On Sunday I asked who was crying wolf — JP Morgan itself, or Mike Rogers — about the claimed JP Morgan attack that might not be a serious attack at all and had been attributed to Russia without proof of that yet.
So who should crawl out of his sinecure but Keith Alexander?
Keith Alexander, the NSA director from 2005 until last March, said he had no direct knowledge of the attack though it could have been backed by the Russian government in response to sanctions imposed by the U.S. and EU over the crisis in Ukraine.
“How would you shake the United States back? Attack a bank in cyberspace,” said Alexander, a retired U.S. Army general who has started his own cybersecurity company to sell services to U.S. banks. “If it was them, they just sent a real message: ‘You’re vulnerable.’”
The hackers who attacked JPMorgan, the biggest U.S. bank, were “a group with exceptional skills or a nation-state backed group,” Alexander said in an interview yesterday at Bloomberg’s Washington bureau.
“If you wanted to send a message, do you think that was significant enough for the U.S. government to say one of the best banks that we have from a cybersecurity perspective was infiltrated by somebody?” Alexander asked. “And if they could get in to do that, even if they never use it, they could get in and collapse it. Does that cause you concern?”
Note how Alexander admits he has no personal knowledge of the attack but then opines about the skills of the hackers and goes from there to hypothesize how this was a response from Russia?
So maybe it wasn’t JP Morgan or Mike Rogers crying wolf. It sure looks like Alexander is willingly feeding the poorly evidenced claims about this hack.
But don’t worry, Keith Alexander doesn’t have a conflict of interest at all.
Let me say straight out: Privacy and Civil Liberties Oversight Board member Rachel Brand is no slouch. She’s very smart and very accomplished.
All that said, I am rather intrigued by the way she consulted NSA General Counsel Raj De several times – as illustrated by these emails Jason Leopold liberated from PCLOB — as she worked on her dissent to the Democratic PCLOB members’ conclusion that the Section 215 dragnet is illegal.
On January 6, Brand emailed De. “Do you have a couple minutes to talk about a PCLOB matter today or tomorrow?” They scheduled some time to talk at midday the next day — though a request from Keith Alexander appears to have forced De to delay. Nevertheless, by 1:30 on January 7, it appears De and Brand spoke, because De forwarded two things: I Con the Record’s press release announcing the FISA Court had reauthorized the dragnet even after Judge Richard Leon ruled it unconstitutional (De makes no mention in his email, but the order had considered Leon’s ruling before reauthorizing the program), and the GPO transcript of Robert Mueller’s claim in a June 2013 House Judiciary Committee hearing that the dragnet would have prevented 9/11.
Ten days later, on January 17, Brand was emailing De again, after having seen each other that morning (that was the morning President Obama announced his own reforms to the dragnet, so it may have been in that context). She sent NSA’s General Counsel a paragraph, with one sentence highlighted, asking if it was accurate. He responded with “some suggestions for accuracy for your consideration … Feel free to give a call if you want to discuss, or would like more detail.”
Then, over that weekend, Brand and De exchanged the following emails:
Saturday, January 18, 12:31: Brand sends “the current draft of my separate statement” stating she wants “to be sure there is nothing factually or legally inaccurate in it;” she says it is currently 5 pages and tells De she needs to give PCLOB Chair David Medine the final by Sunday night
Saturday, January 18, 2:11: De responds, “happy to”
Sunday, January 19, 10:51: De responds, saying, “not that you need or want my validation, but for what’s [sic] it is worth it really reads quite well.” De then provides 3 “additional factual details” which “might fit in if you wanted to use them;” those bullets are redacted
Sunday, January 19, 3:47: Brand replies, stating that Beth (Elisebeth Collins Cook, the other Republican on PCLOB) “explicitly makes the first two in her separate statement” and that she’s “trying to keep this short, so have to forego making every available point”
As expected, last night Justin Amash held off a challenge from a corporatist Republican, Brian Ellis (though the margin was closer than polls predicted). What has the local punditry surprised, however, is Amash’s victory speech, where he attacked Ellis and former Congressman Crazy Pete Hoekstra, who endorsed Ellis.
AMASH VICTORY SPEECH: U.S. Rep. Justin Amash’s win over 3rd District GOP primary challenger Brian Ellis wasn’t too surprising, but his victory speech was. Rather than simply celebrate, Amash reportedly refused to answer a concession phone call from Ellis and then unloaded on the businessman, who had run a TV ad calling him “Al Qaeda’s best friend” in Congress. “I ran for office to stop people like you,” Amash said to Ellis, who was not present. He also ripped former U.S. Rep. Pete Hoekstra, who backed Ellis in a separate commercial. “I’m glad we can hand you one more loss before you fade into total obscurity and irrelevance,” he said of Hoekstra.
I get that you’re supposed to give a happy unity speech after you win (though I personally don’t much care if MI Republicans rip themselves apart, and MI’s Republican Congressmen already broke protocol by offering no support to Amash and in Mike Rogers’ case giving big support for Ellis). But not only is Crazy Pete a disgrace, Ellis did try to gain traction by smearing Amash.
From the coverage, I think Amash was most pissed that Ellis and Hoekstra treated a vote Amash refused to cast to defund Planned Parenthood on constitutional grounds as a pro-choice vote.
But in an interview with Fox, Amash also called disgusting Ellis’ ad, which rather famously repeated a claim that he’s al Qaeda’s best friend in Congress.
“I’m an Arab-American, and he has the audacity to say I’m Al-Qaeda’s best friend in Congress. That’s pretty disgusting.”
This ad, which played (among other prominent ad buys) during the World Cup, really pissed me off.
Not only for the treatment of Gitmo as anything but a terrible moneypit, all in the hopes of maintaining some extra-legal space to sustain the notion of war rather than law. But especially for the notion that anything but lock-step support for counterproductive counterterrorism policies makes you a friend of al Qaeda.
And yes, especially the suggestion that one of Congress’ only Arab-American members (Amash’s parents are Palestinian and Syrian Christians) might therefore be an Islamic terrorist.
For 12 years – ever since Saxby Chambliss used a similar technique to take out Max Cleland – our political culture has tolerated ads that invoke terror to short-circuit any real political debate about how we fight it. Those ads get treated as business as usual. Win or lose the race and then make nice with your opponent.
That such ads are still (were ever!) considered acceptable political discourse — that Amash, and not Ellis, is getting the scolds – damns our political system. By treating any debate over the efficacy of counterterrorism policy as terrorism itself, we foreclose potentially far more effective ways of keeping the country safe and potentially far smarter ways to spend limited resources. (Crazy Pete, for example, fear-mongered about moving Gitmo detainees to a prison threatened with closure in Michigan, thereby losing Michigan jobs, but also committing the US to continue to spend exorbitant amounts to keep our gulag open.)
At some point, it needs to be okay to call out such bullshit. Because until then, we’ll never be able to actually debate the best way to keep the country safe.
The ACLU and EFF normally do great work defending the Fourth Amendment. Both have fought the government’s expansive spying for years. Both have fought hard to require the government obtain a warrant before accessing your computer, cell phone, and location data.
But earlier this week, they may have taken action that directly undermines that good work.
On Wednesday, both civil liberties organizations joined in a letter supporting Patrick Leahy’s version of USA Freedom Act, calling it a necessary first step.
We support S. 2685 as an important first step toward necessary comprehensive surveillance reform. We urge the Senate and the House to pass it quickly, and without making any amendments that would weaken the important changes described above.
ACLU’s Laura Murphy explained why ACLU signed onto the bill in a column at Politico, analogizing it to when, in 2010, ACLU signed onto a bill that lowered, but did not eliminate, disparities in crack sentencing.
Reform advocates were at a crossroads. Maximalists urged opposition despite the fact the bill would, in a very real way, make life better for thousands of people and begin to reduce the severe racial and ethnic inequality in our prison system. Pragmatists, fearing that opposition to the bill would preclude any reform at all, urged support.
It was a painful compromise, but the ACLU ultimately supported the bill. It passed, astoundingly, with overwhelming support in both chambers.
And then something amazing happened. Conservative lawmakers, concerned about government waste, increasingly came to the table to support criminal justice reform. Liberals realized they could vote their conscience on criminal justice without accusations of being “soft on crime.” It has not been easy and there have been many steps backward, but in recent years, we’ve seen greater public opposition to mandatory minimum sentences and real movement on things like reducing penalties for low-level drug offenses.
The analogy is inapt. You don’t end crack disparities by increasing the number of coke dealers in jail. But Leahy’s USA Freedom Act almost certainly will increase the number of totally innocent Americans who will be subjected to the full brunt of NSA’s analytical authorities indefinitely.
That’s because by outsourcing to telecoms, NSA will actually increase the total percentage of Americans’ telephone records that get chained on; sources say it will be more “comprehensive” than the current dragnet and Deputy NSA Director Richard Ledgett agrees “the actual universe of potential calls that could be queried against is [potentially] dramatically larger.” In addition, the telecoms are unlikely to be able to remove all the noisy numbers like pizza joints — as NSA currently claims to – meaning more people with completely accidental phone ties to suspects will get sucked in. And USA Freedom adopts a standard for data retention — foreign intelligence purpose — that has proven meaningless in the past, so once a person’s phone number gets turned over to the NSA, they’ll be fair game for further NSA spying, the really invasive stuff, indefinitely.
But that’s not the reason I find ACLU and EFF’s early support for USA Freedom so astounding.
I’m shocked ACLU and EFF are supporting this bill because they don’t know what the NSA will be permitted to do at the immunized telecoms. They have blindly signed onto a bill permitting “connection chaining” without first understanding what connection chaining entails.
As I have reported extensively, while every witness who has talked about the phone dragnet has talked about chaining on phone calls made — all the calls Anwar al-Awlaki made, all the calls those people made — the language describing this chaining process has actually been evolving. Dianne Feinstein’s Fake FISA Fix last fall allowed the NSA to chain on actual calls — as witnesses had described — but also on communications (not just calls) “to or from any selector reasonably linked to the selector.” A February modification and the last two dragnet orders permitted NSA to chain on identifiers “with a contact and/or connection” with the seed, making it clear that a “connection” is something different than a “contact.” The House bill USA Freedumber adopted the same language in a legislative report. Leahy’s bill adopts largely the same language for chaining.
(iii) provide that the Government may require the prompt production of call detail records—
(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and
(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;
Now, it’s possible that this language does nothing more than what NSA illegally did until 2009: chain not only on the identifier itself, but also on identifiers it has determined to be the same person. Back in 2009, NSA referred to a separate database to determine these other identifiers. Though that’s unlikely, because the bill language suggests the telecoms will be identifying these direct connections.
It’s possible, too, that this language only permits the telecoms to find “burner” phones — a new phone someone adopts after having disposed of an earlier one — and chain on that too.
But it’s also possible that this language would permit precisely what AT&T does for DEA in its directly analogous Hemisphere program: conduct analysis using cell site data. The bill does not permit NSA to receive cell site data, but it does nothing to prohibit NSA from receiving phone numbers identified using cell site data. When Mark Warner asked about this, Ledgett did not answer, and James Cole admitted they could use these orders (with FISC approval) to get access to cell location.
It’s possible, too, that the telecoms will identify direct connections using other data we know NSA uses to identify connections in EO 12333 data, including phone book and calendar data.
The point is, nobody in the public knows what “connections” NSA will be asking its immunized telecom partners to make. And nothing in the bill or even the public record prohibits NSA from asking telecoms to use a range of smart phone information to conduct their analysis, so long as they only give NSA phone identifiers as a result.
In response to questions from Senators about what this means, Leahy’s office promised a letter from James Clapper’s office clarifying what “connections” means (No, I don’t remember the part of Schoolhouse Rock where those regulated by laws get to provide “clarifications” that don’t make it into the laws themselves). That letter was reported to be due on Tuesday, by close of business — several days ago. It hasn’t appeared yet.
I asked people at both EFF and ACLU about this problem. EFF admitted they don’t know what this language means. ACLU calls the language “ambiguous,” but based on nothing they were able to convey to me, insists getting smart phone data under the guise of connection chaining would be an abuse. ACLU also pointed to transparency provisions in the bill, claiming that would alert us if the NSA started doing something funky with its connection language; that of course ignores that “connection chaining” is an already-approved process, meaning that existing processes won’t ever need to be released. It also ignores that the Administration has withheld what is probably a directly relevant phone dragnet opinion from both ACLU and EFF in their dragnet FOIA.
I get Laura Murphy’s point about using USA Freedom to start the process of reform. But what I don’t understand is why you’d do that having absolutely no idea whether that “reform” codifies the kind of warrantless probable cause-free access to device data that ACLU and EFF have fought so hard to prevent elsewhere.
ACLU and EFF are supposed to be leaders in protecting the privacy of our devices, including smart phones. I worry with their embrace of this bill, they’re leading NSA right into our smart phones.
Josh Gerstein already wrote about some of this Mike Rogers blather. But I wanted to transcribe the whole thing to display how utterly full of shit he is.
At a conference at Georgetown the other day (see video 3), Rogers laid into the tech companies for opposing USA Freedumber, which he badly misrepresented just before this. The context of European opportunism begins at 1:06, the quote begins after 1:08.
We should be very mad at Google, and Microsoft, and Facebook, because they’re doing a very interesting, and I think, very dangerous thing. They’ve come out and said, “well, we oppose this new FISA bill because it doesn’t go far enough.” When you peel that onion back a little bit, and why are you doing this, this is a good bill, it’s safe, bipartisan, it’s rational, it meets all the requirements for Fourth Amendment protection, privacy protection, and allowing the system to work,
Rogers claims they’re doing so solely because they’re afraid to lose European business. And Rogers — a Republican! — is furious that corporations prioritize their profits (note, Rogers has never complained that some of these same companies use European tax shelters to cheat the tax man).
And they say, “well, we have to do this because we have to make sure we don’t lose our European business.” I don’t know about the rest of you, that offends me from the word, “European business.” Think about what they’re doing. They’re willing, in their minds, to justify the importance of their next quarter’s earnings in Europe, versus the National Security of the United States. Everybody on those boards should be embarrassed, and their CEOs should be embarrassed, and their stockholders should be embarrassed. That one quarter cannot be worth the National Security of the United States for the next 10 generations. And if we don’t get this part turned around very quickly, it will likely get a little ugly, and that emotional piece that we got by is going to be right back in the center of the room to no good advantage to our ability to protect the United States.
Mostly, he seems pissed because he knows the collective weight of the tech companies may give those of us trying to defeat USA Freedumber a fighting chance, which is what Rogers considers an emotional place because Democracy.
But Rogers’ rant gets truly bizarre later in the same video (after 1:23) where he explains what the security interest is:
We have one particular financial institution that clears, somewhere about $7 trillion dollars in global financial transactions every single day. Imagine if tomorrow that place gets in there and through an attack of which we know does exist, the potential does exist where the information is destroyed and manipulated, now you don’t know who owes what money, some of that may have lost transactions completely forever, imagine what that does to the economy, $7 trillion. Gone — right? Gone. It’s that serious.
Mind you, Rogers appears unaware that a bank’s shuffling of money — while an incredibly ripe target for hackers — does not really contribute to the American economy. This kind of daily volume is churn that only the very very rich benefit from. And one big reason it’s a target is because it is an inherently fragile thing.
To make all this even more hysterical, Rogers talks about risk driving insurance driving proper defensive measures from the target companies … yet he seems not to apply those rules to banks.
Mike Rogers, it seems, would rather kill Google’s business than permit this rickety, vitality-killing bank to feel the full brunt of the risk of its own business model.
One of the things I was most surprised about in the House Intelligence Authorization was a requirement that the Director of National Intelligence report violations of law or EO 12333 to the Intelligence Committees.
SEC. 510. ANNUAL REPORT ON VIOLATIONS OF LAW OR EXECUTIVE ORDER.
(a) Annual Reports Required.–The Director of National Intelligence shall annually submit to the congressional intelligence committees a report on violations of law or executive order by personnel of an element of the intelligence community that were identified during the previous calendar year.
(b) Elements.–Each report required under subsection (a) shall include a description of, and any action taken in response to, any violation of law or executive order (including Executive Order 12333 (50 U.S.C. 3001 note)) by personnel of an element of the intelligence community in the course of such employment that, during the previous calendar year, was determined by the director, head, general counsel, or inspector general of any element of the intelligence community to have occurred.
(b) Initial Report.–The first report required under section 510 of the National Security Act of 1947, as added by subsection (a), shall be submitted not later than one year after the date of the enactment of this Act.
The language was inserted into the bill by Jim Himes (who also added very laudable language requiring Senate approval for the NSA’s Inspector General).
The language appeared in the RuppRoge NSA “reform” bill; I presumed then that it was meant as false transparency — an effort to show off that just one NSA cleared individual a year gets caught stalking an ex-girlfriend using its authorities.
And it may well be.
But I’m intrigued that Mike Rogers dedicated most of a Manager’s Amendment to the bill to tighten language from that section (in part limiting the reporting to actions “relating to intelligence activities”). And the hackish Ted Yoho submitted an amendment requiring a version of the report be shared with the House Oversight and Senate Homeland Security and Government Affairs Committees. I can’t imagine Yoho asking for it unless there were partisan hay to make out of it.
Now I want that report!
I’m particularly puzzled by an Amendment Mike Rogers submitted at the last minute, after having proposed it in committee but withdrawn it. The description of what he proposed reads,
Chairman Rogers offered an amendment to the amendment in the nature of a substitute to require a “cooling off” period before former Intelligence Community senior employees could work for a foreign government or a company controlled by a foreign government. The amendment would also establish notification and reporting requirements for former IC senior employees. He subsequently withdrew the amendment.
After having withdrawn that, he submitted this amendment, but did not list it as a Manager’s Amendment (see below for the text).
Effectively, the Amendment seems to do two things. First, it requires high ranking intelligence community personnel (and this includes Congress, presumably up to and including Rogers himself) to tell their Agency when they start negotiating a new job with a company with foreign ties.
It would also prohibit those high ranking people from working for a company with foreign ties for a year – or two, if it pertains to something they worked on. It also requires former employees to disclose any payment they get from a foreign country or foreign owned company.
Now, this Amendment seems like a total no-brainer (indeed, the reporting requirements should be in place for all employers). It’s a measure to prevent top IC officials from going to work for foreign governments.
So why didn’t this pass through committee? And why is Rogers submitting it now? What former high ranking official went to work for a foreign entity, raising the need for such a no-brainer law?
One more question: I wonder whether Israel will be included among the covered countries. Sure, it’s a close ally — precisely the kind that might hire away top IC talent. But it’s also an aggressive spy targeting the US. Precisely the kind of country that would make this kind of amendment even remotely controversial.
Update: Via Matt Stoller and billmon, this is presumably what this is about:
A longtime adviser to the U.S. Director of National Intelligence has resigned after the government learned he has worked since 2010 as a paid consultant for Huawei Technologies Ltd., the Chinese technology company the U.S. has condemned as an espionage threat, The Associated Press has learned.
Theodore H. Moran, a respected expert on China’s international investment and professor at Georgetown University, had served since 2007 as adviser to the intelligence director’s advisory panel on foreign investment in the United States. Moran also was an adviser to the National Intelligence Council, a group of 18 senior analysts and policy experts who provide U.S. spy agencies with judgments on important international issues.
Though I’m not convinced Moran would be covered under this law. Plus, he disclosed his tie to Huawei.
I fear, reading this Kevin Drum post, that my explanations of why USA Freedumber will not end what you and I think of as bulk collection have not been clear enough. So I’m going to try again.
It is now, with the bill in current form, a 4-part argument:
The intelligence versus the plain English definition of bulk collection
This entire bill is based on the intelligence community definition of bulk collection, not the common English definition of it. As defined by President Obama’s Presidential Policy Directive on SIGINT, bulk collection means,
the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).
Bulk collection, as defined by the intelligence community, only means collection that obtains all of a particular type of record: all phone records, all Internet metadata, all credit card records. Anything that stops short of that – all 202 Area Code phone records, all credit card records buying pressure cookers, all Internet metadata for email sent to Yemen — would not count as bulk collection under this definition.
A more commonsense meaning of bulk collection would be the collection of large volumes of data, sweeping up the data of totally innocent people, on which to do further (sometimes technically intrusive) searches to find the data of interest. What we call “Big Data,” for example, would very often not qualify as bulk collection as the intelligence community defines it (perhaps it starts with the health data of everyone born after 1946, for example, or the purchase records from just one online store) but would qualify as bulk collection as you and I would define it.
As I explained in this post, the means USA Freedumber uses to ensure that it does not permit bulk collection is to require the collection start from a “selection term.” Thus, by definition, it cannot be bulk collection because the technical (but not commonsense) definition of bulk collection is collection that does not use a selection term.
And because they defined it that way, it means that every time some well-intentioned Congressman (it was all men, pushing this bill) boasted that this bill “ends bulk collection” they were only laying a legislative record that would prohibit the intelligence community definition of bulk collection, not the commonsense meaning.
The bill retains the “relevant to” language that gave us bulk collection in the first place
Man, Jim Sensenbrenner must have complained about the way the FISA Court reinterpreted the plain meaning of “relevant to” from the 2006 reauthorization of the PATRIOT Act three or four times in the post-passage press conference. He’s still angry, you see, that a court, in secret, defined the term “relevant to” to mean “any data that could possibly include.”
But this bill does nothing to change that erroneous meaning of the term.
Worse, it relies on it!
For most authorities — the Pen Register (PRTT) authority, the non-call record Section 215 authority, and all National Security Letter authorities – USA Freedumber leaves that language intact. It now requires the use of a selection term, but unlike the new call record language, those authorities don’t require that the selection term be “associated with a foreign power or an agent of a foreign power.” (You can compare the language for traditional Section 215 and the new call records Section 215 at b2B and b2C in this post.) They don’t even require that the selection term itself be relevant to the investigation!
Thus, so long as there is a selection term — some term to ensure the NSA isn’t grabbing all of a certain kind of record — they’re going to still be able to get that data so long as they can argue that sorting through whatever data they get will yield useful information.
“Specific selection term” is too broad
Now, all that wouldn’t matter if the bill required specific selection terms to be tied to the individual or entity under investigation. Even the USA Freedumb bill didn’t require that.
But the language in USA Freedumber that got passed today makes things worse.
SPECIFIC SELECTION TERM.—The term ‘specific selection term’ means a discrete term, such as a term specifically identifying a person, entity, account, address, or device, used by the Government to limit the scope of the information or tangible things sought pursuant to the statute authorizing the provision of such information or tangible things to the Government.’
Again, note that the selection term only needs to limit the scope of production, not have a tie to the target of the investigation.
And I actually find comfort from some of these terms — I’d be happy if the financial NSLs could only search on a specific account and the toll record NSL could only get phone records of a specific device (though FBI does use NSLs to get 2 degree separation, so this would return more than just that device’s records). But as I’ve said in the past, “entity” is far too broad. It could include al Qaeda — allowing the NSA to obtain all data that might have al Qaeda data within it — or VISA — allowing the NSA to obtain all of that credit card entity’s data.
Working on a detailed comparison of the difference between the USA Freedumb and USA Freedumber bills, one of the most alarming changes is the gutting of Pen Register minimization procedures. They took language not only adding minimization procedures to Pen Register orders,
(b) APPLICATION.—Section 402(c) (50 U.S.C. 1842(c)), as amended by section 201 of this Act, is further amended by adding at the end the following new paragraph:
(4) a statement of proposed minimization procedures.
(c) ORDER.—Section 402(d) (50 U.S.C. 1842(d)) is amended—
(1) in paragraph (1), by inserting ‘‘and that the proposed minimization procedures meet the definition of minimization procedures under this title’’
But permitting the court to review whether the government met those minimization procedures.
(h) At or before the end of the period of time for which the installation and use of a pen register or trap and trace device is approved under an order or an extension under this section, the judge may assess compliance with the minimization procedures by reviewing the circumstances under which information concerning United States persons was retained or disseminated.’
They even specified the government had to follow those minimization procedures!
USA Freedumber changed that by letting the Attorney General review what are now called “privacy procedures.”
(h) The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard non-publicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect national security, include protections for the collection, retention, and use of information concerning United States persons.
They limit the extent of these “privacy procedures” “to the extent practicable … with the need to protect national security.” That is, they don’t have to follow these “privacy procedures” if it’ll harm national security, and the change seems to show legislative intent to deprive the FISC of any review.
That’s alarming for a number of reasons:
NSA versus FISC
According to a footnote in the 2010 John Bates opinion on the Internet dragnet, when the government first applied to Colleen Kollar-Kotelly for a FISC order to authorize the dragnet, they claimed she had no authority to do anything but rubber stamp the application.
We know that, having made that argument, the government got caught in violating the rules Kollar-Kotelly placed on the collection, but then continued to violate the rules for at least 5 more years, until 2009, when it got shut down for a while.
It would seem that the original language in USA Freedom Act would have clarified this issue, and made clear the FISC could exercise real oversight over any PRTT collection.
Adopting RuppRoge’s Internet Dragnet language
This language adopts the nomenclature from the HPSCI’s RuppRoge bill. (See page 18.)
But these “privacy procedures” seem qualitatively worse than the RuppRoge bill in several ways. RuppRoge provides loosey goosey judicial review of the privacy procedures. And it did not include the “extent practicable” language.
Given the background — given the fact that the government has already told the FISC it shouldn’t have real oversight over PRTT — this language seems to lay clear legislative intent that FISC should have no role whatsoever, especially not with minimization procedures (which, after all, is what they fought with the FISC over for at least years).
The secrecy behind the FBI’s PRTT orders on behalf of NSA
Finally, there’s a series of entries on the classification guide for FISA programs leaked by Edward Snowden.
These entries show that FBI obtained counterterrorism information using PRTTs for NSA — which was considered Secret.
But that the FBI PR/TT program – which seems different than these individual orders — was considered TS/SI/NOFORN.
If you compare these entries with the rest of the classification guide, you see that this information — the fact that NSA gets PRTT information from FBI (in addition to information from Pen Registers, which seems to be treated differently at the Secret level) – is treated with the same degree of secrecy as the actual targeting information or raw collected data on all other programs.
This is considered one of the most sensitive secrets in the whole FISA package.
Even minimized PRTT data is considered TS/SCI.
Now, it is true that this establishes an exact parallel with the BR FISA program (which the classification guide makes clear NSA obtained directly). So it may be attributable to the fact that the existence of the programs themselves was considered a highly sensitive secret.
So maybe that’s it. Maybe this just reflects paranoia about the way NSA was secretly relying on the PATRIOT Act to conduct massive dragnet programs.
Except there’s the date.
This classification guide was updated on February 7, 2012 — over a month after NSA shut down the PRTT program. Also, over a month after — according to Theresa Shea — the NSA destroyed all the data it had obtained under PRTT. (Note, her language seems to make clear that this was the NSA’s program, not the FBI’s.)
That is, over a month after the NSA ended its PRTT program and destroyed the data from it (at least according to sworn declarations before a court), the NSA’s classification guide referred to an FBI PRTT program that it considered one of its most sensitive secrets. And seemed to consider active.
If FBI had a PRTT program active in 2012 that was separate from the NSA PRTT program (I’m not sure that’s the case; it could be they just didn’t update this part of the classification guide), then is it still active? Has the Internet dragnet just moved to FBI?
If so, it’s no wonder why the Intelligence Community would want to guarantee that FISC had no review of it.
Update: Note, too, that the bill removes reporting requirements related to PRTT.
Remember how, in the days after President Obama announced his principles for reforming the dragnet, his Senior Administration Official pretended that any efforts to make the scope of the program worse would come from Congress?
First and very importantly, the conference call left unclear (and most subsequent reporting often didn’t directly address) whether Obama’s plan would apply just to counterterrorism purposes (as the current phone dragnet does) or more broadly (as the House Intelligence Committee RuppRoge proposal does). But SAO is clear: Obama’s plan focuses on specific terrorist groups.
The existing program only allows for queries of numbers associated with specified terrorist groups. Our operational focus is to make sure we preserve that counterterrorism authority in any new legislation. We will continue consulting with Congress on these issues.
This, then, is another way in which the President’s plan is significantly better than the RuppRoge plan — that it sets out to only cover CT, whereas RuppRoge sets out to cover foreign intelligence purposes broadly. Though that “consult with Congress” bit seems to allow the possibility that the White House will move towards broader use for the query system.
Well, it looks like the Administration isn’t so passive after all. They’re working with House leadership to gut the bill.
TROUBLE FOR USA FREEDOM? – House leadership and Obama administration officials met with committee members Sunday to negotiate changes to key NSA reform legislation, parting late in the evening without reaching a final resolution, said a congressional staffer close to the process. Still, it seems clear that the USA FREEDOM Act, approved by the House Judiciary and Intelligence committees little more than a week ago, will not reach the House floor intact. Some passages have been watered down already, the staffer acknowledged, declining to go into specifics. The bill is set for “possible consideration” this week, according to the schedule circulated by House Majority Leader Eric Cantor’s office.
Word of the talks caused some of the bill’s most ardent privacy and civil liberties backers to cry foul and say they could withdraw support. Areas of concern to watchdogs include possible removal of transparency language allowing companies to tell their customers about the broad numbers of lawful intercept requests they receive; and a debate on whether the search terms used by the NSA to search communications records should be narrowly defined in statute.
“The version we fear could now be negotiated in secret and introduced on the House floor may not move us forward on NSA reform,” said human rights organization Access. “I am gravely disappointed if the House leadership and the administration chose to disrupt the hard-fought compromise that so many of us were pleased to support just two weeks ago,” said Kevin Bankston, policy director of the New America Foundation’s Open Technology Institute.
And while it’s not clear these secret changes would broaden the scope outside of counterterrorism (though I think that’s possible already), it does seem clear the Administration is pushing for these changes because the already weak bill is too strong for them.
It’s really hard to conclude this bill was ever an attempt to do anything but outsource one aspect of the dragnet to the telecoms, so as to “legally” access geolocation data, and the rest is an attempt to broaden the dragnet.