PCLOB

1 2 3 5

34 Years Later, Treasury Is Still Operating without Procedures to Protect Americans under EO 12333

With almost no explanation, PCLOB just released this table ODNI compiled showing the status of procedures Agencies follow to protect US person information when using data obtained under EO 12333. This is something PCLOB has been pushing for since August 2013, when it sent a letter to Attorney General Holder pointing out that some agencies weren’t in compliance with the EO.

As you know, Executive Order 12333 establishes the overall framework for the conduct of intelligence activities by U.S. intelligence agencies. Under section 2.3 of the Executive Order, intelligence agencies can only collect, retain, and disseminate information about U.S. persons if the information fits within one of the enumerated categories under the Order and if it is permitted under that agency’s implementing guidelines approved by the Attorney General after consultation with the Director of National Intelligence.

The Privacy and Civil Liberties Oversight Board has learned that key procedures that form the guidelines to protect “information concerning United States person” have not comprehensively been updated, in some cases in almost three decades, despite dramatic changes in information use and technology.

So I assume the release of this table is designed to pressure the agencies that have been stalling this process.

The immediate takeaway from this table is that, 34 years after Ronald Reagan ordered agencies to have such procedures in Executive Order 12333 and 18 months after PCLOB pushed for agencies to follow the EO, several intelligence agencies still don’t have Attorney General approved procedures. Those agencies and the interim procedures they’re using are:

The Department of Homeland Security’s notoriously shoddy Office of Intelligence and Analysis: Pending issuance of final procedures, I&A is operating pursuant to Interim Intelligence Oversight Procedures, issued jointly by the Under Secretary for Intelligence and Analysis and the Associate General Counsel for Intelligence (April 3, 2008).

United States Coast Guard (USCG)- Intelligence and counterintelligence elements: Pending issuance of final procedures, operating pursuant to Commandant Instruction – COMDINST 3820.12, Coast Guard Intelligence Activities (August 28, 2003).

Department of Treasury Office of Intelligence and Analysis (OIA): Pending issuance of final procedures. While draft guidelines are being reviewed in the interagency approval process, the Office of Intelligence and Analysis conducts intelligence operations pursuant to EO 12333 and statutory responsibilities of the IC element, as advised by supporting legal counsel.

Drug Enforcement Administration, Office of National Security Intelligence (ONSI): Pending issuance of final procedures, operates pursuant to guidance of the Office of Chief Counsel, other guidance, and: Attorney General approved “Guidelines for Disclosure of Grand Jury and Electronic, Wire, and Oral Interception Information Identifying United States Persons” (September 23, 2002); Attorney General approved “Guidelines Regarding Disclosure to the Director of Central Intelligence and Homeland Security Officials of Foreign Intelligence Acquired in the Course of a Criminal Investigation” (September 23, 2002).

I’m not surprised about DHS I&A because — as I noted — most people who track it know that it has never managed to do what it claims it should be doing. And I’m not all that worried about the Coast Guard; how much US person spying are they really doing, after all?

One should always worry about the DEA, and the fact that DEA has only had procedures affecting some of its use of EO 12333 intelligence is par for the course. I mean, limits on what it can share with CIA, but no guidelines on what it can share with FBI? And no guidelines on what it has dragnet collected overseas, where it is very active?

But I’m most troubled by Treasury OIA. In part, that’s because it doesn’t have anything in place — it has just been operating on EO 12333, apparently, in spite of EO 12333′s clear requirement that agencies have more detailed procedures in place. But Treasury’s failure to develop and follow procedures to protect US persons is especially troubling given the more central role OIA has — which expanded in 2004 — in researching and designating terrorists, weapons proliferators, and drug kingpins.

OIA makes intelligence actionable by supporting designations of terrorists, weapons proliferators, and drug traffickers and by providing information to support Treasury’s outreach to foreign partners. OIA also serves as a unique and valuable source of information to the Intelligence Community (IC), providing economic analysis, intelligence analysis, and Treasury intelligence information reports to support the IC’s needs.

As it is, such designations and the criminalization of US person actions that might violation sanctions imposed pursuant to such designations are a black box largely devoid of due process (unless you’re a rich Saudi business man). But Treasury’s failure to establish procedures to protect US persons is especially troubling given how central these three topics — terrorists, weapons proliferation, and drugs — are in the intelligence communities overseas collection. This is where bulk collection happens. And yet any US persons suck up in the process and shared with Treasury have only ill-defined protections?

Treasury’s role in spying on Americans may be little understood. But it is significant. And apparently they’ve been doing that spying without the required internal controls.

 

The NSA’s Funny Numbers, Again

Back when the WaPo published a quarterly NSA compliance audit from 2012, I caught the largest math organization in the world failing basic arithmetic. I’ve been comparing that report with the Intelligence Oversight Board report covering the same period, and I’m finding the numbers might, once again, not add up (though it’s hard to tell given the redactions).

According to NSA’s internal numbers, the organization had 865 violations in the first quarter of calendar year 2012 (670 EO 12333 violations and 195 FISA violations). Yet NSA described just 163 violations in depth (75 EO 12333 violations and 88 FISA violations, though further violations are likely hidden behind redactions in bulk descriptions).

Here’s how the numbers compare, broken down by category (I used the categories used in the IOB Report heading, unless the violation was clearly a roamer or a US Person).

Screen Shot 2015-01-05 at 5.12.52 PM

Whereas some numbers are very close — such as for the illegal targeting of a US Person — there were other things, such as sharing a US person’s data or some fairly troubling unauthorized access violations not explicitly mentioned in the internal audit. Nor are unauthorized targeting and access mentioned as such.

And then there are all the “roamer” incidences, which apparently don’t all get reported to IOB (though you can definitely see an increase in them over the years), and which often look a lot less accidental when explained in the IOB report.

Then there are the rather measured descriptions the NSA gives IOB (which we’ve seen in other areas, as with the Internet dragnet, and which might be worst with the upstream violations).

Here’s what the NSA reported internally:

As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.

Here’s what NSA told the IOB about this violation:

[redacted] NSA determined that a technical service contained BR call detail records older than the approved five years. Approximately [redacted] records comprising approximately [fairly big redaction] records were retained for more than five years. The records were found on an access-controlled server that is used exclusively  by technical personnel and is not accessible to intelligence analysts. [2 lines redacted]

Here’s what PCLOB had to say about this violation:

In one incident, NSA technical personnel discovered a technical server with nearly 3,000 files containing call detail records that were more than five years old, but that had not been destroyed in accordance with the applicable retention rules. These files were among those used in connection with a migration of call detail records to a new system. Because a single file may contain more than one call detail record, and because the files were promptly destroyed by agency technical personnel, the NSA could not provide an estimate regarding the volume of calling records that were retained beyond the five-year limit. The technical server in question was not available to intelligence analysts.

While it appears NSA managed to give IOB (completely redacted) numbers for the files involved, it appears PCLOB never got a clear count of how many were involved. It’s not clear that NSA ever admitted this data may have gotten mixed in with Stellar Wind data. No one seems to care that this was a double violation, because techs are supposed to destroy data when they’re done with it.

Though, if you ask me, you should wait to figure out why so many records were lying around a tech server before you destroy them all. But I’m kind of touchy that way.

One thing I realize is consistent between the internal audit and the IOB report. The NSA, probably the owner of the most powerful computing power in the world, consistently uses the term “glitch” to describe software that doesn’t do what it is designed to to keep people out of data they’re not supposed to have access to.

The glitches are letting us down.

 

DOJ Changed Its FISA Disclosure Policy on January 10, 2008

While wandering through FBI’s Domestic Investigations and Operations Guide today, I realized that on January 10, 2008, DOJ changed its FISA use policy (at PDF 104) . In a memo announcing the new policy, Ken Wainstein explained that “this revised policy includes significant changes from current practice that will streamline the process for using FISA information in certain basic investigative processes, while still ensuring that important intelligence and law enforcement interests are protected.”

It then lists 4 (entirely redacted) investigative processes for which FISA information could be used.

While I’m sure this letter has been reported in the past, it has far greater significance given several newly disclosed facts.

First, just days earlier, Attorney General Michael Mukasey reversed existing policy by permitting NSA to contact chain on US person data in EO 12333-collected information. That decision would make it far easier to identify existing communications implicating Americans.

Even more importantly, this move took place just weeks before the government revamped the PRISM program, such that FBI had a much more central role in the process and obtained selected PRISM material directly. In effect, Mukasey made it easier to use FISA information just weeks before FBI started getting a lot more of it, and getting it directly.

This change adds to the already significant evidence that the FBI started back door searches on PRISM information with that change in January 2008.

It’s interesting, too, that FBI had already decided to make these changes before Colleen Kollar-Kotelly ruled the initial Protect America Act certifications met the statute on January 15, 2008. There’s growing evidence that DOJ long planned to involve FBI more centrally, but waited on her decision (and the day the PAA was originally scheduled to expire) to roll out the change formally.

One more critical detail: The letter indicated that the new policy would be tied to a new interpretation of information “derived from” FISA.

The revised policy requires that it be reviewed one year from its effective date and requires NSD to issue guidance on what constitutes information “derived from” FISA collections by March 31, 2008.

Note that that initial annual review date would mean Bush’s DOJ would conduct such a review in the last days before Obama came in.

In any case, the redacted parts of this letter are probably, arguably, unclassified and FOIAble at this point, since PCLOB has revealed that FBI uses its back door searches for assessments.

Clapper’s Claim that FBI Cannot Count Back Door Searches for Technical Reasons Probably Bullshit

I wanted to explain why I think it’s such a big deal that James Clapper specifically highlighted the carve out for transparency reporting on FBI’s back door searches in Leahy’s version of Freedom Act’s in his letter supporting the bill.

As I described, the bill requires reporting on back door searches, but then exempts the FBI from that reporting.

But that’s not the part of the bill that disturbs me the most. It’s this language:

‘(3) FEDERAL BUREAU OF INVESTIGATION.—

Subparagraphs (B)(iv), (B)(v), (D)(iii), (E)(iii), and (E)(iv) of paragraph (1) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

The language refers, in part,  to requirements that the government report to Congress:

(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—

(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and

(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;

These are back door searches on US person identifiers of Section 702 collected data — both content (iv) and metadata (v).

In other words, after having required the government to report how many back door searches of US person data it conducts, the bill then exempts the FBI.

In his letter, Clapper says,

[W]e are comfortable with the transparency provisions in this bill because, among other things, they recognize the technical limitations on our ability to report certain types of information.

FBI back door searches are the most obvious limit on transparency guidelines, and FBI told PCLOB they couldn’t count them for technical reasons.

So effectively, Clapper is suggesting that Congress has recognized that FBI is incapable — for technical reasons — of counting how often it conducts back door searches.

That technical claim is almost certainly bullshit.

As a reminder, here’s what the government told PCLOB about FBI’s back door searches.

Because they are not identified as such in FBI systems, the FBI does not track the number of queries using U.S. person identifiers. The number of such queries, however, is substantial for two reasons.

First, the FBI stores electronic data obtained from traditional FISA electronic surveillance and physical searches, which often target U.S. persons, in the same repositories as the FBI stores Section 702–acquired data, which cannot be acquired through the intentional targeting of U.S. persons. As such, FBI agents and analysts who query data using the identifiers of their U.S. person traditional FISA targets will also simultaneously query Section 702–acquired data.

Second, whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702–acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts. In the case of an assessment, an assessment may be initiated “to detect, obtain information about, or prevent or protect against federal crimes or threats to the national security or to collect foreign intelligence information.”254 If the agent or analyst conducting these queries has had the training required for access to unminimized Section 702–acquired data, any results from the Section 702 data would be returned in these queries. If an agent or analyst does not have access to unminimized Section 702–acquired data — typically because this agent or analyst is assigned to non-national security criminal matters only — the agent or analyst would not be able to view the unminimized data, but would be notified that data responsive to the query exists and could request that an agent or analyst with the proper training and access to review the unminimized Section 702–acquired data.

→']);" class="more-link">Continue reading

Did Anthony Coppolino Fib about NSA’s New Architecture?

On Tuesday, EFF told the tale of yet another government freak-out over purportedly classified information. The DOJ lawyer litigating their multiple dragnet challenges, Anthony Coppolino, accidentally uttered classified information in a hearing in June. So the government tried to take the classified information out of the transcript without admitting they did so. After Judge Jeffrey White let EFF have a say about all this, the government ultimately decided the information wasn’t classified after all. So the Court finally released the transcript.

My wildarseguess is that this is the passage in question:

Judge Bates never ultimately held that the acquisition violated the Constitution. The problem in that case was the minimization procedures were not sufficient to protect the Fourth Amendment interests of the people of the United States.

And so he ordered that they be changed, and they were changed. And he approved them. And in addition, in the process of not only approving the minimization procedures, NSA implemented new system architecture that did a better job at assuring that those communications were minimized and ultimately destroyed, which is the goal here. It’s part of the statutory framework not to collect on U.S. citizens and when you’ve incidentally done it, destroy it. [my emphasis]

According to the John Bates opinions relating to this incident, the NSA implemented a new system of ingesting this data, marking it, checking it before it gets moved into the general repository of data, and purging it if it includes entirely domestic commuincations. But does that count as new architecture? I’m not sure.

Meanwhile, the NSA has been upgrading their architecture. We learned that (among other places) in the most recent Theresa Shea declaration on NSA systems in EFF’s Jewel case. It doesn’t mention new architecture pertaining to  upstream  702, though she does discuss a more general architecture upgrade and how it affects Section 215 specifically.

Then there’s this language, addressing the NSA’s inability to filter US person data reliably, from PCLOB.

The NSA’s acquisition of MCTs is a function of the collection devices it has designed. Based on government representations, the FISC has stated that the “NSA’s upstream Internet collection devices are generally incapable of distinguishing between transactions containing only a single discrete communication to, from, or about a tasked selector and transactions containing multiple discrete communications, not all of which are to, from, or about a tasked selector.”155 While some distinction between SCTs and MCTs can be made with respect to some communications in conducting acquisition, the government has not been able to design a filter that would acquire only the single discrete communications within transactions that contain a Section 702 selector. This is due to the constant changes in the protocols used by Internet service providers and the services provided.156 If time were frozen and the NSA built the perfect filter to acquire only single, discrete communications, that filter would be out-of-date as soon as time was restarted and a protocol changed, a new service or function was offered, or a user changed his or her settings to interact with the Internet in a different way. Conducting upstream Internet acquisition will therefore continue to result in the acquisition of some communications that are unrelated to the intended targets.

The fact that the NSA acquires Internet communications through the acquisition of Internet transactions, be they SCTs or MCTs, has implications for the technical measures, such as IP filters, that the NSA employs to prevent the intentional acquisition of wholly domestic communications. With respect to SCTs, wholly domestic communications that are routed via a foreign server for any reason are susceptible to Section 702 acquisition if the SCT contains a Section 702 tasked selector.157 With respect to MCTs, wholly domestic communications also may be embedded within Internet transactions that also contain foreign communications with a Section 702 target. The NSA’s technical means for filtering domestic communications cannot currently discover and prevent the acquisition of such MCTs.158 

The footnotes in this section all cite to John Bates’ 2011 opinion (including, probably, some language that remains redacted in the public copy, such as on page 47). So we might presume it is out of date.  Except that PCLOB has done independent work on these issues and the end of the first paragraph includes language not sourced at all.

That is, PCLOB seems to think there remain technical problems with sorting out US person data, the filtering problem cannot be solved. (Which makes the ridiculous John Bates more skeptical on this point than PCLOB.)

So do the data segregation techniques implemented in 2011 amount to new architecture? Does the larger architecture upgrade going on going to affect upstream collection in some more meaningful fashion?

I don’t know. One other reason I think this might be the language is because Coppolino was — as he frequently does — running his mouth. Bates did rule the US person data collected before 2011 violated the Fourth Amendment, even if the task before him was solely to judge whether the minimization procedures before him did. More importantly, Bates was quite clear that this US person collection was intentional, not incidental.

So Coppolino was making claims about one of the practices (the PRTT collection is another) that is most likely to help EFF win their suit, upstream collection, which actually does entail domestic wiretapping of US person content. He made a claim that suggested — with the fancy word “architecture” — that NSA had made technical fixes. But PCLOB, at least, doesn’t believe they’ve gotten to the real issue.

Who knows? It’s just a guess. What’s not a guess is that Coppolino seems to recognize upstream 702 presents a real problem in this suit.

USA Freedom Does Not Rein in the Spies

Honest. I started writing about this David Cole column asking, “Can Congress rein in the spies?” before John Brennan admitted that, contrary to his earlier assurances, his spooks actually had been spying on their Congressional overseers and also before President Obama announced that, nevertheless, he still has confidence in Brennan.

Cole’s column isn’t about the the Senate Intelligence Committee’s struggles to be able to document CIA torture, however. It’s about how Patrick Leahy introduced his version of USA Freedom Act “not a moment too soon.”

I don’t want to gripe with the column’s presentation of Leahy’s version of Freedom; with a few notable exceptions (one which I’ll get to), it accurately describes how Leahy’s bill improves on the bill the spies gutted in the House.

I first wanted to point to why Cole says Leahy’s bill comes not a moment too soon.

Leahy’s bill comes not a moment too soon. Two reports issued on Monday bring into full view the costs of a system that allows its government to conduct dragnet surveillance without specific suspicions of wrongdoing. In With Liberty to Monitor All, Human Rights Watch and the ACLU make a powerful case that mass surveillance has already had a devastating effect on journalists’ ability to monitor and report on national security measures, and on lawyers’ ability to represent victims of government overreaching. And the same day, the New America Foundation issued Surveillance Costs, a report noting the widespread economic harm to US tech companies that NSA surveillance has inflicted, as potential customers around the world take their business elsewhere.

Together, these reports make concrete the damaging effects of out-of-control surveillance, even to those with “nothing to hide.” Our democracy has long rested on a vibrant and vigorous press and open legal system. On matters of national security, journalists probably serve as a more important check on the executive than even the courts or Congress.

[snip]

And, it turns out, tech companies also need to be able to promise confidentiality. Customers of Internet services or cloud computing storage programs, for example, expect and need to be certain that their messages and stored data will be private. Snowden’s revelations that the NSA has been collecting vast amounts of computer data, and has exploited vulnerabilities in corporate encryption programs, have caused many to lose confidence in the security of American tech companies in particular.

Cole describes the great costs out-of-control surveillance imposes on journalists, lawyers, and cloud providers, and implies we cannot wait to reverse those costs.

Then he embraces a bill that would not protect journalists’ conversations with whistleblowers (Leahy’s Freedom still permits the traditional access of metadata for counterintelligence purposes as well as the Internet dragnet conducted overseas) or alleged terrorists, would not protect lawyers’ discussions with their clients (the known attorney-client protected collections happened under traditional FISA, EO 12333, and possibly Section 702, none of which get changed in this bill), and would expose American companies’ clouds even further to assisted government access under the new Call Detail Record provision.

Cole does admit the bill does not address Section 702; he doesn’t mention EO 12333 at all, even though both the HRW and NAF reports did.

Senator Leahy’s bill is not a cure-all. It is primarily addressed to the collection of data within the United States, and does little to reform Section 702, the statute that authorizes the PRISM program and allows the government to collect the content of electronic communications of noncitizens abroad, even if they are communicating with US citizens here. And it says nothing about the NSA’s deeply troubling practice of inserting vulnerabilities into encryption programs that can be exploited by any hacker. It won’t, therefore, solve all the problems that the HRW and New American Foundation reports identify. But it would mark an important and consequential first step.

But he doesn’t admit the bill does little to address the specific sources of the costs identified in the two reports. It’s not a minute too soon to address these costs, he says, but then embraces a bill that doesn’t really address the actual sources of the costs identified in the reports.

That is mostly besides the point of whether Leahy’s bill is a fair apples-to-oranges trade-off with the status quo as to represent an improvement – an answer to which I can’t yet give, given some of the obvious unanswered questions about the bill. It is, however, a testament to how some of its supporters are overselling this bill and with it anyone’s ability to rein in the intelligence community.

But it’s one testament to that that bugs me most about Cole’s column. As I noted, he does mention Leahy’s failure to do anything about Section 702. Nowhere in his discussion of 702, however, does he mention that it permits warrantless access to Americans’ content, one which FBI uses when conducting mere assessments of Americans. Which of course means Cole doesn’t mention the most inexcusable part of the bill — its exemption on already soft reporting requirements to provide the numbers for how many Americans get exposed to these back door searches.

I’m not a fancy Georgetown lawyer, but I strongly believe the back door searches — conducted as they are with no notice to anyone ultimately prosecuted based off such information — are illegal, and probably unconstitutional. When retired DC Circuit Court judge Patricia Wald raised these problems with the practice, Director of National Intelligence Counsel Bob Litt simply said it would be “impracticable” to add greater oversight to back door searches. And in spite of the fact that both the President’s Review Group and PCLOB advised significant controls on this practice (which implicates the costs identified in both the HRW and NAF reports), the version of USA Freedom Act crafted by the head of the Senate Judiciary Committee — the Committee that’s supposed to ensure the government follows the law — not only doesn’t rein in the practice, but it exempts the most egregious part of the practice from the transparency applauded by people like Cole, thereby tacitly endorsing the worst part of the practice.

And all that’s before you consider that the IC also conducts back door searches of EO 12333 collected information — as first reported by me, but recently largely confirmed by John Napier Tye. And before you consider the IC’s explicit threat — issued during the passage of the Protect America Act — that if they don’t like any regulation Congress passes, they’ll just move the program to EO 12333.

The point is, Congress can’t rein in the IC, and that’s only partly because (what I expect drives the Senate’s unwillingness to deal with back door searches) many members of Congress choose not to. The have not asserted their authority over the IC, up to and including insisting that the protections for US persons under FISA Amendments Act actually get delivered.

In response to the news that Brennan’s spies had been spying on its Senate overseers, Patrick Leahy (who of course got targeted during the original PATRIOT debate with a terrorist anthrax attack) issued a statement insisting on the importance of Congressional oversight.

Congressional oversight of the executive branch, without fear of interference or intimidation, is fundamental to our Nation’s founding principle of the separation of powers.

Yet his bill — which is definitely an improvement over USA Freedumber but not clearly, in my opinion, an improvement on the status quo — tacitly endorses the notion that FBI can conduct warrantless searches on US person communications without even having real basis for an investigation.

That’s not reining in the spies. That’s blessing them.

A Good Idea that May Backfire: FISCR Fast Track

I’ve written several posts about Leahy’s USA Freedom already. To recap:

  • The bill is definitely an improvement off of USA Freedumber, though it retains “connection” chaining language I’m seriously concerned about
  • The bill permits the government to collect “bulky” collections in at least two ways: the use of IP addresses and non-individual persons (aka corporations)
  • The bill inexplicably exempts the FBI from reporting requirements on back door searches

My last new concern about the bill pertains to a measure that means well, but might backfire.

The bill includes language designed to provide for appeals of significant issues, first to the FISA Court of Review, and then to SCOTUS.

(j) REVIEW OF FISA COURT DECISIONS.—After issuing an order, a court established under subsection (a) shall certify for review to the court established under subsection (b) any question of law that the court determines warrants such review because of a need for uniformity or because consideration by the court established under subsection (b) would serve the interests of justice. Upon certification of a question of law under this paragraph, the court established under subsection (b) may give binding instructions or require the entire record to be sent up for decision of the entire matter in controversy.

(k) REVIEW OF FISA COURT OF REVIEW DECISIONS.—

(1) CERTIFICATION.—For any decision issued by the court of review established under subsection (b) approving, in whole or in part, an application by the Government under this Act, such court may certify at any time, including after a decision, a question of law to be reviewed by the Supreme Court of the United States.

(2) SPECIAL ADVOCATE BRIEFING.—Upon certification of an application under paragraph (1), the court of review established under subsection (b) may designate a special advocate to provide briefing as prescribed by the Supreme Court.

(3) REVIEW.—The Supreme Court may review any question of law certified under paragraph (1) by the court of review established under subsection (b) in the same manner as the Supreme Court reviews questions certified under section 1254(2) of title 28, United States Code.

That is, it provides a way for FISC to ask FISCR to review their work, and for FISCR to ask SCOTUS to review their work.

To some degree, the more eyes that look at these novel decisions, the better.

But neither the FISCR review nor the SCOTUS review requires even the Special Advocate. While FISCR has, in the past, permitted amici, they (and Yahoo, in the case where Yahoo appealed FISC’s 2007 recision on Protect America Act) were shooting in the dark. the new advocate, such as it exists, would be able to argue before FISCR if the court wanted it.

So to a significant extent that would result in the same people (the government and the Court’s permanent staff, on one side, and the unproven advocate on the other) arguing the same issue over and over. with the courts themselves choosing to have their own decisions certified by the higher courts.

With the potential result that you’d have appellate decisions or even a SCOTUS instruction without ever giving a real adversary a shot at the issue. If FISC responded to the phone dragnet question before the way they have since Snowden leaked details of it, they would have gotten it certified to confirm their authority.

One addition to Leahy’s bill could exacerbate that. His bill requires the FISC to consult with PCLOB on appointees as  Advocates. With today’s PCLOB, that’d be a good thing. But if Republicans win back the Senate — especially if Mitch McConnell retains his seat — you’d see another PCLOB member the likes of Elisabeth Collins Cook and Rachel Brand. Both are really smart. But both were architects of the surveillance regime while serving as DOJ Policy AAGs. Add a third of that ilk, and PCLOB could load up the Advocates corp with people like Steven Bradbury.

Moreover, for the foreseeable future, Justice John Roberts will be handpicking these judges, which doesn’t give me a lot of confidence.

I just think the Advocate system is unproven right now. It may work out, it may be gamed to reinforce the dysfunction of the court. And the record of the FISCR — especially Laurence Silberman’s efforts to rule FISA illegal in 2002 — give me no confidence this kind of self-appeal would do anything but sanction bad decisions.

Mind you, the Leahy bill also permits the government to go on denying aggrieved people of review of Section 215 collection, so it’s not clearly anyone else will get standing to challenge this program in particular.

But it seems like the FISC system is so dysfunctional, there’s no reason to pre-empt the possibility of real adversarial court function.

Update: Orin Kerr thinks this is unconstitutional.

NSA Only Finds 59% of Its Targeting of US Persons

This will be a minor point, but one that should be made.

The Privacies and Civil Liberties Oversight Board report on Section 702 included this little detail:

In 2013, the DOJ undertook a review designed to assess how often the foreignness determinations that the NSA made under the targeting procedures as described above turned out to be wrong — i.e., how often the NSA tasked a selector and subsequently realized after receiving collection from the provider that a user of the tasked selector was either a U.S. person or was located in the United States. The DOJ reviewed one year of data and determined that 0.4% of NSA’s targeting decisions resulted in the tasking of a selector that, as of the date of tasking, had a user in the United States or who was a U.S. person. As is discussed in further detail below, data from such taskings in most instances must be purged. The purpose of the review was to identify how often the NSA’s foreignness determinations proved to be incorrect. Therefore, the DOJ’s percentage does not include instances where the NSA correctly determined that a target was located outside the United States, but post-tasking, the target subsequently traveled to the United States.

0.4% of NSA’s targeting decisions falsely determine someone is a foreigner who is in fact a US person.

That’s a pretty low amount. Though based on ODNI’s number — showing 89,138 people were targeted in 2013 — that means 356 US persons get wrongly targeted each year. Again, still not a huge number, but it compares rather interestingly with the 1,144 people targeted under FISA each year. Those wrongly targeted under Section 702 actually make up 24% of those targeted in a year.

Just as interesting is comparing the NSA’s internal audit (see page 6)  with DOJ’s results. For a period presumably covering some of the same time period, NSA discovered 20 US persons tasked (for some reason there was a big increase in this number for the last quarter of the report) and 191 incidences of “other inadvertent” tasking violations, which are described as, “situations where targets were believed to be foreign but who later turn out to be U.S. persons and other incidents that do not fit into the previously identified categories” (my emphasis). Not all of those 191 incidents should be counted as wrongly targeted US persons — the description includes other inadvertent targeting. But even counting them all as such, that means NSA only found 211 of the potential wrongly targeted US persons in a year, while DOJ found 356.

Again, in a country of 310 million people, these numbers are small, particularly as compared to the collection of US person communications under upstream collection, which is thousands of times higher.

But it does say that NSA’s internal reviews don’t find all the Americans who get wrongly targeted.

Correction: I originally mistranscribed DOJ’s number as .o4%–though I had calculated using .4%.

WaPo and PCLOB Agree: NSA Does Not Comply with Its Minimization Procedures

There are a number of issues with Marc Ambinder’s interpretation of the WaPo’s analysis of the content of NSA’s 702 collections as a “bust.” Ambinder:

  • Overstates the specificity of the certifications, particularly in light of the general “foreign government” one recently revealed by WaPo
  • Makes the same email rather than overwhelmingly IM mistake Stewart Baker made
  • Doesn’t deal with the fact that the bulk of US identifiers that got minimized — the largest category, constituting over 57,000 instances — is IP address, which presents different privacy concerns than what he addresses
  • Suggests this collection includes traditional FISA warrants; WaPo suggests it is all 702 collection, which ought to mean it includes less US person content (but apparently doesn’t)
  • Ignores how readily the NSA provides unaudited access to raw data for tech personnel and SIGDEV, and therefore how (in)secure we should expect this data to be in practice

But the most troublesome problem with it is Ambinder’s treatment of the NSA’s minimization obligations and practices. Here are some statements Ambinder makes about NSA’s minimization requirements.

Ok, so: having run the data through an automatic minimization system of some sort, the NSA analysts are required to minimize every U.S.-person communication that they see. Minimize does not “to get rid of.” It means to anonymize the U.S.-based non-target source.

[snip]

Maybe I could be a customer service representative from the pizza place that got his order wrong, and I’m e-mailing him to apologize for it. The NSA and the FBI are required by statute to minimize the communication if they determine it has no intelligence value. (And why would the NSA waste time reading a conversation about pizza anyway?)

[snip]

The analyst’s judgment can be subjective. On the first instance, the analyst has to figure out whether the communication is relevant to a foreign intelligence purpose.

First he states that minimization does not mean “get rid of,” then states NSA is required by statute to get rid of communications that have no intelligence value, then notes an analyst has to determine whether a communication has foreign intelligence value. Overall, though, Ambinder suggests that NSA does get rid of communications involving US persons without foreign intelligence value.

Ambinder is absolutely right the law requires the government to get rid of US person data that has no foreign intelligence value.

Here’s what one version of the minimization requirements say:

(1) specific procedures, which shall be adopted by the Attorney General, that are reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(2) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in subsection (e)(1) of this section, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance;

(3) notwithstanding paragraphs (1) and (2), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes; and

(4) notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance approved pursuant to section 1802 (a) of this title, procedures that require that no contents of any communication to which a United States person is a party shall be disclosed, disseminated, or used for any purpose or retained for longer than 72 hours unless a court order under section 1805 of this title is obtained or unless the Attorney General determines that the information indicates a threat of death or serious bodily harm to any person.

And here’s how that translates into the minimization procedures approved in 2011.

Personnel will exercise reasonable judgment in determining whether information acquired must be minimized and will destroy inadvertently acquired communications of or concerning a United States person at the earliest practicable point in the processing cycle at which such communication can be identified either: as clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information); or, as not containing evidence of a crime which may be disseminated under these procedures. Except as provided for in subsection 3(c)(2) below, such inadvertently acquired communications of or concerning a United States person may be retained no longer than five years from the expiration date of the certification authorizing the collection in any event.

Both the law and the minimization procedures approved by the FISC require NSA to get rid of US person communications that have no foreign intelligence purpose.

But here’s what the WaPo reveals about what NSA analysts do when they determine collection has no foreign intelligence value (note, however, these passages do not specify how many of these conversations include US person communications, though almost half of these communications involve US person identifiers).

Many other files, described as useless by the analysts but nonetheless retained, have a startlingly intimate, even voyeuristic quality. They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are catalogued and recorded nevertheless.

[snip]

“None of the hits that were received were relevant,” two Navy cryptologic technicians write in one of many summaries of nonproductive surveillance. “No additional information,” writes a civilian analyst. [my emphasis]

While these passages are not quantifiable — both because WaPo didn’t say how many files NSA had determined to be “useless” and because WaPo didn’t identify how many of those include US persons — they do suggest that NSA is not complying with the legal requirement that they destroy communications involving US persons that don’t have foreign intelligence value. Not even for communications they describe as “useless” or “not relevant.”

That’s not surprising. As I noted the other day, PCLOB found that NSA “rarely” complies with this requirement and CIA and FBI never do.

[A]lthough a communication must be “destroyed upon recognition” when an NSA analyst recognizes that it involves a U.S. person and determines that it clearly is not relevant to foreign intelligence or evidence of a crime,531 in reality this rarely happens. Nor does such purging occur at the FBI or CIA: although their minimization procedures contain age-off requirements, those procedures do not require the purging of communications upon recognition that they involve U.S. persons but contain no foreign intelligence information.

Ambinder is absolutely right that WaPo’s sample shows that NSA is pretty good, but not perfect, at masking US person identities in their data.

But both WaPo’s detailed analysis and PCLOB’s general review show that NSA does not comply with another key part of its legally required minimization obligations, to destroy communications involving US persons that have no foreign intelligence value. US person identifiers may be masked, but many of them shouldn’t be in the NSA’s databases at all. That needs to be acknowledged in any discussion of the NSA’s minimization procedures. The law requires them to get rid of US person communications with no intelligence value. But they don’t.

That’s why the sheer volume of very personal information in this sample is of concern (aside from the concern we should have for foreigners’ privacy; though again, WaPo doesn’t say how much of the US person data includes that personal information). Because the NSA and FBI and CIA can access this data without needing any suspicion of wrongdoing.

NYT Mischaracterizes PCLOB Report While Transcribing NSA Pushback to WaPo

The NYT has a story transcribing Administration efforts to “play down new disclosures” from the WaPo showing that the bulk of people whose communications were collected in a sample provided by Edward Snowden were not targets. The key claim NYT transcribes is that NSA “filters out” US person communications.

Administration officials said the agency routinely filters out the communications of Americans and information that is clearly of no intelligence value.

In addition, the NYT claims that PCLOB had no problems with the way the government minimized all this data.

Just days before the Post article, an independent federal privacy board had largely endorsed the N.S.A.’s execution of the program. The Privacy and Civil Liberties Oversight Board concluded last week that the “minimizing” of that data was largely successful, at least under the current law, which Congress passed six years ago.

Um, no.

I hope to explain this at more length, but the WaPo suggests that the government did not comply with targeting and minimization requirements in two ways: first, because the standards for foreignness were not as stringent as witnesses have claimed for a year (something which NYT’s sources apparently don’t even try to rebut). But also, WaPo showed the NSA was not destroying communications that — at least from their own and even some of the analysts’ own descriptions of it — had no foreign intelligence value. Here are some analysts judging the data collected irrelevant.

“None of the hits that were received were relevant,” two Navy cryptologic technicians write in one of many summaries of nonproductive surveillance. “No additional information,” writes a civilian analyst.

It’s this second detail NYT’s sources attempt to rebut.

But NYT’s claim that PCLOB concluded minimization “was largely successful” ignores a number of concerns they raised about it, a number of which pertain to back door searches and upstream collection.

In addition to those concerns (which about four of PCLOB’s recommendations address), PCLOB raised this issue:

Therefore, although a communication must be “destroyed upon recognition” when an NSA analyst recognizes that it involves a U.S. person and determines that it clearly is not relevant to foreign intelligence or evidence of a crime,531 in reality this rarely happens. Nor does such purging occur at the FBI or CIA: although their minimization procedures contain age-off requirements, those procedures do not require the purging of communications upon recognition that they involve U.S. persons but contain no foreign intelligence information.

A communication must be destroyed upon recognition if it’s a US person communication with no intelligence value — PCLOB restates the standard that NYT’s sources claim is actually used. But after laying out that standard, PCLOB immediately says meeting that requirement “rarely happens.”

NYT’s sources say it routinely happens. PCLOB says it rarely happens at NSA, and not at all at CIA and FBI.

PCLOB, incidentally, recommends addressing this issue by having FISC review what tasking standards are actually used and then reviewing a subset of the data returned — precisely what the WaPo just did, though we have no way of knowing if WaPo had a representative sample.

But the story here should have been, “Administration’s rebuttal has already been refuted by PCLOB’s independent review.”

PCLOB and WaPo disagree about the tasking — PCLOB sides with past Administration witnesses on the assiduousness of NSA’s targeting.

But PCLOB entirely backs WaPo on how many worthless communications NSA is keeping and documenting.

1 2 3 5
Emptywheel Twitterverse
emptywheel RT @nickshaxson: #HSBC and the world’s oldest drug cartel http://t.co/j90dtgSpti What an inglorious, bloody, druggy history that scandalhou…
1mreplyretweetfavorite
emptywheel @bartongellman I keep prepping snarky tweets abt it but then coming back to that point. What's his gig? @JameelJaffer
23mreplyretweetfavorite
emptywheel @TimothyS Very good skill everywhere. Too much college writing instruction is abt English papers, not even--say--science lab reports.
28mreplyretweetfavorite
emptywheel @TimothyS Tho I will say I approve of teaching kids in college to write memos.
29mreplyretweetfavorite
emptywheel @TimothyS Also: Petraeus failed with the last two surges. Let's consult with him on the ISIL surge!
31mreplyretweetfavorite
emptywheel Clapper's description of the unpredictable instability of the world is pretty damning if you're the world's hegemon. https://t.co/EZw06bBcoC
45mreplyretweetfavorite
emptywheel @steve_vladeck I'd be at least as interested in whether it would cover DNA, bc I've suspected they've done that, too.
1hreplyretweetfavorite
emptywheel @michaelwhitney Don't think that's please. At least in my house that's "Cmon, how many times do I have to remind you morning routine?"
2hreplyretweetfavorite
emptywheel @DaveedGR I'm not sure ANY of that follows. Press is very selective abt what and where it covers.
2hreplyretweetfavorite
emptywheel @sbagen You're complaining about sun? You can have light or heat. Not both. Until June.
3hreplyretweetfavorite
February 2015
S M T W T F S
« Jan    
1234567
891011121314
15161718192021
22232425262728