On Friday, officials from James Clapper’s office confirmed in a number of different ways that the government obtains “vast troves” of Americans’ communication overseas. And rather than enforce Dianne Feinstein and Mark Udall’s suggestion that the intelligence community treat it under FISA — as the spirit of FISA Amendment Acts, which extended protection to Americans abroad, would support — Congress instead passed Section 309, a measure to impose limited protections on vast unregulated spying on Americans.
This all happened at CATO’s conference on surveillance, an awesome conference set up by Julian Sanchez.
My panel (moderated very superbly by Charlie Savage) revisited at length the debate between former State Department whistleblower John Napier Tye and Director of National Intelligence Civil Liberties Officer Alex Joel (into which I stuck my nose). As he did in his Politico post responding to Tye’s alarms about the risk of EO 123333 collection against Americans to democracy, Joel pointed to the topical limits on bulk collection Obama imposed in his Presidential Policy Directive 28, which read,
The United States must consequently collect signals intelligence in bulk in certain circumstances in order to identify these threats. Routine communications and communications of national security interest increasingly transit the same networks, however, and the collection of signals intelligence in bulk may consequently result in the collection of information about persons whose activities are not of foreign intelligence or counterintelligence value. The United States will therefore impose new limits on its use of signals intelligence collected in bulk. These limits are intended to protect the privacy and civil liberties of all persons, whatever their nationality and regardless of where they might reside.
In particular, when the United States collects nonpublicly available signals intelligence in bulk, it shall use that data only for the purposes of detecting and countering: (1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.
I noted — as I did in my Salon piece on the topic — that bulk collection for even just one topic means the collection of everything, as counterterrorism serves as the excuse to get all phone records in the US in the phone dragnet. Joel did not dispute that, explaining that PPD-28 only limits the use of data that has been bulk collected to these six purposes. PPD-28 does nothing to limit bulk collection itself. Though the fact that these limitations have forced a change in how the NSA operates is testament that they were using data collected in bulk for even more reasons before January.
The NSA is, then, aspiring to collect it all, around the world.
Which was a point confirmed in an exchange between Joel and Tye. Joel claimed we weren’t collecting nearly all of the Internet traffic out there, saying it was just a small fraction. Tye said that was disingenuous, because 80% of Internet traffic is actually things like Netflix. Tye stated that the NSA does collect a significant percentage of the remainder (he implied most, but I’d want to see the video before I characterize how strongly he said that).
Again, collect it all.
Our panel didn’t get around to talking about Section 309 of the Intelligence Authorization, which I examined here. The Section imposes a 5 year retention limit on US person data except for a number of familiar purposes — foreign intelligence, evidence of a crime, encryption, all foreign participants, tech assurance or compliance, or an Agency head says he needs to retain it longer (which requires notice to Congress). Justin Amash had argued, in an unsuccessful attempt to defeat the provision, that the measure provides affirmative basis for sharing US person content collected under EO 12333.
In a later panel at the CATO conference, DNI General Counsel Bob Litt said that the measure doesn’t change anything about what the IC is already doing. Continue reading
In a last minute amendment to the Intelligence Authorization, the House and Senate passed a new section basically imposing minimization procedures for EO 12333 or other intelligence collection not obtained by court order. (See Section 309)
(A) Application.–The procedures required by paragraph (1) shall apply to any intelligence collection activity not otherwise authorized by court order (including an order or certification issued by a court established under subsection (a) or (b) of section 103 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803)), subpoena, or similar legal process that is reasonably anticipated to result in the acquisition of a covered communication to or from a United States person and shall permit the acquisition, retention, and dissemination of covered communications subject to the limitation in subparagraph (B).
(B) Limitation on retention.–A covered communication shall not be retained in excess of 5 years, unless–
(i) the communication has been affirmatively determined, in whole or in part, to constitute foreign intelligence or counterintelligence or is necessary to understand or assess foreign intelligence or counterintelligence;
(ii) the communication is reasonably believed to constitute evidence of a crime and is retained by a law enforcement agency;
(iii) the communication is enciphered or reasonably believed to have a secret meaning;
(iv) all parties to the communication are reasonably believed to be non-United States persons;
(v) retention is necessary to protect against an imminent threat to human life, in which case both the nature of the threat and
the information to be retained shall be reported to the congressional intelligence committees not later than 30 days after the
date such retention is extended under this clause;
(vi) retention is necessary for technical assurance or compliance purposes, including a court order or discovery obligation, in which case access to information retained for technical assurance or compliance purposes shall be reported to the congressional
intelligence committees on an annual basis; or
(vii) retention for a period in excess of 5 years is approved by the head of the element of the intelligence community responsible for such retention, based on a determination that retention is necessary to protect the national security of the United States, in which case the head of such element shall provide to the congressional intelligence committees a written certification describing–
(I) the reasons extended retention is necessary to protect the national security of the United States; (II) the duration for which the head of the element is authorizing retention;
(III) the particular information to be retained; and
(IV) the measures the element ofthe intelligence community is taking toprotect the privacy interests of UnitedStates persons or persons locatedinside the United States.
The language seems to be related to — but more comprehensive than — language included in the RuppRoge bill earlier this year. That, in turn, seemed to arise out of concerns raised by PCLOB that some unnamed agencies had not revised their minimization procedures in the entire life of EO 12333.
Whereas that earlier passage had required what I’ll call Reagan deadenders (since they haven’t updated their procedures since him) to come up with procedures, this section effectively imposes minimization procedures similar to, though not identical, to what the NSA uses: 5 year retention except for a number of reporting requirements to Congress.
I suspect these are an improvement over whatever the deadenders have been using But as Justin Amash wrote in an unsuccessful letter trying to get colleagues to oppose the intelligence authorization because of the late addition, the section provides affirmative basis for agencies to share US person communications whereas none had existed.
Sec. 309 authorizes “the acquisition, retention, and dissemination” of nonpublic communications, including those to and from U.S. persons. The section contemplates that those private communications of Americans, obtained without a court order, may be transferred to domestic law enforcement for criminal investigations.
To be clear, Sec. 309 provides the first statutory authority for the acquisition, retention, and dissemination of U.S. persons’ private communications obtained without legal process such as a court order or a subpoena. The administration currently may conduct such surveillance under a claim of executive authority, such as E.O. 12333. However, Congress never has approved of using executive authority in that way to capture and use Americans’ private telephone records, electronic communications, or cloud data.
In exchange for the data retention requirements that the executive already follows, Sec. 309 provides a novel statutory basis for the executive branch’s capture and use of Americans’ private communications. The Senate inserted the provision into the intelligence reauthorization bill late last night.
Which raises the question of what the emergency was to have both houses of Congress push this through at the last minute? Back in March, after all, RuppRoge was happy to let the agencies do this on normal legislative time.
I can think of several possibilities:
Or maybe this is meant to provide the patina of legality to some other dragnet we don’t yet know about.
Still, I find it an interesting little emergency the intelligence committees seem to want to address.
Tomorrow is dragnet day, the next 90-day reauthorization for the dragnet.
In advance of that date, Pat Leahy just called on President Obama to simply let the dragnet end.
The President can end the NSA’s dragnet collection of Americans’ phone records once and for all by not seeking reauthorization of this program by the FISA Court, and once again, I urge him to do just that. Doing so would not be a substitute for comprehensive surveillance reform legislation – but it would be an important first step.
Leahy joins 4 other Democrats who have already called for the President to unilaterally stop the dragnet.
At a hearing last month, Adam Schiff suggested to DIRNSA Mike Rogers that they move forward without waiting for a new law.
“There’s nothing in statute that requires the government to gather bulk data, so you could move forward on your own with making the technological changes,” Schiff said. “You don’t have to wait for the USA Freedom Act.”
There’s no reason for the NSA to wait for congressional approval to put additional limits on the program “if you think this is the correct policy,” Schiff added. “Why continue to gather the bulk metadata if [Obama administration officials] don’t think this is the best approach?”
And back in June, Senators Wyden, Udall, and Heinrich not only made a similar suggestion in a letter to the President, but laid out how Obama could achieve what he says he wants to without waiting for legislation.
But the President is not going to end the dragnet. Heck, for all we know, FISC has already signed the reauthorization.
Mind you, it may be that President Obama can’t start the new-and-improved dragnet without offering providers immunity and compensation. But if Obama can’t simply end the dragnet without offering telecoms and second level contractors broad immunity, then he’s obviously planning on something more exotic than just regular phone contact chaining.
There has been a lot of belated attention to the impact that Mark Udall’s loss yesterday will have on the Senate Intelligence Committee. I’ve been pointing to the possibility of a Udall loss and a Richard Burr Chairmanship since March. I warned you all of this when there was still time to do something about it!
Yesterday’s election will have huge impact on intelligence matters. It’s crystal clear, for example, that Burr has zero intention of exercising any oversight into the intelligence community, as we know he has been uninterested in their law-breaking in the past. I actually think Burr may be more interested in their competence than Feinstein has been, but that may be just a pipe-dream.
Burr might even be the very very rare Gang of Four member who doesn’t use the position to leak what the intelligence community wants to make public to the press. I say that because Burr was a key player in requiring the White House to provide the committees a list of sanctioned leaks, which I actually think was a badly needed reform (though I have no idea whether the White House has complied).
There’s also the matter of the 3 or 4 new Republicans that will gain seats on the Intelligence Committee (adding at least one for the majority, along with replacing Saxby Chambliss and Tom Coburn, both of whom retired). It’d be nice to see a libertarian among these — perhaps someone like Mike Lee, given that Utah has a lot of intelligence equities. But I highly doubt Mitch McConnell would put anyone with an interest in civil liberties on the Committee.
But there is one area where yesterday’s shellacking might harbor good news for civil liberties: Thad Cochran.
With Republicans in the majority, Barb Mikulski (D-NSA) will lose her Chairmanship of the Appropriations Committee; Cochran is expected to get that Chair. Mikulski has always been — even more than Dianne Feinstein — the impediment to any real civil liberties change in the Senate, because she is far more powerful. Importantly, she served as a guarantee that smart policies put through on appropriations bills — like Alan Grayson’s elimination of a requirement that NIST consult with the NSA on encryption standards, and the Massie-Lofgren amendment to defund back door searches — would not make it into any final bill.
Losing the majority, even losing Mikulski on Appropriations on all other matters, is a huge loss, don’t get me wrong.
But it does mean that Thad Cochran might, just maybe, allow good things to move through the Senate on appropriations. With Barb Mikulski there was no chance in hell of doing something on an appropriations bill. Without her, there’s at least a possibility. (Remember that Ted Stevens permitted a Ron Wyden amendment defunding TIA to go through appropriations in 2003, so such things are not unheard of.)
There’s no reason to believe that Cochran, in general, is any friendlier to civil liberties than Mikulski. But he’s not the NSA’s own personal senator. And that may be a tiny bright spot.
In an editorial calling on Congress to pass the USA Freedom Act, the USA Today makes this claim.
Obama’s proposal last January — to leave the data with phone companies, instead of with the government — can’t happen without a new law. And, as in so many other areas, the deeply divided Congress has failed to produce one.
I don’t know whether that is or is not the case.
I do know 3 Senate Intelligence Committee members say it is not the case.
Ron Wyden, Mark Udall, and Martin Heinrich wrote Obama a letter making just this point in June. They argued that Obama could accomplish most, if not all, of what he claimed he wanted without legislation, largely with a combination of Section 215 Orders to get hops and Pen Registers to get prospective collection.
[W]e believe that, in the meantime, the government already has sufficient authorities today to implement most, if not all, of the Section 215 reforms laid out in your proposal without delay in a way that does not harm our national security. More comprehensive congressional action is vital, but the executive branch need not wait for Congress to end the dragnet collection of millions of Americans’ phone records for a number of reasons.
First, we believe that the Foreign Intelligence Surveillance Court’s (FISC) expansive interpretation of the USA PATRIOT Act to allow the collection of millions of Americans’ phone records makes it likely that the FISC would also agree to a more narrowly-drawn interpretation of the law, without requiring further congressional action. Certainly, it seems likely that the FISC would permit the executive branch to use its current authorities to obtain phone records up to two “hops” from a suspicious phone number or to compel technical assistance by and compensation for recipients of court orders. Unless the FISC has already rejected such a request from the government, it does not seem necessary for the executive branch to wait for Congress before taking action.
Second, we believe that the FISC would likely approve the defined and limited prospective searches for records envisioned under your proposal pursuant to current USA PATRIOT Act Section 214 pen register authorities, given how broadly it has previous interpreted these authorities. Again, we believe it is vital for Congress to enact reforms, but we also believe that the government has sufficient authorities today under the USA PATRIOT Act to conduct these targeted prospective searches in the interim.
Finally, although we have seen no evidence that the government has needed the bulk phone records collection program to attain any time-sensitive objectives, we agree that new legislation should provide clear emergency authorities to allow the government to obtain court approval of individual queries after the fact under specific circumstances. The law currently allows prospective emergency acquisitions of call records under Section 403 of the Foreign Intelligence Surveillance Act (FISA), and the acquisition of past records without judicial review under national security letter authorities. While utilizing a patchwork of authorities is not ideal, it could be done on an interim basis, while Congress works to pass legislation.
Just weeks before they sent this, Deputy Attorney General James Cole had seemed to say they could (if not already were) getting hybrid orders, in that case mixing phone and location. So it seems like DOJ is confident they could use such hybrid orders, using Section 215 for the hops and Pen Registers for the prospective collection (though, given that they’re already using Section 215 for prospective collection, I’m not sure why they’d need to use hybrids to get anything but emergency orders).
And it makes sense. After all, the public claims about what the Call Detail Record provision would do, at least, describe it as a kind of Pen Register on steroids, 2-degrees of Pen Register. As the Senators suggest, FBI already gets two-degree information of historical records with mere NSLs, so it’d be surprising if they couldn’t get 2 degrees prospectively with a court order.
So at least according to three members of the Senate Intelligence Committee, USA Today is simply wrong.
Mind you, I’m not entirely convinced they’re right.
That’s because I suspect the new CDR provision is more than a Pen Register on steroids, is instead something far more intrusive, one that gets far beyond mere call records. I suspect the government will ask the telecoms to chain on location, address books, and more — as they do overseas — which would require far more than a prospective Pen Register and likely would require super immunity, as the bill provides.
I suspect the Senators are wrong, but if they are, it’s because Obama (or his Intelligence Community) wants something that is far more invasive then they’ve made out.
Still, for USAF supporters, there seems no question. If all Obama wants to replace the phone dragnet is prospective 2-degree call (not connection) chaining on RAS targets, he almost certainly has that authority.
But if he needs more authority, then chances are very good he’s asking for something far more than he has let on.
Update: Note, USAT makes at least one other clear error in this piece, as where it suggests the “the program” — the phone dragnet — imposes costs on cloud companies like Microsoft and Google.
As you likely know, I’m firmly of the belief that one should call DC memoirs — especially those written by National Security figures — autobiographical novels, because they tend to stray so far from the truth (that’s true of all autobiographies, but in DC it seems far more motivated). Turbo-Tax Timmy Geithner is about the only DC figure whose memoir has ever been treated with any of the skepticism it deserves.
With that in mind, I wanted to look at this detail from Leon Panetta’s book, which Katherine Hawkins alerted me to.
To illustrate how Obama’s micromanagement hurt relations with Congress, Panetta describes the negotiations with Dianne Feinstein over the cables that went into the torture report.
She requested access for her staff to every operational cable regarding the program, a database that had to be in the hundreds of thousands of documents. These were among the most sensitive documents the agency had. But Feinstein’s staff had the requisite clearances and we had no basis to refuse her. Still, I wanted to have some control over this material, so I proposed a deal: Instead of turning over the documents en masse to her staff, we would set up a secure room in Virginia. Her staff could come out to the secure facility and review documents one by one, and though they could take notes, the documents themselves would stay with CIA.
When the White House found out, they went apeshit, calling Panetta into the Situation Room for a spanking.
“The president wants to know who the fuck authorized this release to the committees,” Rahm said, slamming his hand down on the table. “I have a president with his hair on fire, and I want to know what the fuck you did to fuck this up so bad.”
I’d known Rahm a long time, and I was no stranger to his language or his temper, so I knew when to worry about an outburst and when it was mostly for show. On this occasion, my hunch was that Rahm wasn’t that perturbed but that Obama probably was and that others at the table, particularly Brennan and McDonough, were too. Rahm was sticking up for them by coming after me.
It went back and forth like this for about fifteen minutes. Brennan and I even exchanged sharp words when I, unfairly, accused him of not sticking up for the agency in the debate over the interrogation memos. Finally, the White House team realized that whether they liked it or not, there was no way we could go back on our deal with the committee. And just like that, the whole matter was dropped.
Rahm and Brennan spanked Panetta, he claims, but then the whole thing blew over.
There are just three problems with this story.
First, according to the quotations Dianne Feinstein revealed from her agreement with Panetta, the CIA wasn’t supposed to “have … control over this material.”
Per an exchange of letters in 2009, then-Vice Chairman Bond, then-Director Panetta, and I agreed in an exchange of letters that the CIA was to provide a “stand-alone computer system” with a “network drive” “segregated from CIA networks” for the committee that would only be accessed by information technology personnel at the CIA—who would “not be permitted to” “share information from the system with other [CIA] personnel, except as otherwise authorized by the committee.”
Far more significantly, Panetta doesn’t mention the documents that disappeared during Panetta’s tenure — ostensibly, on orders from the White House.
In early 2010, the CIA was continuing to provide documents, and the committee staff was gaining familiarity with the information it had already received.
In May of 2010, the committee staff noticed that [certain] documents that had been provided for the committee’s review were no longer accessible. Staff approached the CIA personnel at the offsite location, who initially denied that documents had been removed. CIA personnel then blamed information technology personnel, who were almost all contractors, for removing the documents themselves without direction or authority. And then the CIA stated that the removal of the documents was ordered by the White House. When the committee approached the White House, the White House denied giving the CIA any such order.
After a series of meetings, I learned that on two occasions, CIA personnel electronically removed committee access to CIA documents after providing them to the committee. This included roughly 870 documents or pages of documents that were removed in February 2010, and secondly roughly another 50 were removed in mid-May 2010.
And Panetta also doesn’t mention what may or may not be the same set of documents, those withheld by CIA on behalf of the White House, as described by Stephen Preston in response to Mark Udall.
With specific reference to documents potentially subject to a claim of executive privilege, as noted in the question, a small percentage of the total number of documents produced was set aside for further review. The Agency has deferred to the White House and has not been substantively involved in subsequent discussions about the disposition of those documents.
In other words, CIA didn’t live up to its deal with Feinstein, not with respect to this set of documents, anyway. After turning over all the cables it believed SSCI had a right to obtain, it then took some back. As far as we know, it never did provide them.
We know that one of the Torture Report’s conclusions is that the CIA lied to the White House.
While there’s good reason to believe CIA lied to Condi Rice, there’s also abundant reason to believe that Dick Cheney and David Addington knew precisely what was going on. If I had to guess, the documents CIA stole back probably make that clear.
Panetta would have us believe that, after his spanking by John Brennan and others, the whole matter was dropped. Which is a convenient tale, except that it obscures that the White House succeeded in clawing back documents CIA originally believed SSCI was entitled to.
The National Journal reports that Leahy’s USA Freedom Act probably won’t move until after the election, if not next year.
A bill that would curtail the government’s broad surveillance authority is unlikely to earn a vote in Congress before the November midterms, and it might not even get a vote during the postelection lame-duck session.
The inaction amounts to another stinging setback for reform advocates, who have been agitating for legislation that would rein in the National Security Agency ever since Edward Snowden’s leaks surfaced last summer. It also deflates a sudden surge in pressure on Congress to pass the USA Freedom Act, which scored a stunning endorsement from Director of National Intelligence James Clapper last week.
Of course, contrary to what the NJ keeps reporting, that letter is not a stunning endorsement. On the contrary, it’s a signal James Clapper would change — at a minimum — the FISA Advocate position, and probably the Call Detail Record provision as well.
And even while the story suggests timing is the problem, further down the story suggests the bill doesn’t have the votes.
But beyond the calendar squeeze and geopolitical tensions, the Freedom Act has never had a clear path forward. It was not embraced by defense hawks such as Senate Intelligence Committee Chairwoman Dianne Feinstein or Sens. Ron Wyden and Mark Udall, who have become icons of the surveillance-reform movement. The two Democrats said they wanted to strengthen the bill to require warrants for “backdoor” searches of Americans’ Internet data that can be incidentally collected during foreign surveillance hauls. Sources indicated that their support for the Freedom Act remains a bridge too far.
“We were told to go after Republicans,” one industry said.
Wyden and Udall’s reticence to publicly back Leahy’s bill may stem from a conviction that they can get a better deal next Congress, with Section 215 of the USA Patriot Act—the legal underpinning for the NSA’s phone-records collection—due to expire on June 1, 2015.
Without the left flank of the Senate, this wasn’t going to pass. But so long as this bill endorsed warrantless back door searches of Americans at the assessment stage, it wasn’t going to get those votes.
The story ends with a solitary quote purportedly representing the voices of “many” people.
But many see an NSA reform debate that rolls into next year as no sure bet, regardless of what party holds control of the Senate.
“If the USA Freedom Act is not passed this Congress, we are really in uncharted territory, and the process has to start all over again,” said Harley Geiger, senior counsel at the Center for Democracy & Technology, a pro-reform group. “All the elements for reform are in place now, but it just happens that we don’t have much time.”
Geiger is the same purpose mis-reading Clapper’s letter as a complete endorsement of the bill.
Note what doesn’t get mentioned in any of this, though?
Last we heard from the 2nd Circuit, it sounded very very skeptical that it was constitutional to, “collect everything there is to know about everybody and have it all in one big government cloud.” And while SCOTUS was happy to reverse precisely this court in Section 702, both ACLU’s standing and the details of the program are much clearer this time. Had Congress legislated quickly, it likely would moot this and several other challenges to this dragnet.
This way, at least, the courts will be forced to determine whether it is actually legal for the government to conduct dossiers of every American and store them on a cloud.
When Ron Wyden first asked John Brennan whether CIA had to comply with the Computer Fraud and Abuse Act, Brennan suggested they didn’t have to if they were conducting investigations.
The statute does apply. The Act, however, expressly “does not prohibit any lawfully authorized investigative, protective, or intelligence activity … of an intelligence agency of the United States.” 18 U.S.C. § 1030(f).
Then in March, after Senator Feinstein accused the CIA of improperly spying on her committee, Brennan claimed it was outside the realm of possibility.
As far as the allegations of, you know, CIA hacking into, you know, Senate computers, nothing could be further from the truth. I mean, we wouldn’t do that. I mean, that’s — that’s just beyond the — you know, the scope of reason in terms of what we would do.
Now that DOJ has decided not to investigate CIA’s illegal domestic spying, we learn it was well within the realm of possibility.
CIA employees improperly accessed computers used by the Senate Intelligence Committee to compile a report on the agency’s now defunct detention and interrogation program, an internal CIA investigation has determined.
Findings of the investigation by the CIA Inspector General’s Office “include a judgment that some CIA employees acted in a manner inconsistent with the common understanding reached between SSCI (Senate Select Committee on Intelligence) and the CIA in 2009,” CIA spokesman Dean Boyd said in a statement.
Brennan’s solution is to have corrupt hack Evan Bayh conduct an accountability review of the spying.
And yet again, the CIA proves it refuses to subsist within democratic structures.
Among the many posts I’ve written about Executive Order 12333 — the order that authorizes all non-domestic spying — includes this post, where I noted that proposed changes to NSA’s phone dragnet won’t affect programs authorized by EO 12333.
Obama was speaking only about NSA’s treatment of Section 215 metadata, not the data — which includes a great amount of US person data — collected under Executive Order 12333.
Section 215 metadata has different and significantly higher protections than EO 12333 phone metadata because of specific minimization procedures imposed by the FISC (arguably, the program doesn’t even meet the minimization procedure requirements mandated by the law). We’ve seen the implications of that, for example, when the NSA responded to being caught watch-listing 3,000 US persons without extending First Amendment protection not by stopping that tracking, but simply cutting off the watch-list’s ability to draw on Section 215 data.
Basically, the way NSA treats data collected under FISC-overseen programs (including both Section 215 and FISA Amendments Act) is to throw the data in with data collected under EO 12333, but add query screens tied to the more strict FISC-regulations governing production under it.
NSA’s spokeswoman will say over and over that “everyday” or “ordinary” Americans don’t have to worry about their favorite software being sucked up by NSA. But to the extent that collection happens under EO 12333, they have relatively little protection.
That’s precisely the point made in an important op-ed by the State Department’s former Internet freedom chief, John Napier Tye, who had access to data from EO 12333 collection.
Bulk data collection that occurs inside the United States contains built-in protections for U.S. persons, defined as U.S. citizens, permanent residents and companies. Such collection must be authorized by statute and is subject to oversight from Congress and the Foreign Intelligence Surveillance Court. The statutes set a high bar for collecting the content of communications by U.S. persons. For example, Section 215 permits the bulk collection only of U.S. telephone metadata — lists of incoming and outgoing phone numbers — but not audio of the calls.
Executive Order 12333 contains no such protections for U.S. persons if the collection occurs outside U.S. borders.
Unlike Section 215, the executive order authorizes collection of the content of communications, not just metadata, even for U.S. persons. Such persons cannot be individually targeted under 12333 without a court order. However, if the contents of a U.S. person’s communications are “incidentally” collected (an NSA term of art) in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.
As I noted on Friday, the Administration got a new phone dragnet order on the same day that Senators Wyden, Udall, and Heinrich pointed out that — so long as the Administration only wants to do what it claims to want to do — it could stop holding phone records right away, just as it implemented Obama’s 2-hop mandate and court review in February right away.
From ODNI’s announcement they got a new dragnet order Friday (which they congratulate themselves as a great show of transparency), it’s clear they have no intention of doing so. On the contrary, they’re going to hold out HR 3361 — and their unconvincing claim it ends bulk collection as normal people understand the term — with each new dragnet order.
After carefully considering the available options, the President announced in March that the best path forward is that the government should not collect or hold this data in bulk, and that it remain at the telephone companies with a legal mechanism in place which would allow the government to obtain data pursuant to individual orders from the FISC approving the use of specific numbers for such queries. The President also noted that legislation would be required to implement this option and called on Congress to enact this important change to the Foreign Intelligence Surveillance Act (FISA).
Consistent with the President’s March proposal, in May, the House of Representatives passed H.R. 3361, the USA FREEDOM Act, which would, if enacted, create a new mechanism for the government to obtain this telephony metadata pursuant to individual orders from the FISC, rather than in bulk. The bill also prohibits bulk collection through the use of Section 215, FISA pen registers and trap and trace devices, and National Security Letters.
Overall, the bill’s significant reforms would provide the public greater confidence in our programs and the checks and balances in the system, while ensuring our intelligence and law enforcement professionals have the authorities they need to protect the Nation. The Administration strongly supports the USA FREEDOM Act. We urge the Senate to swiftly consider it, and remain ready to work with Congress to clarify that the bill prohibits bulk collection as noted above, as necessary.
Given that legislation has not yet been enacted, and given the importance of maintaining the capabilities of the Section 215 telephony metadata program, the government has sought a 90-day reauthorization of the existing program, as modified by the changes the President announced earlier this year.
But here’s the bit I’m most struck by, particularly given that the government has not yet released the March 28, 2014 dragnet order which should be a slam dunk declassification process, given that its content has presumably all been released in the past.
In addition to a new primary order last Friday, FISC also wrote a memorandum opinion.
The Administration is undertaking a declassification review of this most recent court order and an accompanying memorandum opinion for publication.
I can think of two things that would explain a memorandum opinion: the program has changed in some way (perhaps they’ve changed how they interpret “selection term” or implement the automated process which they had previously never gotten running?), or the FISC considered some new legal issue before approving the dragnet.
As I noted last week, both US v. Quartavious Davis, in which the 11th Circuit ruled stored cell location data required a warrant), and US v Stavros Ganias, in which the 2nd Circuit ruled the government can’t use data it seized under an old warrant years later, might affect both the current and future dragnets, as well as other programs the NSA engages in.
Thing is, whatever the subject of the opinion, then it’d sure be nice to know what it says before we pass this legislation, as the legislation may have to correct the wacky secret decisions of the FISC (most members of Congress are still not getting unredacted dragnet orders). But if the last order is any indication, we won’t get this new order until months from now, long after the bill is expected to be rushed through the Senate.
Which is probably all by design.