Patrick Leahy

1 2 3 7

If Patrick Leahy Wants to End Bulk Collection, He Needs to Amend His USA Freedom Act

The other day, the government obtained another Primary Order to collect all our phone records.

In response, Senator Patrick Leahy released this statement:

Congress must ensure that this is the last time the government requests and the court approves the bulk collection of Americans’ records.  We can make this a reality in the Senate if we act swiftly to pass the bipartisan USA FREEDOM Act.  Stakeholders from across the political and ideological spectrum have urged us for months to do just that.  We cannot wait any longer, and we cannot defer action on this important issue until the next Congress.  This announcement underscores, once again, that it is time for Congress to enact meaningful reforms to protect individual privacy.

I heartily agree with Leahy that the government has to stop obtaining authorization to collect Americans’ records in bulk.

But I think Leahy is misleading when he says we can “make this a reality” by passing USA FREEDOM Act — at least as currently written. While USA Freedom Act prohibits the government from collecting Americans’ phone records in bulk, it doesn’t prevent the government from collection Americans’ records from non-communications companies in what normal people would call bulk.

The language in the bill prohibiting the use of a company name as a selector only applies to electronic communication service providers.

(II) a term identifying an electronic communication service provider (as that term is defined in section 701) or a provider of remote computing service (as that term is defined in section 2711 of title 18, United States Code), when not used as part of a specific identifier as described in clause (i), unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.

The limit of this language to communications companies makes it clear that the bill envisions the use of a corporate person (persons are permitted for traditional Section 215 orders) names — so long as they aren’t communications providers — as a selector. You can’t get all records from Verizon, as the government does, but you can get all one-side foreign records from Western Union, as the government also currently does.

In this case, the secret surveillance court has authorized the Federal Bureau of Investigation to work with the CIA to collect large amounts of data on international transactions, including those of Americans, as part of the agency’s terrorism investigations.

The data collected by the CIA doesn’t include any transactions that are solely domestic, and the majority of records collected are solely foreign, but they include those to and from the U.S., as well. In some cases, it does include data beyond basic financial records, such as U.S. Social Security numbers, which can be used to tie the financial activity to a specific person. That has raised concerns among some lawmakers who learned about the program this summer, according to officials briefed on the matter.

Former U.S. government officials familiar with the program said it has been useful in discovering terrorist relationships and financial patterns. If a CIA analyst searches the data and discovers possible suspicious terrorist activity in the U.S., the analyst provides that information to the FBI, a former official said.

[snip]

The data is obtained from companies in bulk, then placed in a dedicated database. Then, court-ordered rules are applied to “minimize,” or mask, the information about people in the U.S. unless that information is deemed to be of foreign-intelligence interest, a former U.S. official said.

Moreover, even if this is the only financial program that exists right now, the only limit on such programs would be the imagination of the Intelligence Community and the indulgence of the FISA Court. James Clapper and John Bates both objected to interpreting the transparency provisions of USAF to include similar applications to new targets. Particularly as the fearmongering surrounding ISIS increases, they’ll be ratcheting up the domestic spying again.

In any case, there is abundant reason to believe the government also collects the records of certain bomb precursors — fertilizer, acetone and hydrogen peroxide in large quantities, and pressure cookers — to cross-reference with suspect targets. And while the government collects flight information directly, there may well be bulk travel record collection as well.

The bill enables this kind of bulk collection in its “transparency” provisions as well. Those provisions only conduct individualized counts for communications related orders under traditional Section 215, not for non-communications related orders.

(D) the total number of orders issued pursuant to applications made under section 501(b)(2)(B) and a good faith estimate of—
(i) the number of targets of such orders;
(ii) the number of individuals whose communications were collected pursuant to such orders; and
(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

This is obviously all by design (otherwise these two passages wouldn’t have this symmetry). And perhaps all it does is serve to hide this one (probably two, maybe three) programs. But again, there’s no guarantee that won’t change in the future, and the transparency provisions don’t do enough to ensure  this would be properly briefed.

Of course the fix for this would be easy: extend the same prohibition against using a corporate person as a selector to all corporate persons, and extend the individualized reporting under traditional Section 215 to all Section 215 orders.

If Senator Leahy wants to prevent bulk collection, he needs to treat tangible things — the name of the provision at hand!!! — of all sorts, communications and non-communications — as the bill currently treats just communications-related orders.

Every Senator Who Supports USA Freedom May Be Affirmatively Ratifying a Financial Dragnet

Now that I’ve finally got around to reading the so-called transparency provisions in Patrick Leahy’s USA Freedom Act, I understand that one purpose of the bill, from James Clapper’s perspective, is to get Congress to ratify some kind of financial dragnet conducted under Section 215.

As I’ve laid out in detail before, there’s absolutely no reason to believe USA Freedom Act does anything to affect non-communications collection programs.

That’s because the definition of “specific selection term” permits (corporate) persons to be used as a selector, so long as they aren’t communications companies. So Visa, Western Union, and Bank of America could all be used as the selector; Amazon could be for anything not cloud or communications-related. Even if the government obtained all the records from these companies — as reports say it does with Western Union, at least — that would not be considered “bulk” because the government defines “bulk” as collection without a selector. Here, the selector would be the company.

And as I just figured out yesterday, the bill requires absolutely no individualized reporting on traditional Section 215 orders that don’t obtain communications. Here’s what the bill requires DNI to report on traditional 215 collection.

(D) the total number of orders issued pursuant to applications made under section 501(b)(2)(B) and a good faith estimate of—
(i) the number of targets of such orders;
(ii) the number of individuals whose communications were collected pursuant to such orders; and
(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

The bill defines “individuals whose communications were collected” this way:

(3) INDIVIDUAL WHOSE COMMUNICATIONS WERE COLLECTED.—The term ‘individual whose communications were collected’ means any individual—
(A) who was a party to an electronic communication or a wire communication the contents or noncontents of which was collected; or
(B)(i) who was a subscriber or customer of an electronic communication service or remote computing service; and
(ii) whose records, as described in subparagraph (A), (B), (D), (E), or (F) of section 2703(c)(2) of title 18, United States Code, were collected.

Thus, the 215 reporting only requires the DNI to provide individualized reporting on communications related orders. It requires no individualized reporting at all on actual tangible things (in the tangible things provision!). A dragnet order collecting every American’s Visa bill would be reported as 1 order targeting the 4 or so terrorist groups specifically named in the primary order. It would not show that the order produced the records of 310 million Americans.

I’m guessing this is not a mistake, which is why I’m so certain there’s a financial dragnet the government is trying to hide.

Under the bill, of course, Visa and Western Union could decide they wanted to issue a privacy report. But I’m guessing if it would show 310 million to 310,000,500 of its customers’ privacy was being compromised, they would be unlikely to do that.

So the bill would permit the collection of all of Visa’s records (assuming the government could or has convinced the FISC to rubber stamp that, of course), and it would hide the extent of that collection because DNI is not required to report individualized collection numbers.

But it’s not just the language in the bill that amounts to ratification of such a dragnet.

As the government has argued over and over and over, every time Congress passes Section 215′s “relevant to” language unchanged, it serves as a ratification of the FISA Court’s crazy interpretation of it to mean “all.” That argument was pretty dodgy for reauthorizations that happened before Edward Snowden came along (though its dodginess did not prevent Clare Eagan, Mary McLaughlin, and William Pauley from buying it). But it is not dodgy now: Senators need to know that after they pass this bill, the government will argue to courts that it ratifies the legal interpretations publicly known about the program.

While the bill changes a great deal of language in Section 215, it still includes the “relevant to” language that now means “all.” So every Senator who votes for USAF will make it clear to judges that it is the intent of Congress for “relevant to” to mean “all.”

And it’s not just that! In voting for USAF, Senators would be ratifying all the other legal interpretations about dragnets that have been publicly released since Snowden’s leaks started.

That includes the horrible John Bates opinion from February 19, 2013 that authorized the government to use Section 215 to investigate Americans for their First Amendment protected activities so long as the larger investigation is targeted at people whose activities aren’t protected under the First Amendment. So Senators would be making it clear to judges their intent is to allow the government to conduct investigations into Americans for their speech or politics or religion in some cases (which cases those are is not entirely clear).

That also includes the John Bates opinion from November 23, 2010 that concluded that, “the Right to Financial Privacy Act, … does not preclude the issuance of an order requiring the production of financial records to the Federal Bureau of Investigation (FBI) pursuant to the FISA business records provision.” Given that Senators know (or should — and certainly have the ability to — know) about this before they support USAF, judges would be correct in concluding that it was the intent of Congress to permit the government to collect financial records under Section 215.

So Senators supporting this bill must realize that supporting the bill means they are supporting the following:

  • The interpretation of “relevant to” to permit the government to collect all of a given kind of record in the name of a standing FBI terrorism investigation.
  • The use of non-communication company corporate person names, like Visa or Western Union, as the selector “limiting” collection.
  • The use of Section 215 to collect financial records.
  • Not requiring the government to report how many Americans get sucked up in any financial (or any non-communications) dragnet.

That is, Senators supporting this bill are not only supporting a possible financial dragnet, but they are helping the government hide the existence of it.

I can’t tell you what the dragnet entails. Perhaps it’s “only” the Western Union tracking reported by both the NYT and WSJ. Perhaps James Cole’s two discussions of being able to collect credit card records under this provision means they are. Though when Leahy asked him if they could collect credit card records to track fertilizer purchases, Cole suggested they might not need everyone’s credit cards to do that.

Leahy: But if our phone records are relevant, why wouldn’t our credit card records? Wouldn’t you like to know if somebody’s buying, um, what is the fertilizer used in bombs?

Cole: I may not need to collect everybody’s credit card records in order to do that.

[snip]

If somebody’s buying things that could be used to make bombs of course we would like to know that but we may not need to do it in this fashion.

We don’t know what the financial dragnet is. But we know that it is permitted — and deliberately hidden — under this bill.

Below the rule I’ve put the names of the 18 Senators who have thus far co-sponsored this bill. If one happens to be your Senator, it might be a good time to urge them to reconsider that support.


Patrick Leahy (202) 224-4242

Mike Lee (202) 224-5444

Dick Durbin (202) 224-2152

Dean Heller (202) 224-6244

Al Franken (202) 224-5641

Ted Cruz (202) 224-5922

Richard Blumenthal (202) 224-2823

Tom Udall (202) 224-6621

Chris Coons (202) 224-5042

Martin Heinrich (202) 224-5521

Ed Markey (202) 224-2742

Mazie Hirono (202) 224-6361

Amy Klobuchar (202) 224-3244

Sheldon Whitehouse (202) 224-2921

Chuck Schumer (202) 224-6542

Bernie Sanders (202) 224-5141

Cory Booker (202) 224-3224

Bob Menendez (202) 224-4744

Sherrod Brown (202) 224-2315

 

 

Supporters of USA Freedom Ignore the Courts

The National Journal reports that Leahy’s USA Freedom Act probably won’t move until after the election, if not next year.

A bill that would curtail the government’s broad surveillance authority is unlikely to earn a vote in Congress before the November midterms, and it might not even get a vote during the postelection lame-duck session.

The inaction amounts to another stinging setback for reform advocates, who have been agitating for legislation that would rein in the National Security Agency ever since Edward Snowden’s leaks surfaced last summer. It also deflates a sudden surge in pressure on Congress to pass the USA Freedom Act, which scored a stunning endorsement from Director of National Intelligence James Clapper last week.

Of course, contrary to what the NJ keeps reporting, that letter is not a stunning endorsement. On the contrary, it’s a signal James Clapper would change — at a minimum — the FISA Advocate position, and probably the Call Detail Record provision as well.

And even while the story suggests timing is the problem, further down the story suggests the bill doesn’t have the votes.

But beyond the calendar squeeze and geopolitical tensions, the Freedom Act has never had a clear path forward. It was not embraced by defense hawks such as Senate Intelligence Committee Chairwoman Dianne Feinstein or Sens. Ron Wyden and Mark Udall, who have become icons of the surveillance-reform movement. The two Democrats said they wanted to strengthen the bill to require warrants for “backdoor” searches of Americans’ Internet data that can be incidentally collected during foreign surveillance hauls. Sources indicated that their support for the Freedom Act remains a bridge too far.

“We were told to go after Republicans,” one industry said.

Wyden and Udall’s reticence to publicly back Leahy’s bill may stem from a conviction that they can get a better deal next Congress, with Section 215 of the USA Patriot Act—the legal underpinning for the NSA’s phone-records collection—due to expire on June 1, 2015.

Without the left flank of the Senate, this wasn’t going to pass. But so long as this bill endorsed warrantless back door searches of Americans at the assessment stage, it wasn’t going to get those votes.

The story ends with a solitary quote purportedly representing the voices of “many” people.

But many see an NSA reform debate that rolls into next year as no sure bet, regardless of what party holds control of the Senate.

“If the USA Freedom Act is not passed this Congress, we are really in uncharted territory, and the process has to start all over again,” said Harley Geiger, senior counsel at the Center for Democracy & Technology, a pro-reform group. “All the elements for reform are in place now, but it just happens that we don’t have much time.”

Geiger is the same purpose mis-reading Clapper’s letter as a complete endorsement of the bill.

Note what doesn’t get mentioned in any of this, though?

The Courts.

Last we heard from the 2nd Circuit, it sounded very very skeptical that it was constitutional to, “collect everything there is to know about everybody and have it all in one big government cloud.” And while SCOTUS was happy to reverse precisely this court in Section 702, both ACLU’s standing and the details of the program are much clearer this time. Had Congress legislated quickly, it likely would moot this and several other challenges to this dragnet. 

This way, at least, the courts will be forced to determine whether it is actually legal for the government to conduct dossiers of every American and store them on a cloud.

James Clapper, Bates-Stamp, and Gutting the FISA Advocate

As I noted the other day, in his letter purportedly “supporting” Patrick Leahy’s USA Freedom Act, James Clapper had this to say about the special advocate amicus curiae position laid out by the law.

We note that, consistent with the President’s request, the bill estsablishes a process for the appointment of an amicus curiae to assist the FISA Court and FISA Court of Review in matters that present a novel or significant interpretation of the law. We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.

Clapper stretches the actual terms of all four provisions of the bill he discusses — he admits he’ll use selection terms outside those enumerated by the statute, he discusses collecting “metadata” rather than the much more limited “call detail records” laid out in the bill, and he facetiously claims FBI won’t count its back door searches because of technical rather than policy choices.

But I think Clapper’s comments about the FISC amicus curiae deserve particular attention, because the letter suggests strongly that Clapper will ignore the law on one of the key improvements in the bill.

Clapper claims, first of all, that Obama has called for the appointment of an amicus curiae.

That’s false.

Obama actually called for fully-independent advocates.

To ensure that the Court hears a broader range of privacy perspectives, I am calling on Congress to authorize the establishment of a panel of advocates from outside government to provide an independent voice in significant cases before the Foreign Intelligence Surveillance Court.

That may seem like semantics. But in his letter, Clapper signals he will make the amicus curiae something different. First, he emphasized this amicus will not interfere with ex parte communications between the court and the government. That may violate this passage of Leahy’s bill, which guarantees the special advocate have access to anything that is “relevant” to her duties.

(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—

[snip]

(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;

Given that in other parts of 50 USC 1861, “relevant” has come to mean “all,” it’s pretty amazing that Clapper says the advocate won’t have access to all communication between the government and the court.

There are just two bases on which the advocate can be denied access to documents she would need.

(i) IN GENERAL.—A special advocate, experts appointed to assist a special advocate, or any other amicus or technical expert appointed by the court may have access to classified documents, information, and other materials or proceedings only if that individual is eligible for access to classified information and to the extent consistent with the national security of the United States.

(ii) RULE OF CONSTRUCTION.— Nothing in this section shall be construed to require the Government to provide information to a special advocate, other amicus, or technical expert that is privileged from disclosure.

If we could believe that Clapper were operating on good faith, this language would be fairly innocuous. But given that Clapper has made it very explicit he wants to continue to conduct ex parte communication, and given that the Director of National Intelligence has a significant role in both need to know determinations and privilege claims, this language — and Clapper’s commitment to retain ex parte communications — is a pretty good indication he plans to deny access based on these two clauses.

And all that’s before Clapper says he plans to continue to work with Leahy to address some of John Bates purported concerns.

As a reminder, in Bates’ most recent letter, he claimed to be speaking “on behalf of the Judiciary” and used the royal “we” throughout. In response to the letter, Steve Vladeck raised real questions what basis Bates had to use that royal “we.”

Judge Bates’s latest missive … raises the question of why Judge Bates believes he’s entitled to speak “on behalf of the Judiciary”–especially when at least two former FISA judges have expressly endorsed reforms far more aggressive than those envisaged by the Senate bill, and when the substance of Judge Bates’s objections go principally to burdens on the Executive Branch, not the courts.

Then Senior 9th Circuit Chief Judge Alex Kozinski weighed in. While he professed not to have studied the matter, he made it quite clear that he

was not aware of Director Bates’s letter before it was sent, nor did [he] receive a copy afterwards.

[snip]

having given the matter little consideration, and having had no opportunity to deliberate with the other members of the Judicial Conference, I have serious doubts about the views expressed by Judge Bates. Insofar as Judge Bates’s August 5th letter may be understood as reflecting my views, I advise the Committee that this is not so.

In other words, Bates decided to speak for the Judiciary without consulting them.

And, as Vladeck correctly notes, what he said seemed to represent the views of the Executive, not the Judiciary. I think that conclusion is all the more compelling when you consider the 3 big opinions we know Bates wrote while serving on FISC:

  • Around July 2010: After noting that the Executive had violated the PRTT orders from 2004 until 2009 when it was shut down, including not disclosing that virtually every record collected included unauthorized collection, he reauthorized and expanded the program 11- to 24-fold, expanding both the types of data permitted and the breadth of the collection. Bates did prevent the government from using some of what it had illegally collected in the past, but told them if they didn’t know it was illegal they could use it.
  • October 3, 2011: The year after he had reauthorized PRTT in spite of the years of violation, the government informed him they had been illegally collecting US person content for 3 years. Bates authorized some of this collection prospectively (though more assertively required them to get rid of the past illegal collection). At the same time, Bates permitted NSA and CIA to conduct back door searches of US person PRISM content.
  • February 19, 2013: Bates unilaterally redefined the PATRIOT Act to permit the government to collect on US persons solely for their First Amendment activities, so long as the activities of their associates were not protected by the First Amendment.

In short, even though Bates knew better than anyone but perhaps Reggie Walton of the Executive’s persistent violations of FISA orders, he repeatedly expanded these programs in dangerous ways even as he found out about new violations.

That’s they guy lecturing Leahy on how the FISC needs to work, invoking the royal “we” he hasn’t gotten permission to use.

And consider the things Bates asked for in his most recent letter – which, by invocation, Clapper is suggesting he’ll demand from Leahy.

  • The advocate should not be mandated to speak for privacy and civil liberties.
  • The advocate should not be adversarial because that might lead the government to stop sharing information it is required to share.
  • The advocate should not be required to be consulted on all novel issues [I wonder now if Bates considers the First Amendment application a novel issue?] because that might take too long.

Basically, Bates says Leahy should replace his language with the House language.

In our view, the greater flexibility and control that the FISA courts would have under the amicus provision in H.R. 3361 make it a better fit for FISA court proceedings than the special advocate provision of S. 2685. As discussed above, the House bill would give the FISA courts substantial flexibility not only in deciding when to appoint an amicus in the first place, but also in tailoring the nature and scope of the assistance provided to the circumstances of a particular matter.

So the guy who Bates-stamped so many dangerous decisions wants FISC to retain the authority to continue doing so.

Again, Clapper is absolutely wrong when he claims this kind of thing — a role the FISC can sharply limit what advice it gets and the DNI can sustain ex parte proceedings by claiming privilege or need to know — is what President Obama endorsed 8 months ago.

Which raises the question: is the President going to tell his DNI to implement his own policy choices? Or is he going to let James Clapper and Bob Litt muddle up a democratic bill again?

Clapper’s Claim that FBI Cannot Count Back Door Searches for Technical Reasons Probably Bullshit

I wanted to explain why I think it’s such a big deal that James Clapper specifically highlighted the carve out for transparency reporting on FBI’s back door searches in Leahy’s version of Freedom Act’s in his letter supporting the bill.

As I described, the bill requires reporting on back door searches, but then exempts the FBI from that reporting.

But that’s not the part of the bill that disturbs me the most. It’s this language:

‘(3) FEDERAL BUREAU OF INVESTIGATION.—

Subparagraphs (B)(iv), (B)(v), (D)(iii), (E)(iii), and (E)(iv) of paragraph (1) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

The language refers, in part,  to requirements that the government report to Congress:

(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—

(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and

(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;

These are back door searches on US person identifiers of Section 702 collected data — both content (iv) and metadata (v).

In other words, after having required the government to report how many back door searches of US person data it conducts, the bill then exempts the FBI.

In his letter, Clapper says,

[W]e are comfortable with the transparency provisions in this bill because, among other things, they recognize the technical limitations on our ability to report certain types of information.

FBI back door searches are the most obvious limit on transparency guidelines, and FBI told PCLOB they couldn’t count them for technical reasons.

So effectively, Clapper is suggesting that Congress has recognized that FBI is incapable — for technical reasons — of counting how often it conducts back door searches.

That technical claim is almost certainly bullshit.

As a reminder, here’s what the government told PCLOB about FBI’s back door searches.

Because they are not identified as such in FBI systems, the FBI does not track the number of queries using U.S. person identifiers. The number of such queries, however, is substantial for two reasons.

First, the FBI stores electronic data obtained from traditional FISA electronic surveillance and physical searches, which often target U.S. persons, in the same repositories as the FBI stores Section 702–acquired data, which cannot be acquired through the intentional targeting of U.S. persons. As such, FBI agents and analysts who query data using the identifiers of their U.S. person traditional FISA targets will also simultaneously query Section 702–acquired data.

Second, whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702–acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts. In the case of an assessment, an assessment may be initiated “to detect, obtain information about, or prevent or protect against federal crimes or threats to the national security or to collect foreign intelligence information.”254 If the agent or analyst conducting these queries has had the training required for access to unminimized Section 702–acquired data, any results from the Section 702 data would be returned in these queries. If an agent or analyst does not have access to unminimized Section 702–acquired data — typically because this agent or analyst is assigned to non-national security criminal matters only — the agent or analyst would not be able to view the unminimized data, but would be notified that data responsive to the query exists and could request that an agent or analyst with the proper training and access to review the unminimized Section 702–acquired data.

Continue reading

The Holder-Clapper Letter Ought to Make You Worry about Leahy’s USA Freedom

As the press is reporting right now, James “Too Cute by Half” Clapper and Eric Holder have written Patrick Leahy a letter endorsing his version of the dragnet reform bill. Reports claim this shows that Clapper supports reform.

Consider me unimpressed.

To understand why, it helps to understand what this letter was once supposed to do. According to a Senate source who is skeptical this reform does enough, it was supposed to provide language that would endorse civil libertarians’ understanding of key terms of the bill. I’m not sure if the letter is still supposed to do that work — if it is not, that is a story unto itself. But the language in this letter doesn’t make any commitments on the key points of concern.

As an initial matter, I was told this letter would include language making it clear that the “connection chaining” language I’ve been so concerned about would limit contact chaining to actual calls made. The letter doesn’t address connection chaining at all. Huh. How about that?

Here’s what Clapper’s letter says about the prospective call detail record (CDR) collection:

The bill also provides a mechanism to obtain telephone metadata records in order to identify potential contacts of suspected terrorists inside the United States. The Intelligence Community believes that, based on communications providers’ existing practices in retaining metadata, the bill will retain the essential operational capabilities of the existing bulk telephone metadata program while eliminating bulk collection.

It’s good news the IC is not asking for data retention requirements — but you ought to ask why, given that the most important provider, Verizon, has told the Senate Intelligence Committee that it only keeps billing records — not CDRs – for 18 months.

Note, however, that Clapper doesn’t use CDR language here — he uses “metadata,” which is actually broader — potentially far broader — than CDRs as defined by the bill. We know, for example, that the IC considers location data metadata — and James Cole told Mark Warner they might ask for hybrid orders to get location data. We know from the ICREACH documents that the IC admits it uses a different definition of metadata than the FISA Court does (the IC’s definition of metadata not only includes content, but also substantive information about people). We know that providers store customer things-that-count-as-metadata on their clouds, indefinitely. Adopting metadata here, in short, may back off the otherwise limited definition of CDR, which is one of the bills laudable limiting factors.

The letter’s claim to end bulk collection does nothing to reflect that the IC’s definition of bulk — anything without a discriminator — has nothing to do with the common English definition of it; it certainly doesn’t promise to end the English language definition of bulk. Moreover, it only promises to limit bulk collection to the “greatest extent practicable.”

[T]he bill permits collection under Section 215 of the USA PATRIOT Act using a specific selection term that narrowly limits the scope of the tangible things sought to the greatest extent reasonably practicable, consistent with the purposes for seeking the tangible things. Recognizing that the terms enumerated in the statute may not always meet operational needs, the bill permits the use of other terms, provided there are court-approved minimization procedures that prohibit the dissemination and require the destruction within a reasonable period of time of any information that has not been determined to satisfy certain specific requirements.

That “reasonably practicable” language is a direct quote from the bill. It adds nothing, and given that Bob Litt refuses to limit FBI back door searches because it’s not practicable, what the IC means by practicable could very easily encompass gross privacy violations — ones that have already been approved by FISC! And remember–the IC can use corporate persons as selection terms.

Then the letter all but admits it will use selection terms that violate this principle, but points to the minimization procedures required by the law to rationalize that. As I’ve pointed out, there’s no reason to believe the minimization procedures will be any more stringent than what the FISC currently requires — and there’s at least some reason to suspect they might be weaker than current minimization procedures. (And remember, the retention requirements for the CDR authority almost certainly broadens permitted dissemination to foreign intelligence purpose, which might lead to a similar broadening of it elsewhere under the authority.)

The transparency paragraph includes this language.

the transparency provisions  in this bill … among other things, [] recognize the technical limitations on our ability to report certain types of information.

This is James Clapper saying quite clearly to anyone willing to listen that he sees this bill — which explicitly carves out FBI back door searches from any transparency reporting — as Congressional endorsement of the idea that we should never demand the number of FBI back door searches. This language, by itself, ought to make the bill toxic.

Congratulations NGOs. You’re backing the idea that the FBI should be able to use 702 and 12333 collected information in criminal contexts with zero oversight or accountability.

Finally, Clapper’s letter makes it clear that Leahy’s bill will do nothing to stop ex parte communication between the Executive and FISC. And he even points to John Bates’ ridiculous letter (huh, now we have a better sense of who put Bates up to that!) to warn he’ll carve out even more.

We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.

Especially after we learned Bates single-handedly rewrote PATRIOT last year to make it okay to spy on Americans for their protected speech, we should do nothing to accommodate Bates’ wishes, especially since he didn’t speak with the authority of his position. The FISC, as Bates envisions it, doesn’t resemble a real court at all.

In short, there’s one piece of good news in this letter — that the IC won’t ask for data retention requirements — and a whole lot of reason to be even more skeptical of the bill.

ICREACH and FBI’s PRTT Program

I’ll have a more substantive post about what we learn about NSA’s broader dragnet from the Intercept’s ICREACH story.

But for the moment I want to reiterate a point I made the other day. ICREACH is important not just because it makes NSA data available to CIA and FBI. But also because it makes CIA and FBI data available for the metadata analysis the NSA conducts.

The documents describe that to include things like clandestine intelligence and flight information.

But there’s one other program that ought to be of particular concern with regards to NSA’s programs. As I laid out here, FBI had a Pen Register/Trap and Trace “program” that shared information with the NSA at least until February 2012, several months after NSA had ended its PRTT Internet dragnet program.

The secrecy behind the FBI’s PRTT orders on behalf of NSA

PRTT1

Finally, there’s a series of entries on the classification guide for FISA programs leaked by Edward Snowden.

These entries show that FBI obtained counterterrorism information using PRTTs for NSA — which was considered Secret.

But that the FBI PR/TT program – which seems different than these individual orders — was considered TS/SI/NOFORN.

PRTT2

If you compare these entries with the rest of the classification guide, you see that this information — the fact that NSA gets PRTT information from FBI (in addition to information from Pen Registers, which seems to be treated differently at the Secret level)  – is treated with the same degree of secrecy as the actual targeting information or raw collected data on all other programs.

This is considered one of the most sensitive secrets in the whole FISA package.

PRTT3

Even minimized PRTT data is considered TS/SCI.

PRTT4

Now, it is true that this establishes an exact parallel with the BR FISA program (which the classification guide makes clear NSA obtained directly). So it may be attributable to the fact that the existence of the programs themselves was considered a highly sensitive secret.

So maybe that’s it. Maybe this just reflects paranoia about the way NSA was secretly relying on the PATRIOT Act to conduct massive dragnet programs.

Except there’s the date.

This classification guide was updated on February 7, 2012 — over a month after NSA shut down the PRTT program. Also, over a month after — according to Theresa Shea — the NSA destroyed all the data it had obtained under PRTT. (Note, her language seems to make clear that this was the NSA’s program, not the FBI’s.)

That is, over a month after the NSA ended its PRTT program and destroyed the data from it (at least according to sworn declarations before a court), the NSA’s classification guide referred to an FBI PRTT program that it considered one of its most sensitive secrets. And seemed to consider active.

I have no idea what this program entailed — and no one else has even picked up on this detail. It’s possible NSA’s Internet dragnet just moved under the FBI’s control. It’s possible (this is my current operative wildarseguess) that FBI’s PRTT program collects location data; the Bureau uses PRTT orders to get individualized location data, after all.

Whatever it is, though, the existence of ICREACH would make that data available to NSA in a form it could use to include it in contact chaining of metadata (which may be why it figures so prominently in NSA’s classification guide). And note: FBI’s minimization procedures are far more lenient than NSA’s, so whatever this data is, NSA may be able to do more with it given that FBI collected it.

And as with a number of other things, even the Pat Leahy version of USA Freedom would weaken protections for PRTT data.

USA Freedom Must Explicitly Require NSA and CIA to Comply with Law’s Minimization Procedures

I know I’ve had a lot of mostly unenthusiastic things to say about even Pat Leahy’s version of the USA Freedom Act.

  • It explicitly exempts FBI from counting back door searches
  • It may not do anything to existing non-electronic communication bulk programs, because it probably permits the use of corporate persons as Specific Selection Terms
  • The “connection chaining” may permit expanded access to smart phone data
  • It retains USA Freedumber’s “foreign intelligence” retention language

Having read about half of last week’s Internet Dragnet document dump so far, I’m increasingly worried about two details I’ve already raised.

I suspect, unless the law explicitly imposes minimization procedures on NSA (and CIA, which reportedly operates the bulky Western Union dragnet), they will evade the bill’s most stringent minimization procedures.

As I noted in November and PCLOB noted in January, the business records provision was explicitly written for FBI, not other intelligence agencies. As a result, the language in it requiring minimization procedures did not — and still would not under Leahy Freedom (to say nothing of USA Freedumber) — require minimization procedures from Agencies beyond FBI. For example, unless I’m misreading how the law would be implemented, this is what would still be in place with regards to minimization procedures.

Applications have to lay out minimization procedures. But the law only requires they apply to FBI.

(D) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.

The judge reviews the minimization procedures in the application to make sure they comply with (g), and then includes an order they be followed in his order approving the application.

(1) Upon an application made pursuant to this section, if the judge finds that the application meets the requirements of subsections (a) and (b) and that the minimization procedures submitted in accordance with subsection (b)(2)(D) meet the definition of minimization procedures under subsection (g), the judge shall enter an ex parte order as requested, or as modified, approving the release of tangible things. Such order shall direct that minimization procedures adopted pursuant to subsection (g) be followed.

And as I’ve already noted, the entire section (g) devoted to minimization explicitly applies to just FBI.

The Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this subchapter.

What’s particularly crazy about this is that the clause was changed to take out deadlines imposed in the 2006 renewal. In other words, they changed this clause, but left in the limits for most minimization procedures to just FBI.

Continue reading

Leahy’s Freedom Act May Not Change Status Quo on Records Other than Call Records

Update: According to the DOJ IG NSL Report released today, the rise in number of Section 215 orders stems from some Internet companies refusing to provide certain data via NSL; FBI has been using Section 215 instead. However they’re receiving it now, Internet companies, like telephone companies, should not be subject to bulk orders as they are explicitly exempted. 

WaPo’s MonkeysCage blog just posted a response I did to a debate between H.L. Pohlman and Gabe Rottman over whether Patrick Leahy’s USA Freedom includes a big “backdoor” way to get call records. The short version: the bill would prevent bulk — but not bulky — call record collection. But it may do nothing to end existing programs, such as the reported collection of Western Union records.

In the interest of showing my work, he’s a far more detailed version of that post.

Leahy’s Freedom still permits phone record collection under the existing authority

Pohlman argues correctly that the bill specifically permits the government to get phone records under the existing authority. So long as it does so in a manner different from the Call Detail Record newly created in the bill, it can continue to do so under the more lenient business records provision.

To wit: the text “carves out” the government’s authority to obtain telephone metadata from its more general authority to obtain “tangible things” under the PATRIOT Act’s so-called business records provision. This matters because only phone records that fit within the specific language of the “carve out” are subject to the above restrictions on the government’s collection authority.  Those restrictions apply only “in the case of an application for the production on a daily basis of call detail records created before, on, or after the date of the application relating to an authorized investigation . . . to protect against international terrorism.”

This means that if the government applies for a production order of phone records on a weekly basis, rather than on a “daily basis,” then it is falls outside the restrictions. If the application is for phone records created “before, on, [and] after” (instead of “or after”) the date of the application, ditto. If the investigation is not one of international terrorism, ditto.

However, neither Pohlman nor Rottman mention the one limitation that got added to USA Freedumber in Leahy’s version which should prohibit the kind of bulk access to phone records that currently goes on.

Leahy Freedom prohibits the existing program with limits on electronic service providers

The definition of Specific Selection Term “does not include a term that does not narrowly limit the scope of the tangible things … such as–… a term identifying an electronic communication service provider … when not used as part of a specific identifier … unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.”

In other words, the only way the NSA can demand all of Verizon’s call detail records, as they currently do, is if they’re investigating Verizon. They can certainly require Verizon and every other telecom to turn over calls two degrees away from, say, Julian Assange, as part of a counterintelligence investigation. But that language pertaining to electronic communication service provider would seem to prevent the NSA from getting everything from a particular provider, as they currently do.

So I think Rottman’s largely correct, though not for the reasons he lays out, that Leahy’s Freedom has closed the back door to continuing the comprehensive phone dragnet under current language.

But that doesn’t mean it has closed a bunch of other loopholes Rottman claims have been closed.

FISC has already dismissed PCLOB (CNSS) analysis on prospective collection 

For example, Rottman points to language in PCLOB’s report on Section 215 stating that the statutory language of Section 215 doesn’t support prospective collection. I happen to agree with PCLOB’s analysis, and made some of the same observations when the phone dragnet order was first released. More importantly, the Center for National Security Studies made the argument in an April amicus brief to the FISC. But in an opinion released with the most recent phone dragnet order, Judge James Zagel dismissed CNSS’ brief (though, in the manner of shitty FISC opinions, without actually engaging the issue).

In other words, while I absolutely agree with Rottman’s and PCLOB’s and CNSS’ point, FISC has already rejected that argument. Nothing about passage of the Leahy Freedom would change that analysis, as nothing in that part of the statute would change. FISC has already ruled that objections to the prospective use of Section 215 fail.

Minimization procedures may not even protect bulky business collection as well as status quo

Then Rottman mischaracterizes the limits added to specific selection term in the bill, and suggests the government wouldn’t bother with bulky collection because it would be costly.

The USA Freedom Act would require the government to present a phone number, name, account number or other specific search term before getting the records—an important protection that does not exist under current law. If government attorneys were to try to seek records based on a broader search term—say all Fedex tracking numbers on a given day—the government would have to subsequently go through all of the information collected, piece by piece, and destroy any irrelevant data. The costs imposed by this new process would create an incentive to use Section 215 judiciously.

As I pointed out in this post, those aren’t the terms permitted in Leahy Freedom. Rather, it permits the use of “person, account, address, or personal device, or another specific identifier.” Not a “name” but a “person,” which in contradistinction from the language in the CDR provision — which replaces “person” with “individual” — almost certainly is intended to include “corporate persons” among acceptable SSTs for traditional Section 215 production.

Like Fedex. Or Western Union, which several news outlets have reported turns over its records under Section 215 orders.

FISC already imposes minimization procedures on most of its orders

Rottman’s trust that minimization procedures will newly restrain bulky collection is even more misplaced. That’s because, since 2009, FISC has been imposing minimization procedures on Section 215 collection with increasing frequency; the practice grew in tandem with greatly expanded use of Section 215 for uses other than the phone dragnet.

While most of the minimization procedure orders in 2009 were likely known orders fixing the phone dragnet violations, the Attorney General reports covering 2010 and 2011 make it clear in those years FISC modified increasing percentages of orders by imposing minimization requirements and required a report on compliance with them

The FISC modified the proposed orders submitted with forty-three such applications in 2010 (primarily requiring the Government to submit reports describing implementation of applicable minimization procedures).

The FISC modified the proposed orders submitted with 176 such applications in 2011 (requiring the Government to submit reports describing implementation of applicable minimization procedures).

That means the FISC was already requiring minimization procedures for 176 orders in 2011, only 5 of which are known to be phone dragnet orders. Continue reading

A Better Reform than USA Freedom: Get Rid of the FISA Court

As he did once before, John Bates has written a letter in the guise of raising concerns about the resources of the FISA Court (though in this case, not actually raising any such concerns) to provide his – or someone else’s – policy views on Patrick Leahy’s version of USA Freedom (see Steve Vladeck’s great post arguing that this letter presents solely Bates defending the executive; though I think Vladeck misreads claimed cooperation with the Administration on Leahy’s bill for assent to it). But also as his earlier letter did, this does nothing so much as make a compelling case to eliminate the FISC.

While Bates raises legitimate concerns about whether summaries of court opinions are better than redacted versions (he would prefer the most sensitive ones remain secret) and the constitutionality of the appeals process, his chief gripe arises from the increased independence Leahy’s bill gives a special advocate.

Bates maintains that by requiring the FISC special advocate to advocate for privacy or civil liberties would not further the interests of privacy or civil liberties.

That’s because actually requiring the advocate to advocate for something would put her in an adversarial position vis-a-vis the government. And that, Bates is sure, would lead the government to withhold information from the Court.

Introducing an adversarial special advocate in FISA proceedings creates the risk that representatives of the Executive Branch — who, as noted, have a heightened duty of candor in ex parte FISA court procedings — would be reluctant to disclose to the courts particularly sensitive factual information, or information detrimental to a case, because doing so would also disclose the information to an independent adversary.

Mind you, the public record shows the government already withholds crucial information, such as how many Americans get collected under upstream collection, as well as how the government is actually using back door searches and how prevalent they are, as well as the torture from which some of their evidence introduced at FISC derives, as well as that EFF had a protection order for data that might incorporate the Section 215 program. So the notion that ex parte proceedings currently give the FISC all the information it needs is farcical.

But Bates worries that requiring the government to expose all the information about its plans to an adversary might lead the government to forgo “potentially valuable intelligence-gathering activities under FISA.” That’s an admission that some of the government’s current programs could not have withstood even the classified scrutiny of someone not positioned as a partner in implementing all the possible intelligence gather activities. The FISC has become, Bates makes clear, the government’s partner in approving every possible collection program that might be valuable.

And all of this complaint is an admission from Bates that it never intended to provide the advocate, as described under USA Freedumber, all the information she needed to do her job.

Bates had already made that complaint in his last letter. In this one, he adds a new one: that because Leahy’s USA Freedom requires the special advocate to be involved in novel cases — and actually defines what novel means — she would be involved in too many.

Section 401 would seem to apply to a potentially large number of cases. The requirement to designate a special advocate would be triggered in the first instance in any matter involving a “novel or significant interpretation of the law.” That term is defined expansively to include, among other things, matters involving the “application … of settled law to novel … circumstances.” Because nearly every application involves distinct (i.e., “novel”) facts and circumstances, Section 401 could be read as applying in a broad swath of cases.

Bates’ former colleagues disagree on this point. James Robertson and James Carr have said the vast majority of what FISC judges approve are fairly simple warrants.

Both and his colleagues, however, may be right: that is, it may well be the FISC has now gotten to the point where each application represents an expansion or a new tweak of previous approvals. I would actually be shocked if the expanding number of Section 215 orders — accompanied as they have been by FISC-imposed minimization procedures — don’t represent such an expansion.

Given Deputy Attorney General James Coles’ confirmation of Zoe Lofgren and Mark Warner’s questions about what Section 215 may be used for — including credit card data, URL searches, and location data — this morphing use of 215 now likely provides the government access programmatically to things they previously needed individualized warrants for.

Even with the opinions and applications we’ve seen — most of which pre-date the significant 2010 expansion of 215-based programs — it becomes clear the FISC judges (or at least those in DC who review the more novel applications) have become a rubber stamp for programs that far surpass the language of the law and likely conflict with other laws. With the vast expansion of dragnets starting in 2004, the FISC has become a court of reasonableness generally, not reasonableness within the letter of the law as written by Congress. The series of plaintive and laughably weak FISC opinions since the exposure of the Section 215 program underscores this: exposed as having far exceeded the law and intent of the Section 215 program, the FISC was left trying to invent the law post hoc.

Bates has, even more than his earlier letter, made it clear that he, at least, believes the FISC is and should be a partner with the Executive, providing legal cover for novel new surveillance that may not fit the intent of Congress. I’d say, too, that even in the area of individualized warrants, it has presided over the redefinition of things like “agent of foreign power,” such that confused Muslim young men become legitimate targets for invasive surveillance that can never be checked in the context of criminal proceedings.

So let’s get rid of it!

It may be the case that in 1978 traditional Title III courts couldn’t handle the secrecy required by FISC proceedings. But they can and do now, routinely. There’s no reason judges throughout the country couldn’t be asked to weigh FISC probable cause as they currently weigh criminal probable cause; and having more judges do so might stay closer to the definition of foreign power as intended by Congress, and if it doesn’t (which given the rubber stamp of magistrates, might well happen), it would be more likely to be reviewed at the appellate level.

Similarly, the courts have and are proving able to deal with new applications, as their treatment of FBI’s request for nationwide warrants to hack makes clear. But they do so in deliberative fashion, actual weighing the language of the law, rather than just secretly approving an application that pretty clearly violates Congress’ intent.

Eliminating the FISC wouldn’t fix all the problems of out-of-control surveillance. Requiring notice for EO 12333 collection is another necessary step, as is actual prosecution for violations of surveillance law. But it seems that just eliminating the FISC would be a far better fix for the problems exposed by Snowden’s leaking than USA Freedom would be.

1 2 3 7
Emptywheel Twitterverse
bmaz Okay, CNN International simulcast is great. Just did a report on the scary clown ban in France. Now that is news I can use. #BanClowns
2hreplyretweetfavorite
bmaz @LegallyErin The report I just saw on CNN looked pretty awesome. Wind and waves onto roads and all kinds of good stuff.
2hreplyretweetfavorite
bmaz @LegallyErin Bundle up baybee!
3hreplyretweetfavorite
bmaz @LegallyErin Say, my tee-bee says you have some kind weather thing going on there.
3hreplyretweetfavorite
bmaz @walterwkatz @gideonstrumpet @ScottGreenfield @LilianaSegura @roomfordebate Yes, that was a nice little touch, no? Jeebus.
3hreplyretweetfavorite
bmaz RT @LegallyErin: There's something very sexy about Anthony Hopkins as Hannibal. I always date the worst guys.
5hreplyretweetfavorite
bmaz @imraansiddiqi You seemed like such a respectable chap, and now here you are talking about Kardashians. #Shame
6hreplyretweetfavorite
bmaz @cody_k I went as a Pando journalist blowing shit out of my ass about Greenwald.
6hreplyretweetfavorite
bmaz @dcbigjohn @erinscafe In or out of the furry costume?
6hreplyretweetfavorite
bmaz RT @AntheaButler: Hands up, don't shoot. RT @deray: Superhero protest. #Ferguson http://t.co/ejnhDLq7jv
6hreplyretweetfavorite
bmaz @JoshuaADouglas @rickhasen @chrislhayes And I ask because that was why I blew off the injunction+contemplated whether were provable damages.
6hreplyretweetfavorite
bmaz @JoshuaADouglas @rickhasen @chrislhayes Question since you are in state there, is hearing even possible before the injunction would be moot?
6hreplyretweetfavorite
November 2014
S M T W T F S
« Oct    
 1
2345678
9101112131415
16171819202122
23242526272829
30