1 2 3 5

Back Door Searches: One of Two Replacements for the Internet Dragnet?

I said the other day, most of NSA’s Civil Liberties and Privacy Office comment to the Privacy and Civil Liberties Oversight Board on Section 702 was disappointing boilerplate, less descriptive than numerous other statements already in the public record.

In the passage on back door searches I looked at, however, there was one new detail that is very suggestive. It said NSA does more back door searches on metadata than on content under Section 702.

NSA distinguishes between queries of communications content and communications metadata. NSA analysts must provide justification and receive additional approval before a content query using a U.S. person identifier can occur. To date, NSA analysts have queried Section 702 content with U.S. person identifiers less frequently than Section 702 metadata.

Consider what this means. NSA collects content from a selector — say, all the Hotmail communications of ScaryAQAPTerrorist. That content of course includes metadata (setting aside the question of whether this is legally metadata or content for the moment): the emails and IPs of people who were in communication with that scary terrorist.

The NSA is saying that the greater part of their back door searches for US person content — say, searching on the email, “” — is just for metadata.

Given the timing, it seems that they’re using back door searches as one of two known replacements for the PRTT Internet dragnet shut down around October 30, 2009, turned on again between July and October 2010, then shut down for good in 2011 (the other being the SPCMA contact chaining of EO 12333 collected data through US person identifiers).

Recall that NSA and CIA first asked for this back door searches in April 2011. That was somewhere between 6 to 9 months after John Bates had permitted NSA to turn the Internet dragnet back on in 2010 under sharply restricted terms. NSA was still implementing their rules for using back door searches in early 2012, just months after NSA had shut down the (domestic) Internet dragnet once and for all.

And then NSA started using 702 collection for a very similar function: to identify whether suspicious identifiers were in contact with known suspicious people.

There are many parts of this practice that are far preferable to the old Internet dragnet.

For starters, it has the benefit of being legal, which the Internet dragnet never was!

Congress and the FISC have authorized NSA to collect this data from the actual service providers targeting on overseas targets. Rather than collecting content-as-metadata from the telecoms — which no matter how hard they tried, NSA couldn’t make both legal and effective — NSA collected the data from Yahoo and Microsoft and Google. Since the data was collected as content, it solves the content-as-metadata problem.

And this approach should limit the number of innocent Americans whose records are implicated. While everyone in contact with ScaryAQAPTerrorist will potentially be identified via a backdoor search, that’s still less intrusive than having every Americans’ contacts collected (though if we can believe the NSA’s public statements, the Internet dragnet always collected on fewer people than the phone dragnet).

That said, the fact that the NSA is presumably using this as a replacement may lead it to task on much broader selectors than they otherwise might have: all of Yemen, perhaps, rather than just certain provinces, which would have largely the same effect as the old Internet dragnet did.

In addition, this seems to reverse the structure of the old dragnet (or rather, replicate some of the problems of the alert system that set off the phone dragnet problems in 2009). It seems an analyst might test a US person identifier — remember, the analyst doesn’t even need reasonable articulable suspicion to do a back door search — against the collected metadata of scary terrorist types, to see if the US person is a baddie. And I bet you a quarter this is automated, so that identifiers that come up in, say, a phone dragnet search are then run against all the baddies to see if they also email at the press of a button. And at that point, you’re just one more internal approval step away from getting the US person content.

In short, this would seem to encourage a kind of wild goose chase, to use Internet metadata of overseas contact to judge whether a particular American is suspicious. These searches have a far lower standard than the phone and Internet dragnets did (as far as we know, neither the original collection nor the back door search ever require an assertion of RAS). And the FISC is far less involved; John Bates has admitted he doesn’t know how or how often NSA is using this.

But it is, as far as we know, legal.

Is Twitter EFF’s Second NSL Client?

In the past, I’ve tracked the efforts of a telecom — which WSJ convincingly argued was Credo — to challenge a 2011 National Security Letter. It has the support of EFF on that challenge. I also noted language in Credo’s Transparency Report (which was issued after DOJ permitted providers to give broad bands for NSLs, but before DOJ permitted them to give broad bands for other national security demands) saying it was prohibited from giving more information about NSLs and Section 215 orders.

It is important to note that it may not be possible for CREDO or any telecom carrier to release to the public a full transparency report, as the USA PATRIOT Act and other statutes give law enforcement the ability to prevent companies from disclosing whether or not they have received certain orders, such as National Security Letters (NSLs) and Section 215 orders seeking customer information. [my emphasis]

Today, EFF noted that it has filed what should be its response to the government’s appeal in that case.

Only, it makes it it representing not just the known telecom client, but also an Internet client.

The Electronic Frontier Foundation (EFF) filed two briefs on Friday challenging secret government demands for information known as National Security Letters (NSLs) with the Ninth Circuit Court of Appeals.  The briefs—one filed on behalf of a telecom company and another for an Internet company—remain under seal because the government continues to insist that even identifying the companies involved might endanger national security.

While the facts surrounding the specific companies and the NSLs they are challenging cannot be disclosed, their legal positions are already public: the NSL statute is a violation of the First Amendment as well as the constitutional separation of powers.

Now, one obvious potential Internet client would be Google. It is known to have fought NSLs in Judge Susan Illston’s court and lost.

But I wonder whether it isn’t Twitter.

I say that, first of all, because of the cryptic language in Twitter’s own Updated Transparency Report, which was released after the DOJ settlement which should have permitted it to report NSLs. But instead of doing so, it pointed out that it can’t report its national security orders, if any, with enough particularity. It called out NSLs specifically. And it used a language of prohibition.

Last week, the U.S. Department of Justice and various communications providers reached an agreement allowing disclosure of national security requests in very large ranges. While this agreement is a step in the right direction, these ranges do not provide meaningful or sufficient transparency for the public, especially for entities that do not receive a significant number of – or any – national security requests.

As previously noted, we think it is essential for companies to be able to disclose numbers of national security requests of all kinds – including national security letters and different types of FISA court orders – separately from reporting on all other requests. For the disclosure of national security requests to be meaningful to our users, it must be within a range that provides sufficient precision to be meaningful. Allowing Twitter, or any other similarly situated company, to only disclose national security requests within an overly broad range seriously undermines the objective of transparency. In addition, we also want the freedom to disclose that we do not receive certain types of requests, if, in fact, we have not received any.

Unfortunately, we are currently prohibited from providing this level of transparency. We think the government’s restriction on our speech not only unfairly impacts our users’ privacy, but also violates our First Amendment right to free expression and open discussion of government affairs. We believe there are far less restrictive ways to permit discussion in this area while also respecting national security concerns. Therefore, we have pressed the U.S. Department of Justice to allow greater transparency, and proposed future disclosures concerning national security requests that would be more meaningful to Twitter’s users. We are also considering legal options we may have to seek to defend our First Amendment rights. [my emphasis]

It was a defiant Transparency Report, and it discussed prohibitions in a way that no one else — except Credo — had done.

Moreover, it would make sense that EFF would be permitted to represent Twitter in such a matter, because it already had a role in Twitter’s challenge of the Administrative subpoena for various WikiLeaks’ associates Twitter data.

Finally, EFF notes that this Internet client is fighting just 2 NSLs; Google is fighting 19.

The very same day that the district court issued that order striking down the statute, a second EFF client filed a similar petition asking the same court to declare the NSL statute to be unconstitutional and to set aside the two NSLs that it received.

Notwithstanding the fact that it had already struck down the NSL statute on constitutional grounds in EFF’s first NSL case, but indicating that it would be up to the Ninth Circuit to evaluate whether that evaluation was correct, the district court denied EFF’s client’s petitionand ordered them to comply with the remaing NSL in the interim.

If Twitter is the client, it would present real First Amendment issues. It would suggest that, after Twitter took the rare step of not just challenging but giving notice in an Administrative subpoena, DOJ decided to use NSLs, which are basically Administrative subpoenas with additional gags, in response.

Update: in potentially related news, Verizon just updated its Transparency Report, claiming it can’t provide details on some bulk orders.

We note that while we now are able to provide more information about national security orders that directly relate to our customers, reporting on other matters, such as any orders we may have received related to the bulk collection of non-content information, remains prohibited.

Between Two Ends of the WikiLeaks Investigation: Parallel Constructing the FBI’s Secret Authorities

Two pieces of news on the government’s investigation of WikIleaks came out yesterday.

At the Intercept, Glenn Greenwald reported:

  • In 2010, a “Manhunting Timeline” described efforts to get another country to prosecute what it called the “rogue” website
  • In a targeting scenario dating to July 25, 2011, the US’ Targeting and General Counsel personnel responded to a question about targeting WikiLeaks’ or Pirate Bay’s server by saying they’d have to get back to the questioner
  • In 2012, GCHQ monitored WikiLeaks — including its US readers — to demonstrate the power of its ANTICRISIS GIRL initiative

Screen Shot 2014-02-19 at 9.42.54 AM
Also yesterday, Alexa O’Brien reported (and contextualized with links back to her earlier extensive reporting):

  • The grand jury investigation of WikiLeaks started at least as early as September 23, 2010
  • On January 4, 2011 (21 days after the December 14, 201 administrative subpoena for Twitter records on Appelbaum and others), DOJ requested Jacob Appelbaum’s Gmail records
  • On April 15, 2011, DOJ requested Jacob Appelbaum’s Sonic records

Now, as O’Brien lays out in her post, at various times during the investigation of WikiLeaks, it has been called a Computer Fraud and Abuse investigation, an Espionage investigation, and a terrorism investigation.

Which raises the question why, long after DOJ had deemed the WikiLeaks case a national security case that under either the terrorism or Espionage designation would grant them authority to use tools like National Security Letters, they were still using subpoenas that were getting challenged and noticed to Appelbaum? Why, if they were conducting an investigation that afforded them all the gagged orders they might want, were they issuing subpoenas that ultimately got challenged and exposed?

Before you answer “parallel construction,” lets reconsider something I’ve been mulling since the very first Edward Snowden disclosure: the secret authority DOJ and FBI (and potentially other agencies) used to investigate not just WikiLeaks, but also WikiLeaks’ supporters.

Back in June 2011, EPIC FOIAed DOJ and FBI (but not NSA) for records relating to the government’s investigation of WikiLeaks supporters.

EPIC’s FOIA asked for information designed to expose whether innocent readers and supporters of WikiLeaks had been swept up in the investigation. It asked for:

  1. All records regarding any individuals targeted for surveillance for support for or interest in WikiLeaks;
  2. All records regarding lists of names of individuals who have demonstrated support for or interest in WikiLeaks;
  3. All records of any agency communications with Internet and social media companies including, but not limited to Facebook and Google, regarding lists of individuals who have demonstrated, through advocacy or other means, support for or interest in WikiLeaks; and
  4. All records of any agency communications with financial services companies including, but not limited to Visa, MasterCard, and PayPal, regarding lists of individuals who have demonstrated, through monetary donations or other means, support or interest in WikiLeaks. [my emphasis]

In their motion for summary judgment last February, DOJ said a lot of interesting things about the records-but-not-lists they might or might not have and generally subsumed the entire request under an ongoing investigation FOIA exemption.

Most interesting, however, is in also claiming that some statute prevented them from turning these records over to EPIC, they refused to identify the statute they might have been using to investigate WikiLeaks’ supporters.

All three units at DOJ — as reflected in declarations from FBI’s David Hardy, National Security Division’s Mark Bradley, and Criminal Division’s John Cunningham – claimed the files at issue were protected by statute.

None named the statute in question. All three included some version of this statement, explaining they could only name the statute in their classified declarations.

The FBI has determined that an Exemption 3 statute applies and protects responsive information from the pending investigative files from disclosure. However, to disclose which statute or further discuss its application publicly would undermine interests protected by Exemption 7(A), as well as by the withholding statute. I have further discussed this exemption in my in camera, ex parte declaration, which is being submitted to the Court simultaneously with this declaration

In fact, it appears the only reason that Cunningham submitted a sealed declaration was to explain his Exemption 3 invocation.

And then, as if DOJ didn’t trust the Court to keep sealed declarations secret, it added this plaintive request in the motion itself.

Defendants respectfully request that the Court not identify the Exemption 3 statute(s) at issue, or reveal any of the other information provided in Defendants’ ex parte and in camera submissions.

DOJ refuses to reveal precisely what EPIC seems to be seeking: what kind of secret laws it is using to investigate innocent supporters of WikiLeaks.

Invoking a statutory exemption but refusing to identify the statute was, as far as I’ve been able to learn, unprecedented in FOIA litigation.

The case is still languishing at the DC District.

I suggested at the time that the statute in question was likely Section 215; I suspected at the time they refused to identify Section 215 because they didn’t want to reveal what Edward Snowden revealed for them four months later: that the government uses Section 215 for bulk collection.

While they may well have used Section 215 (particularly to collect records, if they did collect them, from Visa, MasterCard, and PayPal — but note FBI, not NSA, would have wielded the Section 215 orders in that case), they couldn’t have used the NSA phone dragnet to identify supporters unless they got the FISC to approve WikiLeaks as an associate of al Qaeda (update: Or got someone at NSA’s OGC to claim there were reasons to believe WikiLeaks was associated with al Qaeda). They could, however, have used Section 215 to create their own little mini WikiLeaks dragnet.

Continue reading

Were the 58-61,000 Internet Targets Part of NSA’s 73,000 Targets?

As I noted, Google, Yahoo, and Microsoft all released transparency reports today.

During the second half of 2012, Microsoft had FISA requests affecting 16,000-16,999 accounts, Google had 12,000 – 12,999.  We don’t have Yahoo’s numbers for that period, but for the following six month period they had requests affecting 30,000 – 30,999 accounts; given that numbers for the other two providers dropped during this six month period, it’s likely Yahoo’s did too, so the 30,000 is conservative for the earlier period. So the range for the big 3 email providers in that period is likely around 58,000 – 60,997. [Update: Adding FaceBook would bring it to 62,000 - 64,996. h/t CNet]

I’d like to compare what they report with what this report on FISA Amendments Act compliance shows. I think pages 23 through 26 of the report show that NSA had an average of 73,103 selectors selected via NSA targeting on any given day during the period from June 1, 2012 to November 30, 2012. That’s because the notification delays from the period (212 — see page 26) should be .29% of the average daily selectors (see amount on 23 less amount without the notification delays on page 34).

But remember: these are not the same measurement. The government report number is based on average daily selectors, so it reflects the total of selectors tasked on any given day. Whereas the providers are (I think the numbers must therefore show) the total number of customer selectors affected across the entire 6-month period, and they almost certainly weren’t all tasked across the entire 6 month period (though some surely were).

There’s one possible (gigantic) flaw in this logic. The discussion of the FBI targeting is largely redacted in the government memo. And there have been hints — pretty significant ones — that the FBI takes the lead with the PRISM providers. if so, these numbers are totally unrelated.

Also remember, there are at least two other kinds of 702 targeting: the upstream collection that makes up about 9% of the volume of 702 collection, and phone collection, which is going up again.

This would sure be a lot easier if the government actually backed its claims to transparency.

Is Google Sharing 9,500 Users’ Data, or 65,000?

Screen Shot 2014-02-03 at 2.20.17 PM

Google just released its shiny new transparency numbers reflecting DOJ’s new transparency rules.

While they tell us some interesting things, the numbers show how many questions the transparency system raises. I’ve raised the questions below, linked to my discussion by bolded number.

[NSA presentation, PRISM collection dates, via Washington Post]

Google is using option 1 (perhaps because they had already reported their NSL numbers), in which they break out NSLs separately from FISA orders, but must report in bands of 1000.

Note that Google starts this timeline in 2009, whereas their criminal process numbers pertaining to user accounts only start in 2011. Either because they had these FISA numbers ready at hand, or because they made the effort to go back and get them (whereas they haven’t done the same for pre-2011 criminal process numbers), they’re giving us more history on their FISA orders than they did on criminal process. They probably did this to show the entire period during which they’ve been involved in PRISM, which started on January 14, 2009.

Google gets relatively few non-content requests, and the number — which could be zero! — has not risen appreciably since they got involved in PRISM.(1) (I suspect we’re going to see fairly high non-content requests from Microsoft, because they pushed to break these two categories out).

Continue reading

Clapper and Holder Remind Us “Disclosure” Mostly Pertains to Targets

I want to thank James Clapper and Eric Holder who, in their statement on yesterday’s “disclosure” agreement emphasized the word “target.”

As indicated in the Justice Department’s filing with the Foreign Intelligence Surveillance Court, the administration is acting to allow more detailed disclosures about the number of national security orders and requests issued to communications providers, the number of customer accounts targeted under those orders and requests, and the underlying legal authorities.

I should have given this more emphasis yesterday. All “transparency” numbers provided by the tech companies will describe the number of accounts or “selectors” “targeted,” with the exception of National Security Letter reporting using Option One. So if thousands of other Google accounts are getting sucked into requests for content or metadata, we’ll never know that.

The New Transparency Guidelines

DOJ and the tech companies just came to a deal on new transparency reporting. (h/t Mike Scarcella) It is a big improvement over what the government offered last year which was:

Option One: Provide total number of requests (criminal NSL, FISA) and total number of accounts targeted, broken out by 1000s

Option Two: Provide exact number of criminal requests and accounts affected, and number of NSLs received and accounts affected, broken out by 1000s, without providing any numbers on FISC service

This approach basically permitted the government to hide the FISC surveillance, by ensuring it only ever appeared lumped into the larger universe of criminal requests, along with other bulk requests. In addition, it didn’t let providers say whether they were mostly handing over metadata (NSLs would be limited to metadata, though FISC requests might include both metadata and content) or content in a national security context.

The new solution is:

Option One: Biannual production, with a 6-month delay on FISC reporting

  1. Criminal process, subject to no restrictions
  2. NSLs and the number of customer accounts affected by NSLs, reported in bands of 1000, starting at 0-999
  3. FISA orders for content and the number of customer selectors targeted, both reported in bands of 1000, starting at 0-999
  4. FISA orders for non-content and the number of customer selectors targeted, both reported in bands of 1000, starting at 0-999*

This option subjects a two-year delay on new (internally developed or purchased) platforms, products, or services. So for example, if Google started to get Nest orders today, Google couldn’t include it in their reporting until 2 years from now.

Option Two:

  1. Criminal process, subject to no restrictions
  2. Total national security process, including NSLs and FISA lumped together, reported in bands of 250, starting at 0-250
  3. Total customer selectors targeted under all national security requests, reported in bands of 250, starting at 0-250

* The order has a footnote basically saying the government hasn’t ceded the issue of reporting on the phone dragnet yet (though only tech companies were parties to this, and their only telecom production would be VOIP).

So my thoughts:

First, you can sort of see what the government really wants to hide with these schemes. They don’t want you to know if they submit a single NSL or 215 order affecting 1000 customers, which it’s possible might appear without the bands.They don’t want you to see if there’s a provider getting almost no requests (which would be hidden by the initial bands).

And obviously, they don’t want you to know when they bring new capabilities online, in the way they didn’t want users to know they had broken Skype. Though at this point, what kind of half-assed terrorist wouldn’t just assume the NSA has everything?

I think the biggest shell game might arise from the distinction between account (say, my entire Google identity) and selector (my various GMail email addresses, Blogger ID, etc). By permitting reporting on selectors, not users, this could obscure whether a report affects 30 identities of one customer or the accounts of 30 customers. Further, there’s a lot we still don’t know about what FISC might consider a selector (they have, in the past, considered entire telecom switches to be).

But it will begin to give us an outline of how often they’re using NatSec process as opposed to criminal process, which providers are getting primarily NSL orders and which are getting potentially more exotic FISC orders. Further, it will tell us more about what the government gets through the PRISM program, particularly with regard to metadata versus content.

Update: Apple’s right out of the gate with their report of fewer than 250 orders affecting fewer than 250 “accounts,” which doesn’t seem how they’re supposed to report using that option.

Update: Remember, Verizon issued a transparency report itself, just 5 days ago. Reporting under these new guidelines wouldn’t help them much as the government has bracketed whether it could release phone dragnet information. Moreover, Verizon is almost certainly one of the telecoms that provide upstream content; that would likely show up as just one selector, but it’s not clear how it gets reported.

The Impasse on Executive Spying

In an important post the other day, Steve Vladeck described what he believed to be the most important lesson Edward Snowden has taught us.

They miss the single most important lesson we’ve learned — or should have learned — from Snowden, i.e., that the grand bargain has broken down. Intelligence oversight just ain’t what it used to be, and the FISA Court, as an institution, seemed to have been far better suited to handle individualized warrant applications under the pre-2001 FISA regime than it has been to reviewing mass and programmatic surveillance under section 215 of the USA PATRIOT Act and section 702, as added by the FISA Amendments Act of 2008.

Thus, even if one can point to specific individual programs the disclosure of which probably has not advanced the ongoing public policy conversation, all of the disclosures therefore illuminate a more fundamental issue of public concern — and one that should be (and, arguably, has been) driving the reform agenda: Whatever surveillance authorities the government is going to have going forward, we need to rethink the structure of oversight, both internally within the Executive Branch, and externally via Congress and the courts. That’s not because the existing oversight and accountability mechanisms have been unlawful; it’s because so many of these disclosures have revealed them to be inadequate and/or ineffective. And inasmuch as such reforms may strengthen not just mechanisms of democratic accountability for our intelligence community, but also their own confidence in the propriety and forward-looking validity of their authorities, they will make all of us — including the NSA — stronger in the long term.

While I agree with Vladeck that’s an important lesson from Snowden, I don’t think it has been admitted by those who most need the lesson: most members of Congress (most of all, the Intelligence Committees) and the FISA Court, as well as the other Article III judges who are quickly becoming dragnet experts.

But I’m hopeful PCLOB — which is already under attack even from Susan Collins for having the audacity to conduct independent oversight — will press the issue.

As I have noted in the past, PCLOB has a better understanding of how the Executive uses EO 12333 than any other entity I’ve seen (I think the Review Group may have a similar understanding, but they won’t verbalize it).

That’s why I find their treatment of FISA as a compromise to put questions about separation of powers on hold so interesting.

In essence, FISA represented an agreement between the executive and legislative branches to leave that debate aside 600 and establish a special court to oversee foreign intelligence collection . While the statute has required periodic updates, national security officials have agreed that it created an appropriate balance among the interests at stake, and that judicial review provides an important mechanism regulating the use of very powerful and effective techniques vital to the protection of the country. 601

600 “[T]he bill does not recognize, ratify, or deny the existence of any Presidential power to authorize warrantless surveillance in the United States n the absence of the legislation. It would, rather, moot the debate over the existence or non – existence of this power[.]” HPSCI Report at 24. This agreement between Congress and the executive branch to involve the judiciary in the regulation of intelligence collection activities did not and could not resolve constitutional questions regarding the relationship between legislative and presidential powers in the area of national security . See In re: Sealed Case , 310 F.3d 717, 742 (FISA Ct. Rev. 2002) (“We take for granted that the President does have that authority [inherent authority to conduct warrantless searches to obtain foreign intelligence information] and, assuming that is so, FISA could not encroach on the President ’ s constitutional power.”).

When NSA chose to avoid First Amendment review on the 3,000 US persons it had been watch-listing by simply moving them onto a new list, when it refused to tell John Bates how much US person content it collects domestically off telecom switches, when it had GCHQ break into Google’s cables to get content it ought to be able to obtain through FISA 702, when it rolled out an Internet dragnet contact-chaining program overseas in part because it gave access to US person data it couldn’t legally have here, NSA made it clear it will only fulfill its side of the compromise so long as no one dares to limit what it can do.

That is, Snowden has made it clear that the “compromise” never was one. It was just a facade to make Congress and the Courts believe they had salvaged some scrap of separation of powers.

NSA has made it clear it doesn’t much care what its overseers in Congress or the Court think. It’ll do what it wants, whether it’s in the FISC  or at a telecom switch just off the US shore. And thus far, Obama seems to agree with them.

Which means we’re going to have to start talking about whether this country believes the Executive Branch should have relatively unfettered ability to spy on Americans. We’re going to have to take a step back and talk about separation of powers again.

3 Certifications — Terror, Proliferation, and Cyber — and Stealing from Google

Screen shot 2013-12-19 at 7.10.00 AMFor months, I have been suggesting that the government only uses Section 702 of FISA, under which it collects data directly from US Internet providers and conducts some upstream content from telecom providers, for three purposes:

  • Counterterrorism
  • Counterproliferation
  • Cyber

I have said so based on two things: many points in documents — such as the second page from John Bates’ October 3, 2011 opinion on 702, above — make it clear there are 3 sets of certifications for 702 collection. And other explainer documents released by the government talk about those three topics (though they always stop short of saying the government collects on only those 3 topics).

The NSA Review Group report released yesterday continues this pattern in perhaps more explicit form.

[S]ection 702 authorized the FISC to approve annual certifications submitted by the Attorney General and the Director of National Intelligence (DNI) that identify certain categories of foreign intelligence targets whose communications may be collected, subject to FISC-approved targeting and minimization procedures. The categories of targets specified by these certifications typically consist of, for example, international terrorists and individuals involved in the proliferation of weapons of mass destruction.

If I’m right, it explains one of the issues driving overseas collection and, almost certainly, rising tensions with the Internet companies.

I suggested, for example, that this might explain why NSA felt the need to steal data from Google’s own fiber overseas.

I wonder whether the types of targets they’re pursuing have anything to do with this. For a variety of reasons, I’ve come to suspect NSA only uses Section 702 for three kinds of targets.

  • Terrorists
  • Arms proliferators
  • Hackers and other cyber-attackers

According to the plain letter of Section 702 there shouldn’t be this limitation; Section 702 should be available for any foreign intelligence purpose. But it’s possible that some of the FISC rulings — perhaps even the 2007-8 one pertaining to Yahoo (which the government is in the process of declassifying as we speak) — rely on a special needs exception to the Fourth Amendment tied to these three types of threats (with the assumption being that other foreign intelligence targets don’t infiltrate the US like these do).

Which would make this passage one of the most revealing of the WaPo piece.

One weekly report on MUSCULAR says the British operators of the site allow the NSA to contribute 100,000 “selectors,” or search terms. That is more than twice the number in use in the PRISM program, but even 100,000 cannot easily account for the millions of records that are said to be sent back to Fort Meade each day.

Given that NSA is using twice as many selectors, it is likely the NSA is searching on content outside whatever parameters that FISC sets for it, perhaps on completely unrelated topics altogether. This may well be foreign intelligence, but it may not be content the FISC has deemed worthy of this kind of intrusive search.

That is, if NSA can only collect 3 topics domestically, but has other collection requirements it must fulfill — such as financial intelligence on whether the economy is going to crash, which FISC would have very good reasons not to approve as a special need for US collection — then they might collect it overseas (and in the Google case, they do it with the help of GCHQ). But as Google moved to encryption by default, NSA would have been forced to find new ways to collect it.

Which might explain why they found a way to steal data in motion (on Google’s cables, though).

Here’s the thing, though. As I’ll note in a piece coming out later today, the Review also emphasizes that EO 12333 should only be available for collection not covered by FISA. With Section 702, FISA covers all collection from US Internet providers. So FISC’s refusal to approve (or DOJ’s reluctance to ask for approval) to collect on other topics should foreclose that collection entirely. The government should not be able to collect some topics under 702 here, then steal on other topics overseas.

But it appears that’s what it’s doing.

Continue reading

Will Obama Attempt to Co-Opt the Internet Companies?

Of late, Keith Alexander has added a new thing to his public schtick: inviting tech companies to come up with a way to dragnet more effectively. In the middle of discussions of why NSA must retain the phone dragnet, he’ll stop, and say, if the tech companies can come up with a way to do it better (not just to do the same thing as effectively, mind you, but better), he wants to hear it.

At a minimum, that new schtick should alert you that in 2011 when they “ended” the Internet dragnet, they didn’t end it, they just found a way to do it better, because that’s how Alexander speaks of that decision in this context.

But you might also keep this shift in Alexander’s schtick in mind as you read Matthew Aid’s story about how the President whitewash became a graywash.

At the same time, the agency’s once harmonious relationship with this country’s largest high-tech companies, such as Microsoft, Google and Yahoo, is now a shattered smoking ruin, NSA officials fret. Only the “big three” American telecommunications companies—AT&T, Verizon and Sprint—appear to remain firmly supportive, and even they are beginning to put some distance between themselves and the NSA as shareholders ask pointed questions about their clandestine relationship with the agency.

In this political climate, it was perhaps inevitable that the Review Group would recommend making substantive changes in the way the NSA operates. “We had to go this route,” a Review Group staffer told me in an interview. “If we did not recommend placing some additional controls and checks and balances on the NSA’s operations, the high-tech companies were going to kill us and Congress was going to burn the house down. Besides, our report is non-binding, so who knows what the White House is going to accept and what they are going to toss out.”

Frankly, I think the relationship with some tech companies (Microsoft) has been more harmonious than with others (Yahoo and to some extent Google). And it was never the same as the telecoms enjoy, not least because the telecoms have been stealing the tech companies’ data on and off at the government’s behest for a decade now.

But I’m not at all surprised that citizen outrage had no effect on the Review Group and Administration, but Internet company outrage did.

Fast forward to today, where Obama’s got a meeting with a curious group of CEOs.

  • Tim Cook, CEO, Apple
  • Dick Costolo, CEO, Twitter
  • Chad Dickerson, CEO, Etsy
  • Reed Hastings, co-founder and CEO, Netflix
  • Drew Houston, founder and CEO, Dropbox
  • Marissa Mayer, president and CEO, Yahoo!
  • Burke Norton, chief legal officer, Salesforce
  • Mark Pincus, founder, chief product officer and chairman, Zynga
  • Shervin Pishevar, co-founder and co-CEO, Sherpa Global
  • Brian Roberts, chairman and CEO, Comcast
  • Erika Rottenberg, vice president, general counsel and secretary, LinkedIn
  • Sheryl Sandberg, COO, Facebook
  • Eric Schmidt, executive chairman, Google
  • Brad Smith, executive vice president and general counsel, Microsoft
  • Randall Stephenson, chairman and CEO, AT&T

As WaPo’s piece on this points out, the meeting mixes the leaders of the Internet companies calling for more transparency — Yahoo, Google, and Microsoft, to a lesser extent Apple, LinkedIn, and Facebook, as well as Dropbox — and AT&T, the company that has been stealing from the critics. In addition, Comcast, which almost certainly has joined AT&T in that more harmonious role, will attend.

The initial reports on the meeting dubbed it an effort for the President to discuss — and try to fix — Federal IT contracting in the wake of the ObamaCare website.

But the critics have issued a statement making it clear they intend to talk about surveillance.

So let’s consider the dynamic to expect at this meeting. You’ve got a lot of Internet bigwigs, two Toobz bigwigs, and some smaller CEOs. That dynamic, right away, should prevent a truly candid conversation (because of the differing interests of all the parties).

And against that dynamic, the President will be discussing how to make it easier to contract with real software companies, rather than bloated federal software contractors.

There will be the stilted conversation about NSA (and AT&T) stealing from Internet companies. And a far less stilted conversation about the federal government expanding its contracting with private sector Internet companies.

They’ll have a stilted conversation about reining in government, and a less stilted conversation about putting more government dollars in Internet company pockets.

Update: Changed title to reflect these are Internet companies, not software, and fixed some syntax.

Update: Meanwhile, Obama has named a Microsoft Exec to be his new ObamaCare fixer, which should make it easier to send more business Microsoft’s way.

1 2 3 5

Emptywheel Twitterverse
bmaz My question at the outset was why GM concealment was not bankruptcy fraud; now that will be litigated. Good.
bmaz @trevortimm Be terrified. Very terrified. Cause what you saw is, I think, all you get.
bmaz @johnson_carrie According to my wife, "impossible jerk" characterizes lawyers in many locales @npratc
bmaz @HoltenMark @mucha_carlos @ColMorrisDavis @KenDilanianLAT The constitutional framing is amazingly resilient, but resets are slow.
bmaz @HoltenMark @mucha_carlos @ColMorrisDavis @KenDilanianLAT I represent far too many of the former and lament the latter. Things change though
bmaz @HoltenMark @mucha_carlos @ColMorrisDavis @KenDilanianLAT Frankly, US can exert such influence, will not be effective foreign prosec either
bmaz @HoltenMark @mucha_carlos @ColMorrisDavis @KenDilanianLAT Yes, in these considerations, that is exactly right. Not happening.
bmaz @HoltenMark @mucha_carlos @ColMorrisDavis @KenDilanianLAT I wasn't being a smart ass, just honest as to situation.
bmaz @mucha_carlos @ColMorrisDavis @KenDilanianLAT @HoltenMark Safe enough bet; no administration will want to open that can of worms.
bmaz @mucha_carlos @ColMorrisDavis @KenDilanianLAT @HoltenMark ...ought to give pause in above regards too. If DOJ ever cared about these crimes.
bmaz @mucha_carlos @ColMorrisDavis @KenDilanianLAT @HoltenMark Well, yes, and the wild expansion of extraterritorial jurisdiction in other cases
bmaz @ColMorrisDavis @KenDilanianLAT @HoltenMark Granted, what Im saying applies to execution of US nationals as opposed to foreign nationals.
April 2014
« Mar