James Clapper

I Con the Record’s International Privacy Guidelines Swallowed Up by Exceptions

Sometimes I Con the Record outdoes itself.

On Tuesday, the Guardian noted a scathing report UN Counterterrorism special rapporteur Ben Emmerson issued last month attacking British and US collection of bulk communications.

“Merely to assert – without particularization – that mass surveillance technology can contribute to the suppression and prosecution of acts of terrorism does not provide an adequate human rights law justification for its use. The fact that something is technically feasible, and that it may sometimes yield useful intelligence, does not by itself mean that it is either reasonable or lawful.”

[snip]

“It is incompatible with existing concepts of privacy for states to collect all communications or metadata all the time indiscriminately. The very essence of the right to the privacy of communication is that infringements must be exceptional, and justified on a case-by-case basis.”

Today, I Con the Record released a “Status Report” on an initiative President Obama ordered in his PPD-28 back in January to extend privacy protections to foreigners.

As we work to meet the January 2015 deadline, PPD-28 called on the Director of National Intelligence to prepare an interim report on the status of our efforts and to evaluate, in coordination with the Department of Justice and the rest of the Intelligence Community, additional retention and dissemination safeguards.

The DNI’s interim report is now being made available to the public in line with our pledge to share as much information about sensitive intelligence activities as is possible, consistent with our national security.

One thing this interim report requires is that “elements shall publicly release their PPD-28 implementation policies and procedures to the maximum extent possible.” Which requirement, you might assume, this release fulfills.

Which is why it’s so curious I Con the Record chose not to release an unclassified report mandated and mandating transparency — dated July 2014 — until October 2014.

Lest I be called a cynic, let me acknowledge that there are key parts of this that may represent improvements (or may not). The report asserts:

  • Foreigners will be treated with procedures akin to — though not identical to — those imposed by Section 2.3 of EO 12333
  • Just because someone is a foreigner doesn’t mean their information is foreign intelligence; the IC should “permanently retain or disseminate such personal information only if the personal information relates to an authorized intelligence requirement, is reasonably believed to be evidence of a crime, or meets one of the other standards for retention or dissemination identified in section 2.3” of EO 12333
  • The IC should consider adopting (though is not required to) retention periods used with US person data for foreign personal information (which is 5 years); the IC may get extensions, but only in 5-year chunks of time
  • When disseminating “unevaluated personal information,” the IC should make that clear so the recipient can protect it as such

Those are good things! Yeah us!

There are, however, a series of exceptions to these rules.

First, the guidelines in this report restate PPD-28’s unbelievably broad approval of the use of bulk data, in full. The report does include this language:

[T]he procedures must also reflect the limitations on the use of SIGINT collected in bulk. Moreover, Intelligence Community element procedures should include safeguards to satisfy the requirements of this section. In developing procedures to comply with this requirement, the Intelligence Community must be mindful that to make full use of intelligence information, an Intelligence Community element may need to use SIGINT collected in bulk together with other lawfully collected information. In such situations, Intelligence Community elements should take care to comply with the limitations applicable to the use of bulk SIGINT collection.

Unless I’m missing something, the only “limits” in this section are those limiting the use of bulk collection to almost all of NSA’s targets, including counterterrorism, cybersecurity, and crime, among other things. Thus, the passage not only reaffirms what amounts to a broad permission to use bulk, but then attaches those weaker handling rules to anything used in conjunction with bulk.

Then there are the other exceptions. The privacy rules in this document don’t apply to:

  • Evaluated intelligence (exempting foreigners’ data from the most important treatment US person data gets, minimization in finished intelligence reports; see footnote 3)
  • Personal information collected via other means than SIGINT (excluding most of what the CIA and FBI do, for example; see page 1)
  • Information collected via SIGINT not collecting communications or information about communications (seemingly excluding things like financial dragnets and pictures and potentially even geolocation, among a great many other things; see footnote 2)

And, if these procedures aren’t loosey goosey enough for you, the report includes this language:

It is important that elements have the ability to deviate from their procedures when national security requires doing so, but only with approval at a senior level within the Intelligence Community element and notice to the DNI and the Attorney General.

OK then.

Congratulations world! We’re going to treat you like Americans. Except in the majority of situations when we’ve decided not to grant you that treatment. Rest easy, though, knowing your data is sitting in a database for only 5 years, if we feel like following that rule.

Hiding Yahoos: ORCON and the FISC Special Advocate

Some weeks ago, I noted the language in James Clapper’s letter purportedly “supporting” Patrick Leahy’s USA Freedom Act making it clear he intended to retain the information asymmetry that currently exists in the FISA Court — specifically, ex parte communication with the court.

We note that, consistent with the President’s request, the bill establishes a process for the appointment of an amicus curiae to assist the FISA Court and FISA Court of Review in matters that present a novel or significant interpretation of the law. We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.

The Yahoo documents released a few weeks back illustrate how this might work in practice.

We’ve known since January 2009 that Yahoo (which we then only knew was an Internet company) didn’t receive the materials — perhaps most importantly, the minimization procedures — it needed to adequately challenge the program.

The cover sheet to the ex parte appendix provided to the FISCR illustrates the range of things withheld from Yahoo’s attorney, Marc Zwillinger, who apparently had a Top Secret clearance. In addition to the minimization procedures for NSA and FBI, the government withheld the “linking” procedures used to identify targets (the titles of these documents are redacted in the released version, but this post explains why at least some must pertain to these procedures; note, I think the government also withheld these from Judge Reggie Walton at the FISC level!), and a January 15, 2008 Colleen Kollar-Kotelly FISC opinion assessing the adequacy of the original certifications.

Comparing two versions of Walton’s April 25, 2008 opinions — a version redacted for Yahoo’s use in 2008, and the version redacted for public release now — provides context on the key issues obscured or suppressed entirely from Yahoo’s view. (Note two things about these redactions: first, with the exception of language on the information the government demanded from Yahoo, we’re receiving more information than Yahoo’s cleared attorney received when he was fighting this case. And the older document actually includes two sets of redactions: the more faded redactions used for Yahoo, and a more opaque set done for this release, the latter of which hide details about the Directives given to Yahoo.)

Effectively, the government hid what they changed when they rewrote Certifications underlying their demands to Yahoo just 2 weeks before the law expired. A significant part of those changes involves getting FBI involved in the process (I increasingly suspect those January 29, 2008 Certifications are when the government first obtained official permission for FBI back door searches).

Notice of the new Certificates was given to Yahoo on February 16, 2008, the day PAA expired, and signed by then Solicitor General Paul Clement, though signed as Acting Attorney General (see page 81). One day earlier, Judge Walton had given the government an ex parte order requiring them to address whether the ex parte materials they had submitted to him in December “constitutes the complete and up-to-date set of certifications … applicable to the directives that are at issue in this proceeding.” Walton also required the government to provide notice to Yahoo they were going to submit a new classified appendix.

Apparently, Walton had gotten wind of the fact — but had not been told formally — that the government had submitted entirely new Certifications affecting their treatment of the data they would obtain from Yahoo. So he ordered them to update the record so his review actually considered the surveillance as it would be implemented.

I’ve listed most of the differences between the two memoranda below. While much of it pertains to prior classified decisions and the operation of FISC generally, the biggest sections redacted from Yahoo but released in part to us now describe the new certifications, including FBI’s new role in the process.  Of particular concern, the government withheld Walton’s comment admonishing the government for changing the certifications, “without appropriately informing the Court or supplementing the record in this matter until ordered to do so” (page 4), though footnote 4 and page 35 make it clear that Walton revealed some details of the government’s belated disclosures in a February 29 order for more briefing.

More troubling still, they hid Walton’s still significantly-redacted assessment that the changes in the Certifications would not change the nature of the government’s demand from Yahoo (page 38).

Neither type of amendment altered the nature of the assistance to be rendered by Yahoo,40

40 Yahoo has submitted a sworn statement that, prior to serving the directives on Yahoo, representatives of the government “indicated that, at the outset, it only would expect…

I wrote about these changing requests here. And while on paper the changing requests couldn’t have been a result of the changed Certification — Yahoo’s Manager of Legal Compliance described them in a January 23 submission, and the new Certifications were issued the following week — I find the timing, and the government’s failure to notice Walton on them, suspect enough that it’s the kind of thing that should have been briefed. Plus, as I’ll show in a follow-up post, I’m fairly certain the government hid  from both FISC and FISCR the degree to which this was about targeting Americans.

Once Walton learned that the government’s requests to Yahoo had changed between the date of Kollar-Kotelly’s initial approval and the expiration of the law, it seems it should have merited more direct briefing, but that would have required admitting that the changes put domestic law enforcement in the center of the program, which presents (or should present) significantly different Fourth Amendment concerns, notably increasing the importance of prior interpretations of the “significant purpose” language instituted under the PATRIOT Act.

In other words, not only did the ex parte nature of this proceeding hide the details Yahoo would have needed to make a robust Fourth Amendment argument, as well as evidence that the government was not being entirely forthcoming to FISC (which would have bolstered Yahoo’s separation of powers claim), it also hid what may be specifically pertinent details behind the government’s last minute changed certifications.

In theory, this shouldn’t happen with the USA Freedom Advocate, because the bill specifically requires the Advocate have access to certifications necessary for her to complete her duties.

(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—

[snip]

(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;

By comparison, the government was challenging Yahoo’s legal standing to take this challenge in the first place.

But I find the apparent basis for withholding information from Yahoo to be relevant. This memorandum, at least, was originally classified Top Secret/ORCON (Originator Controlled); the redacted memorandum given to Yahoo was classified Secret. That means that the changes arose, at least in part, from the ability of the originator (which may be DOJ’s National Security Division, given that Mark Bradley conducted the declassification review) to determine who gets the document. As I noted, there are two bases in USAF that would permit the government to withhold information, classification and privilege. Withholding information under an ORCON claim likely stems from both (though I am checking this).

So while the government should not be able to treat the advocate the same way they treated Yahoo (which, after all, FISC treated as a Congressionally sanctioned challenger to the orders, just as it would the advocate), they seem to have the prerogative to. (Update: I should add that Walton permitted the government to do all the ex parte briefing here under FISA’s ex parte briefing language; given that USAF doesn’t change that for any of the authorities in question, we should assume this precedent will apply to the advocate.)

To be clear, the USAF advocate is not one of the things that I believe sets back a slow reform process (as, for example, I believe the “transparency” provisions and some weakened minimization procedures do). I think it most likely that the advocate will evolve the way PCLOB has, which was first authorized in 2004, thwarted by Executive obstruction (on precisely these kinds of issues), reauthorized as a more effective body in 2007, then slow-walked again — partly by President Obama, though partly by Congress — for another 6 years. That is, if the advocate is at least as self-respecting as Lanny Davis (!), she will quit if the Executive ignores the intent of Congress that she have access to the materials she needs to do her job, exposing the inefficacy of the existing system. All that, of course, assumes she will cop onto what has been withheld. Clearly, Yahoo got a sense of it during this process, though FISC and FISCR seem to have realized only some of the other stuff withheld from them.

That is, judging by the PCLOB example, if all goes well and if USAF were to pass this year, we might have a fully functional advocate by 2023!

The Yahoo materials released show that the government withheld pertinent information from Yahoo, FISC, and FISCR until forced to provide it, and they never provided any of them with all the information they should have.

That it retains the ability to do so under USAF doesn’t bode well for the advocate. But that’s really just a subset to a larger issue that, even when authorized by Congress to provide oversight of this executive spying, the government has consistently, for years, been less than fully cooperative with FISC’s authority to do so.

As I’ve said, the surest way to reform surveillance is to eliminate the FISA Court.

John Bates Gets Slapped Down for Speaking Out of Turn, Again

A few weeks back, I pointed to 9th Circuit Chief Judge Alex Kozinski’s criticism of John Bates’ presumption to speak for the judiciary in his August 5 letter complaining about some aspects of USA Freedom Act. Kozinski was pretty obviously pissed.

But compared to the op-ed from retired District Court Judge Nancy Gertner – who effectively scolds Bates, as the Administrative staff, speaking out of turn — Kozinski was reserved.

[W]hatever the merits of Bates’ concerns—and other judges have dissented from it—he most assuredly does not speak for the Third Branch.

[snip]

Bates has been appointed by Chief Justice John Roberts to serve as director of the Administrative Office of the U.S. Courts, the body that administers the federal courts. It was created in 1939 to take the administration of the judiciary out of the Department of Justice. Its principal tasks were data collection and the creation of budgets and, while its duties have grown over the years, they remain administrative (dealing with such things as court reporters, interpreters, judicial pay, maintenance of judicial buildings, staffing etc.).

When members of Congress solicit the “judiciary’s” opinion they may write to the office’s director, but he has no authority to make policy for the federal judiciary. It is the Judicial Conference of the United States Courts, to which the AO director is only the “secretary,” that has that responsibility.

I’m very supportive of Gertner’s defense of judicial independence and her concern about the operation of the FISA Court.

But her critique goes off the rails when she points to DOJ’s purported support of USA Freedom Act as a better indication of the Executive’s views than Bates’ comments.

Moreover, a great deal of Bates’ letter focuses on the Senate proposals’ impact on the executive branch and the intelligence community. The Senate bill would burden the executive with more work and even delay the FISA court’s proceedings, he suggests. Worse yet, the executive may be reluctant to share information with an independent advocate—a troubling claim.

Bates’ concerns are belied by the support voiced by the Department of Justice and the president for the Senate proposal. Surely, the executive branch understands its own needs better than does Bates. Surely, the executive branch has confidence in the procedures that the FISA court would have in place for dealing with classified information, just as the courts that have dealt with other national security issues have had.

And surely, the executive would abide by what the law requires, notwithstanding Bates’ predictions about its “reluctance” to share information with a special advocate.

DOJ’s “support” of the bill was expressed when Eric Holder co-signed a letter (which Gertner tellingly doesn’t mention, much less link) from James Clapper which, when read with attention, clearly indicated the Executive would interpret the bill to be fairly permissive on most of the issues on which the Senate bill would otherwise improve on the House one. Holder’s “support” of the bill strongly indicates that DOJ, with ODNI, plans to use the classification and privilege “protections” in the bill to refuse to share information with the special advocate.

And that’s precisely the part of the letter where Holder and Clapper invoke Bates.

USA Freedom Act’s So-Called “Transparency” Provisions Enable Illegal Domestic Surveillance

I regret that I am only now taking a close look at the “transparency” provisions in Patrick Leahy’s version of USA Freedom Act. They are actually designed not to provide “transparency,” but to give a very misleading picture of how much spying is going on. They are also designed to permit the government to continue not knowing how much content it collects domestically under upstream and pen register orders, which is handy, because John Bates told them if they didn’t know it was domestic then collecting domestic isn’t illegal.

In this post, I’ve laid out the section of the bill that mandates reporting from ODNI, with my comments interspersed along with what the “transparency” report Clapper did this year showed.

(b) MANDATORY REPORTING BY DIRECTOR OF NATIONAL INTELLIGENCE.—

(1) IN GENERAL.—Except as provided in subsection (e), the Director of National Intelligence shall annually make publicly available on an Internet Web site a report that identifies, for the preceding 12-month period—

This language basically requires the DNI to post a report on I Con the Record every year. But subsection (e) provides a number of outs.

Individual US Person FISA Orders

(A) the total number of orders issued pursuant to titles I and III and sections 703 and 704 and a good faith estimate of the number of targets of such orders;

This language requires DNI to describe, in bulk, how many individual US persons are targeted in a given year (there were 1,767 orders and 1,144 estimated targets last year). But it only requires DNI to give a “good faith estimate” of these numbers (and that’s what they’re listed as in ODNI’s report from last year)! If there’s one thing DNI should be able to give a rock-solid number for, it’s individual USP targets. But … apparently that’s not the case.

Section 702 Orders

(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—

(i) the number of targets of such orders;

(ii) the number of individuals whose communications were collected pursuant to such orders;

(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

This language requires DNI to provide an estimate of the number of targets of Section 702 which includes both upstream and PRISM production. Last year, this was one order (ODNI doesn’t tell us, but there were at least 3 certificates –Counterterrorism, Counterproliferation, and Foreign Government) affecting 89,138 targets.

The new reporting requires the government to come up with some estimate of how many communications are collected, as well as how many are located inside the US.

Except DNI is permitted to issue a certification saying that there are operational reasons why he can’t provide that last bit — how many are in the US. Thus, 4 years after refusing to tell John Bates how many Americans’ communications NSA was sucking up in upstream collection, Clapper is now getting the right to continue to refuse to provide that ratified by Congress. And remember — Bates also said that if the government didn’t know it was collecting that content domestically, then it wasn’t really in violation of 50 USC 1809(a). So by ensuring that it doesn’t have to count this, Clapper is ensuring that he can continue to conduct illegal domestic surveillance.

Don’t worry though. The bill includes language that says, even though this provision permits the government to continue conducting illegal domestic collection, “Nothing in this section affects the lawfulness or unlawfulness of any government surveillance activities described herein.”

Back Door Searches

(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and

(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;

This language counts back door searches.

But later in the bill, the FBI — which we know does the bulk of these back door searches — is exempted from all of this reporting. As I noted in this post, effectively the Senate is saying it’s no big deal if FBI doesn’t track how many warrantless searches of US person content it does, even of people against whom the FBI has no evidence of wrongdoing.

In addition, note that odd limit to (v). DNI only has to report metadata searches “initiated by an officer, employee, or agent” of the United States. That would seem to exempt any back door metadata searches by foreign governments (it might also exempt contractors, but they should be included as “agents” of the US). Which, given that CIA doesn’t currently count its metadata searches, and given that CIA conducts a bunch of metadata searches on behalf of other entities, leads me to suspect that CIA may be doing metadata searches “initiated” by foreign governments. But that’s a guess. One way or another, though, this clause was written to not count some of these metadata searches. [Update: On reflection, that language may be designed to avoid counting automated processes as searches -- if they're initiated by a robot rather than an employee they're not counted!]

Pen Register Orders

(C) the total number of orders issued pursuant to title IV and a good faith estimate of—

(i) the number of targets of such orders;

(ii) the number of individuals whose communications were collected pursuant to such orders; and

(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

This language counts how many Pen Register orders the government obtains, how many individuals get sucked up, and how many are in the US, both of which are additions to what ODNI reported this year.

But that last bit — counting people in the US — is again a permissible exemption under the bill. Which is, as you’ll recall, the other way NSA has been known to engage in illegal domestic content collection. The only known bulk pen register is currently run by FBI, but in any case, the exemption has the same effect, of permitting the government to avoid ever having to admit that it is breaking the law.

Traditional Section 215 Collection

(D) the total number of orders issued pursuant to applications made under section 501(b)(2)(B) and a good faith estimate of—

(i) the number of targets of such orders;

(ii) the number of individuals whose communications were collected pursuant to such orders; and

(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

This requires DNI to report on traditional Section 215 orders, but the entire requirement is a joke on two counts.

First, note that, for a reporting requirement for a law permitting the government to collect “tangible things,” it only requires individualized reporting for “communications.” “Individuals whose communications were collected” are specifically defined as only involving phone calls and electronic communications.

So this “transparency” bill will not count how many individuals have their financial records, beauty supply purchases, gun purchases, pressure cooker purchases, medical records, money transfers, or other things sucked up, much of which we know to be done under this bill. And this is particularly important, because the law still permits bulk collection of these things. Thus, this “transparency” report creates the illusion that far less collection is done under Section 215 than actually is, it creates the illusion that bulk collection is not going on when it is.

But it gets worse!

James Clapper’s Letter DIDN’T Endorse S 2685; It Endorsed HR 3361

I’m sorry to return to James Clapper’s letter that has been grossly misreported as endorsing Patrick Leahy’s USA Freedom Act.

In this post I pointed out what Clapper’s letter really said. In this one, I described why it is so inexcusable that Clapper emphasized FBI’s exemption from reporting requirements (I will have a follow-up soon about why that earlier post just scratches the surface). And this post lays out some — but not all — of the ways Clapper’s letter said he would gut the Advocate provision.

But I think there’s a far better way of understanding Clapper’s letter. He didn’t endorse Leahy’s USAF, S 2685. He endorsed USA Freedumber, HR 3361.

Below the rule I’ve put a summary of changes from USA Freedumber to Leahy USA Freedom, HR 3361 to S 2685. I did it a very long time ago, and there are things I’d emphasize differently now, but it will have to do for now (it may also be helpful to review this summary of how USA Freedumber made USA Freedumb worse). Basically, S 2685 improved on HR 3361 by,

  • Tightening the definition of “specific selection term”
  • Adding transparency (though, with exemptions for FBI reporting)
  • Improving the advocate
  • Limiting prospective CDR collection (but not retention and therefore probably dissemination) to counterterrorism

This closely matches what the coalition that signed onto S 2685 laid out as the improvements from HR 3361 to S 2685.

[T]he new version of the bill:

  • Strengthens and clarifies the ban on “bulk” collection of records, including by tightening definitions to ensure that the government can’t collect records for everyone in a particular geographic area or using a particular communication service, and by adding new post-collection minimization procedures;
  • Allows much more detailed transparency reporting by companies—and requires much more detailed transparency reporting by the government—about the NSA’s surveillance activities; and
  • Provides stronger reforms to the secret Foreign Intelligence Surveillance Court’s processes, by creating new Special Advocates whose duty is to advocate to the court in favor of privacy and civil liberties, and by strengthening requirements that the government release redacted copies or summaries of the court’s significant decisions.

Though as I explained here, there is no public evidence the minimization procedures required by the bill are even as stringent as what the FISC currently imposes on most orders, so the minimization procedures of S 2685 might – like the emergency procedures do — actually weaken the status quo.

Here are three of the key passages from Clapper’s letter that I believe would address the intent of the bill as written.

  • “Recognizing that the terms [laid out in the definition of specific selection term] enumerated in the statute may not always meet operational needs, the bill permits the use of other terms.”
  • “The transparency provisions in this bill … recognize the technical limitations on our ability to report certain types of information.”
  • “The appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Office of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address those concerns.”

In other words, the limiting language in Clapper’s letter very clearly maps the changes from HR 3361 to S 2685.

He clearly says he doesn’t have to follow the new limits on specific selection terms. He signals he will use his authority to make classification and privilege determinations to keep information away from the amicus (or retain ex parte procedures via some other means). And by endorsing John Bates’ letter, he revealed his intention to take out requirements that the amicus advocate in favor of privacy and civil liberties. In addition — this is the part of Bates’ letter I missed in my previous analysis — he thereby endorsed Bates’ recommendation to “delet[e] this provision [specifying that the Court must release at least a summary], leaving in place the provision that significant FISA court decision would continue to be released, whenever feasible, in redacted form.”

Plus, as I mentioned, his use of “metadata” rather than “Call Detail Record” suggests he may play with that laudable limit in the bill as well.

I think Clapper’s read on the exemption for FBI is totally a fair reading of the bill; I just happen to think the Senate is doing a great deal of affirmative damage by accepting it. (Again, I hope to explain more why that is the case in the next day or so.)

Voila! Clapper’s “endorsement” of the bill managed to carve out almost all the improvements from HR 3361 to S 2685 (as well as emphasize Congress’ ratification for the FBI exemption, the huge reservation on the one improvement he left untouched). The only other improvement Clapper left in place was the limit on collection of prospective phone records to counterterrorism purposes.

That’s it. If Clapper’s views hold sway, that’s all this bill is: USA Freedumber with the retention of the status quo counterterrorism application for CDR collection.


Supporters of USA Freedom Ignore the Courts

The National Journal reports that Leahy’s USA Freedom Act probably won’t move until after the election, if not next year.

A bill that would curtail the government’s broad surveillance authority is unlikely to earn a vote in Congress before the November midterms, and it might not even get a vote during the postelection lame-duck session.

The inaction amounts to another stinging setback for reform advocates, who have been agitating for legislation that would rein in the National Security Agency ever since Edward Snowden’s leaks surfaced last summer. It also deflates a sudden surge in pressure on Congress to pass the USA Freedom Act, which scored a stunning endorsement from Director of National Intelligence James Clapper last week.

Of course, contrary to what the NJ keeps reporting, that letter is not a stunning endorsement. On the contrary, it’s a signal James Clapper would change — at a minimum — the FISA Advocate position, and probably the Call Detail Record provision as well.

And even while the story suggests timing is the problem, further down the story suggests the bill doesn’t have the votes.

But beyond the calendar squeeze and geopolitical tensions, the Freedom Act has never had a clear path forward. It was not embraced by defense hawks such as Senate Intelligence Committee Chairwoman Dianne Feinstein or Sens. Ron Wyden and Mark Udall, who have become icons of the surveillance-reform movement. The two Democrats said they wanted to strengthen the bill to require warrants for “backdoor” searches of Americans’ Internet data that can be incidentally collected during foreign surveillance hauls. Sources indicated that their support for the Freedom Act remains a bridge too far.

“We were told to go after Republicans,” one industry said.

Wyden and Udall’s reticence to publicly back Leahy’s bill may stem from a conviction that they can get a better deal next Congress, with Section 215 of the USA Patriot Act—the legal underpinning for the NSA’s phone-records collection—due to expire on June 1, 2015.

Without the left flank of the Senate, this wasn’t going to pass. But so long as this bill endorsed warrantless back door searches of Americans at the assessment stage, it wasn’t going to get those votes.

The story ends with a solitary quote purportedly representing the voices of “many” people.

But many see an NSA reform debate that rolls into next year as no sure bet, regardless of what party holds control of the Senate.

“If the USA Freedom Act is not passed this Congress, we are really in uncharted territory, and the process has to start all over again,” said Harley Geiger, senior counsel at the Center for Democracy & Technology, a pro-reform group. “All the elements for reform are in place now, but it just happens that we don’t have much time.”

Geiger is the same person misreading Clapper’s letter as a complete endorsement of the bill.

Note what doesn’t get mentioned in any of this, though?

The Courts.

Last we heard from the 2nd Circuit, it sounded very very skeptical that it was constitutional to, “collect everything there is to know about everybody and have it all in one big government cloud.” And while SCOTUS was happy to reverse precisely this court in Section 702, both ACLU’s standing and the details of the program are much clearer this time. Had Congress legislated quickly, it likely would moot this and several other challenges to this dragnet. 

This way, at least, the courts will be forced to determine whether it is actually legal for the government to compile dossiers on every American and store them on a cloud.

James Clapper, Bates-Stamp, and Gutting the FISA Advocate

As I noted the other day, in his letter purportedly “supporting” Patrick Leahy’s USA Freedom Act, James Clapper had this to say about the special advocate amicus curiae position laid out by the law.

We note that, consistent with the President’s request, the bill establishes a process for the appointment of an amicus curiae to assist the FISA Court and FISA Court of Review in matters that present a novel or significant interpretation of the law. We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.

Clapper stretches the actual terms of all four provisions of the bill he discusses — he admits he’ll use selection terms outside those enumerated by the statute, he discusses collecting “metadata” rather than the much more limited “call detail records” laid out in the bill, and he facetiously claims FBI won’t count its back door searches because of technical rather than policy choices.

But I think Clapper’s comments about the FISC amicus curiae deserve particular attention, because the letter suggests strongly that Clapper will ignore the law on one of the key improvements in the bill.

Clapper claims, first of all, that Obama has called for the appointment of an amicus curiae.

That’s false.

Obama actually called for fully-independent advocates.

To ensure that the Court hears a broader range of privacy perspectives, I am calling on Congress to authorize the establishment of a panel of advocates from outside government to provide an independent voice in significant cases before the Foreign Intelligence Surveillance Court.

That may seem like semantics. But in his letter, Clapper signals he will make the amicus curiae something different. First, he emphasized this amicus will not interfere with ex parte communications between the court and the government. That may violate this passage of Leahy’s bill, which guarantees the special advocate have access to anything that is “relevant” to her duties.

(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—

[snip]

(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;

Given that in other parts of 50 USC 1861, “relevant” has come to mean “all,” it’s pretty amazing that Clapper says the advocate won’t have access to all communication between the government and the court.

There are just two bases on which the advocate can be denied access to documents she would need.

(i) IN GENERAL.—A special advocate, experts appointed to assist a special advocate, or any other amicus or technical expert appointed by the court may have access to classified documents, information, and other materials or proceedings only if that individual is eligible for access to classified information and to the extent consistent with the national security of the United States.

(ii) RULE OF CONSTRUCTION.— Nothing in this section shall be construed to require the Government to provide information to a special advocate, other amicus, or technical expert that is privileged from disclosure.

If we could believe that Clapper were operating on good faith, this language would be fairly innocuous. But given that Clapper has made it very explicit he wants to continue to conduct ex parte communication, and given that the Director of National Intelligence has a significant role in both need to know determinations and privilege claims, this language — and Clapper’s commitment to retain ex parte communications — is a pretty good indication he plans to deny access based on these two clauses.

And all that’s before Clapper says he plans to continue to work with Leahy to address some of John Bates’ purported concerns.

As a reminder, in Bates’ most recent letter, he claimed to be speaking “on behalf of the Judiciary” and used the royal “we” throughout. In response to the letter, Steve Vladeck raised real questions about what basis Bates had to use that royal “we.”

Judge Bates’s latest missive … raises the question of why Judge Bates believes he’s entitled to speak “on behalf of the Judiciary”–especially when at least two former FISA judges have expressly endorsed reforms far more aggressive than those envisaged by the Senate bill, and when the substance of Judge Bates’s objections go principally to burdens on the Executive Branch, not the courts.

Then Senior 9th Circuit Chief Judge Alex Kozinski weighed in. While he professed not to have studied the matter, he made it quite clear that he

was not aware of Director Bates’s letter before it was sent, nor did [he] receive a copy afterwards.

[snip]

having given the matter little consideration, and having had no opportunity to deliberate with the other members of the Judicial Conference, I have serious doubts about the views expressed by Judge Bates. Insofar as Judge Bates’s August 5th letter may be understood as reflecting my views, I advise the Committee that this is not so.

In other words, Bates decided to speak for the Judiciary without consulting them.

And, as Vladeck correctly notes, what he said seemed to represent the views of the Executive, not the Judiciary. I think that conclusion is all the more compelling when you consider the 3 big opinions we know Bates wrote while serving on FISC:

  • Around July 2010: After noting that the Executive had violated the PRTT orders from 2004 until 2009 when it was shut down, including not disclosing that virtually every record collected included unauthorized collection, he reauthorized and expanded the program 11- to 24-fold, expanding both the types of data permitted and the breadth of the collection. Bates did prevent the government from using some of what it had illegally collected in the past, but told them if they didn’t know it was illegal they could use it.
  • October 3, 2011: The year after he had reauthorized PRTT in spite of the years of violation, the government informed him they had been illegally collecting US person content for 3 years. Bates authorized some of this collection prospectively (though more assertively required them to get rid of the past illegal collection). At the same time, Bates permitted NSA and CIA to conduct back door searches of US person PRISM content.
  • February 19, 2013: Bates unilaterally redefined the PATRIOT Act to permit the government to collect on US persons solely for their First Amendment activities, so long as the activities of their associates were not protected by the First Amendment.

In short, even though Bates knew better than anyone but perhaps Reggie Walton of the Executive’s persistent violations of FISA orders, he repeatedly expanded these programs in dangerous ways even as he found out about new violations.

That’s the guy lecturing Leahy on how the FISC needs to work, invoking the royal “we” he hasn’t gotten permission to use.

And consider the things Bates asked for in his most recent letter – which, by invocation, Clapper is suggesting he’ll demand from Leahy.

  • The advocate should not be mandated to speak for privacy and civil liberties.
  • The advocate should not be adversarial because that might lead the government to stop sharing information it is required to share.
  • The advocate should not be required to be consulted on all novel issues [I wonder now if Bates considers the First Amendment application a novel issue?] because that might take too long.

Basically, Bates says Leahy should replace his language with the House language.

In our view, the greater flexibility and control that the FISA courts would have under the amicus provision in H.R. 3361 make it a better fit for FISA court proceedings than the special advocate provision of S. 2685. As discussed above, the House bill would give the FISA courts substantial flexibility not only in deciding when to appoint an amicus in the first place, but also in tailoring the nature and scope of the assistance provided to the circumstances of a particular matter.

So the guy who Bates-stamped so many dangerous decisions wants FISC to retain the authority to continue doing so.

Again, Clapper is absolutely wrong when he claims this kind of thing — a role in which the FISC can sharply limit what advice it gets and the DNI can sustain ex parte proceedings by claiming privilege or need to know — is what President Obama endorsed 8 months ago.

Which raises the question: is the President going to tell his DNI to implement his own policy choices? Or is he going to let James Clapper and Bob Litt muddle up a democratic bill again?

Clapper’s Claim that FBI Cannot Count Back Door Searches for Technical Reasons Probably Bullshit

I wanted to explain why I think it’s such a big deal that, in his letter supporting the bill, James Clapper specifically highlighted the carve out for transparency reporting on FBI’s back door searches in Leahy’s version of the Freedom Act.

As I described, the bill requires reporting on back door searches, but then exempts the FBI from that reporting.

But that’s not the part of the bill that disturbs me the most. It’s this language:

‘(3) FEDERAL BUREAU OF INVESTIGATION.—

Subparagraphs (B)(iv), (B)(v), (D)(iii), (E)(iii), and (E)(iv) of paragraph (1) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

The language refers, in part, to requirements that the government report to Congress:

(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—

(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and

(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;

These are back door searches on US person identifiers of Section 702 collected data — both content (iv) and metadata (v).

In other words, after having required the government to report how many back door searches of US person data it conducts, the bill then exempts the FBI.

In his letter, Clapper says,

[W]e are comfortable with the transparency provisions in this bill because, among other things, they recognize the technical limitations on our ability to report certain types of information.

FBI back door searches are the most obvious limit on transparency guidelines, and FBI told PCLOB they couldn’t count them for technical reasons.

So effectively, Clapper is suggesting that Congress has recognized that FBI is incapable — for technical reasons — of counting how often it conducts back door searches.

That technical claim is almost certainly bullshit.

As a reminder, here’s what the government told PCLOB about FBI’s back door searches.

Because they are not identified as such in FBI systems, the FBI does not track the number of queries using U.S. person identifiers. The number of such queries, however, is substantial for two reasons.

First, the FBI stores electronic data obtained from traditional FISA electronic surveillance and physical searches, which often target U.S. persons, in the same repositories as the FBI stores Section 702–acquired data, which cannot be acquired through the intentional targeting of U.S. persons. As such, FBI agents and analysts who query data using the identifiers of their U.S. person traditional FISA targets will also simultaneously query Section 702–acquired data.

Second, whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702–acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts. In the case of an assessment, an assessment may be initiated “to detect, obtain information about, or prevent or protect against federal crimes or threats to the national security or to collect foreign intelligence information.” If the agent or analyst conducting these queries has had the training required for access to unminimized Section 702–acquired data, any results from the Section 702 data would be returned in these queries. If an agent or analyst does not have access to unminimized Section 702–acquired data — typically because this agent or analyst is assigned to non-national security criminal matters only — the agent or analyst would not be able to view the unminimized data, but would be notified that data responsive to the query exists and could request that an agent or analyst with the proper training and access to review the unminimized Section 702–acquired data.


The Holder-Clapper Letter Ought to Make You Worry about Leahy’s USA Freedom

As the press is reporting right now, James “Too Cute by Half” Clapper and Eric Holder have written Patrick Leahy a letter endorsing his version of the dragnet reform bill. Reports claim this shows that Clapper supports reform.

Consider me unimpressed.

To understand why, it helps to understand what this letter was once supposed to do. According to a Senate source who is skeptical this reform does enough, it was supposed to provide language that would endorse civil libertarians’ understanding of key terms of the bill. I’m not sure if the letter is still supposed to do that work — if it is not, that is a story unto itself. But the language in this letter doesn’t make any commitments on the key points of concern.

As an initial matter, I was told this letter would include language making it clear that the “connection chaining” language I’ve been so concerned about would limit contact chaining to actual calls made. The letter doesn’t address connection chaining at all. Huh. How about that?

Here’s what Clapper’s letter says about the prospective call detail record (CDR) collection:

The bill also provides a mechanism to obtain telephone metadata records in order to identify potential contacts of suspected terrorists inside the United States. The Intelligence Community believes that, based on communications providers’ existing practices in retaining metadata, the bill will retain the essential operational capabilities of the existing bulk telephone metadata program while eliminating bulk collection.

It’s good news the IC is not asking for data retention requirements — but you ought to ask why, given that the most important provider, Verizon, has told the Senate Intelligence Committee that it only keeps billing records — not CDRs – for 18 months.

Note, however, that Clapper doesn’t use CDR language here — he uses “metadata,” which is actually broader — potentially far broader — than CDRs as defined by the bill. We know, for example, that the IC considers location data metadata — and James Cole told Mark Warner they might ask for hybrid orders to get location data. We know from the ICREACH documents that the IC admits it uses a different definition of metadata than the FISA Court does (the IC’s definition of metadata not only includes content, but also substantive information about people). We know that providers store customer things-that-count-as-metadata on their clouds, indefinitely. Adopting metadata here, in short, may back off the otherwise limited definition of CDR, which is one of the bill’s laudable limiting factors.

The letter’s claim to end bulk collection does nothing to reflect that the IC’s definition of bulk — anything without a discriminator — has nothing to do with the common English definition of it; it certainly doesn’t promise to end the English language definition of bulk. Moreover, it only promises to limit bulk collection to the “greatest extent practicable.”

[T]he bill permits collection under Section 215 of the USA PATRIOT Act using a specific selection term that narrowly limits the scope of the tangible things sought to the greatest extent reasonably practicable, consistent with the purposes for seeking the tangible things. Recognizing that the terms enumerated in the statute may not always meet operational needs, the bill permits the use of other terms, provided there are court-approved minimization procedures that prohibit the dissemination and require the destruction within a reasonable period of time of any information that has not been determined to satisfy certain specific requirements.

That “reasonably practicable” language is a direct quote from the bill. It adds nothing, and given that Bob Litt refuses to limit FBI back door searches because it’s not practicable, what the IC means by practicable could very easily encompass gross privacy violations — ones that have already been approved by FISC! And remember–the IC can use corporate persons as selection terms.

Then the letter all but admits it will use selection terms that violate this principle, but points to the minimization procedures required by the law to rationalize that. As I’ve pointed out, there’s no reason to believe the minimization procedures will be any more stringent than what the FISC currently requires — and there’s at least some reason to suspect they might be weaker than current minimization procedures. (And remember, the retention requirements for the CDR authority almost certainly broaden permitted dissemination to foreign intelligence purposes, which might lead to a similar broadening of it elsewhere under the authority.)

The transparency paragraph includes this language.

the transparency provisions in this bill … among other things, [] recognize the technical limitations on our ability to report certain types of information.

This is James Clapper saying quite clearly to anyone willing to listen that he sees this bill — which explicitly carves out FBI back door searches from any transparency reporting — as Congressional endorsement of the idea that we should never demand the number of FBI back door searches. This language, by itself, ought to make the bill toxic.

Congratulations NGOs. You’re backing the idea that the FBI should be able to use 702 and 12333 collected information in criminal contexts with zero oversight or accountability.

Finally, Clapper’s letter makes it clear that Leahy’s bill will do nothing to stop ex parte communication between the Executive and FISC. And he even points to John Bates’ ridiculous letter (huh, now we have a better sense of who put Bates up to that!) to warn he’ll carve out even more.

We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.

Especially after we learned Bates single-handedly rewrote PATRIOT last year to make it okay to spy on Americans for their protected speech, we should do nothing to accommodate Bates’ wishes, especially since he didn’t speak with the authority of his position. The FISC, as Bates envisions it, doesn’t resemble a real court at all.

In short, there’s one piece of good news in this letter — that the IC won’t ask for data retention requirements — and a whole lot of reason to be even more skeptical of the bill.

James Clapper Thinks Fictitious Email Metadata Is Properly Classified

If you didn’t already need proof that the FISA Court needs to consult technical advisors before they permit the government to collect all of Americans’ metadata, consider this lesson DOJ offered as part of its initial application for the Internet dragnet (see page 16).

[Image: Fictional Metadata]

Of course, you’re prohibited from seeing the better part of that lesson — the fictional example of metadata they offered — because James Clapper has deemed it classified.

Funny. Eric Holder recently claimed in a Congressional hearing that if something’s not true it’s not classified. I guess the fictions they tell FISC judges are another matter.
