. The whole issue of “first” is stupid, but why use it, particularly if you know it is factually inaccurate?

NSA Bids to Expand Power Domestically to Track Chinese (!?) Terrorists

While all sane people are trying to rein in NSA’s authority, the Gang of Four plans to use today’s parade of liars to expand NSA’s authority.

In explaining the need for this expanded authority, Dianne Feinstein and Mike Rogers claimed to the AP this is about terrorists.

The chairwoman of the Senate Intelligence Committee, Sen. Dianne Feinstein, D-Calif., told The Associated Press that her committee is drafting a bill that would amend the law’s Section 702 provision, which authorizes targeting non-Americans outside the U.S., to allow uninterrupted spying on a suspect for “a limited period of time after the NSA learns the target has traveled to the United States, so the government may obtain a court order based on probable cause.”

“Logically, someone under NSA surveillance, such as a terrorist, may present more interest to the government if they are inside the United States,” but the surveillance can be temporarily stopped while the NSA or FBI builds its case to permit uninterrupted spying, Feinstein said.

[snip]

“I call it the terrorist lottery loophole,” said Rep. Mike Rogers, D-Mich., the chairman of the House Intelligence Committee. “If you can find your way from a foreign country where we have reasonable suspicion that you are … a terrorist … and get to the United States, under a current rule, they need to turn it off and do a complicated handoff” to the FBI.

But further down, Rogers make it clear that this measure is designed to address the roamer problem that was revealed in an internal NSA audit earlier this year.

“It’s a foreign phone, it’s pinging off foreign networks,” Rogers said. “The suspect may turn it off. The suspect gets here. Now all of the sudden, the next thing they know, they (the NSA) are picking it up, but it’s in Brooklyn. … But they’ve been listening to it for two days. They have to turn it off, and then report it as an incident.”

We know from that audit report that this roamer problem actually declined during the period in question (though it did rise for Section 702 authority), contrary to NSA attempts to attribute the rise in violations to it. In addition, at least at that time, the problem primarily arose from Chinese targets entering the US, not Middle Eastern terrorists (the breakdown of violations from NSA’s geographical focus areas seems to support this). Indeed, the NSA made the embarrassingly false claim that the increase (which was actually a decrease) of roaming incidents was just about Chinese New Year.

The increase [sic] in incidents reported for 1QCY12 was due to an increase in the number of reported Global System for Mobile Communications (GSM) roamer1 incidents, which may be attributed to an increase in Chinese travel to visit friends and family for the Chinese Lunar New Year holiday.

So apparently we’re now beset by hordes of Chinese terrorists visiting the US for Chinese New Year we knew nothing about.

There’s one more problem with the claim that they will allow the NSA (or maybe the FBI) to track GSM phones without a warrant domestically. The Gang of Four claims the amended law would allow the NSA to continue tracking that GSM phone for “a limited period of time after the NSA learns the target has traveled to the United States.”

But the entire reason the roamer problem exists is because NSA only gets updates on location quarterly, so unless they learn about these Chinese terrorists’ travel by some content data, they don’t even know the phone is in the US. Continue reading

Emptywheel Twitterverse
emptywheel @joshleitzel Not a lot. One of the most interesting details is the way OLC memos point to national emergency rather than AUMF.
45mreplyretweetfavorite
bmaz My question at the outset was why GM concealment was not bankruptcy fraud; now that will be litigated. Good. http://t.co/CCL3wm2HYE
8hreplyretweetfavorite
bmaz @trevortimm Be terrified. Very terrified. Cause what you saw is, I think, all you get.
9hreplyretweetfavorite
bmaz @johnson_carrie According to my wife, "impossible jerk" characterizes lawyers in many locales @npratc
9hreplyretweetfavorite
bmaz @HoltenMark @mucha_carlos @ColMorrisDavis @KenDilanianLAT The constitutional framing is amazingly resilient, but resets are slow.
9hreplyretweetfavorite
bmaz @HoltenMark @mucha_carlos @ColMorrisDavis @KenDilanianLAT I represent far too many of the former and lament the latter. Things change though
9hreplyretweetfavorite
bmaz @HoltenMark @mucha_carlos @ColMorrisDavis @KenDilanianLAT Frankly, US can exert such influence, will not be effective foreign prosec either
9hreplyretweetfavorite
bmaz @HoltenMark @mucha_carlos @ColMorrisDavis @KenDilanianLAT Yes, in these considerations, that is exactly right. Not happening.
9hreplyretweetfavorite
bmaz @HoltenMark @mucha_carlos @ColMorrisDavis @KenDilanianLAT I wasn't being a smart ass, just honest as to situation.
10hreplyretweetfavorite
bmaz @mucha_carlos @ColMorrisDavis @KenDilanianLAT @HoltenMark Safe enough bet; no administration will want to open that can of worms.
10hreplyretweetfavorite
bmaz @mucha_carlos @ColMorrisDavis @KenDilanianLAT @HoltenMark ...ought to give pause in above regards too. If DOJ ever cared about these crimes.
10hreplyretweetfavorite
bmaz @mucha_carlos @ColMorrisDavis @KenDilanianLAT @HoltenMark Well, yes, and the wild expansion of extraterritorial jurisdiction in other cases
10hreplyretweetfavorite
April 2014
S M T W T F S
« Mar    
 12345
6789101112
13141516171819
20212223242526
27282930