John Bates

1 2 3 7

Working Thread, PCLOB Report

The pre-release PCLOB report on Section 702 is here. This will be a working thread.

PDF 16: First recommendation is to include more enunciation of foreign intel purpose. This was actually a Snowden revelation the govt poo pooed.

PDF 17: Recommends new limits on non-FI criminal use of FBI back door searches, and some better tracking of it (surprised that’s not stronger!). Also recommends new documentation for NSA, CIA back door queries.  Must mean CIA is a problem.

PDF 17: Recommends FISC get the “rules” NSA uses. That suggests there may be some differences between what the govt does and what it tells FISC it does.

PDF 17: Recommends better assessment of filtering for upstream to leave out USP data. John Bates was skeptical there wasn’t better tech too.

PDF 18: Suggestion there are more types of upstream collection than there needs to be.

PDF 27 fn 56: Notes some room in the definition of Foreign Intelligence.

PDF 30: Note how PCLOB deals with issues of scope.

PDF 34: Note the discussion of due diligence. Due diligence problems amount for about 9% of NSA violations.

PDF 34-35: This must be a response to violations reported by Risen and Lichtblau, and is probably one of the things referred to in NSA’s review of its own COINTELPRO like problems.

In a still-classified 2009 opinion, the FISC held that the judicial review requirements regarding the targeting and minimization procedures required that the FISC be fully informed of every incident of noncompliance with those procedures. In the 2009 opinion, the court analyzed whether several errors in applying the targeting and minimization procedures that had been reported to the court undermined either the court’s statutory or constitutional analysis. (The court concluded that they did not.)

PDF 39: NSA gets all PRISM collection, and it goes from there to CIA and FBI. CIA and FBI get only PRISM data.

PDF 42: Another FISC opinion to be released.

In a still-classified September 2008 opinion, the FISC agreed with the government’s conclusion that the government’s target when it acquires an “about” communication is not the sender or recipients of the communication, regarding whom the government may know nothing, but instead the targeted user of the Section 702–tasked selector.

PDF 43: This sounds like a lot of about collection is of forwarded emails.

There are technical reasons why “about” collection is necessary to acquire even some communications that are “to” and “from” a tasked selector. In addition, some types of “about” communications actually involve Internet activity of the targeted person.138 The NSA cannot, however, distinguish in an automated fashion between “about” communications that involve the activity of the target from communications that, for instance, merely contain an email address in the body of an email between two non-targets.139 

PDF 45: I’ll have to check but some of these cites to Bates may be to still redacted sections.

[Headed to bed--will finish my read in the AM]

PDF 47: One thing PCLOB doesn’t explain is if the FBI and CIA targeting takes place at NSA or at those agencies. In the past, it had been the former.

PDF 49: .4% o f targeting ends up getting an American.

PDF 55: NSA shares technical data for collection avoidance purposes. This sounds like the defeat list in the phone dragnet, and like that, seems tailored not just for protecting USPs generally, but sensitive communications (like those of MoCs) more specifically.

PDF 57: This was implicit in some of the docs released by Snowden, but the govt now tags Section 702 data, as they do Section 215, so as to ensure it gets the heightened treatment provided by the law.

Continue reading

In Advance of PCLOB, WaPo Busts ODNI’s Limited Hang Out on Certifications

Earlier today, I got to tell the journalists who have long ignored that the FBI does back door searches — or even suggested I was guessing that they do, when it appeared in multiple public documents — that I had been telling them so for a long time.

But today I also have to admit I got suckered by a year-long Director of National Intelligence effort at a limited hangout. That effort was, I’m convinced, designed to hide that the Section 702 program is far broader than government witnesses wanted to publicly admit it was. Nevertheless, I was wrong about a supposition I had believed until about 2 months ago.

Since the first days after the Snowden leaks, the government has suggested it had 3 certificates under Section 702, covering counterterrorism, counterproliferation, and cybersecurity.  But — as the WaPo reports (as with the ODNI back door search numbers, in convenient timing that conveniently preempts the PCLOB report) — that’ s not the case. The NSA has a certificate that covers every foreign government except the other 4 members of the 5 Eyes (UK, Canada, New Zealand, and Australia), as well as various foreign organizations like OPEC, the European Central Bank, and various Bolivarist groups.

For an entire year, the government has been suggesting that is not the case. I even believed them, the one thing I know of where I got utterly suckered. I was wrong.

Frankly, this certification should not be a surprise. It is solidly within the letter of the law, which permits collection on any agent of a foreign power. From the very first PRISM revelations, which showed collection on Venezuela, it was clear NSA collected broadly, including on Bolivarist governments and energy organizations.

But consistently over the last year, the NSA has suggested it only had certifications for CT, CP, and cyber.

On June 8 of last year, for example, ODNI listed 3 Section 702 successes.

  • Communications collected under Section 702 have provided the Intelligence Community insight into terrorist networks and plans. For example, the Intelligence Community acquired information on a terrorist organization’s strategic planning efforts.
  • Communications collected under Section 702 have yielded intelligence regarding proliferation networks and have directly and significantly contributed to successful operations to impede the proliferation of weapons of mass destruction and related technologies.
  • Communications collected under Section 702 have provided significant and unique intelligence regarding potential cyber threats to the United States including specific potential computer network attacks. This insight has led to successful efforts to mitigate these threats

The October 3, 2011 John Bates opinion, released in October, made it clear there were just 3 certificates at that point.

3 certificates

 

 

(Though note the Semiannual Compliance Review released last year looked to be consistent with at least one more certificate.)

The President’s Review Group emphasized the categorical nature of certificates, and in its second discussion thereof named those same three categories.

[S]ection 702 authorized the FISC to approve annual certifications submitted by the Attorney General and the Director of National Intelligence (DNI) that identify certain categories of foreign intelligence targets whose communications may be collected, subject to FISC-approved targeting and minimization procedures. The categories of targets specified by these certifications typically consist of, for example, international terrorists and individuals involved in the proliferation of weapons of mass destruction.

[snip]

Section 702 requires that NSA’s certifications attest that a “significant purpose” of any acquisition is to obtain foreign intelligence information (i.e. directed at international terrorism, nuclear proliferation, or hostile cyber activities), that it does not intentionally target a United States person, that it does not intentionally target any person known at the time of acquisition to be in the United States, that it does not target any person outside the United States for the purpose of targeting a person inside the United States, and that it meets the requirements of the Fourth Amendment.

And in March testimony before PCLOB, NSA General Counsel Raj De suggested those same three topics.

But beyond that there has to be a valid foreign intelligence reason within the ambit of one of those certifications that the FISC approves annually. Those are certifications on things like counterterrorism, encountering WMDs, for example, weapons of mass destruction.

Most recently, former DOJ official Carrie Cordero – who has been involved in this whole certification process – claimed in the CATO debate we’ve been engaged in “they are not so broad that they cover any and everything that might be foreign intelligence information.”

And yet, there’s a foreign intelligence certificate that covers any and everything that might be foreign intelligence information, a certificate that destroys the whole point of having certificates (though if there’s a cyber one, I suspect it has its own problems, in that it permits domestic collection).

Lots of people are claiming WaPo’s latest is no big deal, because of course the NSA spies on foreign government’s. They’re right, to a point. Except that the government has been strongly implying, since day one, that Section 702 was narrowly deployed, not available to use against all but our 4 closest spying allies.

PCLOB is surely about to make it clear that’s not the case. And voila! All of a sudden it becomes clear the government has been misleading when it claimed this was narrowly deployed.

Riley Meets the Dragnet: Does “Inspection” amount to “Rummaging”?

It’s clear today’s decision in Riley v. California will be important in the criminal justice context. What’s less clear is its impact for national security dragnets.

To answer the question, though, we should remember that question really amounts to several. Does it affect the existing phone dragnet, which aspires to collect the phone records of every person in the US? Does it affect the government’s process of collecting massive amounts of data from which to cull an individual’s data to make up a “fingerprint” that can be used for targeting and other purposes? Will it affect the program the government plans to implement under USA Freedumber, in which the telecoms perform connection-based chaining for the NSA, and then return Call Detail Records as results? Does it affect Section 702? I think the answer may be different for each of these, though I think John Roberts’ language is dangerous for all of this.

In any case, Roberts wants it to be unclear. This footnote, especially, claims this opinion does not implicate cases — governed by the Third Party doctrine — where the collection of data is not considered a search.

1Because the United States and California agree that these cases involve searches incident to arrest, these cases do not implicate the question whether the collection or inspection of aggregated digital information amounts to a search under other circumstances.

Orin Kerr reads this as addressing the mosaic theory directly – which holds that a Fourth Amendment review must consider the entirety of the government collection — (and he is the expert, after all). Though I’m not impressed with his claim that the analogue language Roberts uses directly addresses the mosaic theory; Kerr seems to be arguing that because Roberts finds another argument unwieldy, he must be addressing the theory that Kerr himself finds unwieldy. Moreover, in addition to  this section, which Kerr says supports the Mosaic theory,

An Internet search and browsing history, for example, can be found on an Internet-enabled phone and could reveal an individual’s private interests or concerns—perhaps a search for certain symptoms of disease, coupled with frequent visits to WebMD. Data on a cell phone can also reveal where a person has been. Historic location information is a stand-ard feature on many smart phones and can reconstruct someone’s specific movements down to the minute, not only around town but also within a particular building. See United States v. Jones, 565 U. S. ___, ___ (2012) (SOTOMAYOR, J., concurring) (slip op., at 3) (“GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.”).

I think the paragraph below it also supports the Mosaic theory — particularly its reference to a “revealing montage of the user’s life.”

Mobile application software on a cell phone, or “apps,” offer a range of tools for managing detailed information about all aspects of a person’s life. There are apps for Democratic Party news and Republican Party news; apps for alcohol, drug, and gambling addictions; apps for sharing prayer requests; apps for tracking pregnancy symptoms; apps for planning your budget; apps for every conceivable hobby or pastime; apps for improving your romantic life. There are popular apps for buying or selling just about anything, and the records of such transactions may be accessible on the phone indefinitely. There are over a million apps available in each of the two major app stores; the phrase “there’s an app for that” is now part of the popular lexicon. The average smart phone user has installed 33 apps, which together can form a revealing montage of the user’s life.

I’d argue that the opinion as a whole endorses the notion that you need to assess the totality of the surveillance in question. But then the footnote adopts the awkward phrase, “collection or inspection of aggregated digital information,” to suggest there may be some arrangement under which the conduct of such analysis might not constitute a search requiring a higher standard. (And all that still leaves the likely possibility that the government would scream “special need” and get an exception to get the data anyway; as they surely will do to justify ongoing border searches of computers.)

Of crucial importance, then, Roberts seems to be saying that it might be okay to conduct mosaic analysis, depending on where you get the data and/or whether you actually obtain or instead simply inspect the data.

That’s crucial, of course, because the government is, as we speak, replacing a phone dragnet in which it collects all the data from everyone and analyzes it (or rather, claims to only access only a minuscule portion of it, claiming to do so only through phone-based contacts) with one where it will go to “inspect” the data at telecoms.

So Roberts seems to have left himself an out (or included language designed to placate even Democrats like Stephen Breyer, to say nothing of Clarence Thomas, to achieve unanimity) that happens to line up nicely with where the phone dragnet, at least, is heading.

All that said, Robert’s caveat may not be broad enough to cover the new-and-improved phone dragnet as the government plans to implement it. After all, the “connection” based analysis the government intends to do may only survive via some kind of argument that letting telecoms serve as surrogate spooks makes this kosher under the Fourth Amendment. Because we have every reason to expect that the NSA intends to — at least — tie multiple online and telecom identities together to chain on all of them, and use cell location to track who you meet. And they may well (likely, if not now, then eventually) intend to use things like calendars and address books that Roberts argues makes cell phones not cell phones, but minicomputers that serve as “cameras,video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers.” Every single one of those minicomputer functions is a potential “connection” based chain.

So while the new-and-improved phone dragnet may fall under Roberts’ “inspect” language, it involves far more yoking of the many functions of cell phones that Roberts finds to be problematic.

Then there’s this passage, that Roberts used to deny the government the ability to “just” get call logs.

We also reject the United States’ final suggestion that officers should always be able to search a phone’s call log,as they did in Wurie’s case. The Government relies on Smith v. Maryland, 442 U. S. 735 (1979), which held that no warrant was required to use a pen register at telephone company premises to identify numbers dialed by a particular caller. The Court in that case, however, concluded that the use of a pen register was not a “search” at all under the Fourth Amendment. See id., at 745–746. There is no dispute here that the officers engaged in a search of Wurie’s cell phone. Moreover, call logs typically contain more than just phone numbers; they include any identifying information that an individual might add, such as the label “my house” in Wurie’s case. [my emphasis]

The first part of this passage makes a similar kind of distinction as you see in that footnote (and may support my suspicion that Roberts is trying to carve out space for the new-and-improved phone dragnet). Using a pen register at a telecom is not a search, because it doesn’t involve seizing the phone itself.

But the second part of this passage — which distinguishes between pen registers and call logs — seems to be the most direct assault on the Third Party doctrine in this opinion, because it suggests that data that has been enhanced by a user — phone numbers that are not just phone numbers – may not fall squarely under Smith v. Maryland.

And that’s important because the government intends to get far more data than phone numbers while at the telecoms under the new-and-improved phone dragnet. It surely at least aspires to get logs just like the one Roberts says the cops couldn’t get from Wurie.

Think, too, of how this should limit all the US person data the government collects overseas that the government then aggregates to make fingerprints, claiming incidentally collected data does not require any legal process. That data is seized not from telecoms but rather stolen off cables — does that count as public collection or seizure?

Perhaps the language that presents the most sweeping danger to the dragnet, however, is the line that both Kerr and I like best from the opinion.

Alternatively, the Government proposes that law enforcement agencies “develop protocols to address” concerns raised by cloud computing. Reply Brief in No. 13–212, pp. 14–15. Probably a good idea, but the Founders did not fight a revolution to gain the right to government agency protocols.

Admittedly, Roberts is addressing a specific issue, the government’s proposal of how to protect personal data stored on a cloud that might be accessed from a phone (as if the government gives a shit about such things!).

But the underlying principle is critical. For every single dragnet program the government conducts at NSA, it dismisses obvious Fourth Amendment concerns by pointing to minimization procedures.

The FISC allowed the government to conduct the phone dragnet because it had purportedly strict minimization procedures (which the government ignored); it allowed the government to conduct an Internet dragnet for the same reason; John Bates permitted the government to address domestic content collection he deemed a violation of the Fourth Amendment with new minimization procedures; and the 2008 FISCR opinion approving the Protect America Act (which FISCR and the government say covers FAA as well) relied on targeting and minimization procedures to judge it compliant with the Fourth Amendment. FISC is also increasingly using minimization procedures to deem other Section 215 collections compliant with the law, though we know almost nothing about what they’re collecting (though it’s almost certain they involve Mosaic collection).

Everything, everything, ev-er-y-thing the NSA does these days complies with the Fourth Amendment only under the theory that minimization procedures — “government agency protocols” — provide adequate protection under the Fourth Amendment.

It will take a lot of work, in cases in which the government will likely deny anyone has standing, with SCOTUS’ help, to make this argument. But John Roberts said today that the government agency protocols that have become the sole guardians of the Fourth Amendment are not actually what our Founders were thinking of.

Ultimately, though, this passage may be Roberts’ strongest condemnation — whether he means it or not — of the current dragnet.

Our cases have recognized that the Fourth Amendment was the founding generation’s response to the reviled “general warrants” and “writs of assistance” of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity. Opposition to such searches was in fact one of the driving forces behind the Revolution itself.

Roberts elsewhere says that cell searches are more intrusive than home searches. And by stealing and aggregating that data that originates on our cell phones, the government is indeed rummaging in unrestrained searches for evidence of criminal activity or dissidence. Roberts likely doesn’t imagine this language applies to the NSA (in part because NSA has downplayed what it is doing). But if anyone ever gets an opportunity to demonstrate all that NSA does to the Court, it will have to invent some hoops to deem it anything but digital rummaging.

I strongly suspect Roberts believes the government “inspects” rather than “rummages,” and so believes his opinion won’t affect the government’s ability to rummage, at least at the telecoms.  But a great deal of the language in this opinion raises big problems with the dragnets.

Massie-Lofgren Would Shut Down ALL Back Door Searches under Section 702

There are two details about the Massie-Lofgren Amendmentwhich passed the house by a 293-123 vote last night — that are currently being missed. First, the bill would shut down all back door searches under Section 702.

Except as provided in subsection (b), none of the funds made available by this Act may be used by an officer or employee of the United States to query a collection of foreign intelligence information acquired under section 702 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1881a) using a United States person identifier.

That means it would apply to FBI, in addition to CIA and NSA (which is what some people are reporting).

That’s the other detail people are missing. According to the John Bates opinion in which he first authorized back door searches for NSA and CIA in 2011, a third agency, which another document says is the FBI, had had that authority going back to 2008. According to the same language, FBI also had the authority to conduct back door searches on traditional FISA taps, which they would retain under this amendment.

 

USA Freedumber Reverses John Bates’ Attempts at Oversight

I’ve written about this here and here, but I’m going to make one more effort at explaining why I believe HR 3361 (AKA USA Freedumber Act) will undo the paltry efforts John Bates made to rein in the NSA.

My argument is that with section 202 of HR 3361, the government is creating something new — Attorney General created “privacy procedures” — that serve to dramatically alter the concept of minimization procedures and in doing so undermining the authority of the FISA Court to limit illegal activities.

The government and NSA’s boosters have long argued that minimization procedures — limits on the collection, retention, and dissemination of US person data — play an affirmative role in protecting US person privacy even while the government “collects it all.” Significantly, they point the the FISA Court’s role in reviewing minimization procedures as a key part of oversight of these massive dragnets.

But they’ve always played a funny game with minimization procedures on the legally most problematic part of their dragnet, the Internet dragnet. And a last minute change to HR 3361 seems to codify that funny game.

Unlike the FISA authorization for content in motion, stored communication, and business record collection, the Pen Register/Trap and Trace provision (50 USC 1842) they used to collect Internet metadata collection includes no provision for minimization procedures. The original USA Freedom Act and the compromise bill added minimization procedures and gave FISC judges the authority to review compliance with them. But at the last minute, the intelligence community replaced that provision with “Privacy Procedures” over which only the Attorney General has sole authority.

SEC. 202. PRIVACY PROCEDURES.

(a) IN GENERAL.—Section 402 (50 U.S.C. 1842) is amended by adding at the end the following new sub-section:

‘(h) The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard nonpublicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect national security, include protections for the collection, retention, and use of information concerning United States persons.

Given the history of the PR/TT program, I believe this may (and may be designed to) permit the ongoing acquisition of illegal content.

DOJ argues FISC may only rubber stamp

Before we look at the history of minimization procedures under the FISC-authorized Internet dragnet, understand that even as the government asked the FISC to rubber stamp one of the only parts of the illegal wiretapping program DOJ saw fit to shut down, it also argued that FISC’s authority to do was very limited.

In Colleen Kollar-Kotelly’s July 2004 opinion, she made clear the government believed she could only review the presence of language in the application, not whether it complied with the law, including the “relevance” provision.

In the Government’s view, the Court’s exclusive function regarding this certification would be to verify that it contains the words required by § 1842(c)(2); the basis for a properly worded certification would be of no judicial concern. See Memorandum of Law and Fact at 28-34.

The Court has reviewed the Government’s arguments and authorities and does not find them persuasive.19

19 For example, the Government cites legislative history that “Congress intended to ‘authorize[] FISA judges to issue a pen register or trap and trace upon a certification that the information sought is relevant to’” an FBI investigation. Memorandum of Law and Fact at 30 (quoting S. Rep. No. 105-185, at 27 (1998). However, authorizing the Court to issue an order when a certification is made, and requiring it to do so without resolving doubts about the correctness of the certification are quite different. (26-27)

Six years later, the government was still arguing the FISC could only serve as a rubber stamp. John Bates’ 2010 opinion again had to deal with such a claim.

The Government again argues that the Court should conduct no substantive review of the certification of relevance. See Memorandum of Law at 29. This opinion follows Judge Kollar-Kotelly’s [redacted] Opinion in assuming, without conclusively deciding, that substantive review is warranted. (73 fn 58)

The government’s review that the FISC is no more than a rubber stamp is particularly interesting given the discussion over minimization procedures.

The government invites rubber stamp judges to modify minimization procedures 

Even in spite of DOJ’s view that the FISC should be no more than a rubber stamp on PRTT applications, they nevertheless invited the judges to review and modify minimization procedures submitted in light of the extent of the collection being approved.

Continue reading

If George Bush Can Close NSA’s Back Door Loophole, Why Can’t Barack Obama?

As per usual, there was a tidbit of news in Ron Wyden’s questions at yesterday’s hearing on the USA Freedumber.

He revealed that the back door loophole was closed during the Bush Administration.

Let me start by talking about the fact that the House bill does not ban warrantless searches for Americans’ emails. And here, particularly, I want to get into this with you, Mr. Ledgett if I might. We’re talking of course about the backdoor search loophole, section 702 of the FISA statute. This allows NSA in effect to look through this giant pile of communications that are collected under 702 and deliberately conduct warrantless searches for the communications of individual Americans.  This loophole was closed during the Bush Administration, but it was reopened in 2011, and a few months ago the Director of National Intelligence acknowledged in a letter to me that the searches are ongoing today. [my emphasis]

I’m not sure precisely what he’s talking about, though I assume either the transition from the illegal program to Protect America Act, or the transition from PAA to FISA Amendments Act, removed NSA’s ability to conduct back door searches. Reading between the redactions in John Bates’ October 3, 2011 opinion, FBI apparently has had the authority to do back door searches on both traditional FISA and warrantless collection from 2008, so from the beginning of FAA.

But from what Wyden said, the NSA had the ability to do back door searches, lost it, and now has it again.

I’d sure like to know more about what happened to lead people to believe NSA should have that authority taken away from it.

Why Is DOJ Hiding Three Phone Dragnet Orders in Plain Sight?

The ACLU and EFF FOIAs for Section 215 documents are drawing to a head. Later this week, EFF will have a court hearing in their suit. And last Friday, the government renewed its bid for summary judgment in the ACLU case.

Both suits pivot on whether the government’s past withholdings on Section 215 were in good faith. Both NGOs are arguing they weren’t, and therefore the government’s current claims — that none of the remaining information may be released — cannot be treated in good faith. (Indeed, the government likely released the previously sealed NSA declaration to substantiate its claim that it had to treat all documents tying NSA to the phone dragnet with a Glomar because of the way NSA and DOJ respectively redact classification mark … or something like that.)

But the government insists it is operating in good faith.

Instead, the ACLU speculates, despite the government’s declarations to the contrary, that there must be some non-exempt information contained in these documents that could be segregated and released. In an attempt to avoid well-established law requiring courts to defer to the government’s declarations, especially in the area of national security, the ACLU accuses the government of bad faith and baldly asserts that the government’s past assertions regarding segregability—made before the government’s discretionary declassification of substantial amounts of information regarding its activities pursuant to Section 215— “strip the government’s present justifications of the deference due to them in ordinary FOIA cases.” ACLU Br. at 25. The ACLU’s allegations are utterly unfounded. For the reasons set forth below, the government’s justifications for withholding the remaining documents are “logical and plausible,”

EFF and ACLU have focused closely on a August 20, 2008 FISC order describing a method to conduct queries; I have argued it probably describes how NSA makes correlations to track correlations.

The government is refusing to identify 3 orders it has already identified

But — unless I am badly mistaken, or unless the government mistakenly believes it has turned over some of these orders, which is possible! — I think there are three other documents being withheld (ones the government hasn’t even formally disclosed to EFF, even while pretending they’ve disclosed everything to EFF) that raise questions about the government’s good faith even more readily: the three remaining phone dragnet Primary Orders from 2009. All three have been publicly identified, yet the government is pretending they haven’t been. They are:

BR 09-09, issued on July 8, 2009. Not only was this Primary Order identified in paragraph 3 of the next Primary Order, but it was discussed extensively in the government’s filing accompanying the end-to-end report. In addition, the non-approval of one providers’ metadata  (I increasingly suspect Sprint is the provider) for that period is reflected in paragraph 1(a) of that next Primary Order.

BR 09-15, issued on October 30, 2009. The docket number and date are both identified on the first page of this supplemental order.

BR 09-19, issued on December 16, 2009. It is mentioned in paragraph 3 of the next Primary Order. The docket number and the date are also referred to in the documents pertaining to Sprint’s challenge recently released. (See paragraph 1 and paragraph 5 for the date.)

Thus, the existence of all three Primary Orders has been declassified, even while the government maintains it can’t identify them in the context of the FOIAs where they’ve already been declassified.

The government has segregated a great deal of the content of BR 09-09

The government’s withholding of BR 09-09 is particularly ridiculous, given how extensively the end-to-end motion details it. From that document, we learn:

  • Pages 5-7 approve a new group for querying. (see footnote 2)
  • Pages 9-10 require those accessing the dragnet be briefed on minimization procedures tied to the dragnet (see PDF 22); this is likely the language that appears in paragraph G of the subsequent order. This specifically includes technical personnel. (see PDF 49)
  • Pages 10-11 require weekly reporting on disseminations. (see PDF 23) This is likely the information that appears in paragraph H in the subsequent order.
  • Page 12 affirmatively authorizes the data integrity search to find “certain non user specific numbers and [redacted] identifiers for purposes of metadata reduction and management” (see footnote 19 and PDF 55)
  • Page 8 and 13-14 lay out new oversight roles, especially for DOJ’s National Security Division (see PDF 22); these are likely the requirements laid out in paragraphs M through R in subsequent orders. Those same pages also require DOJ to share the details of NSD’s meeting with NSA in new FISC applications. (see PDF 23)
  • BR 09-09 included the same reporting requirements as laid out in BR 09-01 and BR 09-06 (see PDF 5)
  • Pages 16 -17 also included these new reporting requirements: (see PDFs 6 and 29 – 30)
    • a full explanation of why the government has permitted dissemination outside NSA of U.S. person information in violation of the Court’s Orders in this matter;
    • a full explanation of the extent to which NSA has acquired call detail records of foreign-to-foreign communications from [redacted] pursuant to orders of the FISC, and whether the NSA’s storage, handling, and dissemination of information in those records, or derived therefrom, complied with the Court’s orders; and
    • either (i) a certification that any overproduced information, as described in footnote 11 of the government’s application [i.e. credit card information), has been destroyed, and that any such information acquired pursuant to this Order is being destroyed upon recognition; or (ii) a full explanation as to why it is not possible or otherwise feasible to destroy such information.
  • BR 09-09 specifically mentioned that NSA had generally been disseminating BR FISA data according to USSID 18 and not the more restrictive dissemination provisions of the Court’s Orders. (see footnote 12)
  • BF 09-09 approved Chief, Information Sharing Services, the Senior Operations Officer, the Signals Intelligence
    Directorate (So) Director, the Deputy Director of NSA, and the Director of NSA to authorize US person disseminations. (see footnote 22 and PDF 28)

Significant parts of at least 13 pages of the Primary Order (the next Primary Order is 19 pages long) have already been deemed segregable and released. Yet the government now appears to be arguing, while claiming it is operating in good faith, that none of these items would be segregable if released with the order itself!

Wildarse speculation about why the government is withholding these orders

Which raises the question of why. Why did the government withhold these 3 orders, alone among all the known regular Primary Orders from the period of EFF and ACLU’s FOIAs? (See this page for a summary of the known orders and the changes implemented in each.)

The reason may not be the same for all three orders. BR 09-09 deals with two sensitive issues — the purging of credit card information and tech personnel access — that seem to have been resolved with that order (at least until the credit card problems returned in March 2011).

But there are two things that all three orders might have in common.

First, BR 09-09 deals closely with dissemination problems — the ability of CIA and FBI to access NSA results directly, and the unfettered sharing of information within NSA. BR 09-15 lays out new dissemination rules, with the supplement in November showing NSA to still be in violation. So it’s likely all 3 orders deal with dissemination violations (and therefore with poison fruit of inappropriate dissemination that may still be in the legal system), and that the government is hiding one of the more significant aspects of the dragnet violations by withholding those orders.

I also think it’s possible the later two (potentially all three, but more likely the later two) orders combine the phone and Internet dragnets. That’s largely because of timing: A June 22, 2009 order — the first one to deal with the dissemination problems formally addressed in BR 09-09 — dealt with both dragnets. There is evidence the Internet dragnet data got shut down (or severely restricted) on October 30, 2009, the date of BR 09-15. And according to the 2010 John Bates Internet dragnet opinion, NSA applied to restart the dragnet in late 2009 (so around the time of BR 09-19). So I think it possible the later orders, especially, deal with both programs,  thereby revealing details about the legal problems with PRTT the government would like to keep suppressed. (Note, if BR 09-15 and BR 09-19 are being withheld because they shut down Internet production, it would mean all three orders shut down some production, as BR 09-09 shut down one provider’s telephone production.)

Another possibility has to do with the co-mingling of EO 12333 and Section 215 data. These three orders all deal with the fact that providers (at least Verizon, but potentially the other two as well) had included foreign-to-foreign phone records along with the production of their domestic ones.That’s the reason production from one provider got shut down in BR 09-09. And immediately after the other withheld records, the Primary Orders always included a footnote on what to do with EO 12333 data turned over pursuant to BR FISA orders (see footnote 7 and footnote 10 for examples). Also, starting in March 2009, the Orders all contain language specifically addressing Verizon. So we know the FISC was struggling to come up with a solution for the fact that NSA had co-mingled data obtainable under EO 12333 and data the telecoms received PATRIOT Act orders from. (I suspect this is why Sprint insisted on legal cover, ultimately demanding the legal authorization of the program with the December order.) So it may be that all these orders reveal too much about the EO 12333 dragnet — and potential additional violations — to be released.

Whatever the reason, there is already so much data in the public domain, especially on BR 09-09, it’s hard to believe withholding it is entirely good faith.

NSA’s Training Programs Are a Mess

OGC Questions
In addition to the way NSA claims to be operating under EO 12333 at times when it might be operating under some law passed by Congress, there’s another reason why Snowden’s question to NSA’s Office of General Counsel is worthwhile (though I doubt it’s why he asked).

NSA’s training programs — at least as released to ACLU and EFF under FOIA — are a horrible contradictory mess.

Two training programs closely related to the one he emailed in response to got released last year (though neither appears to be the training program in question): A “Core Intelligence Oversight Training” dating to sometime in 2009 or later, and this Office of General Counsel Powerpoint that is referred to as a Cryptological School Course, from which the image above was taken. (Side note: I repeat what I have said in the past: from a training methodology standpoint, these “training programs” are unbelievably shitty, which is particularly notable given that DOD does pay for a lot of state-of-the-art training programs on other topics.)

The Core Intelligence Oversight Training isn’t really training at all. It’s just a reproduction of the regulations in question. It includes:

  • The 2008 update of EO 12333, but with the original 1981 date attached
  • DOD 5240 1-R, dated 1982
  • NSA/CSS Policy 1-23, issued on March 11, 2004 (interesting date to update such a policy!), and revised twice, most recently May 29, 2009; it includes an Annex that serves as a classified annex to EO 12333 that is dated April 26, 1988
  • DTM 08-052, dated Jun 17, 2009; it cites EO 12333 “as amended” but doesn’t provide any amendment date

Several of these documents purport to implement or refer to FISA, but only the NSA/CSS Policy post-dates the detailed implementation of FISA Amendments Act (and it precedes key changes to the current minimization procedures tied to FISA).

And read together, these documents are utterly confusing.

My favorite is this part of DOD 5240, which would seem to contradict James “Too Cute by Half” Clapper’s definition of collection.

Collection. Information shall be considered as “collected” only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties. Thus, information volunteered to a DoD intelligence component by a cooperating source would be “collected” under this procedure when an employee of such component officially accepts, in some manner, such information for use within that component. Data acquired by electronic means is “collected” only when it has been processed into intelligible form.

But both its definition of electronic surveillance and its rules on collecting the content of Americans overseas were superseded by FAA’s requirement of an order to collect on US persons overseas (and no longer considers electronic surveillance overseas electronic surveillance).

Except as provided in paragraph C5.2.5., below, DoD intelligence components may conduct electronic surveillance against a United States person who is outside the United States for foreign intelligence and counterintelligence purposes only if the surveillance is approved by the Attorney General.

The “updated” documents don’t help either. Because NSA/CSS Policy 1-23 relies on the annex dating to 1988, it claims NSA can collect on the content of Americans with Attorney General approval for 90 days.

(4) with specific prior approval by the Attorney General based on a finding by the Attorney General that there is probable cause to believe the United States person is an agent of a foreign power and that the purpose of the interception or selection is to collect significant foreign intelligence. Such approvals shall be limited to a period of time not to exceed ninety days for individuals and one year for entities.

Remember, this is purportedly “training,” and yet I’m not clear how an NSA trainee would learn that collecting content on Americans overseas requires a FISA order.

Trainees could get that information from the 2009 Cryptological School Course, which properly defines electronic surveillance and lays out Section 703-5.

But even that training course is out of date. For example, it says NSA cannot use FAA authorities to target “anything/anyone in the US,” but upstream collection under 702 targets those using certain selectors as content in the US. And even the 2011 minimization procedures limiting upstream collection don’t require destruction of upstream communications in which all communicants are in the US.

This program also includes the oblique comment that searching in databases of raw data constitutes a “collection/targeting” activity.

To protect the privacy rights of U.S. citizens, Department of Justice has determined searches of these databases are a collection/targeting activity.

Which would seem to conflict with the definition of collection a trainee got from DOD 5240.

I realize experienced NSA professionals have a better idea of how these various regulations all fit together. And I realize some of this is controlled through access controls that ensure NSA people only access the most up-to-date rules.

But these documents are billed as training, about the core restrictions regarding their collection. And they are downright contradictory.

I don’t think that’s why Snowden asked the OGC the question he did. Though the response he got regarding precedence of the various agency directives — that “DOD and ODNI regulations are afforded similar precedence though subject matter or date could result in one having precedence over another” — would only exacerbate any confusion a trainee had.

But if the training program Snowden was using is anything like these documents, there’d be good reason to believe that inexperienced trainees were not getting a clear idea of what they were allowed to do with US person data.

Update: One more point about these training programs, especially the classified annex to EO 12333 that dates to 1988. This is a problem that both PCLOB and HPSCI have identified and tried to fix (though HPSCI did not include their bill language to do so in either the USA Freedumber or the unclassified parts of the Intelligence Authorization). This shows why it is important: because NSA people are being trained on materials that tell them they can collect US person data overseas without a FISA order.

Four Reasons USA Freedumber is Worse than the Status Quo

In the post-HR 3361 passage press conference yesterday, Jerry Nadler suggested the only reason civil libertarians oppose the bill is because it does not go far enough.

That is, at least in my case, false.

While I have concerns about unintended consequences of outsourcing holding the call data to the telecoms (see my skepticism that it ends bulk collection here and my concerns about high volume numbers here), there are a number of ways that USA Freedumber is worse than the status quo.

These are:

  • The move to telecoms codifies changes in the chaining process that will almost certainly expand the universe of data being analyzed
  • In three ways, the bill permits phone chaining for purposes outside of counterterrorism
  • The bill weakens minimization procedures on upstream collection imposed by John Bates, making it easier for the government to collect domestic content domestically
  • The bill guts the current controls on Pen Register authority, making it likely the government will resume its Internet dragnet

The NSA in your smart phone: Freedumber codifies changes to the chaining process

As I have described, the language in USA Freedumber makes it explicit that the government and its telecom partners can chain on connections as well as actual phone call contacts. While the new automatic search process approved by the FISA Court in 2012 included such chaining, by passing this bill Congress endorses this approach. Moreover, the government has never been able to start running such automatic queries; it appears they have to outsource to the telecoms to be able to do so (probably in part to make legal and technical use of location data). Thus, moving the phone chaining to the telecoms expands on the kinds of chaining that will be done with calls.

We don’t know all that that entails. At a minimum (and, assuming the standard of proof is rigorous, uncontroversially) the move will allow the government to track burner phones, the new cell phones targets adopt after getting rid of an old one.

It also surely involves location mapping. I say that, in part, because if they weren’t going to use location data, they wouldn’t have had to move to the telecoms. In addition, AT&T’s Hemisphere program uses location data, and it would be unrealistic to assume this program wouldn’t include at least all of what Hemisphere already does.

But beyond those two functions, your guess is as good as mine. While the chaining must produce a Call Detail Record at the interim step (which limits how far away from actual phone calls the analysis can get), it is at least conceivable the chaining could include any of a number of kinds of data available to the telecoms from smart phones, including things like calendars, address books, and email.

The fact that the telecoms and subsidiary contractors get immunity and compensation makes it more likely that this new chaining will be expansive, because natural sources of friction on telecom cooperation will have been removed.

Freedumber provides three ways for NSA to use the phone dragnet for purposes besides counterterrorism

As far as we know, the current dragnet may only be used for actual terrorist targets and Iran. But USA Freedumber would permit the government to use the phone dragnet to collect other data by:

  • Requiring only that selection terms be associated with a foreign power
  • Permitting the retention of data for foreign intelligence, not just counterterrorism, purposes
  • Allowing the use of emergency queries for non-terrorism uses

Freedumber permits searches on selection terms associated with foreign powers

On its face, USA Freedumber preserves this counterterrorism focus, requiring any records obtained to be “relevant to” an international terrorist investigation. Unfortunately, we now know that FISC has already blown up the meaning of “relevant to,” making all data effectively relevant.

The judicial approval of the specific selection term, however — the court review that should be an improvement over the status quo — is not that tie to terrorism, but evidence that the selection term is a foreign power or agent thereof.

Thus, the government could cite narcoterrorism, and use the chaining program to investigate Mexican drug cartels. The government could raise concerns that al Qaeda wants to hack our networks, and use chaining to investigate hackers with foreign ties. The government could allege Venezuela supports terrorism and investigate Venezuelan government sympathizers.

There are a whole range of scenarios in which the government could use this chaining program for purposes other than counterterrorism.

Freedumber permits the retention of any data that serves a foreign intelligence purpose

And once it gets that data, the government can keep it, so long as it claims (to itself, with uncertain oversight from the FISC) that the data has a foreign intelligence purpose.

At one level, this is a distinction without a difference from the language that USA Freedumb had used, which required the NSA to destroy the data after five years unless it was relevant to a terrorism investigation (which all data turned over to NSA would be, by definition). But the change in language serves as legislative approval that the use of the data received via this program can be used for other purposes.

That will likely have an impact on minimization procedures. Currently, the NSA needs a foreign intelligence purpose to access the corporate store, but can only disseminate data from it for counterterrorism purposes. I would imagine the changed language of the bill will lead the government to successfully argue that the minimization procedures permit the dissemination of US person data so long as it meets only this flimsy foreign intelligence purpose. In other words, US person data collected in chaining would be circulating around the government more freely.

Freedumber’s emergency queries do not require any tie to terrorism

As I noted, the revisions USA Freedumber made to USA Freedumb explicitly removed a requirement that emergency queries be tied to a terrorism investigation.

(A) reasonably determines that an emergency situation requires the production of tangible things to obtain information for an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to protect against international terrorism before an order authorizing such production can with due diligence be obtained;

That’s particularly troublesome, because even if the FISC rules the emergency claim (certified by the Attorney General) was not legally valid after the fact, not only does the government not have to get rid of that data, but the Attorney General (the one who originally authorized its collection) is the one in charge of making sure it doesn’t get used in a trial or similar proceeding.

In short, these three changes together permit the government to use the phone dragnet for a lot more uses than they currently can.

Freedumber invites the expansion of upstream collection

When John Bates declared aspects of upstream collection to be unconstitutional in 2011, he used the threat of referrals under 50 USC 1809(a) to require the government to provide additional protection both to entirely domestic communications that contained a specific selector, and to get rid of domestic communications that did not contain that specific selector at all. The government objected (and considered appealing), claiming that because it hadn’t really intended to collect this data, it should be able to keep it and use it. But ultimately, that threat (especially threats tied to the government’s use of this data for ongoing FISA orders) led the government to capitulate.

The changes in Freedumber basically allow the government to adopt its old “intentional” claim, reversing Bates’ restrictions. Continue reading

USA Freedumber Appears to Strengthen RuppRoge’s Affirmative Endorsement of an Internet Dragnet

Working on a detailed comparison of the difference between the USA Freedumb and USA Freedumber bills, one of the most alarming changes is the gutting of Pen Register minimization procedures. They took language not only adding minimization procedures to Pen Register orders,

(b) APPLICATION.—Section 402(c) (50 U.S.C. 1842(c)), as amended by section 201 of this Act, is further amended by adding at the end the following new paragraph:

(4) a statement of proposed minimization procedures.

(c) ORDER.—Section 402(d) (50 U.S.C. 1842(d)) is amended—

(1) in paragraph (1), by inserting ‘‘and that the proposed minimization procedures meet the definition of minimization procedures under this title’’

But permitting the court to review whether the government met those minimization procedures.

(h) At or before the end of the period of time for which the installation and use of a pen register or trap and trace device is approved under an order or an extension under this section, the judge may assess compliance with the minimization procedures by reviewing the circumstances under which information concerning United States persons was retained or disseminated.’

They even specified the government had to follow those minimization procedures!

USA Freedumber changed that by letting the Attorney General review what are are now called “privacy procedures.”

(h) The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard non-publicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect  national security, include protections for the collection, retention, and use of information concerning United States persons.

They limit the extent of these “privacy procedures” “to the extent practicable … with the need to protect national security.” That is, they don’t have to follow these “privacy procedures” if it’ll harm national security, and the change seems to show legislative intent to deprive the FISC of any review.

That’s alarming for a number of reasons:

  • From the very beginning of the Internet dragnet, the government claimed FISC had almost no authority over the approval process (much less compliance) on Pen Registers
  • This language comes right out of — but makes worse — the section of Mike Rogers’ RuppRoge bill that affirmatively approves the (re)creation of an Internet dragnet
  • There’s a curious entry in the NSA classification guide showing FBI conducting a PRTT program after the time NSA’s program got shut down

NSA versus FISC

According to a footnote in the 2010 John Bates opinion on the Internet dragnet, when the government first applied to Colleen Kollar-Kotelly for a FISC order to authorize the dragnet, they claimed she had no authority to do anything but rubber stamp the application.

2010 Bates Opinion footnote

We know that, having made that argument, the government got caught in violating the rules Kollar-Kotelly placed on the collection, but then continued to violate the rules for at least 5 more years, until 2009, when it got shut down for a while.

It would seem that the original language in USA Freedom Act would have clarified this issue, and made clear the FISC could exercise real oversight over any PRTT collection.

Adopting RuppRoge’s Internet Dragnet language

This language adopts the nomenclature from the HPSCI’s RuppRoge bill. (See page 18.)

But these “privacy procedures” seem qualitatively worse than the RuppRoge bill in several ways. RuppRoge provides loosey goosey judicial review of the privacy procedures. And it did not include the “extent practicable” language.

Given the background — given the fact that the government has already told the FISC it shouldn’t have real oversight over PRTT — this language seems to lay clear legislative intent that FISC should have no role whatsoever, especially not with minimization procedures (which, after all, is what they fought with the FISC over for at least  years).

The secrecy behind the FBI’s PRTT orders on behalf of NSA

PRTT1

Finally, there’s a series of entries on the classification guide for FISA programs leaked by Edward Snowden.

These entries show that FBI obtained counterterrorism information using PRTTs for NSA — which was considered Secret.

But that the FBI PR/TT program – which seems different than these individual orders — was considered TS/SI/NOFORN.

PRTT2

If you compare these entries with the rest of the classification guide, you see that this information — the fact that NSA gets PRTT information from FBI (in addition to information from Pen Registers, which seems to be treated differently at the Secret level)  – is treated with the same degree of secrecy as the actual targeting information or raw collected data on all other programs.

This is considered one of the most sensitive secrets in the whole FISA package.

PRTT3

Even minimized PRTT data is considered TS/SCI.

PRTT4

Now, it is true that this establishes an exact parallel with the BR FISA program (which the classification guide makes clear NSA obtained directly). So it may be attributable to the fact that the existence of the programs themselves was considered a highly sensitive secret.

So maybe that’s it. Maybe this just reflects paranoia about the way NSA was secretly relying on the PATRIOT Act to conduct massive dragnet programs.

Except there’s the date.

This classification guide was updated on February 7, 2012 — over a month after NSA shut down the PRTT program. Also, over a month after — according to Theresa Shea — the NSA destroyed all the data it had obtained under PRTT. (Note, her language seems to make clear that this was the NSA’s program, not the FBI’s.)

That is, over a month after the NSA ended its PRTT program and destroyed the data from it (at least according to sworn declarations before a court), the NSA’s classification guide referred to an FBI PRTT program that it considered one of its most sensitive secrets. And seemed to consider active.

If FBI had a PRTT program active in 2012 that was separate from the NSA PRTT program (I’m not sure that’s the case; it could be they just didn’t update this part of the classification guide), then is it still active? Has the Internet dragnet just moved to FBI?

If so, it’s no wonder why the Intelligence Community would want to guarantee that FISC had no review of it.

Update: Note, too, that the bill removes reporting requirements related to PRTT.

 

1 2 3 7

Emptywheel Twitterverse
bmaz @PogoWasRight YESS!!!
2mreplyretweetfavorite
bmaz RT @PogoWasRight: @bmaz Maybe Ferrari needs some legalese in bills of sale prohibiting idiotic paint jobs... and Rob Ford...
2mreplyretweetfavorite
JimWhiteGNV RT @HinaShamsi: One president let the CIA torture. The next shut down torture but expanded CIA killing. Is it any wonder that the agency ha…
2mreplyretweetfavorite
JimWhiteGNV @bmaz Time to get the Led out?
17mreplyretweetfavorite
bmaz Sorry neighbors with a few watts on yer outdoor patio with yer Beyonce whatever bullshit. That just does not cut it in this cactus patch.
18mreplyretweetfavorite
JimWhiteGNV RT @AliAbunimah: STOP SENDING BOMBS. RT @JohnKerry: 72-hour humanitarian ceasefire in #Gaza begins tomorrow AM/US will provide humanitarian…
32mreplyretweetfavorite
JimWhiteGNV RT @barryeisler: When CIA/Senate dust clears, result will be further proof US is an oligarchy, and oligarchs, even if forced to resign, are…
36mreplyretweetfavorite
JimWhiteGNV But did @CIA spy on DOJ while DOJ decided whether to prosecute CIA for spying on the Senate? That might finally get DOJ moving...
1hreplyretweetfavorite
JimWhiteGNV RT @emptywheel: Remember people: John Brennan is the witness to every drone strike Obama approved--legal or not. His job is secure.
1hreplyretweetfavorite
emptywheel Remember people: John Brennan is the witness to every drone strike Obama approved--legal or not. His job is secure.
1hreplyretweetfavorite
emptywheel RT @liferstate: Need an emoji for the feeling when you realize the problem isn't that you're out of shape, it's that your bike tires were d…
1hreplyretweetfavorite
emptywheel Has anyone done cross tabs on criticism for Israel's attack on Gaza and support for gay rights?
1hreplyretweetfavorite
July 2014
S M T W T F S
« Jun    
 12345
6789101112
13141516171819
20212223242526
2728293031