Patrick Leahy

1 2 3 6

A Good Idea that May Backfire: FISCR Fast Track

I’ve written several posts about Leahy’s USA Freedom already. To recap:

  • The bill is definitely an improvement off of USA Freedumber, though it retains “connection” chaining language I’m seriously concerned about
  • The bill permits the government to collect “bulky” collections in at least two ways: the use of IP addresses and non-individual persons (aka corporations)
  • The bill inexplicably exempts the FBI from reporting requirements on back door searches

My last new concern about the bill pertains to a measure that means well, but might backfire.

The bill includes language designed to provide for appeals of significant issues, first to the FISA Court of Review, and then to SCOTUS.

(j) REVIEW OF FISA COURT DECISIONS.—After issuing an order, a court established under subsection (a) shall certify for review to the court established under subsection (b) any question of law that the court determines warrants such review because of a need for uniformity or because consideration by the court established under subsection (b) would serve the interests of justice. Upon certification of a question of law under this paragraph, the court established under subsection (b) may give binding instructions or require the entire record to be sent up for decision of the entire matter in controversy.

(k) REVIEW OF FISA COURT OF REVIEW DECISIONS.—

(1) CERTIFICATION.—For any decision issued by the court of review established under subsection (b) approving, in whole or in part, an application by the Government under this Act, such court may certify at any time, including after a decision, a question of law to be reviewed by the Supreme Court of the United States.

(2) SPECIAL ADVOCATE BRIEFING.—Upon certification of an application under paragraph (1), the court of review established under subsection (b) may designate a special advocate to provide briefing as prescribed by the Supreme Court.

(3) REVIEW.—The Supreme Court may review any question of law certified under paragraph (1) by the court of review established under subsection (b) in the same manner as the Supreme Court reviews questions certified under section 1254(2) of title 28, United States Code.

That is, it provides a way for FISC to ask FISCR to review their work, and for FISCR to ask SCOTUS to review their work.

To some degree, the more eyes that look at these novel decisions, the better.

But neither the FISCR review nor the SCOTUS review requires even the Special Advocate. While FISCR has, in the past, permitted amici, they (and Yahoo, in the case where Yahoo appealed FISC’s 2007 recision on Protect America Act) were shooting in the dark. the new advocate, such as it exists, would be able to argue before FISCR if the court wanted it.

So to a significant extent that would result in the same people (the government and the Court’s permanent staff, on one side, and the unproven advocate on the other) arguing the same issue over and over. with the courts themselves choosing to have their own decisions certified by the higher courts.

With the potential result that you’d have appellate decisions or even a SCOTUS instruction without ever giving a real adversary a shot at the issue. If FISC responded to the phone dragnet question before the way they have since Snowden leaked details of it, they would have gotten it certified to confirm their authority.

One addition to Leahy’s bill could exacerbate that. His bill requires the FISC to consult with PCLOB on appointees as  Advocates. With today’s PCLOB, that’d be a good thing. But if Republicans win back the Senate — especially if Mitch McConnell retains his seat — you’d see another PCLOB member the likes of Elisabeth Collins Cook and Rachel Brand. Both are really smart. But both were architects of the surveillance regime while serving as DOJ Policy AAGs. Add a third of that ilk, and PCLOB could load up the Advocates corp with people like Steven Bradbury.

Moreover, for the foreseeable future, Justice John Roberts will be handpicking these judges, which doesn’t give me a lot of confidence.

I just think the Advocate system is unproven right now. It may work out, it may be gamed to reinforce the dysfunction of the court. And the record of the FISCR — especially Laurence Silberman’s efforts to rule FISA illegal in 2002 — give me no confidence this kind of self-appeal would do anything but sanction bad decisions.

Mind you, the Leahy bill also permits the government to go on denying aggrieved people of review of Section 215 collection, so it’s not clearly anyone else will get standing to challenge this program in particular.

But it seems like the FISC system is so dysfunctional, there’s no reason to pre-empt the possibility of real adversarial court function.

Update: Orin Kerr thinks this is unconstitutional.

Leahy USA Freedom’s Bulky Corporate Persons

As I said in my post the other day, the definition of Specific Selection Term in the Leahy version of USA Freedom addresses almost all my concerns about bulk collection under USA Freedom Act.

But not all of them.

I have two concerns.

First, some background. The bill actually uses two definitions of “specific selection term.” The definition as it applies to traditional Section 215, PRTT, and NSL collection is,

(i) means a term that specifically identifies a person, account, address, or personal device, or another specific identifier, that is used by the Government to narrowly limit the scope of tangible things sought to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things; and [my emphasis]

It defines “address” this way:

ADDRESS.—The term ‘address’ means a physical address or electronic address, such as an electronic mail address, temporarily assigned network address, or Internet protocol address.

That’s my first concern. IP addresses can represent entire companies. And who knows what the NSA might consider “temporarily assigned network addresses”?

Then there’s the difference between that definition of “specific selection term” and the more narrow one used with the prospective contact chaining at telecoms, which is:

CALL DETAIL RECORD APPLICATIONS.—For purposes of an application submitted under subsection (b)(2)(C), the term ‘specific selection term’ means a term that specifically identifies an individual, account, or personal device. [my emphasis]

You’ll note the bill targets “individual” for its contact chaining, but “person” for the rest of Section 215 collection. The obvious reason to do that is if you’re collecting on an entire corporate person, like Western Union (which WSJ and NYT reported CIA uses Section 215 to collect on).

The bill does include limits on what kinds of corporate persons can be collected. The bill explicitly prohibits using electronic communication service providers and cloud providers as specific selection terms, unless they are being investigated.

(II) a term identifying an electronic communication service provider (as that term is defined in section 701) or a provider of remote computing service (as that term is defined  in section 2711 of title 18, United States Code), when not used as part of a specific identifier as described in clause (i), unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.

That still seems to leave a whole slew of corporate persons who can be the selection term for collection.

The bill limits that collection in another way, through minimization procedures.

‘(C) for orders in which the specific selection term does not specifically identify an individual, account, or personal device, procedures that prohibit the dissemination, and require the destruction within a reasonable time period (which time period shall be specified in the order), of any tangible thing or information therein that has not been determined to relate to a person who is—

(i) a subject of an authorized investigation;

(ii) a foreign power or a suspected agent of a foreign power;

(iii) reasonably likely to have information about the activities of—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation; or

(iv) in contact with or known to—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation,

unless the tangible thing or information therein indicates a threat of death or serious bodily harm to any person or is disseminated to another element of the intelligence community for the sole purpose of determining whether the tangible thing or information therein relates to a person who is described in clause (i), (ii), (iii),  or (iv)

This language is almost certainly not new — as CDT’s otherwise decent analysis suggests. We know the FISC has been modifying orders more and more in recent years. We don’t know — we have to rely on Congress, blindly — whether these minimization procedures are more strict or (likely, because other parts of this bill are) less restrictive than what the FISC itself has been imposing.

But even the existence of this language — and the differential use of “person” and “individual” — makes it clear the bill still permits the bulk collection of data. It just requires the agency in question to purge the data … sometime.

The question is whether this “agency protocol” — what Chief Justice John Roberts said was not enough to protect Americans’ privacy — is sufficient to protect Americans’ privacy.

I don’t think it is.

First, it doesn’t specify how long the NSA and FBI and CIA can keep and sort through these corporate records (or what methods it can use to do so, which may themselves be very invasive).

It also permits the retention of data that gets pretty attenuated from actual targets of investigation: agents of foreign powers that might have information on subjects of investigation and people “in contact with or known to” suspected agents associated with a subject of an investigation.

Known to?!?! Hell, Barack Obama is known to all those people. Is it okay to keep his data under these procedures?

Also remember that the government has secretly redefined “threat of death or serious bodily harm” to include “threats to property,” which could be Intellectual Property.

So CIA could (at least under this law — again, we have no idea what the actual FISC orders this is based off of) keep 5 years of Western Union money transfer data until it has contact chained 3 degrees out from the subject of an investigation or any new subjects of investigation it has identified in the interim.

In other words, probably no different and potentially more lenient than what it does now.

Leahy Freedom Act Exempts FBI from Counting Its Back Door Searches

As I said in my post last night, Pat Leahy’s version of USA Freedom Act is a significant improvement over USA Freedumber, the watered down House version. But it includes language that no one I’ve met has been able to explain. I believe it may permit the NSA to have its immunized telecom providers contact chain on (at least) location, and possibly worse. Thus, it may well be everyone applauding the bill — including privacy NGOs — are applauding increased use of techniques like location spying even as judges around the country are deeming such spying unconstitutional. I strongly believe this bill may expand the universe of US persons who will be thrown into the corporate store indefinitely, to be subjected to the full brunt of NSA’s analytical might.

But that’s not the part of the bill that disturbs me the most. It’s this language:

‘(3) FEDERAL BUREAU OF INVESTIGATION.—

Subparagraphs (B)(iv), (B)(v), (D)(iii), (E)(iii), and (E)(iv) of paragraph (1) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

The language refers, in part,  to requirements that the government report to Congress:

(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—

(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and

(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;

These are back door searches on US person identifiers of Section 702 collected data — both content (iv) and metadata (v).

In other words, after having required the government to report how many back door searches of US person data it conducts, the bill then exempts the FBI.

The FBI — the one agency whose use of such data can actually result in a prosecution of the US person in question.

We already know the government has not provided all defendants caught using 702 data notice. And yet, having recognized the need to start counting how many Americans get caught in back door searches, Patrick Leahy has decided to exempt the agency that uses back door searches the most.

And if they’re not giving defendants notice (and they’re not), then this is an illegal use of Section 702.

There is no reason to exempt the FBI for this. On the contrary, if we’re going to count back door searches on US persons, the first place we should start counting is at FBI, where it likely matters most. But the Chair of the Senate Judiciary Committee has decided it’s a good idea to exempt precisely those back door searches from reporting requirements.

 

Improved USA Freedom Retains “Connection” Chaining and “Foreign Intelligence” Retention

Thanks to this NYT editorial, everyone is talking about Patrick Leahy’s version of USA Freedom, which he will introduce tomorrow.

Given what I’ve heard, my impression is the editorial is correct that Leahy’s bill is a significant improvement off of USA Freedumber.

That’s not saying much.

It tightens the definition for Specific Selection Term significantly (though there may still be limited cause for concern).

It improves the FISA Advocate (but not necessarily enough that it would be meaningful).

It improves transparency (but there’s one aspect of “improved” transparency that actually disturbs me significantly).

It pretends to fix concerns I had about the PRTT minimization, but I don’t think it succeeds.

Still, an improvement off of the USA Freedumber.

I’m not convinced that makes it an acceptable improvement off of the status quo (especially the status quo requiring court approval for each seed). That’s because — from what I’ve heard — Leahy’s bill retains the language from USA Freedumber on contact chaining, which reads,

(iii) provide that the Government may require the prompt production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;

Now, I have no idea what this language means, and no one I’ve talked to outside of the intelligence committees does either. It might just mean they will do the same contact chaining they do now, but if it does, why adopt this obscure language? It may just mean they will correlate identities, and do contact chaining off all the burner phones their algorithms say are the same people, but nothing more, but if so, isn’t there clearer language to indicate that (and limit it to that)?

But we know in the equivalent program for DEA – Hemisphere – the government uses location to chain people. So to argue this doesn’t include location chaining, you’d have to argue that NSA is satisfied with less than DEA gets and explain why the language of this bill specifically prohibits it. (The bill — as USA Freedumber before it did — requires NSA to use Call Detail Records at each step; that may or may not impose such limits.)

I remain concerned, too, that such obscure language would permit the contact chaining on phone books and calendars, both things we know NSA obtains overseas, both things NSA might have access to through their newly immunized telecom partners.

In addition, Leahy’s bill keeps USA Freedumber’s retention language tied to Foreign Intelligence purpose, allowing the NSA to keep all records that might have a foreign intelligence purpose.

Why, after having read PCLOB’s 702 report stating that, “when an NSA analyst recognizes that [a communication] involves a U.S. person and determines that it clearly is not relevant to foreign intelligence or evidence of a crime,” destruction of it, which is required by the law, “rarely happens,” would anyone applaud a Section 215 bill that effectively expands retention using that very same utterly meaningless “foreign intelligence” language? And with it may expand the permitted dissemination of such data?

The bill is definitely an improvement over USA Freedumber. But until someone explains what that connection chaining language does — and includes limiting language to make sure that’s all it will ever do — I have no way of knowing whether Leahy’s bill is better than the status quo. As it is, however, it is certainly conceivable Leahy’s bill will result in more innocent Americans ending up in the corporate store.

(I may have two more new concerns about Leahy’s bill, but I’ll hold those until I see what precise language the bill uses for them.)

USA Freedumber Will Not Get Better in the “Prosecutors” Committee

Having been badly outmaneuvered on USA Freedumber — what was sold as reform but is in my opinion an expansion of spying in several ways — in the House, civil liberties groups are promising a real fight in the Senate.

“This is going to be the fight of the summer,” vowed Gabe Rottman, legislative counsel with the American Civil Liberties Union.

If advocates are able to change the House bill’s language to prohibit NSA agents from collecting large quantities of data, “then that’s a win,” he added.

“The bill still is not ideal even with those changes, but that would be an improvement,” Rottman said.

[snip]

“We were of course very disappointed at the weakening of the bill,” said Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute. “Right now we really are turning our attention to the Senate to make sure that doesn’t happen again.”

[snip]

One factor working in the reformers’ favor is the strong support of Senate Judiciary Chairman Patrick Leahy (D-Vt.).

Unlike House Judiciary Chairman Bob Goodlatte (R-Va.), who only came to support the bill after negotiations to produce a manager’s amendment, Leahy was the lead Senate sponsor of the USA Freedom Act.

The fact that Leahy controls the committee gavel means he should be able to guide the bill through when it comes up for discussion next month, advocates said.

“The fact that he is the chairman and it’s his bill and this is an issue that he has been passionate about for many years” is comforting, Greene said.

I hope they prove me wrong. But claims this will get better in the Senate seem to ignore the recent history of the Senate Judiciary Committee’s involvement in surveillance bills, not to mention the likely vote counts.

It is true Pat Leahy wants real reform. And he has a few allies on SJC. But in recent years, every surveillance-related bill that came through SJC has been watered down when Dianne Feinstein offered an alternative (which Leahy sometimes adopted as a manager’s amendment, perhaps realizing he didn’t have the votes). After DiFi offered reform, Sheldon Whitehouse (who a number of less sophisticated SJC members look to as a guide on these issues) enthusiastically embraced it, and everyone fell into line. Often, a Republican comes in and offers a “bipartisan reform” (meaning conservative Republicans joining with the Deep State) that further guts the bill.

This is how the Administration (shacking up with Jeff Sessions) defeated an effort to rein in Section 215 and Pen Registers in 2009.

This is how DiFi defeated an effort to close the backdoor loophole in 2012.

As this was happening in 2009, Russ Feingold called out SJC for acting as if it were the “Prosecutors Committee,” rather than the Judiciary Committee.

(Note, in both of those cases as well as on the original passage of Section 702, I understood fairly clearly what the efforts to stymie reform would do, up to 4 years before those programs were publicly revealed; I’ve got a pretty good record on this front!)

And if you don’t believe this is going to happen again, tell me why this whip count is wrong:

Screen shot 2014-05-26 at 5.18.49 PM

If my read here is right, the best case scenario — short of convincing Sheldon Whitehouse some of what the government wants to do is unconstitutional, which John Bates has already ruled that it is – is relying on people like Ted Cruz (whose posturing on civil liberties is often no more than that) and Jeff Flake (who was great on these issues in the House but has been silent and absent throughout this entire debate). And that’s all to reach a 9-9 tie in SJC.

Which shouldn’t be surprising. Had Leahy had the votes to move USA Freedom Act through SJC, he would have done so in October.

That was the entire point of starting in the House: because there was such a large number of people (albeit, for the  most part without gavels) supporting real reform in the House. But because reformers (starting with John Conyers and Jerry Nadler) uncritically accepted a bad compromise and then let it be gutted, that leverage was squandered.

Right now, we’re looking at a bill that outsources an expanded phone dragnet to the telecoms (with some advantages and some drawbacks), but along the way resets other programs to what they were before the FISC reined them in from 2009 to 2011. That’s the starting point. With a vote count that leaves us susceptible to further corruption of the bill along the way.

Edward Snowden risked his freedom to try to rein in the dragnet, and instead, as of right now it looks like Congress will expand it.

Update: I’ve moved Richard Blumenthal into the “pro reform” category based on this statement after the passage of USA Freedumber. Thanks to Katherine Hawkins for alerting me to the statement.

Sheldon Whitehouse: We Can’t Unilaterally Disarm, Even to Keep America Competitive

I have to say, the Senate Judiciary Committee hearing on the dragnet was a bust.

Pat Leahy was fired up — and even blew off a Keith Alexander attempt to liken the Internet to a library with stories of the library card he got when he was 4. While generally favoring the dragnet, Chuck Grassley at least asked decent questions. But because of a conflict with a briefing on the Iran deal, Al Franken was the only other Senator to show up for the first panel. And the government witnesses — Keith Alexander, Robert Litt, and James Cole — focused on the phone dragnet disclosed over 6 months ago, rather than newer disclosures like back door searches and the Internet dragnet, which moved overseas. Litt even suggested — in response to a question from Leahy — that they might still be able to conduct the dragnet if they could bamboozle the FISA Court on relevance, again (see Spencer on that). As a result, no one discussed the systemic legal abuses of the Internet dragnet or NSA’s seeming attempt to evade oversight and data sharing limits by moving their dragnet overseas.

Things went downhill when Leahy left for the Iran briefing and Sheldon Whitehouse presided over the second panel, with the Computer & Communications Industry Association’s Edward Black, CATO’s Julian Sanchez, and Georgetown professor (and former DOJ official) Carrie Cordero. Sanchez hit some key points on the why Internet metadata is not actually like phone pen registers. Cordero acknowledged that metadata was very powerful but then asserted that the metadata of the phone-based relationships of every American was not.

And Black tried to make the case that the spying is killing America.

Or, more specifically, his industry’s little but significant corner of America, the Internet. While only some of this was in his opening statement, Black made the case that the Internet plays a critical role in America’s competitiveness.

While these are critical issues, it is important that the Committee also concern itself with the fact that the behavior of the NSA, combined with the global environment in which this summer’s revelations were released, may well pose an existential threat to the Internet as we know it today, and, consequently, to many vital U.S. interests, including the U.S. economy.

[snip]

The U.S. government has even taken notice. A recent comprehensive re- port from the U.S. International Trade Commission (ITC) noted, “digital trade continues to grow both in the U.S. economy and globally” and that a “further increase in digital trade is probable, with the U.S. in the lead.” In fact, the re- port also shows, U.S. digital exports have exceeded imports and that surplus has continually widened since 2007.

[snip]

As a result, the economic security risks posed by NSA surveillance, and the international political reaction to it, should not be subjugated to traditional national security arguments, as our global competitiveness is essential to long-term American security. It is no accident that the official National Security Strategy of the United States includes increasing exports as a major component of our national defense strategy.

Then he laid out all the ways that NSA’s spying has damaged that vital part of the American economy: by damaging trust, especially among non-American users not granted to the protections Americans purportedly get, and by raising suspicion of encryption.

Black then talked about the importance of the Internet to soft power. He spoke about this generally, but also focused on the way that NSA spying was threatening America’s dominant position in Internet governance, which (for better and worse, IMO) has made the Internet the medium of exchange it is.

The U.S. government position of supporting the multi-stakeholder model of Internet governance has been compromised. We have heard increased calls for the ITU or the United Nations in general to seize Internet governance functions from organizations that are perceived to be too closely associated with the U.S. government, such as the Internet Corporation for Assigned Names and Numbers (ICANN).

And he pointed to proposals to alter the architecture of the Internet to minimize the preferential access the US currently has.

Let’s be honest, Black is a lobbyist, and he’s pitching his industry best as he can. I get that. Yet even still, he’s not admitting that these governance and architecture issues really don’t provide neutrality — though US stewardship may be the least-worst option, it provides the US a big advantage.

What Black hinted at (but couldn’t say without freaking out foreign users even more) is that our stewardship of the Internet is not just one of the few bright spots in our economy, but also a keystone to our power internationally. And it gives us huge spying advantages (not everyone trying to erode our control of the Internet’s international governance is being cynical — Edward Snowden has made it clear we have abused our position).

Which is why Whitehouse’s response was so disingenuous. He badgered Black, interrupting him consistently. He asked him to compare our spying with that of totalitarian governments, which Black responded was an unfair comparison. And Whitehouse didn’t let Black point out that American advantages actually do mean we spy more than others, because we can.

Basically, Whitehouse suggested that, in the era of Big Data,  if we didn’t do as much spying as we could — and to hell with what it did to our preferential position on the Internet — it would amount to unilaterally disarming in the face of Chinese and Russian challenges.

If we were to pass law that prevented us from operating in Big Data, would be unilaterally disarming.

Whitehouse followed this hubris up with several questions that Sanchez might have gladly answered but Black might have had less leeway to answer, such as whether a court had ever found these programs to be unconstitutional. (The answer is yes, John Bates found upstream collection to be unconstitutional, he found the Internet dragnet as conducted for 5 years to be illegal wiretapping, and in the Yahoo litigation in 2007, Yahoo never learned what the minimization procedures were, and therefore never had the opportunity to make the case.) Black suggested, correctly, I think, that Whitehouse’s position meant we were just in an arms race to be the Biggest Brother.

I get it. Whitehouse is one of those who believelike Keith Alexander (whose firing Whitehouse has bizarrely not demanded, given his stated concerns about the failure to protect our data during Alexander’s tenure) that the Chinese are plundering the US like a colony.

Not only does this stance seem to evince no awareness of how America used data theft to build itself as a country (and how America’s hardline IP stance will kill people, making America more enemies). But it ignores the role of the Internet in jobs and competition and trade in ideas and goods.

Sheldon Whitehouse, from a state suffering economically almost as much as Michigan, seems anxious to piss away what competitive advantages non-defense America has to conduct spying that hasn’t really produced results (and has made our networks less secure as a result — precisely the problem Whitehouse claims to be so concerned about). That’s an ugly kind of American hubris that doesn’t serve this country, even if you adopt the most jingoistic nationalism imaginable.

He should know better than this. But in today’s hearing, he seemed intent on silencing the Internet industry so he didn’t learn better.

Update: Fixed the Black quotation.

Update: Jack Goldsmith pushes back against the American double standards on spying and stealing here.

If the Executive Had Followed Clear Minimization Requirements of PATRIOT, Dragnet Abuses Might Have Been Avoided

For 4 years, it has been clear that DOJ Inspector General Glenn Fine used his 2008 report on the FBI’s use of Section 215 to address how it had been used for what was then a secret program. For that reason, I want to look more closely at what he had to say about minimization.

Glenn Fine reveals how FBI minimization procedures are self-referential nonsense

As I noted, as part of a congressionally-mandated review completed in March 2008, DOJ’s Inspector General Glenn Fine reviewed whether DOJ had complied with PATRIOT Reauthorization’s requirement that the Attorney General craft minimization procedures to use with Section 215 collection.

He described how, in advance of a September 5, 2006 deadline, two parts of DOJ squabbled over what the minimization procedures should be.

Several months after enactment of the Reauthorization Act, the Office of Intelligence Policy and Review (OIPR) and the FBI — both of whom had been developing minimization procedures related to Section 215 orders — exchanged draft procedures. The drafts differed in fundamental respects, ranging from definitions to the scope of the procedures.

The fight seems to have been significantly fought between OIPR’s Counsel James Baker (who had a record of trying to get DOJ to follow the law) and FBI’s General Counsel Valerie Caproni (who got confirmed as a Federal Judge for NY this year literally at the same moment the Administration started releasing the most damning details on the dragnet).

Unresolved issues included the time period for retention of information, definitional issues of “U.S. person identifying information,” and whether to include procedures for addressing material received in response to, but beyond the scope of, the FISA Court order; uploading information into FBI databases; and handling large or sensitive data collections.

A couple of months would put this debate squarely in the time period when the first dragnet order would be signed (two months would be May 9; the first order was signed May 24).

And you can see how these issues would go squarely to the heart of whether or not the government could use Section 215 to authorize the dragnet. The dragnet introduces immediate retention issues, given that it authorizes collection on data not yet in existence; imagine if OIPR mandated an immediate search, with all non-responsive numbers to be destroyed. NSA itself treated phone numbers as “identifiers,” and yet this entire program fails to meet the most basic dissemination limits if you treat them as identifiers here. We know NSA had recurrent problem with receiving data that was beyond the scope, including credit card numbers and international data. Unloading this into the FBI database presents immense problems, given that the foreign intelligence value of a query is based on a algorithm, not more concrete evidence. And of course, Fine’s mention of the debate over “handling large or sensitive data collections” must implicate the dragnet, which is the quintessential large and sensitive data collection.

Almost the entirety of the detailed discussion of these issues is redacted.

Continue reading

Leahy-Sensenbrenner Would Shut the Section 702 Cybersecurity Loophole

Section 702 Reporting HighlightI’m going to have a few posts on the Leahy-Sensenbrenner bill, which is the most likely way we’ll be able to rein in NSA spying. In addition to several sections stopping bulk collection, it has a section on collection of US person data under FISA Amendments Act (I’ll return to the back-door loophole later).

But I’m particularly interested in what it does with upstream collection. It basically adds a paragraph to section d of Section 702 that limits upstream collection to two uses: international terrorism or WMD proliferation.

(C) limit the acquisition of the contents of any communication to those communications—

(i) to which any party is a target of  the acquisition; or

(ii) that contain an account identifier of a target of an acquisition, only if such communications are acquired to protect against international terrorism or the international proliferation of weapons of mass destruction.;

And adds a definition for “account identifier” limiting it to identifiers of people.

(1) ACCOUNT IDENTIFIER.—The term ‘account identifier’ means a telephone or instrument number, other subscriber number, email address, or  username used to uniquely identify an account.

I believe the effect of this is to prevent NSA from using Section 702 to conduct cyberdefense in the US.

As I have noted, there are reasons to believe that NSA uses Section 702 for just 3 kinds of targets:

  • International terrorism
  • WMD proliferation
  • Cybersecurity

There are many reasons to believe one primary use of Section 702 for cybersecurity involves upstream collection targeted on actual pieces of code (that is, the identifier for a cyberattack, rather than the identifier of a user). As an example, the slide above, which I discuss in more detail here, explains that one of the biggest Section 702 successes involves preventing an attacker from exfiltrating 150 Gigs of data from a defense contractor. The success involved both PRISM and STORMBREW, the latter of which is upstream collection in the US.

In other words, the government has been conducting upstream collection within the US to search for malicious code (I’m not sure how they determine whether the code originated in a foreign country though given that they refuse to count domestic communications collected via upstream collection, I doubt they care).

So what these two sections of Leahy-Sensenbrenner would do is 1) limit the use of upstream collection to terrorists and proliferators, thereby prohibiting its use for cybersecurity, and 2) define “account identifier” to exclude something like malicious code.

There’s one more interesting aspect of this fix. Unlike many other sections of the bill, it doesn’t go into effect right away.

EFFECTIVE DATE.—The amendments made by subsections (a) and (b) shall take effect on the date that is 180 days after the date of the enactment of this Act.

The bill gives the Executive 6 months to find an alternative to this use of Section 702 — presumably, to pass a cybersecurity bill explicitly labeled as such.

Keith Alexander and others have long talked about the need to scan domestic traffic to protect against cyberattacks. But it appears — especially given the 6 month effective date on these changes — they’re already doing that, all in the name of foreign intelligence.

Charles McCullough Too Busy Investigating Leakers to Investigate the Dragnet

As I noted back in September, Patrick Leahy and a bunch of other Senators asked the Intelligence Community Inspector General Charles McCullough to investigate the dragnet.

In particular, we urge you to review for calendar years 2010 through 2013:

  • the use and implementation of Section 215 and Section 702 authorities, including the manner in which information – and in particular, information about U.S. persons – is collected, retained, analyzed and disseminated;
  • applicable minimization procedures and other relevant procedures and guidelines, including whether they are consistent across agencies and the extent to which they protect the privacy rights of U.S. persons;
  • any improper or illegal use of the authorities or information collected pursuant to them; and
  • an examination of the effectiveness of the authorities as investigative and intelligence tools.

McCullough just answered.

No.

“At present, we are not resourced to conduct the requested review within the requested timeframe,” wrote McCullough, before adding he and other agency inspectors general are weighing now whether they can combine forces on a larger probe.

Leahy had asked McCullough to finish in what was then 15 months, December 2014, which would make it available for the PATRIOT Reauthorization due the next year.

Note, McCullough gave the same answer he and NSA’s IG gave when Ron Wyden asked how many Americans get caught up in the dragnet.

Not enough resources.

Mind you, he apparently has enough resources to do this:

Finally, we began to implement a program to lead IC-wide administrative investigations into unauthorized disclosures of classified information (i.e., “leak”) matters.

[snip]

The Investigations Division reviewed hundreds of closed cases from across the IC. Going forward, the division will engage in gap mitigation for those cases where an agency does not have the authority to investigate (multiple agencies or programs) or where DOJ declined criminal prosecution. The division will conduct administrative investigations with IG Investigators from affected IC elements to maximize efficiencies, expedite investigations, and enhance partnerships.

[snip]

The Investigations Division is reviewing 375 unauthorized disclosure case files.

But not enough resources to review a massive dragnet affecting every American in time to have results before the dragnet gets reauthorized.

Update: And apparently the Senate Intelligence Committee just told ODNI to investigate more leaks and pre-leaks.

  • Empowering the Director of National Intelligence to improve the government’s process to investigate (and reinvestigate) individuals with security clearances to access classified information;

“Folksy and Firm” Flummoxes Fancy NYT Journalists

Less than 10 days ago, Keith Alexander admitted to Patrick Leahy that the single solitary case in which the phone dragnet proved critical was that of Basaaly Moalin. But that was not an attack. Rather, it was an effort to send money to al-Shabaab (and others) because they were protecting Somalia against a US backed Ethiopian invasion.

And yet two crack “journalists” used this as the lead of their “interview” with Alexander with not a hint of pushback.

The director of the National Security Agency, Gen. Keith B. Alexander, said in an interview that to prevent terrorist attacks he saw no effective alternative to the N.S.A.’s bulk collection of telephone and other electronic metadata from Americans.

The phone dragnet has never — never! — been more than one tool in preventing any attack, and yet Alexander gets to imply, unchallenged, it is critical going forward.

Instead of actual reporting, we get platitudes like this.

General Alexander was by turns folksy and firm in the interview. But he was unapologetic about the agency’s strict culture of secrecy and unabashed in describing its importance to defending the nation.

That culture is embodied by two installations that greet visitors to Fort Meade. One is a wall to honor N.S.A. personnel killed on overseas missions. The other is a tribute to the Enigma program, the code-breaking success that helped speed the end of World War II and led to the creation of the N.S.A. The intelligence community kept Enigma secret for three decades.

The only thing remotely resembling a challenge came when these “reporters” note Alexander’s claim to have willingly shut down the Internet metadata program (which the NSA has largely kept secret, in spite of having been disclosed) ignores NSA claims it (like the phone dragnet now, purportedly) was critical.

But he said the agency had not told its story well. As an example, he said, the agency itself killed a program in 2011 that collected the metadata of about 1 percent of all of the e-mails sent in the United States. “We terminated it,” he said. “It was not operationally relevant to what we needed.”

However, until it was killed, the N.S.A. had repeatedly defended that program as vital in reports to Congress.

The rest consists of more of the same kind of rebuttal by redefinition. The claim that NSA shares data with Israel is wrong, this “journalism” says, because “the probability of American content in the shared data was extremely small” (which of course says nothing about the way it would violate minimization procedures in any case). The claim that NSA launched 200 offensive cyberattacks in 2011 is wrong because many of those were actually other “electronic missions.” Besides, Alexander claims,

“I see no reason to use offensive tools unless you’re defending the country or in a state of war, or you want to achieve some really important thing for the good of the nation and others,” he said. [my link, for shits and giggles]

We are not now nor were we in 2006 when StuxNet started “in a state of war” with Iran, so how credible are any of these claims?

Mostly though, this appears to be an attempt, four months after highlighting the importance of PRISM against cyberattacks but then going utterly silent about that function, to reassert the importance of NSA’s hacking to prevent hacking.

Even there, though, Alexander presented dubious claims that got no challenge.

General Alexander said that confronting what he called the two biggest threats facing the United States — terrorism and cyberattacks — would require the application of expanded computer monitoring. In both cases, he said, he was open to much of that work being done by private industry, which he said could be more efficient than government.

In fact, he said, a direct government role in filtering Internet traffic into the United States, in an effort to stop destructive attacks on Wall Street, American banks and the theft of intellectual property, would be inefficient and ineffective.

“I think it leads people to the wrong conclusion, that we’re reading their e-mails and trying to listen to their phone calls,” he said.

The NSA already is filtering Internet traffic into the United States (and also searching on and reading incidentally collected Internet traffic without a warrant) under Section 702 certificates supporting counterterrorism, counterproliferation and … cyberattacks.

But nosiree, Alexander can’t envision doing what he’s already doing — and had been doing in a way that violated statute and the Fourth Amendment for three years already by 2011 — in the name of protecting the banksters who’ve gutted our economy. Only all of that — including the retention of US person data in the name of protecting property (presumably including intellectual property) is baked right into the NSA’s minimization procedures.

And that bit about violating Section 702 and the Fourth Amendment for over three years with a practice that was also baked into NSA’s minimization procedures? Here’s the claim the NYT’s crack journalists allow Alexander to end this charade with.

“We followed the law, we follow our policies, we self-report, we identify problems, we fix them,” he said. “And I think we do a great job, and we do, I think, more to protect people’s civil liberties and privacy than they’ll ever know.”

1 2 3 6

Emptywheel Twitterverse
emptywheel RT @TimothyS: BAE buys IN-Q-TEL funded imagery and analytic company, firming up its intel ops. http://t.co/onrzEPCYpt
32mreplyretweetfavorite
emptywheel RT @mollyknefel: Misdemeanor arrests under de Blasio are higher than Bloomberg, with same racial disparity (86% black or Latino) http://t.c…
43mreplyretweetfavorite
emptywheel According to CIA Inspector General David Buckley, David Buckley didn't mean David Buckley's criminal referral to DOJ http://t.co/ThMsontX2z
44mreplyretweetfavorite
emptywheel @nickmanes1 It? You can get them all in one place without having to walk between gorges?
46mreplyretweetfavorite
emptywheel @nickmanes1 You gonna do it? It'd make a great storify if we cut it off before you exploded.
48mreplyretweetfavorite
emptywheel @sanasaleem "can" someone? Yup. But it'll get you branded a terrorist and jailed for decades.
1hreplyretweetfavorite
emptywheel RT @SAI: Google is taking apart its mystery barge that was going to be used for selling Google Glass http://t.co/OPlWfXt9wl
1hreplyretweetfavorite
JimWhiteGNV @bmaz @trog69 GNP had three versions when we bought. These were mid-price. Cat included for size reference. http://t.co/HOyOcpxLFE
1hreplyretweetfavorite
emptywheel Paul Ryan is lucky Eric Cantor exists to distract people from the fact he's almost as big of a clown.
1hreplyretweetfavorite
bmaz @JimWhiteGNV @trog69 Huh, just did little reading on GNP. Interesting! Looks interesting. Send me a picture of them, curious what look like
2hreplyretweetfavorite
emptywheel I learn from this Daily Beast article that John McCain is a Democrat. http://t.co/a9gGJYABms
2hreplyretweetfavorite
August 2014
S M T W T F S
« Jul    
 12
3456789
10111213141516
17181920212223
24252627282930
31