I have long scoffed at the claim that the phone dragnet violations discovered in 2009 were accidental. It has always been clear they were, instead, features of Stellar Wind that NSA simply never turned off, even though they violated the FISC orders on it.
It describes that numbers were put on an alert list and automatically chained.
An automated process was created to alert and automatically chain new and potential reportable telephone numbers using what was called an “alert list.” Telephone numbers on the alert list were automatically run against incoming metadata to look for contacts. (PDF 31)
This was precisely the substance of the violations admitted in 2009.
So NSA lied to FISC about that, and the IC lied to us about it when this came out in 2013.
Update: Note the reference to the violations on PDF 36 — though they don’t admit that it’s the same damn alert list and that NSA’s IG considered telling FISC from the start.
In an column explicitly limited to the phone dragnet, Conor Friedersdorf pointed to a post I wrote about Section 215 generally and suggested I thought the phone dragnet was about to get hidden under a new authority.
Marcy Wheeler is suspicious that the Obama Administration is planning to continue the dragnet under different authorities.
But my post was about more that just the phone dragnet. It was about two things: First, the way that, rather than go “cold turkey” after it ended the Internet dragnet in 2011 as the AP had claimed, NSA had instead already started doing the same kind of collection using other authorities that — while they didn’t collect all US traffic — had more permissive rules for the tracking they were doing. That’s an instructive narrative for the phone dragnet amid discussions it might lapse, because it’s quite possible that the Intelligence Community will move to doing far less controlled tracking, albeit on fewer Americans, under a new approach.
In addition, I noted that there are already signs that the IC is doing what Keith Alexander said he could live with a year ago: ending the phone dragnet in exchange for cybersecurity information sharing. I raised that in light of increasing evidence that the majority of Section 215 orders are used for things related to cybersecurity (though possibly obtained by FBI, not NSA). If that’s correct, Alexander’s comment would make sense, because it would reflect that it is working cybersecurity investigations under protections — most notably, FISC-supervised minimization — all involved would rather get rid of.
Those two strands are important, taken together, for the debate about Section 215 expiration, because Section 215 is far more than the dragnet. And the singular focus of everyone — from the press to activists and definitely fostered by NatSec types leaking — on the phone dragnet as Section 215 sunset approaches makes it more likely the government will pull off some kind of shell game, moving the surveillances they care most about (that is, not the phone dragnet) under some new shell while using other authorities to accomplish what they need to sustain some kind of phone contact and connection chaining.
So in an effort to bring more nuance to the debate about Section 215 sunset, here is my best guess — and it is a guess — about what they’re doing with Section 215 and what other authorities they might be able to use to do the same collection.
Here are the known numbers on how Section 215 orders break out based on annual reports and this timeline.
Since its transfer under Section 215 in 2006, the phone dragnet has generally made up 4 or 5 orders a year (Reggie Walton imposed shorter renewal periods in 2009 as he was working through the problems in the program). 2009 is the one known year where many of the modified orders — which generally involve imposed minimization procedures — were phone dragnet orders.
We know that the government believes that if Section 215 were to sunset, it would still have authority to do the dragnet. Indeed, it not only has a still-active Jack Goldsmith memo from 2004 saying it can do the dragnet without any law, it sort of waved it around just before the USA Freedom Act debate last year as if to remind those paying attention that they didn’t necessarily think they needed USAF (in spite of comments from people like Bob Litt that they do need a new law to do what they’d like to do).
But that depends on telecoms being willing to turn over the dragnet data voluntarily. While we have every reason to believe AT&T does that, the government’s inability to obligate Verizon to turn over phone records in the form it wants them is probably part of the explanation for claims the current dragnet is not getting all the cell records of Americans.
A number of people — including, in part, Ron Wyden and other SSCI skeptics in a letter written last June — think the government could use FISA’s PRTT authority (which does not sunset) to replace Section 215, and while they certainly could get phone records using it, if they could use PRTT to get what it wants, they probably would have been doing so going back to 2006 (the difference in authority is that PRTT gets actual activity placed, whereas 215 can only get records maintained (and Verizon isn’t maintaining the records the government would like it to, and PRTT could not get 2 hops).
For calls based off a foreign RAS, the government could use PRISM to obtain the data, with the added benefit that using PRISM would include all the smart phone data — things like address books, video messaging, and location — that the government surely increasingly relies on. Using PRISM to collect Internet metadata is one of two ways the government replaced the PRTT Internet dragnet. The government couldn’t get 2 hops and couldn’t chain off of Americans, however.
I also suspect that telecoms’ embrace of supercookies may provide other options to get the smart phone data they’re probably increasingly interested in.
For data collected offshore, the government could use SPCMA, the other authority the government appears to have replaced the PRTT Internet dragnet with. We know that at least one of the location data programs NSA has tested out works with SPCMA, so that would offer the benefit of including location data in the dragnet. If cell phone location data is what has prevented the government from doing what they want to do with the existing phone dragnet, SPCMA’s ability to incorporate location would be a real plus for NSA, to the extent that this data is available (and cell phone likely has more offshore availability than land line).
The government could obtain individualized data using NSLs — and it continues to get not just “community of interest” (that is, at least one hop) from AT&T, but also 7 other things that go beyond ECPA that FBI doesn’t want us to know about. But using NSLs may suffer from a similar problem to the current dragnet, that providers only have to provide as much as ECPA requires. Thus, there, too, other providers are probably unwilling to provide as much data as AT&T.
Telecoms might be willing to provide data the government is currently getting under 215 under CISA and CISA collection won’t be tied in any way to ECPA definitions, though its application is a different topic, cybersecurity (plus leaks and IP theft) rather than terrorism. So one question I have is whether, because of the immunity and extended secrecy provisions of CISA, telecoms would be willing to stretch that?
In addition to the phone dragnet, FBI and other IC agencies seem to operate other dragnets under Section 215. It’s probably a decent guess that the 8-13 other 215 orders prior to 2009 were for such things. NYT and WSJ reported on a Western Union dragnet that would probably amount to 4-5 orders a year. Other items discussed involve hotel dragnets and explosives precursor dragnets, the latter of which would have been expanded after the 2009 Najibullah Zazi investigation. In other words, there might be up to 5 dragnets, each representing 4-5 orders a year (assuming they work on the same 90-day renewal cycle), so a total of around 22 of the roughly 175 orders a year that aren’t the phone dragnet (the higher numbers for 2006 are known to be combination orders both obtaining subscription data for PRTT orders and location data with a PRTT order; those uses stopped in part with the passage of PATRIOT reauthorization in 2006 and in part with FISC’s response to magistrate rulings on location data from that year).
Some of these dragnets could be obtained, in more limited fashion, with NSLs (NSLs currently require reporting on how many US persons are targeted, so we will know if they move larger dragnets to NSLs). Alternately, the FBI may be willing to do these under grand jury subpoenas or other orders, given the way they admitted they had done a Macy’s Frago Elite pressure cooker dragnet after the Boston Marathon attack. The three biggest restrictions on this usage would be timeliness (some NSLs might not be quick enough), the need to have a grand jury involved for some subpoenas, and data retention, but those are all probably manageable hurdles.
Finally, there is the Internet content — which we know makes up for a majority of Section 215 orders — that moved to that production from NSLs starting in 2009. It’s probably a conservative bet that over 100 of current dragnet orders are for this kind of content. And we know the modification numbers for 2009 through 2011 — and therefore, probably still — are tied to minimization procedure requirements imposed by the FISC.
A recent court document from a Nicholas Merrill lawsuit suggests this production likely includes URL and data flow requests. And the FBI has recently claimed –for what that’s worth — that they rely on Section 215 for cybersecurity investigations.
Now, for some reason, the government has always declined to revise ECPA to restore their ability to use NSLs to obtain this collection, which I suspect is because they don’t want the public to know how extensive the collection is (which is why they’re still gagging Merrill, 11 years after he got an NSL).
But the data here strongly suggests that going from NSL production to Section 215 production has not only involved more cumbersome application processes, but also added a minimization requirement.
And I guarantee you, FBI or NSA or whoever is doing this must hate that new requirement. Under NSLs, they could just horde data, as we know both love to do, the FBI even more so than the NSA. Under 215s, judges made them minimize it.
As I noted above, this is why I think Keith Alexander was willing to do a CISA for 215 swap. While CISA would require weak sauce Attorney General derived “privacy guidelines,” those would almost certainly be more lenient than what FISC orders, and wouldn’t come with a reporting requirement. Moreover, whereas at least for the phone dragnet, FISC has imposed very strict usage requirements (demanding that a counterterrorism dragnet be used only for counterterrorism purposes), CISA has unbelievably broad application once that data gets collected — not even requiring that terrorist usages be tied to international terrorism, which would seem to be a violation of the Keith Supreme Court precedent).
All of this is to suggest that for cybersecurity, IP theft, and leak investigations, CISA would offer FBI their ideal collection approach. It would certainly make sense that Alexander (or now, Admiral Mike Rogers and Jim Comey) would be willing to swap a phone dragnet they could largely achieve the same paltry results for using other authorities if they in exchange got to access cybersecurity data in a far, far more permissive way. That’d be a no-brainer.
There’s just one limitation on this formula, potentially a big one. CISA does not include any obligation. Providers may share data, but there is nothing in the bill to obligate them to do so. And to the extent that providers no longer provide this data under NSLs, it suggests they may have fought such permissive obligation in the past. It would seem that those same providers would be unwilling to share it willingly.
But my thoughts on CISA’s voluntary nature are for another post.
One final thought. If the government is contemplating some or all of this, then it represents an effort — one we saw in all versions of dragnet reform to greater (RuppRoge) or lesser degrees (USAF) — to bypass FISC. The government and its overseers clearly seem to think FISC-ordered minimization procedures are too restrictive, and so are increasingly (and have been, since 2009) attempting to replace the role played by an utterly dysfunctional secret court with one entirely within the Executive.
This is the reason why Section 215 sunset can’t be treated in a vacuum: because, to the extent that the government could do this in other authorities, it would largely involve bypassing what few restrictions exist on this spying. Sunsetting Section 215 would be great, but only if we could at the same time prevent the government from doing similar work with even fewer controls.
The AP has a story that it calls an “Exclusive” and says “has not been reported before” reporting that the NSA considered killing the phone dragnet back before Edward Snowden disclosed it.
The National Security Agency considered abandoning its secret program to collect and store American calling records in the months before leaker Edward Snowden revealed the practice, current and former intelligence officials say, because some officials believed the costs outweighed the meager counterterrorism benefits.
After the leak and the collective surprise around the world, NSA leaders strongly defended the phone records program to Congress and the public, but without disclosing the internal debate.
The proposal to kill the program was circulating among top managers but had not yet reached the desk of Gen. Keith Alexander, then the NSA director, according to current and former intelligence officials who would not be quoted because the details are sensitive. Two former senior NSA officials say they doubt Alexander would have approved it.
Still, the behind-the-scenes NSA concerns, which have not been reported previously, could be relevant as Congress decides whether to renew or modify the phone records collection when the law authorizing it expires in June.
The story looks a lot like (though has mostly different dates) this AP story, published just after USA Freedom Act failed in the Senate in November.
Years before Edward Snowden sparked a public outcry with the disclosure that the National Security Agency had been secretly collecting American telephone records, some NSA executives voiced strong objections to the program, current and former intelligence officials say. The program exceeded the agency’s mandate to focus on foreign spying and would do little to stop terror plots, the executives argued.
The 2009 dissent, led by a senior NSA official and embraced by others at the agency, prompted the Obama administration to consider, but ultimately abandon, a plan to stop gathering the records.
The secret internal debate has not been previously reported. The Senate on Tuesday rejected an administration proposal that would have curbed the program and left the records in the hands of telephone companies rather than the government. That would be an arrangement similar to the one the administration quietly rejected in 2009.
The unquestioned claim that the program doesn’t get cell data — presented even as the Dzhokhar Tsarnaev case makes clear it does* — appears in both (indeed, this most recent version inaccurately references T-Mobile cell phone user Basaaly Moalin’s case — getting the monetary amounts wrong — without realizing that that case, too, disproves the cell claim).
Most importantly, however, both stories report these previous questions about the efficacy of the phone dragnet in the context of questions about whether the program will be reauthorized after June.
Perhaps the most telling detail, however, is that this new story inaccurately describes what happened to the Internet dragnet in 2011.
There was a precedent for ending collection cold turkey. Two years earlier, the NSA cited similar cost-benefit calculations when it stopped another secret program under which it was collecting Americans’ email metadata — information showing who was communicating with whom, but not the content of the messages. That decision was made public via the Snowden leaks.
The NSA in no way went “cold turkey” in 2011. Starting in 2009, just before it finally confessed to DOJ it had been violating collection rules for the life of the program, it rolled out the SPCMA program that allowed the government to do precisely the same thing, from precisely the same user interface, with any Internet data accessible through EO 12333. SPCMA was made available to all units within NSA in early 2011, well before NSA “went cold turkey.” And, at the same time, NSA moved some of its Internet dragnet to PRISM production, with the added benefit that it had few of the data sharing limits that the PRTT dragnet did.
That is, rather than going “cold turkey” the NSA moved the production under different authorities, which came with the added benefits of weaker FISC oversight, application for uses beyond counterterrorism, and far, far more permissive dissemination rules.
That AP’s sources claimed — and AP credulously reported — that this is about “cold turkey” is a pretty glaring hint that the NSA and FBI are preparing to do something very similar with the phone dragnet. As with the Internet dragnet, SPCMA permits phone chaining for any EO 12333 phone collection, under far looser rules. And under CISA, anyone who “voluntarily” wants to share this data (which always includes AT&T and likely includes other backbone providers) can share promiscuously and with greater secrecy (because it is protected by both Trade Secret and FOIA exemption). Some of this production, done under PRISM, would permit the government to get “connection” chaining information more easily than under a phone dragnet. And as with the Internet dragnet, any move of Section 215 production to CISA production evades existing FISC oversight.
A year ago, Keith Alexander testified that if they just had a classified data sharing program — like CISA — they could live without the dragnet. A year ago, basically, Alexander said he’d be willing to swap CISA for the phone dragnet.
Remarkably, these inaccurate AP stories always seem to serve that story, all while fostering a laughable myth that “ending the phone dragnet” would in any way end the practice of a phone dragnet.
*Update 3/30: My claim that the Marathon case proves they got cell call data relies only on FBI claims they were able to use the dragnet to good effect. I actually think that FBI used an AT&T specific dragnet — not the complete phone dragnet — to identify the brothers’ phones (while the government has offered conflicting testimony on this account, I’m fairly certain all of Dzhokhar’s phones and Tamerlan’s pre-paid phone discussed at Dzhokhar’s trial were T-Mobile phones). But if that’s the case, then FBI lied outright when making those earlier claims. I’m perfectly willing to believe that, but if that’s the now-operative story I’d love for someone to confirm it.
The Shadow Factory was published on October 14, 2008.
8 days before that, the NSA notified the Senate Intelligence Committee (just the SSCI at first?!?!) about an impending (it aired on October 9) Brian Ross interview with whistleblowers from James Bamford‘s book on ABC.
The interview included a clip from Michael Hayden’s 2006 CIA Director confirmation hearing before SSCI in which he claimed Americans’ private conversations would never be intercepted.
In testimony before Congress, then-NSA director Gen. Michael Hayden, now director of the CIA, said private conversations of Americans are not intercepted.
“It’s not for the heck of it. We are narrowly focused and drilled on protecting the nation against al Qaeda and those organizations who are affiliated with it,” Gen. Hayden testified.
He was asked by Senator Orrin Hatch (R-UT), “Are you just doing this because you just want to pry into people’s lives?”
“No, sir,” General Hayden replied.
It also included flaccid responses from both then CIA Director Hayden and his spokesperson Mark Mansfield (who was actively involved in pre-emptive leaks to the press on torture) and Keith Alexander (who was Deputy Chief of Staff for Army Intelligence at the time of the violations).
In addition, the ABC report included a quote from then SSCI Chair Jello Jay Rockefeller (who, of course, would have found out about it from the agency days before the report).
The chairman of the Senate Intelligence Committee, Jay Rockefeller (D-WV), called the allegations “extremely disturbing” and said the committee has begun its own examination.
“We have requested all relevant information from the Bush Administration,” Rockefeller said Thursday. “The Committee will take whatever action is necessary.”
It also made clear that Orrin Hatch had been the one to pitch the softball to Hayden in 2006, about which — it is abundantly clear — he lied about.
Finally, it includes an anonymous quote from a “US intelligence official” making it clear that all US government employees might be spied on, contrary to Hayden’s public claims during the confirmation process.
Asked for comment about the ABC News report and accounts of intimate and private phone calls of military officers being passed around, a US intelligence official said “all employees of the US government” should expect that their telephone conversations could be monitored as part of an effort to safeguard security and “information assurance.”
There appear to be several things going on with this.
First, this is ABC News, one of the outlets notorious for laundering intelligence claims; indeed, it is possible this is a limited hangout, an attempt to preempt one of the most alarming revelations in Bamford’s book. While the report doesn’t say it explicitly, it implies the claims of whistleblowers Kinne and Faulk prove Hayden to have lied in his CIA Director confirmation hearing, in response to the softball thrown by Hatch. In any case, the briefing about this disclosure appears to have gone exclusively to SSCI (with follow-up briefings to both intelligence oversight committees afterwards), the committee that got the apparently false testimony (and not for the last time, from Michael Hayden!). But by briefing the Committee, it also gave Jello Jay an opportunity — and probably, explicit permission — to sound all stern about a practice the Committee likely knew about.
In the IOB Report, this is portrayed as a model of oversight. But from what we know about the parties involved, it is just as likely to have been an effort at press management.
Update: The 3Q 2009 report describes the outcome of the report. It found “no targeting of US persons.”
In this post, I argued that a likely explanation for the NSA’s limits on collecting domestic cell phone data stem from a decision Verizon made in 2009 to stop participating in an FBI call records program. I’m not sure if I’m right about the cause (I know I’m not right about the timing), but I based part of my argument on how the FISA Court resolved a problem with telecoms turning over foreign data in 2009. And that resolution definitely indicates there’s something different about the way Verizon produces dragnet data from how AT&T does (Sprint is probably a third case, but not as important for these purposes).
Let me be clear: Verizon was not the only telecom to have the problem. It affected at least one other telecom; I believe it may have affected all of them. But the FISC resolved it differently with Verizon, which I believe shows that Verizon complies with the Section 215 orders in different fashion than AT&T and Sprint.
The problem was first identified when, in May 2009, Verizon informed the NSA it had been including foreign-to-foreign records in the data it provided to the NSA. Here’s how David Kris explained it in his report accompanying the phone dragnet end to end report.
NSA advised that for the first time, in May 2009, [redacted–Verizon] stated it produced foreign-to-foreign record pursuant to the Orders. [redacted–Verizon] stopped its production of this set of foreign-to-foreign records on May 29, 2009, after service of the Secondary Order in BR 09-06, which carves out foreign-to-foreign records from the description of records to be produced. (19)
In an accompanying declaration Keith Alexander provided more detail.
In May 2009, during a discussion between NSA and [redacted–Verizon] regarding the production of metadata, a [redacted–Verizon] representative stated that [redacted] produced the records [redacted] pursuant to the BR FISA Orders. This was the first indication that NSA had ever received from [redacted–Verizon] of its contrary understanding. At the May 28, 2009, hearing in docket number BR 09-06, the government informed the Court of [redacted redacted]. To address the issue, based on the government’s proposal, the Court issued a Secondary Order to [redacted] in docket number BR 09-06 that expressly excluded foreign-to-foreign call detail records from the scope of records to be produced. On May 29, 2009, upon service of the Secondary Order in docket number BR 09-06, [redacted–Verizon] ceased providing foreign-to-foreign records [redacted]. (42/PDF67)
Almost every dragnet order since that May 29, 2009 one has broken its production order out into two subparagraphs to reflect this change.
We can be virtually certain that Verizon is this provider, because the Verizon secondary order leaked by Edward Snowden includes the language excluding foreign-to-foreign data. That long redaction likely hides Verizon’s full name under this program, “Verizon Business Network Services, Inc. on behalf of MCI Communication Services Inc., d/b/a Verizon Business Services (individually and collectively “Verizon”), which is the name initially used in the secondary order.
Additionally, ODNI originally released the January 20, 2011 primary order with the paragraph that clarifies this with Verizon’s name unredacted. The paragraph remains in the dragnet orders, even after Verizon and Vodaphone split earlier this year (though if the split affected this issue, they may have hidden the fact by retaining the paragraph, given that they’re now anticipating declassification of the orders).
Less than a month after this incident, on June 25, the NSA finished its End-to-End report, which reported just the Verizon issue. Sometime between then and July 9, the FISC appears to have realized one of the other providers had a similar problem. The July 9, 2009 dragnet order, in the only exception I know to the two-part production order, looked like this:
The production order is to plural custodians of records, meaning at least two providers must be named. But it applies the Verizon rules to all of the named providers.
The order also requires an explanation for inclusion of the foreign-to-foreign records (see the bullet at 16-17). It is redacted in the released order but the DOJ submission (see page 6) shows that Judge Walton ordered,
a full explanation of the extent to which NSA has acquired call detail records of foreign-to-foreign communications from [redacted–too long to just be Verizon] pursuant to orders of the FISC, and whether the NSA’s storage, handling, and dissemination of information in those records, or derived therefrom, complied with the Court’s orders;
The September 3, 2009 order reverts to the two-paragraph structure. But it also orders retroactive production from one of the providers (AT&T or Sprint, probably the latter based on redaction length) named in the first paragraph (I first wrote about this here).
In addition, the Custodian of Records of [redacted] shall produce to NSA upon service of the appropriate Secondary Order an electronic copy of the same tangible things created by [redacted] for the period from 5:11 p.m. on July 9, 2009 to the date of this Order, to the extent those records still exist.
And adds a requirement that NSA report on any significant changes in reapplications, including on any changes to how the government obtains the data from carriers.
Any application to renew or reinstate the authority granted herein shall include a report describing: (1) the queries made since the end of the reporting period of the last report filed with the Court; (ii) the manner in which NSA applied the procedures set forth in paragraph (3)C above; and (iii) any proposed changes in the way in which the call detail records would be received from the carriers and any significant changes to the systems NSA uses to receive, store, process, and disseminate BR metadata. [my emphasis]
The DOJ report provides further evidence that at least one other provider provided foreign-to-foreign records. When Kris introduces this problem (see page 18), he references a three part discussion in Alexander’s declaration.
You can see the heading for the third provider on page 46/PDF 71 of the Alexander declaration.
So the report appears to have commented on all three providers. The problem clearly affected two of them.
But FISC only retains the clarification for Verizon.
As I said, I appear to be wrong about the timing of this. I had suggested it was tied to Verizon deciding not to reup its contract under the FBI phone program in 2009. That almost certainly had to have happened (as Charlie Savage noted to me via Twitter, the Exigent Letter IG Report was focused on AT&T, MCI, and Verizon, and one of the latter two, which means basically one part of Verizon, backed out).
But the End-to-End Report makes it clear Verizon first started turning over this data in January 2007.
This foreign-to-foreign metadata started coming into NSA in January 2007. (15)
There was not even a dragnet order signed in January 2007, so it can’t be tied primarily to the phone dragnet. It also preceded the end of the on-site phone provider program (which ended in December 2007) and even the release of the first NSL IG Report in March 2007, which led the providers to get squirrelly (see page 191 for these dates).
The details regarding the potential problems with Verizon’s provision of foreign-to-foreign records suggests this may have something to do with upstream production (Verizon had been providing upstream records to the NSA for years, but it only came under the oversight of the FISC in January 2007).
Furthermore, because the records are records of foreign-to-foreign communications, almost all of them do not concern the communications of U.S. persons. To the extent any of the records concern the communications of U.S. persons, such communications would be afforded the same protections as any other U.S. person communication [redacted] authorities. Id. at 43. (19)
almost all of them concern the communications of non-U.S. persons located outside the United States. If NSA were to find that any of the records concerned U.S. persons, their dissemination would be governed by the terms of USSID 18 which are the procedures established pursuant to EO 12333, as amended. (68)
The discussion of records that might “concern the communications” sounds like an “about” search (though I’m not sure of what).
All that said, AT&T should have had the same upstream “about” obligations starting in January 2007 that Verizon did. I suspect (based on my guess that Sprint is the production that got shut down) the order in the July 9, 2009 order is the only instruction they ever got to stop providing foreign-to-foreign records. Yet FISC felt the need — still feels the need — to keep that explicit order to Verizon in every single primary order.
Mind you, all this shows that Verizon was able to shut down the foreign production immediately, on the same day. So it’s clear they can shut down certain kinds of production.
All this seems to suggest that — in addition to at least some part of Verizon withdrawing from the FBI’s records program, and to Verizon not retaining records for the same length of time AT&T does — Verizon also produces phone dragnet data differently than AT&T does.
Via Mike Masnick, I see that in addition to submitting a new state secrets declaration and a filing claiming EFF’s clients in Jewel v. NSA don’t have standing, the government also submitted a secret supplemental brief on its statement of authorities, which EFF has challenged.
The secret supplemental brief is interesting given the government’s outrageous state secrets claim in the lawsuit against United Against a Nuclear Iran, in which it refuses to explain why it must protect the intelligence sources and methods of an allegedly independent NGO. It seems the government’s state secrets claims are getting even more outrageous than they already were.
That’s particularly interesting given what appears to be the outlines of a claim that if the court recognizes Jewel’s standing, then all hell will break loose.
Due to the failings of Plaintiffs’ evidence described above, the Court need not consider the impact of the state secrets privilege on the standing issue. However, if the Court were to find Plaintiffs’ declarations admissible and sufficiently probative of Plaintiffs’ standing to raise a genuine issue meriting further inquiry (which it should not), adjudication f the standing issue could not proceed without risking exceptionally grave damage to national security (a threshold issue on which the Court requested briefing). That is so because operational details of Upstream collection that are subject to the DNI’s assertion of the state secrets privilege in this case are necessary to address Plaintiffs’ theory of standing. The Government presented this evidence to the Court in the DNI’s and NSA’s classified declarations of December 20, 2013, and supplements it with the Classified Declaration of Miriam P., NSA, submitted in camera, ex parte, herewith. Disclosure of this evidence would risk informing our Nation’s adversaries of the operational details of the NSA’s Upstream collection, including the identities of electronic-communications-service providers assisting with Upstream collection.
Behind these claims of grave harm are the reality that if US persons started to get standing under the dragnet, then under John Bates’ rules (in which illegal wiretapping is only illegal if the government knows US persons are targeted), the entire program would become illegal. So I suspect the government is ultimately arguing that Jewel can’t have standing because it would make the entire program illegal (which is sort of the point!).
But the biggest reason I’m intrigued by the government’s sneaky filing is because of what happened the last time it submitted such a sneaky filing.
I laid out in this post how a state secrets filing submitted in EFF’s related Shubert lawsuit by Keith Alexander on October 30, 2009 demonstrably lied. Go back and read it–it’s a good one. A lot of what I show involves Alexander downplaying the extent of the phone dragnet problems.
But we now know more about how much more Alexander was downplaying in that declaration.
As I show in this working thread, it is virtually certain that on September 30, 2009, Reggie Walton signed this order, effectively shutting down the Internet dragnet (I’m just now noticing that ODNI did not — as it has with the other FISC dragnet orders — release a copy with the timestamp that goes on all of these orders, which means we can’t determine what time of the day this was signed). Some time in the weeks before October 30, DOJ had submitted this notice, admitting that NSA had been violating the limits on “metadata” collection from the very start, effectively meaning it had been collecting content in the US for 5 years.
Precisely the kind of illegal dragnet Virginia Shubert was suing the government to prevent.
Mind you, there are hints of NSA’s Internet dragnet violations in Alexander’s declaration. In ¶59, Alexander says of the dragnet, “The FISC Telephone Business Records Order was most recently reauthorized on September 3, 2009, with authority continuing until October 30, 2009″ (Walton signed the October 30, 2009 phone dragnet order around 2:30 ET, which would be 11:30 in NDCA where this declaration was filed). In ¶58, he says, “The FISC Pen Register Order was most recently reauthorized on [redacted], 2009, and requires continued assistance by the providers through [redacted] 2009″ (this is a longer redaction than October 30 would take up, so it may reflect the 5PM shutdown Walton had imposed). So it may be that one of the redacted passages in Alexander’s declaration admitted that FISC had ordered the Internet dragnet shut down.
In addition, footnote 24 is quite long (note it carries onto a second page); particularly given that the tense used to describe the dragnets in the referenced paragraph differ (the Internet dragnet is in the past tense, the phone dragnet is in the present tense), it is possible Alexander admitted to both the compliance violation and that NSA had “voluntarily” stopped querying the dragnet data.
Further, in his later discussions, he refers to this data as “non-content metadata” and “records about communication transactions,” which may reflect a tacit (or prior) acknowledgment that the NSA had been collecting more than what, to the telecoms who were providing it, was legally metadata, or, if you will, was in fact “content as metadata.”
To the extent that the plaintiffs “dragnet” allegations also implicate other NSA activities, such as the bulk collection of non-content communications meta data or the collection of communications records, see, e.g., Amended Compl ¶58, addressing their assertions would require disclosure of NSA sources and methods that would cause exceptionally grave harm to national security.
Accordingly, adjudication of plaintiffs’ allegations concerning the collection of non-content meta data and records about communication transactions would risk or require disclosure of critical NSA sources and methods for [redacted] contacts of terrorist communications as well as the existence of current NSA activities under FISC Orders. Despite media speculation about those activities, official confirmation and disclosure of the NSA’s bulk collection and targeted analysis of telephony meta data would confirm to all of our foreign adversaries [redacted] the existence of these critical intelligence capabilities and thereby severely undermine NSA’s ability to gather information concerning terrorist connections and cause exceptionally grave harm to national security.
So it seems that Alexander provided some glimpse to Vaughn Walker of the troubles with the Internet dragnet program. So when after several long paragraphs describing the phone dragnet problems (making no mention even of the related Internet dragnet ones), Alexander promised to work with the FISC on the phone dragnet “and other compliance issues,” he likely invoked an earlier reference to the far more egregious Internet dragnet ones.
NSA is committed to working with the FISC on this and other compliance issues to ensure that this vital intelligence tool works appropriately and effectively. For purposes of this litigation, and the privilege assertions now made by the DNI and by the NSA, the intelligence sources and methods described herein remain highly classified and the disclosure that [redacted] would compromise vital NSA sources and methods and result in exceptionally grave harm to national security.
I find it tremendously telling how closely Alexander ties the violations themselves to the state secrets invocation.
The thing is, at this point in the litigation, the only honest thing to submit would have been a declaration stating, “Judge Walker? It turns out we’ve just alerted the FISC that we’ve been doing precisely what the plaintiffs in this case have accused of us — we’ve been doing it, in fact, for 5 years.” An honest declaration would have amounted to concession of the suit.
But it didn’t.
And that state secrets declaration, like the one the government submitted at the end of September, was accompanied by a secret statement of authorities, a document that (unless I’m mistaken) is among the very few that the government hasn’t released to EFF.
Which is why I find it so interesting that the government is now, specifically with reference to upstream collection, following the same approach.
Do these secret statements of authority basically say, “We admit it, judge, we’ve been violating the law in precisely the way the plaintiffs claim we have. But you have to bury that fact behind state secrets privilege, because our dragnets are more important than the Fourth Amendment”? Or do they claim they’re doing this illegal dragnettery under EO 12333 so the court can’t stop them?
If so, I can see why the government would want to keep them secret.
Update: I originally got the name of Shubert wrong. Virginia Shubert is the plaintiff.
As you’ve likely read, NSA’s Chief Technology Officer has so little to keep him busy he’s also planning on working 20 hours a week for Keith Alexander’s new boondoggle.
Under the arrangement, which was confirmed by Alexander and current intelligence officials, NSA’s Chief Technical Officer, Patrick Dowd, is allowed to work up to 20 hours a week at IronNet Cybersecurity Inc, the private firm led by Alexander, a retired Army general and his former boss.
The arrangement was approved by top NSA managers, current and former officials said. It does not appear to break any laws and it could not be determined whether Dowd has actually begun working for Alexander, who retired from the NSA in March.
Dowd is the guy with whom Alexander filed 7 patents for work developed at NSA.
During his time at the NSA, Alexander said he filed seven patents, four of which are still pending, that relate to an “end-to-end cybersecurity solution.” Alexander said his co-inventor on the patents was Patrick Dowd, the chief technical officer and chief architect of the NSA. Alexander said the patented solution, which he wouldn’t describe in detail given the sensitive nature of the work, involved “a line of thought about how you’d systematically do cybersecurity in a network.”
That sounds hard to distinguish from Alexander’s new venture. But, he insisted, the behavior modeling and other key characteristics represent a fundamentally new approach that will “jump” ahead of the technology that’s now being used in government and in the private sector.
Presumably, bringing Dowd on board will both make Alexander look more technologically credible and let Dowd profit off all the new patents Alexander is filing for, which he claims don’t derive from work taxpayers paid for.
Capitalism, baby! Privatizing the profits paid for by the public!
All that said, I’m wondering whether this is about something else — and not just greed.
Yesterday, as part of a bankster cybersecurity shindig, one of Alexander’s big named clients, SIFMA, rolled out its “Cybersecurity Regulatory Guidance.” It’s about what you’d expect from a bankster organization: demands that the government give what it needs, use a uniform light hand while regulating, show some flexibility in case that light hand becomes onerous, and never ever hold the financial industry accountable for its own shortcomings.
Bullet point 2 (Bullet point 1 basically says the US government has a big role to play here which may be true but also sounds like a demand for a handout) lays out the kind of public-private partnership SIFMA expects.
Principle 2: Recognize the Value of Public–Private Collaboration in the Development of Agency Guidance
Each party brings knowledge and influence that is required to be successful, and each has a role in making protections effective. Firms can assist regulators in making agency guidance better and more effective as it is in everyone’s best interests to protect the financial industry and the customers it serves.
The NIST Cybersecurity Framework is a useful model of public-private cooperation that should guide the development of agency guidance. NIST has done a tremendous job reaching out to stakeholders and strengthening collaboration with financial critical infrastructure. It is through such collaboration that voluntary standards for cybersecurity can be developed. NIST has raised awareness about the standards, encouraged its use, assisted the financial sector in refining its application to financial critical infrastructure components, and incorporated feedback from members of the financial sector.
In this vein, we suggest that an agency working group be established that can facilitate coordination across the agencies, including independent agencies and SROs, and receive industry feedback on suggested approaches to cybersecurity. SIFMA views the improvement of cybersecurity regulatory guidance and industry improvement efforts as an ongoing process.
Effective collaboration between the private and public sectors is critical today and in the future as the threat and the sector’s capabilities continue to evolve.
Again, this public-private partnership may be necessary in the case of cybersecurity for critical infrastructure, but banks have a history of treating such partnership as lucrative handouts (and the principle document’s concern about privacy has more to do with hiding their own deeds, and only secondarily discusses the trust of their customers). Moreover, experience suggests that when “firms assist regulators in making agency guidance better,” it usually has to do with socializing risk.
In any case, given that the banks are, once again, demanding socialism to protect themselves, is it any wonder NSA’s top technology officer is spending half his days at a boondoggle serving these banks?
And given the last decade of impunity the banks have enjoyed, what better place to roll out an exotic counter-attacking cybersecurity approach (except for the risk that it’ll bring down the fragile house of finance cards by mistake)?
Alexander said that his new approach is different than anything that’s been done before because it uses “behavioral models” to help predict what a hacker is likely to do. Rather than relying on analysis of malicious software to try to catch a hacker in the act, Alexander aims to spot them early on in their plots.
One of the most recent stories on the JP Morgan hack (which actually appears to be the kind of Treasuremapping NSA does of other country’s critical infrastructure all the time) made it clear the banksters are already doing the kind of data sharing that Keith Alexander wailed he needed immunity to encourage.
The F.B.I., after being contacted by JPMorgan, took the I.P. addresses the hackers were believed to have used to breach JPMorgan’s system to other financial institutions, including Deutsche Bank and Bank of America, these people said. The purpose: to see whether the same intruders had tried to hack into their systems as well. The banks are also sharing information among themselves.
So clearly SIFMA’s call for sharing represents something more, probably akin to the kind of socialism it benefits from in its members’ core business models.
In the intelligence world, they use the term “sheep dip” to describe how they stick people subject to one authority — such as the SEALs who killed Osama bin Laden — under a more convenient authority — such as CIA’s covert status. Maybe that’s what’s really going on here: sheep dipping NSA’s top tech person into the private sector where his work will evade even the scant oversight given to NSA.
If SIFMA’s looking for the kind of socialistic sharing akin to free money, then why should we be surprised the boondoggle at the center of it plans to share actual tech personnel?
Update: Reuters reports the deal’s off. Apparently even Congress (beyond Alan Grayson, who has long had questions about Alexander’s boondoggle) had a problem with this.
Have you noticed that every time someone covers all the patents Keith Alexander is getting for his cybersecurity boondoggle, the number of patents grows?
In this installment, it is 10.
IronNet is working with lawyers to draft as many as 10 patent applications in which the NSA would have no stake. Alexander said the “real key” to the patents was a person who never worked for the agency.
In addition to dispensing advice, IronNet is working with lawyers to draft as many as 10 patent applications that will include Alexander as co-inventor on one and “maybe a few others,” he said.
Of course, no matter how many patents it will be, Alexander is still left with the problem of explaining either why this isn’t stuff taxpayers paid for at NSA, or why Alexander didn’t implement these whiz-bang solutions while in charge of NSA.
So he’s inching closer and closer to one that might work: he’s going to patent having no knowledge.
Current cybersecurity strategies assume the defender knows what threats are present, and can quickly identify them by their digital profile, known as their signature. Alexander said IronNet’s approach is to counter those attacks as quickly as possible, without that prior knowledge.
“All the patents and stuff that people work on today assume knowledge of the threat,” he said. “What it means is a new approach. Something that’s never been used.”
It’s surely a novel approach — attacking perceived threats before you’re sure what that threat is. I’m just not sure how well it’s going to work.
While Alexander is busy shoring up his 10, 11, 12 patents, I think I’ll rush to copyright my new novel, in which a hubristic cybersecurity profiteer takes down the entire banking system by attacking core finance functions he identifies as attacks.
On Sunday I asked who was crying wolf — JP Morgan itself, or Mike Rogers — about the claimed JP Morgan attack that might not be a serious attack at all and had been attributed to Russia without yet proof of that.
So who should crawl out of his sinecure but Keith Alexander?
Keith Alexander, the NSA director from 2005 until last March, said he had no direct knowledge of the attack though it could have been backed by the Russian government in response to sanctions imposed by the U.S. and EU over the crisis in Ukraine.
“How would you shake the United States back? Attack a bank in cyberspace,” said Alexander, a retired U.S. Army general who has started his own cybersecurity company to sell services to U.S. banks. “If it was them, they just sent a real message: ‘You’re vulnerable.’”
The hackers who attacked JPMorgan, the biggest U.S. bank, were “a group with exceptional skills or a nation-state backed group,” Alexander said in an interview yesterday at Bloomberg’s Washington bureau.
“If you wanted to send a message, do you think that was significant enough for the U.S. government to say one of the best banks that we have from a cybersecurity perspective was infiltrated by somebody?” Alexander asked. “And if they could get in to do that, even if they never use it, they could get in and collapse it. Does that cause you concern?”
Note how Alexander admits he has no personal knowledge of the attack but then opines about the skills of the hackers and goes from there to hypothesize how this was a response from Russia?
So maybe it wasn’t JP Morgan or Mike Rogers crying wolf. It sure looks like Alexander is willingly feeding the poorly evidenced claims about this hack.
But don’t worry, Keith Alexander doesn’t have a conflict of interest at all.
In the middle of a discussion of how the NSA let FBI, CIA, and NCTC directly access the database of Internet query results in the report accompanying the Internet dragnet End-to-End report, a footnote describes searches NSA’s litigation support team conducts. (See page 12)
In addition to the above practices, NSA’s litigation support team conducts prudential searches in response to requests from Department of Justice or Department of Defense personnel in connection with criminal or detainee proceedings. The team does not perform queries of the PR/TT metadata. This practice of sharing information derived from PR/TT metadata was later specifically authorized. See Primary Order, Docket Number PR/TT [redacted] at 12-13. The Government respectfully submits that NSA’s historic practice of sharing of U.S. person identifying information in this manner before it was specifically authorized does not constitute non-compliance with the PR/TT Orders.
Keith Alexander’s declaration accompanying the E2E adds more detail. (See page 16)
The designated approving official does not make a determination to release information in response to requests by Department of Justice or Department of Defense personnel in connection with criminal or detainee proceedings. In the case of such requests, NSA’s Litigation Support Team conducts prudential, specific searches of databases that contain both previously disseminated reporting and related analyst notes. The team does not perform queries of the PR/TT metadata. NSA then provides that research to Department of Justice or Department of Defense personnel for their review in connection with criminal or detainee proceedings. This practice of sharing information derived from the PR/TT metadata is now specifically authorized. See Primary Order, Docket Number PR/TT [redacted] at 12-13.
Language approving searches of the corporate store conducted on behalf of DOJ and DOD does not appear (at least not at 12-13) in the early 2009 — probably March 2, 2009 — Internet dragnet primary order. But related language was included in the September 3, 2009 phone dragnet order (it does not appear in the July 8, 2009 phone dragnet order, so that appears to have been the first approval for it). Given the timing, the language might stem either from another notice of violation to the FISC (one the government has redacted thus far); or, it might be a response to recommendations made in the Joint IG Report on the illegal dragnet, which was released July 10, 2009, and which did discuss discovery problems.
But the language describing the Litigation Support Team searches is far less descriptive in the September 3, 2009 phone dragnet order.
Notwithstanding the above requirements, NSA may share information derived from the BR metadata, including U.S. person identifying information, with Executive Branch personnel in order to enable them to determine whether the information contains exculpatory or impeachment information or is otherwise discoverable in legal proceedings.
The E2E and Alexander’s declaration make two things more clear.
First, NSA can disseminate this information without declaring the information is related to counterterrorism (that’s the primary dissemination limitation discussed in this section), and of course, without masking US person information. That would at least permit the possibility this data gets used for non-counterterrorism purposes, but only when it should least be permitted to, for criminal prosecutions of Americans!
Remember, too, the government has explicitly said it uses the phone dragnet to identify potential informants. Having non-counterterrorism data available to coerce cooperation would make that easier.
The E2E and Alexander declaration also reveal that the Litigation Support Team conducts these searches not just for DOJ, but also for DOD on detainee matters.
That troubles me.
According to the NYT’s timeline, only 20 detainees arrived at Gitmo after these dragnets got started, and 14 of those were High Value Detainees who had been stashed elsewhere for years (as were the last batch arrived in 2004). None of the men still detained at Gitmo, at least, had been communicating with anyone outside of very closely monitored situations for years. None of the Internet dragnet data could capture them (because no historical data gets collected). And what phone data might include them — and remember, the phone dragnet was only supposed to include calls with one end in the US — would be very dated.
So what would DOD be using these dragnets for?
Perhaps the detainees in question weren’t Gitmo detainees but Bagram detainees. Plenty of them had been out communicating more recently in 2004 and 2006 and even 2009, and their conversations might have been picked up on an Internet dragnet (though I find it unlikely any were making phone calls to the US).
It’s possible the dragnet was used, in part, to track released detainees. Is dragnet contact chaining one of the things that goes into claims about “recidivist” detainees?
Finally, a more troubling possibility is that detainee attorneys’ contacts with possible witnesses got tracked. Is it possible, for example, that DOD tracked attorneys’ contacts with detainee family members in places like Yemen? Given allegations the government spied on detainees’ lawyers, that’s certainly plausible. Moreover, since NSA does not minimize contacts between attorneys and their client until the client has been indicted, and so few of the Gitmo detainees have been charged, it would be utterly consistent to use the dragnet to track lawyers’ efforts to defend Gitmo detainees. Have the dragnets been focused on attorneys all this time?
One thing is clear. There is not a single known case where DOJ or DOD have used the dragnets to provide exculpatory information to someone; Dzhokhar Tsarnaev was unable to obtain discovery on dragnet information even after the government bragged about using the dragnet in his case.
Nevertheless, NSA has been sharing US person information without even having to attest it is counterterrorism related, outside of all the minimization procedures the government boasts about.