As part of my ongoing focus on Executive Order 12333, I’ve been reviewing how the Bush Administration changed the EO when, shortly after the passage of the FISA Amendments Act, on July 30, 2008, they rolled out a new version of the order, with little consultation with Congress. Here’s the original version Ronald Reagan issued in 1981, here’s the EO making the changes, here’s how the new and improved version from 2008 reads with the changes.
While the most significant changes in the EO were — and were billed to be — the elaboration of the increased role for the Director of National Intelligence (who was then revolving door Booz executive Mike McConnell), there are actually several changes that affected NSA.
Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.
The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,
In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.
The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.
In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.
Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.
In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.
And a more subtle change goes even further. Section 2.5 of the EO delegates authority to the AG to “approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required if undertaken for law enforcement purposes.” In both the original and the revised EO, that delegation must be done within the scope of FISA (or FISA as amended, in the revision). But in 1981, FISA surveillance had to be “conducted in accordance with that Act [FISA], as well as this Order,” meaning that the limits on US person collection and dissemination from the EO applied, on top of any limits imposed by FISA. The 2008 EO dropped the last clause, meaning that such surveillance only has to comply with FISA, and not with other limits in the EO.
That’s significant because there are at least three things built into known FISA minimization procedures — the retention of US person data to protect property as well as life and body, the indefinite retention of encrypted communications, and the broader retention of “technical data base information” — that does not appear to be permitted under the EO’s more general guidelines but, with this provision, would be permitted (and, absent Edward Snowden, would also be hidden from public view in minimization procedures no one would ever get to see).
In December, I wrote a post noting that NSA personnel performing analysis on PATRIOT-authorized metadata (both phone or Internet) can choose to contact chain on just that US-collected data, or — in what’s call a “federated query” — on foreign collected data, collected under Executive Order 12333, as well. It also appears (though I’m less certain of this) that analysts can do contact chains that mix phone and Internet data, which presumably is made easier by the rise of smart phones.
Section 215 is just a small part of the dragnet
This is one reason I keep complaining that journalists reporting the claim that NSA only collects 20-30% of US phone data need to specify they’re talking about just Section 215 collection. Because we know, in part because Richard Clarke said this explicitly at a Senate Judiciary Committee hearing last month, that Section “215 produces a small percentage of the overall data that’s collected.” At the very least, the EO 12333 data will include the domestic end of any foreign-to-domestic calls it collects, whether made via land line or cell. And that doesn’t account for any metadata acquired from GCHQ, which might include far more US person data.
The Section 215 phone dragnet is just a small part of a larger largely-integrated global dragnet, and even the records of US person calls and emails in that dragnet may derive from multiple different authorities, in addition to the PATRIOT Act ones.
SPCMA provided NSA a second way to contact chain on US person identifiers
With that background, I want to look at one part of that dragnet: “SPCMA,” which stands for “Special Procedures Governing Communications Metadata Analysis,” and which (the screen capture above shows) is one way to access the dragnet of US-collected (“1st person”) data. SPCMA provides a way for NSA to include US person data in its analysis of foreign-collected intelligence.
According to what is currently in the public record, SPCMA dates to Ken Wainstein and Steven Bradbury’s efforts in 2007 to end some limits on NSA’s non-PATRIOT authority metadata analysis involving US persons. (They don’t call it SPCMA, but the name of their special procedures match the name used in later years; the word, “governing,” is for some reason not included in the acronym)
Wainstein and Bradbury were effectively adding a second way to contact chain on US person data.
They were proposing this change 3 years after Collen Kollar-Kotelly permitted the collection and analysis of domestic Internet metadata and 1 year after Malcolm Howard permitted the collection and analysis of domestic phone metadata under PATRIOT authorities, both with some restrictions, By that point, the NSA’s FISC-authorized Internet metadata program had already violated — indeed, was still in violation — of Kollar-Kotelly’s category restrictions on Internet metadata collection; in fact, the program never came into compliance until it was restarted in 2010.
By treating data as already-collected, SPCMA got around legal problems with Internet metadata
Against that background, Wainstein and Bradbury requested newly confirmed Attorney General Michael Mukasey to approve a change in how NSA treated metadata collected under a range of other authorities (Defense Secretary Bob Gates had already approved the change). They argued the change would serve to make available foreign intelligence information that had been unavailable because of what they described as an “over-identification” of US persons in the data set.
NSA’s present practice is to “stop” when a chain hits a telephone number or address believed to be used by a United States person. NSA believes that it is over-identifying numbers and addresses that belong to United States persons and that modifying its practice to chain through all telephone numbers and addresses, including those reasonably believed to be used by a United States person, will yield valuable foreign intelligence information primarily concerning non-United States persons outside the United States. It is not clear, however, whether NSA’s current procedures permit chaining through a United States telephone number, IP address or e-mail address.
They also argued making the change would pave the way for sharing more metadata analysis with CIA and other parts of DOD.
The proposal appears to have aimed to do two things. First, to permit the same kind of contact chaining — including US person data — authorized under the phone and Internet dragnets, but using data collected under other authorities (in 2007, Wainstein and Bradbury said some of the data would be collected under traditional FISA). But also to do so without the dissemination restrictions imposed by FISC on those PATRIOT-authorized dragnets.
In addition (whether this was one of the goals or not), SPCMA defined metadata in a way that almost certainly permitted contact chaining on metadata not permitted under Kollar-Kotelly’s order.
“Metadata” also means (1) information about the Internet-protocol (IP) address of the computer from which an e-mail or other electronic communication was sent and, depending on the circumstances, the IP address of routers and servers on the Internet that have handled the communication during transmission; (2) the exchange of an IP address and e-mail address that occurs when a user logs into a web-based e-mail service; and (3) for certain logins to web-based e-mail accounts, inbox metadata that is transmitted to the user upon accessing the account.
Some of this information — such as the web-based email exchange — almost certainly would have been excluded from Kollar-Kotelly’s permitted categories because it would constitute content, not metadata, to the telecoms collecting it under PATRIOT Authorities.
Wainstein and Bradbury appear to have gotten around that legal problem — which was almost certainly the legal problem behind the 2004 hospital confrontation — by just assuming the data was already collected, giving it a sort of legal virgin birth.
Doing so allowed them to distinguish this data from Pen Register data (ironically, precisely the authority Kollar-Kotelly relied on to authorize PATRIOT-authorized Internet metadata collection) because it was no longer in motion.
First, for the purpose of these provisions, “pen register” is defined as “a device or process which records or decodes dialing, routing, addressing or signaling information.” 18 U.S.C. § 3127(3); 50 U.S.C. § 1841 (2). When NSA will conduct the analysis it proposes, however, the dialing and other information will have been already recorded and decoded. Second, a “trap and trace device” is defined as “a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing and signaling information.” 18 U.S.C. § 3127(4); 50 U.S.C. § 1841(2). Again, those impulses will already have been captured at the point that NSA conducts chaining. Thus, NSA’s communications metadata analysis falls outside the coverage of these provisions.
And it allowed them to distinguish it from “electronic surveillance.”
The fourth definition of electronic surveillance involves “the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication …. ” 50 U.S.C. § 1802(f)(2). “Wire communication” is, in turn, defined as “any communication while it is being carried by a wire, cable, or other like com1ection furnished or operated by any person engaged as a common carrier …. ” !d. § 1801 (1). The data that the NSA wishes to analyze already resides in its databases. The proposed analysis thus does not involve the acquisition of a communication “while it is being carried” by a connection furnished or operated by a common carrier.
This legal argument, it seems, provided them a way to carve out metadata analysis under DOD’s secret rules on electronic surveillance, distinguishing the treatment of this data from “interception” and “selection.”
For purposes of Procedure 5 of DoD Regulation 5240.1-R and the Classified Annex thereto, contact chaining and other metadata analysis don’t qualify as the “interception” or “selection” of communications, nor do they qualify as “us[ing] a selection term,” including using a selection term “intended to intercept a communication on the basis of … [some] aspect of the content of the communication.”
This approach reversed an earlier interpretation made by then Counsel of DOJ’s Office of Intelligence and Policy Review James A Baker.
Baker may play an interesting role in the timing of SPCMA. He had just left in 2007 when Bradbury and Wainstein proposed the change. After a stint in academics, Baker served as Verizon’s Assistant General Counsel for National Security (!) until 2009, when he returned to DOJ as an Associate Deputy Attorney General. Baker, incidentally, got named FBI General Counsel last month.
NSA implemented SPCMA as a pilot in 2009 and more broadly in 2011
It wasn’t until 2009, amid NSA’s long investigation into NSA’s phone and Internet dragnet violations that NSA first started rolling out this new contact chaining approach. I’ve noted that the rollout of this new contact-chaining approach occurred in that time frame.
Comparing the name …
SIGINT Management Directive 424 (“SIGINT Development-Communications Metadata Analysis”) provides guidance on the NSA/ CSS implementation of the “Department of Defense Supplemental Procedures Governing Communications Metadata Analysis” (SPCMA), as approved by the U.S. Attorney General and the Secretary of Defense. [my emphasis]
And the description of the change …
Specifically, these new procedures permit contact chaining, and other analysis, from and through any selector, irrespective of nationality or location, in order to follow or discover valid foreign intelligence targets. (Formerly analysts were required to determine whether or not selectors were associated with US communicants.) [emphasis origina]
,,, Make it clear it is the same program.
NSA appears to have made a few changes in the interim. Continue reading
As I noted in my last post, seven Bush dead-enders plus KS Representative and House Intelligence member Mike Pompeo wrote a letter to … someone … pushing back against the RNC condemnation of the NSA dragnet. As I noted in that post, along with waggling their collective national security experience, the dead-enders used the same old stale tricks to deny that the dragnet surveils US person content.
The stale tricks, by now, are uninteresting. I find the list of the dead-enders (Eli Lake fleshed it out here) more so.
Here’s the list of the dead-enders:
Some of these we expect. Michael Hayden and Stewart Baker have been two of the main cheerleaders for NSA since the start of Snowden’s leaks, and Michael Chertoff’s firm (at which Hayden works) seems to be working under some kind of incentive to have as many of its top people defend the dragnet as well. Further, both Bradbury and Wainstein have testified to various entities along the way.
So in some senses, it’s the usual gang of dead-enders.
But I find the collection of Michael Mukasey, Bradbury, and Wainstein, to be particularly interesting.
After all, they’re the 3 names (and in Mukasey’s case, authorizing signature) on this memo, which on January 3, 2008 authorized NSA to contact chain Internet (and phone) “metadata” of Americans collected via a variety of means, including FISA, broadly defined, which would include Protect America Act, and EO 12333 and potentially other means — but let’s just assume it was collected legally, Bradbury and Wainstein say twice in the memo.
They implemented this change, in part, to make it easier to share “United States communications metadata” outside of the NSA, including with CIA, by name (though CIA made that request in 2004, before Hayden had moved over to CIA).
When implementing the change, they defined Internet “metadata” this way:
b) For electronic communications, “metadata” includes the information appearing on the “to,” “from,” “cc,” and “bcc” lines of a standard e-mail or other electronic communication. For e-mail communications, the “from” line contains the e-mail address of the sender, and the “to,” “cc,” and “bcc” lines contain the e-mail addresses of the recipients. “Metadata” also means (1) information about the Internet-protocol (IP) address of the computer from which an e-mail or other electronic communication was sent and, depending on the circumstances, the IP address of routers and servers on the Internet that have handled the communication during transmission; (2) the exchange of an IP address and e-mail address that occurs when a user logs into a web-based e-mail service; and (3) for certain logins to web-based e-mail accounts, inbox metadata that is transmitted to the user upon accessing the account. “Metadata” associated with electronic communications does not include information from the “subject” or “re” line of an e-mail or information from the body of an e-mail.
It includes IP (both sender and recipient, as well as interim), email address, inbox metadata which has reported to include content as well.
But let’s take a step back and remember some timing.
In 2004 DOJ tried to clean up NSA’s Internet metadata problem which legally implicated Michael Hayden directly (because he personally continued it after such time as DOJ said it was not legal). The solution was to get Colleen Kollar-Kotelly sign an opinion (dated July 14, 2004) approving the Internet collection as a Pen Register/Trap and Trace order. But she limited what categories of “metadata” could be collected, almost certainly to ensure the metadata in question was actually metadata to the telecoms collecting it.
Before the very first order expired — so before October 12, 2004 — the NSA already started breaking those rules. When they disclosed that violation, they provided some of the same excuses as when they disclosed the phone dragnet violations in 2009: that the people who knew the rules didn’t communicate them adequately to the people implementing the rules (see page 10ff of this order). As part of those disclosures, however, they falsely represented to the FISC that they had only collected the categories of “metadata” Kollar-Kotelly had approved.
The Court had specifically directed the government to explain whether this unauthorized collection involved the acquisition of information other than the approved Categories [redacted] Order at 7. In response, the Deputy Secretary of Defense [Paul Wolfowitz] stated that the “Director of NSA [Michael Hayden] has informed me that at no time did NSA collect any category of information … other than the [redacted] categories of meta data” approved in the [redacted] Opinion, but also note that NSA’s Inspector General [Joel Brenner] had not completed his assessment of this issue. [redacted] Decl. at 21.13 As discussed below, this assurance turned out to be untrue.
While a number of the changes to Section 215 passed just before the government started relying on it to create a database of all phone-based relationships in the United States watered down the law, one provision made the law stricter.
The 2006 Reauthorization required the Attorney General to establish minimization procedures for the data collected under the program.
(g) Minimization Procedures and Use of Information- Section 501 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861) is further amended by adding at the end the following new subsections:
(g) Minimization Procedures-
(1) IN GENERAL- Not later than 180 days after the date of the enactment of the USA PATRIOT Improvement and Reauthorization Act of 2005, the Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this title.
(2) DEFINED- In this section, the term `minimization procedures’ means–
(A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;
(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 101(e)(1), shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance; and
(C) notwithstanding subparagraphs (A) and (B), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes.
(h) Use of Information- Information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title concerning any United States person may be used and disclosed by Federal officers and employees without the consent of the United States person only in accordance with the minimization procedures adopted pursuant to subsection (g). No otherwise privileged information acquired from tangible things received by the Federal Bureau of Investigation in accordance with the provisions of this title shall lose its privileged character. No information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title may be used or disclosed by Federal officers or employees except for lawful purposes.’.
But from the very start, the FISA Court and the Administration set out to ignore this requirement. After all, well before anyone did any analysis about the foreign intelligence value of the phone dragnet data, the FBI disseminated all of it, by having the telecoms hand it over directly to the NSA. And phone numbers are US person identifiers (best demonstrated by NSA’s use of phone numbers as identifiers to conduct searches in other contexts).
Thus, before any Agency even touched the data, the phone dragnet scheme violated this provision by disseminating non-publicly available information about US person identifiers on every single American without their consent.
According to FISC’s original Section 215 phone dragnet order, the NSA only had to abide by the existing SID-18 minimization procedures.
[D]issemination of U.S. person information shall follow the standard NSA minimization procedures found in the Attorney General-approved guidelines (U.S. Signals Intelligence Directive 18). [link added]
And the FBI only applied the minimization procedures it used to fulfill the statute after the NSA had already run queries on it.
With respect to any information the FBI receives as a result of this Order (information that is passed or “tipped” to it by NSA), the FBI shall follow as minimization procedures the procedures set forth in The Attorney General’s Guidelines for FBI National Security Investigations and Foreign Intelligence Collection (October 31, 2003). [link added]
Even after this initial order, the Attorney General did not comply with the mandate to come up with minimization procedures specific to Section 215. Instead, then Attorney General Alberto Gonzales just adopted four sections of the National Security Investigations Guidelines.
In analysis included in a 2008 review of the FBI’s use of Section 215, DOJ Inspector General Glenn Fine deemed this measure to fall short of the statute’s requirements.
These interim minimization procedures use general hortatory language stating that all activities conducted in relation to national security investigations must be “carried out in conformity with the Constitution.” However, we believe this broad standard does not provide the specific guidance for minimization procedures that the Reauthorization Act appears to contemplate.
[T]he Reauthorization Act required the Department to adopt “specific procedures” reasonably designed to “minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” We believe that the interim procedures do not adequately address this requirement, and we recommend that the Department continue its efforts to construct specific minimization procedures relating to Section 215 orders, rather than rely on general language in the Attorney General’s NSI Guidelines.
As I’ll show in a follow-up post, presumably in response to Fine’s report, Attorney General Michael Mukasey adopted new, arguably even more general guidelines to fulfill this requirement, the AG Guidelines for Domestic FBI Operations. (I strongly suspect the August 20, 2008 FISC opinion the government won’t release authorizes the language that would appear in those Guidelines).
But the implications of this have more immediate significance.
After all, the only known American who got busted based on a Section 215 tip, Basaaly Moalin, argues for a new trial tomorrow. And he was tipped based on dissemination that took place in 2007 — that is, before DOJ even tried to address these problematic minimization procedures. He was tipped based on dissemination that — under the letter of the PATRIOT Act — should never have happened.
Update: With regards to Moalin’s case, this seems pertinent.
As of early December 2007, the [Director of National Intelligence] working group [trying to harmonize defintions] had not defined “U.S. person identifying information.
This means that, at the time he was identified in the dragnet, the entire intelligence community was still fighting over whether phone numbers constituted US person identifying information entitled to additional protection.
Update: In an address to the EU Parliament, Jim Sensenbrenner accuses NSA of ignoring civil liberty protections in the PATRIOT Act.
“I firmly believe the Patriot Act saved lives by strengthening the ability of intelligence agencies to track and stop potential terrorists, but in the past few years, the National Security Agency has weakened, misconstrued and ignored the civil liberty protections we drafted into the law,” he said, adding that the NSA “ignored restrictions painstakingly crafted by lawmakers and assumed a plenary authority we never imagined.”
Back in 2009 when the government released what we now know is a FISA Court of Review decision ordering Yahoo to cooperate in PRISM, I questioned a passage of the decision that relied on the government’s claim that it doesn’t keep a database of incidentally collected conversations involving US persons.
In this post, I just want to point to a passage that deserves more scrutiny:
The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26)
To translate, if the government collects information from a US citizen (here or abroad), a legal permanent US resident, a predominantly US organization, or a US corporation in the course of collecting information on someone it is specifically targeting, it it claims it does not keep that in a database (I’ll come back and parse this in a second). In other words, if the government has a tap on your local falafel joint because suspected terrorists live off their falafels, and you happen to call in a take out order, it does not that have in a database.
There are reasons to doubt this claim.
In the rest of the post, I showed how a response from Michaels Mukasey and McConnell to Russ Feingold’s efforts to protect US person incidental collection during the FISA Amendments Act had made it clear having access to this incidentally collected data was part of the point, meaning the government’s reassurances to the FISCR must have been delicate dodges in one way or another. (Feingold’s Amendments would have prevented 3 years of Fourth Amendment violative collection, by the way.)
Did the court ask only about a database consisting entirely of incidentally collected information? Did they ask whether the government keeps incidentally collected information in its existing databases (that is, it doesn’t have a database devoted solely to incidental data, but neither does it pull the incidental data out of its existing database)? Or, as bmaz reminds me below but that I originally omitted, is the government having one or more contractors maintain such a database? Or is the government, rather, using an expansive definition of targeting, suggesting that anyone who buys falafels from the same place that suspected terrorist does then, in turn, becomes targeted?
McConnell and Mukasey’s objections to Feingold’s amendments make sense only in a situation in which all this information gets dumped into a database that is exposed to data mining. So it’s hard to resolve their objections with this claim–as described by the FISA Appeals Court.
Which is part of the reason I’m so intrigued by this passage of John Bates’ October 3, 2011 decision ruling some of NSA’s collection and retention practices violated the Fourth Amendment. In a footnote amending a passage explaining why the retention of entirely US person communications with the permissive minimization procedures the government had proposed is a problem, Bates points back to that earlier comment.
The Court of Review plaining limited its holding regarding incidental collection to the facts before it. See In re Directives at 30 (“On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.” (emphasis added). The dispute in In re Directives involved the acquisition by NSA of discrete to/from communications from an Internet Service Provider, not NSA’s upstream collection of Internet transactions. Accordingly, the Court of Review had occasion to consider NSA’s acquisition of MCTs (or even “about” communications, for that matter). Furthermore, the Court of Review noted that “[t]he government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary.” Id. Here, however, the government proposes measures that will allow NSA to retain non-target United States person information in its databases for at least five years.
Ultimately, Bates’ approval for the government to query on US person identifiers on existing incidentally collected Section 702 material (see pages 22-23) show that he hasn’t really thought through what happens to US person incidental collection; he actually has a shocking (arguably mis-) understanding of how permissive the existing minimization rules are, and therefore how invasive his authorization for searching on incidentally collected information will actually be.
But his complaint with the proposed minimization procedures shows what he believes they should be.
The measures proposed by the government for MCTs, however, largely dispense with the requirement of prompt disposition upon initial review by an analyst. Rather than attempting to identify and segregate information “not relevant to the authorized purpose of the acquisition” or to destroy such information promptly following acquisition, NSA’s proposed handling of MCTs tends to maximize the retention of such information, including information of or concerning United States persons with no direct connection to any target.
As Bates tells it, so long as he’s paying close attention to an issue, the government should ideally destroy any US person data it collects that is not relevant to the authorized purpose of the acquisition. (His suggestion to segregate it actually endorses Russ Feingold’s fix from 2008.)
But the minimization rules clearly allow the government to keep such data (after this opinion, they made an exception only for the multiple communication transactions in question, but not even for the other search identifiers involving entirely domestic communication so long as that’s the only communication in the packet).
All the government has to do, for the vast majority of the data it collects, is say it might have a foreign intelligence or crime or encryption or technical data or threat to property purpose, and it keeps it for 5 years.
In a database.
Back when the FISCR used this language, it allowed the government the dodge that, so long as it didn’t have a database dedicated to solely US person communications incidentally, it was all good. But the language Bates used should make all the US person information sitting in databases for 5 year periods (which Bates seems not to understand) problematic.
Not least, the phone dragnet database, which — after all — includes the records of 310 million people even while only 12 people’s data has proved useful in thwarting terrorist plots.
Update: Fixed the last sentence to describe what the Section 215 dragnet has yielded so far.
I was going to leave this speculation well enough alone. But George W Bush decided to interrupt his dog painting to defend Obama’s surveillance dragnet.
Bush also defended the surveillance program, which began during his administration after 9/11, saying the programs guarantee civil liberties are protected.
“I put the program in place to protect the country and one of the certainties is civil liberties were guaranteed,” Bush said.
So here goes.
In his book, Jack Goldsmith describes Alberto Gonzales siding against David Addington in a debate just once, only to have George Bush override the then White House Counsel.
Addington’s hard-line nonaccommodation stance always prevailed when the lawyers met to discuss legal policy issues in Alberto Gonzales’ office. During these meetings, Gonzales himself would sit quietly in his wing chair, occasionally asking questions but mostly listening as the querulous Addington did battle with whomever was seeking to “go soft.” It was Gonzales’ responsibility to determine what to advise the president after the lawyers had kicked the legal policy matters around. But I only knew him to disagree with Addington once, on an issue I cannot discuss, and on that issue the president overruled Gonzales and sided with the Addington position. [my emphasis]
The issue Goldsmith could not discuss could be torture or prisoner transfers or something entirely unknown, but the data mining at the heart of the hospital confrontation is clearly one candidate.
There’s no overt evidence Gonzales tried to do the right thing on the illegal surveillance program. After all, even after Bush agreed to put the program right on March 12, 2004, Gonzales still objected to Goldsmith and Jim Comey’s first advice on the program. After Goldsmith laid out his initial advice on March 15, Gonzales wrote a memo saying,
Your memorandum appears to have been based on a misunderstanding of the President’s expectations regarding the conduct of the Department of Justice. While the President was, and remains, interested in any thoughts the Department of Justice may have on alternative ways to achieve effectively the goals of the activities authorized by the Presidential Authorization of March 11, 2004, the President has addressed definitively for the Executive Branch in the Presidential Authorization the interpretation of the law.
This led Comey to write up his resignation letter on March 16. “[A]lthough I believe this has been one of [DOJ's] finest hours, we have been unable to right that wrong.” Three days later, Bush modified his March 11 Authorization, directing NSA to stop collecting Internet metadata within a week.
Of course, three months later, the Administration resumed collection of Internet metadata using the FISC PR/TT order. That was within days of Goldsmith’s departure, though he had announced his departure a month earlier and Comey, obviously, stuck around for over a year longer.
So still no evidence the Internet data mining was the issue on which Gonzales tried to stand up to Addington.
But let’s jump ahead to the circumstances of Alberto Gonzales’ resignation in August 2007. At the time, his sudden and confusing resignation was attributed to the multiple scandals embroiling him — chiefly the US Attorney firing scandal, but also Gonzales’ Clapper-like lies about the illegal wiretap program before the Senate a month earlier. But for some reason, Gonzales did not benefit from the kind of sinecure every other former Bush official — even James Comey, who went to Lockheed — enjoyed upon departure, which you would have thought he’d get after lying to protect the President.
Then, a year after Gonzales’ departure, we learned that in the weeks before he resigned, White House Counsel Fred Fielding had narced him out for storing a bunch of Top Secret CYA documents in a briefcase in his closet. Continue reading
The Guardian has their next big NSA scoop, and it is meatier than the earlier ones. The headline is that President Obama continued a 2-degrees of separation analysis of Internet metadata under Section 702 for two years after he came into office. The practice morphed into something else in 2011, making it highly likely the October 3, 2011 FISC opinion finding FAA 702 activities violated the Fourth Amendment pertained to this practice.
Along with their story, the released two documents, one of which has two appendices. Altogether they’ve released:
I’ll have far, far more to say going forward.
But I wanted to point to language that reinforces my fears about how they’re controlling the still extant database of US person telephone metadata.
The documents describe the great oversight of the Internet metadata twice. First in the November 20, 2007 letter itself:
When logging into the electronic data system users will view a banner that re-emphasizes key points regarding use of the data, chaining tools, and proper dissemination of results. NSA will also create an audit trail of every query made in each database containing U.S. communications metadata, and a network of auditors will spot-check activities in the database to ensure compliance with all procedures. In addition, the NSA Oversight and Compliance Office will conduct periodic super audits to verify that activities remain properly controlled. Finally, NSA will report any misuse of the information to the NSA’s Inspector General and Office of GEneral Counsel for inclusion in existing or future reporting mechanisms related to NSA’s signals intelligence activities.
And in the September 28, 2006 Amendment:
5. Before accessing the data, users will view a banner, displayed upon login and positively acknowledged by the user, that re-emphasizes the key points regarding use of the data and chaining tools, and proper dissemination of any results obtained.
6. NSA creates audit trails of every query made in each database containing U.S. communications metadata, and has a network of auditors who will be responsible for spot-checking activities in the database to ensure that activities remain compliant with the procedures described for the data’s use. The Oversight and Compliance Office conducts periodic super audits to verify that activities remain properly controlled.
7. NSA will report any misuse of the information to NSA’s Inspector General and Office of General Counsel for inclusion in existing or future reporting mechanisms relating to NSA’s signals intelligence activities.
These descriptions are consistent with what we’ve been told still exists with the telephone metadata, so it is likely (though not certain) the process remains the same.
There are two big problems, as I see it. First, note that the Oversight and Compliance Office appears to be within NSA’s operational division, not part of the Inspector General’s Office. This means it reports up through the normal chain of command. And, presumably, its actions are not required to be shared with Congress. The IG, by contrast, has some statutory independence. And its activities get briefed to Congress.
In other words, this initial check on the metadata usage appears to be subject to managerial control.
But my other worry is even bigger. See where the descriptions talk about the fancy banner? The description says nothing about how that log-in process relates to the audit trail created for these searches. Indeed, in both of these documents, “the NSA” “creates” the audit trails. They don’t appear to be generated automatically, as they easily could be and should be.
That is, it appears (and this is something that has always been left vague in these descriptions) that these are manual audit trails, not automatic ones. (Though I hope they go back and compare them with keystrokes.)
When FBI had this kind of access to similar data, they simply didn’t record a lot of what they were doing, which means we have almost no way of knowing whether there’s improper usage.
This may have changed. These “audit trails” may have been automatically generated at this time (though that’s not what the process describes). Though the NSA IG’s inability to come up with a number of how many US person records are access suggests there’s nothing automated about it.
And if that’s true, still true, then the telephone metadata still in place is an invitation for abuse.
Glenn Greenwald has a great post on the Administration’s refusal to say whether it can kill Americans inside the US. But he misstates how extreme Obama’s refusal to share Office of Legal Counsel memos is. That’s because he equates an Administration sharing OLC memos with the intelligence committee and sharing them with the public.
Critically, the documents that are being concealed by the Obama administration are not operational plans or sensitive secrets. They are legal documents that, like the leaked white paper, simply purport to set forth the president’s legal powers of execution and assassination. As Democratic lawyers relentlessly pointed out when the Bush administration also concealed legal memos authorizing presidential powers, keeping such documents secret is literally tantamount to maintaining “secret law”. These are legal principles governing what the president can and cannot do – purported law – and US citizens are being barred from knowing what those legal claims are.
You know who once claimed to understand the grave dangers from maintaining secret law? Barack Obama. On 16 April 2009, it was reported that Obama would announce whether he would declassify and release the Bush-era OLC memos that authorized torture. On that date, I wrote: “today is the most significant test yet determining the sincerity of Barack Obama’s commitment to restore the Constitution, transparency and the rule of law.” When it was announced that Obama would release those memos over the vehement objections of the CIA, I lavished him with praise for that, writing that “the significance of Obama’s decision to release those memos – and the political courage it took – shouldn’t be minimized”. The same lofty reasoning Obama invoked to release those Bush torture memos clearly applies to his own assassination memos, yet his vaunted belief in transparency when it comes to “secret law” obviously applies only to George Bush and not himself.
But it is not the case that Bush always sat on OLC memos. In fact, as Dianne Feinstein noted in John Brennan’s confirmation hearing, at least by the last year of the Bush Administration, Democrats had gotten Steven Bradbury to start turning over even the most sensitive OLC memos to Congress.
I wanted to talk about, just for a moment, the provision of documents. Senator Wyden and others have had much to do about this. But our job is to provide oversight to try to see that the CIA and intelligence communities operate legally.
In order to do that, it is really necessary to understand what the legal — the official legal interpretation is. So the Office of Legal Counsel opinions becomes very important.
We began during the Bush administration with Mr. Bradbury to ask for OLC opinions. Up til last night, when the president called the vice chairman, Senator Wyden and myself and said that they were providing the OLC opinions, we have not been able to get them. It makes our job to interpret what is legal or not legal much more difficult if we do not have those opinions.
Which made it possible to — as DiFi did in an exchange with Michael Mukasey on April 10, 2008 — force the (Bush) Administration to publicly disavow some of the more extreme positions endorsed by John Yoo. Continue reading
Steven Aftergood suggests there’s disagreement among Senate Intelligence Committee members about whether or not the FISA Amendments Act allows the government to get US person content without a warrant.
The dispute was presented but not resolved in a new Senate Intelligence Committee report on the Foreign Intelligence Surveillance Act Amendments Act (FAA) Sunsets Extension Act, which would renew the provisions of the FISA Amendments Act through June 2017.
“We have concluded… that section 702 [of the Act] currently contains a loophole that could be used to circumvent traditional warrant protections and search for the communications of a potentially large number of American citizens,” wrote Senators Ron Wyden and Mark Udall.
But Senator Dianne Feinstein, the Committee chair, denied the existence of a loophole. Based on the assurances of the Department of Justice and the Intelligence Community, she said that the Section 702 provisions “do not provide a means to circumvent the general requirement to obtain a court order before targeting a U.S. person under FISA.”
I don’t think there is a conflict. Rather, I think DiFi simply responded to Wyden and Udall’s assertions with the same spin the government has used for some time. That’s because DiFi is talking about “targeting” and Wyden and Udall are talking about “searching” US person communications.
DiFi quotes much of the language from Section 702 earlier in her statement on FAA, repeating, repeating the word “target” three times.
In enacting this amendment to FISA, Congress ensured there would be important protections and oversight measures to safeguard the privacy and civil liberties of U.S. persons, including specific prohibitions against using Section 702 authority to: “intentionally target any person known at the time of acquisition to be located in the United States;” “intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States;” “intentionally target a United States person reasonably believed to be located outside the United States;” or “intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States.” As an additional measure the law also requires that an acquisition under Section 702 “shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.” [my emphasis]
Her specific retort to the problem Wyden and Udall differentiates clearly between “querying information collected under Section 702 to find communications of a particular United States person” and “conduct[ing] queries to analyze data already in its possession” and “targeting.”
Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. As already noted, the Intelligence Community is strictly prohibited from using Section 702 to target a U.S. person, which must at all times be carried out pursuant to an individualized court order based upon probable cause. Continue reading
The Senate Judiciary Committee is holding a hearing today to review the results of the Schuelke report on the prosecutorial misconduct in the Ted Stevens case and to entertain the Lisa Murkowski bill requiring disclosure. In response, DOJ submitted a statement for the record, opposing any legislation enforcing its discovery obligations.
When concerns were first raised about the handling of the prosecution of Senator Stevens, the Department immediately conducted an internal review. The Attorney General recognized the importance of ensuring trust and confidence in the work of Department prosecutors and took the extraordinary step of moving to dismiss the case when errors were discovered. Moreover, toensure that the mistakes in the Stevens case would not be repeated, the Attorney General convened a working group to review discovery practices and charged the group with developing recommendations for improving such practices so that errors are minimized. As a result of the working group’s efforts, the Department has taken unprecedented steps, described more fully below, to ensure that prosecutors, agents, and paralegals have the necessary training and resources to fulfill their legal and ethical obligations with respect to discovery in criminal cases. These reforms include a sweeping training curriculum for all federal prosecutors and the requirement–for the first time in the history of the Department of Justice–that every federal prosecutor receive refresher discovery training each year.
In light of these internal reforms, the Department does not believe that legislation is needed to address the problems that came to light in the Stevens prosecution. Such a legislative proposal would upset the careful balance of interests at stake in criminal cases, cause significant harm to victims, witnesses, and law enforcement efforts, and generate substantial and unnecessary litigation that would divert scarce judicial and prosecutorial resources.
In short, DOJ is saying, “trust us. We don’t need a law requiring us to do what case law says we need to.”
Right off the bat, I can think of 5 major problem with this statement:
No one has been held accountable
We are three years past the time when Stevens’ case was thrown out. Yet none of the prosecutors involved have been disciplined in any meaningful way.
No doubt DOJ would say that it will hold prosecutors responsible if and when the Office of Professional Responsibility finds they committed misconduct. But in the interim three years, DOJ as a whole has sent clear messages that it prefers protecting its case to doing anything about misconduct. And–as Chuck Grassley rightly pointed out at the hearing–thus far no one has been held responsible.
This statement may claim DOJ is serious about prosecutorial misconduct. But its actions (and inaction) says the opposite.
Even after this training, discovery problems remain
As the DOJ statement lays out, in response to the Stevens debacle, DOJ rolled out annual training programs for prosecutors to remind them of their discovery obligations.
And yet, last year, Leonie Brinkema found that prosecutors in the Jeff Sterling case had failed to turn over critical evidence about prosecution witnesses–one of the problems with the Stevens prosecution. The prosecutor involved? William Welch, whom Schuelke accused of abdicating his leadership role in the Stevens case (note, DOJ says the CIA is at fault for the late discovery; but Welch is, after all, the prosecutor who bears responsibility for it).
If William Welch can’t even get discovery right after his involvement in this case and, presumably, undergoing the training DOJ promises will fix the problem, then training is not enough to fix the problem.
Eric Holder won’t run DOJ forever
The statement focuses on Holder’s quick decision to dismiss the case against Stevens, as if that, by itself, guards against any similar problems in the future. But before Holder was AG, Michael Mukasey was–and Judge Emmet Sullivan grew so exasperated with Mukasey’s stonewalling on this case, he ordered him to personally respond to questions about the case.