PCLOB

NSA’s New “Privacy Officer” Releases Her First Propaganda

Over at Lawfare, Ken Anderson released the public comment on Section 702 the NSA Civil Liberties and Privacy Office has submitted to the Privacy and Civil Liberties Oversight Board. Anderson notes that the comment doesn’t appear to be online yet, and the name of the Civil Liberties and Privacy Officer, Rebecca Richards, doesn’t appear on what Anderson posted (though that may be Lawfare’s doing).

The statement, generally, makes me sad. The comment repeatedly backed off including known, even unclassified details about Section 702, and as such this doesn’t so much read as an independent statement on the privacy assessment of the woman at the NSA mandated with overseeing it, but rather a highly scripted press release.

I will probably do a piece on some potential holes this statement may indicate in NSA’s oversight (though it is written in such hopeless bureaucratese, we can’t be sure). But for the moment, I wanted to point to what, in my opinion, is the most glaring example of how scripted this is.

The statement describes back door searches this way:

Since October 2011 and consistent with other agencies’ Section 702 minimization procedures, NSA’s Section 702 minimization procedures have permitted NSA personnel to use U.S. person identifiers to query Section 702 collection when such a query is reasonably likely to return foreign intelligence information. NSA distinguishes between queries of communications content and communications metadata. NSA analysts must provide justification and receive additional approval before a content query using a U.S. person identifier can occur. To date, NSA analysts have queried Section 702 content with U.S. person identifiers less frequently than Section 702 metadata. For example, NSA may seek to query a U.S. person identifier when there is an imminent threat to life, such as a hostage situation. NSA is required to maintain records of U.S. person queries and the records are available for review by both OOJ [sic] and ODNI as part of the external oversight process for this authority. Additionally, NSA’s procedures prohibit NSA from querying Upstream data with U.S. person identifiers.

The only new piece of information provided here is that the NSA conducts more back door searches on 702 metadata than on 702 content.

But then the statement immediately provides the most defensible example of back door searches — searching for a US person’s identifier in content when they’ve been kidnapped, a scenario that derives from a pre-PAA problem with NSA’s kludged FISC approved program. Notably, this scenario is almost certainly not a metadata search! This is also the same scenario used by Dianne Feinstein’s aides in November to obscure the true extent of the searches, suggesting it is a propaganda line NSA has developed to spin back door searches.

What I find so frustrating about this statement is how it compares with statements others have already made … to PCLOB.

In November, for example, after ODNI General Counsel Robert Litt admitted that the Intelligence Community treats back door searches of 702 data (and probably, EO 12333 data) like they do all “legally collected” data, NSA General Counsel Raj De admitted that NSA doesn’t even require Reasonable Articulable Suspicion to do searches on US person data, because doing so would involve adopting a higher standard for back door searches than for other data.

Raj De: Our minimization procedures, including how we handle data, whether that’s collection, analysis, dissemination, querying are all approved by the Foreign Intelligence Surveillance Court. There are protections on the dissemination of information, whether as a result of a query or analysis. So in other words, U.S. person information can only be disseminated if it’s either necessary to understand the foreign intelligence value of the information, evidence of a crime and so forth. So I think those are the types of protections that are in place with this lawfully collected data.

[Center for Democracy and Technology VP James] DEMPSEY: But am I right, there’s no, on the query itself, other than it be for a foreign intelligence purpose, is there any other limitation? We don’t even have a RAS for that data.

MR. DE: There’s certainly no other program for which the RAS standard is applicable. That’s limited to the 215 program, that’s correct. But as to whether there is, and I think this was getting to the probable cause standard, should there be a higher standard for querying lawfully collected data. I think that would be a novel approach in this context, not to suggest reasonable people can’t disagree, discuss that. But I’m not aware of another context in which there is lawfully collected, minimized information in this capacity in which you would need a particular standard.

Then, in March, Litt objected to requiring court review before doing back door searches (and he was asked specifically about back door searches of US person data, though he reportedly tried to back off the application of this to US persons after the hearing) because the volume of back door searches is so high.

[Retired DC Circuit Judge] Patricia Wald: The President required, or, I think he required in his January directive that went to 215 that at least temporarily, the selectors in 215 for questioning the databank of US telephone calls–metadata–had to be approved by the FISA Court. Why wouldn’t a similar requirement for 702 be appropriate in the case where US person indicators are used to search the PRISM database? What big difference do you see there?

Robert Litt: Well, I think from a theoretical perspective it’s the difference between a bulk collection and a targeted collection which is that–

Wald: But I would think that, sorry for interrupting, [cross-chatter]  I would think that message since 702 has actually got the content.

Litt: Well, and the second point that I was going to make is that I think the operational burden in the context of 702 would far greater than in the context of 215.

Wald: But that would–

Litt: If you recall, the number of actual telephone numbers as to which a  RAS–reasonable articulable suspicion determination was made under Section 215 was very small. The number of times that we query the 702 database for information is considerably larger. I suspect that the Foreign Intelligence Surveillance Court would be extremely unhappy if they were required to approve every such query.

Wald: I suppose the ultimate question for us is whether or not the inconvenience to the agencies or even the unhappiness of the FISA Court would be the ultimate criteria.

Litt: Well I think it’s more than a question of convenience, I think it’s also a question of practicability.

Admittedly, Litt’s answer refers to all the back door searches conducted by the Intelligence Community, including both the CIA and FBI (the latter of which other reporters seem to always ignore when discussing back door searches), as well as NSA. So it’s possible this volume of back door searches reflects FBI’s use of the practice, not NSA’s. (Recall that former presiding FISC Judge John Bates admits the Court has no clue how often or in what ways the Executive Branch is doing back door searches on US person data, but that it is likely so common as to be burdensome to require FISC involvement.)

Still, the combined picture already provided to PCLOB goes well beyond the hostage situation provided by the Privacy Office statement.

Even the President’s comment about back door searches in his January speech appears to go beyond what the NSA statement does (though again, imposing new limits on back door searches for law enforcement purposes probably speaks primarily to FBI’s back door searches, less so NSA’s).

 I am asking the Attorney General and DNI to institute reforms that place additional restrictions on government’s ability to retain, search, and use in criminal cases, communications between Americans and foreign citizens incidentally collected under Section 702.

We are slowly squeezing details about the reality of back door searches, so I wasn’t really relying on this statement in any case.

But it’s an issue of credibility. The Privacy Officer, to have a shred of credibility and therefore the PR value that Obama surely hopes it will have, must appear to be speaking from independent review within the scope permitted by classification restraints. That hasn’t happened here, not even close. Instead, Rebecca Richards appears to be speaking under the constraint of censorship far beyond that imposed on other government witnesses on this issue.

That doesn’t bode well for her ability to make much difference at NSA.

RuppRoge Fake Dragnet Fix Requires Intel Community to Update 30 Year Old EO 12333 Procedures

One good aspect of the RuppRoge Fake Dragnet Fix is its measure requiring all elements of the Intelligence Community to comply with the EO that governs them.

At issue is this clause in EO 12333 requiring that any element of the Intelligence Community collecting data on US persons have Attorney General approved procedures for handling that data.

2.3 Collection of information. Elements of the Intelligence Community are authorized to collect, retain, or disseminate information concerning United States persons only in accordance with procedures established by the head of the Intelligence Community element concerned or by the head of a department containing such element and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order, after consultation with the Director.

This is something PCLOB asked Eric Holder and James Clapper to make sure got done back in August. In their letter, they disclosed some agencies in the IC have been stalling on these updates for almost 3 decades.

The Privacy and Civil Liberties Oversight Board just sent a letter to Eric Holder and James Clapper requesting that they have all the Intelligence Committee agencies update what are minimization procedures (though the letter doesn’t call them that), “to take into account new developments including technological developments.”

As you know, Executive Order 12333 establishes the overall framework for the conduct of intelligence activities by U.S. intelligence agencies. Under section 2.3 of the Executive Order, intelligence agencies can only collect, retain, and disseminate information about U.S. persons if the information fits within one of the enumerated categories under the Order and if it is permitted under that agency’s implementing guidelines approved by the Attorney General after consultation with the Director of National Intelligence.

The Privacy and Civil Liberties Oversight Board has learned that key procedures that form the guidelines to protect “information concerning United States person” have not comprehensively been updated, in some cases in almost three decades, despite dramatic changes in information use and technology. [my update]

In other words, these procedures haven’t been updated, in some cases, since not long after Ronald Reagan issued this EO in 1981.

RuppRoge aims to require the IC elements to comply.

(1) REQUIREMENT FOR IMMEDIATE REVIEW.–Each head of an element of the intelligence community that has not obtained the approval of the Attorney General for the procedures, in their entirety, required by section 2.3 of Executive Order 12333 (50 U.S.C. 3001 note) within 5 years prior to the date of the enactment of the End Bulk Collection Act of 2014, shall initiate, not later than 180 days after such enactment, a review of the procedures for such element.

Mind you, asking agencies to initiate a review 6 months after passage of a bill to update procedures that are 30 years old isn’t exactly lighting a fire under IC arse. But then, the delay probably stems from some agencies hoarding agency records on US persons that are even older than the EO.

Bob Litt and Rachel Brand Redefine “Incidental”

Sometimes, especially with PCLOB, there’s an exchange that I wildly imagine (emphasis on imagine–I’m not saying this is actually the case) is intended solely for my benefit.

Such is the case with an exchange at last week’s PCLOB hearing.

PCLOB Board Member Rachel Brand was trying — as she seemed to be doing exclusively with her questioning — to cue the government witnesses to pitch descriptions of programs in such a way as to make them less troubling. So she walked them through how NSA keeps upstream about collection for a shorter period than it keeps PRISM data. This gave NSA General Counsel Raj De an opportunity to make it sound like NSA, out of the generosity of its own heart, decided to throw out data sooner, and also gave him the opportunity to claim that collection FISC Judge John Bates found to be intentional collection of US person data was actually incidentally collected data.

MS. BRAND: Okay. So you said in an earlier round of questioning that upstream, collection from upstream is retained for a shorter period of time than collection from PRISM and you said that the reason for that distinction is that there’s a potentially greater privacy concern with respect to upstream collection. Can you elaborate on why, whether the additional privacy concerns that pertain to upstream.

MR. DE: Sure. And a lot of this is laid out in this court opinion that’s now public. This is from the fall of 2011. I think because of the nature of abouts collections, which we have discussed, there is potentially a greater likelihood of implicating incidental U.S. person communication or inadvertently collecting wholly domestic communications that therefore must need to be purged.

And for a variety of circumstances the court evaluated the minimization procedures we had in place and as a consequence of that evaluation the government put forth a shorter retention period to be sure that the court could reach comfort with the compliance of those procedures with the Fourth Amendment. And so two years was one element of the revised procedures that are now public.

It’s a nice benign way of describing how NSA got busted for violating the Fourth Amendment, and the FISC’s only response was to force the NSA to violate it for 2 years of retention rather than for 5 years.

From there, Brand offered the witnesses an opportunity to redefine the word “incidental” so it also includes this practice, which Bates judged to be intentional. ODNI General Counsel Bob Litt rose to the challenge of Orwellianism.

MS. BRAND: Okay. I want to use the word incidental collection there again, and your definition earlier seemed to be that by incidental you mean, by incidental U.S. person collection you mean that the person on the other end of the phone from the non-U.S. person abroad is a U.S. person. That’s your definition, right? Is there another definition that you’re aware of? Because you seem to be — okay. I think there’s been some frustration with the use of the term incidental in that context because it’s not accidental, it’s intentional. It’s actually unavoidable. And so I just wanted to make sure that we’re all on the same page, that by incidental you mean not accidental, not unintentional, but this is actually what we’re doing.

MR. LITT: It is incidental to the collection on the target. It is not accidental, it is not inadvertent. Incidental is the appropriate term for it.

And by thus redefining incidental, Bob Litt gets to pretend that intentionally wiretapping Americans in the US is not a violation of the laws — including Section 702 — prohibiting the intentional wiretapping of Americans in the US.

Does FBI EVER Age Off Its Section 702 Data?

The Privacy and Civil Liberties Oversight Board has released the transcript of the first panel from its hearing on Wednesday.

And while I was concerned by the following exchange — between Principal Deputy Assistant Attorney General Brad Wiegmann and PCLOB Chair David Medine — in real time, I find it even more troubling on second pass.

MR. MEDINE: And could you address why the minimization procedures make it a reasonable form of collection under the Fourth Amendment?

[snip]

MR. WIEGMANN: You have retention rules. I believe in some cases, for NSA for example, you have a five year retention limit on how long the information can be retained. And so these are procedures that the courts have found protect U.S. privacy and make the collection reasonable for Fourth Amendment purposes.

MR. MEDINE: And under the minimization procedures I understand that the agency, the NSA, FBI, the CIA have their own minimization procedures and they’re not the same with each other?

MR. WIEGMANN: That’s right.

MR. MEDINE: Can you address why that shouldn’t be a concern that this information is not being subjected to the same minimization standards?

MR. WIEGMANN: So each of them have their own minimization procedures based on their unique mission, and the court reviews each of those for CIA, FBI, NSA, and it’s found them all reasonable for each different agency. They’re slightly different based on the operational needs, but they’re similar.

MR. MEDINE: Would it make more sense then if the same set of minimization procedures apply across the board for this kind of information?

MR. WIEGMANN: I don’t think. Again, just to contrast, for example, FBI and NSA that are using information in different ways. The FBI has a little more latitude with respect to U.S. person information in terms of criminal activity and evidence of a crime than NSA, which doesn’t have that law enforcement mission. So I think it is important to have some differences between the agencies in terms of how they handle the information.

We know what the NSA minimization procedures look like. Not only do they permit dissemination use of US person data in more than the examples described by Wiegmann, they’re frightfully permissive on other points (such as the retention of data for technical database purposes, or the limits on Attorney-Client privilege). Moreover, they permit the retention of data because of a threat to property, a clear expansion on the legal requirements.

But from Wiegmann’s description, it sounds like FBI’s minimization procedures (which are used as a basis for National Counterterrorism Center’s minimization procedures) are worse. Worse because they permit FBI even more leeway to use FISA authorized data in criminal investigations.

And worse because it’s not clear whether there are even any retention time limits. Indeed, if you watch the clip above, it might be more accurate to punctuate that data retention sentence this way:

You have retention rules, I believe, in some cases. For NSA, for example, you have a five year retention limit.

In any case, the comment seems to suggest that in other cases — like, perhaps, the FBI and derivatively NCTC — you don’t have temporal limits. That would be consistent with FBI’s retention of many kinds of investigative data forever. But it would mean a great deal of data involving innocent Americans collected without a warrant remains in the FBI’s hands forever.

And all that’s before you consider that FBI has always, since the passage of FISA Amendments Act (or at least the first certifications later that year), been permitted to conduct backdoor searches on incidentally collected data. So they may not only be keeping this data forever, but performing warrantless back door searches on it.

NSA Conducts So Many Back Door Searches on US Persons It Would Be Impracticable to Approve Those Queries

While there wasn’t as much as I’d like, the Privacy and Civil Liberties Oversight Board hearing today focused somewhat on the issue of back door searches, in which NSA searches for US person data in data “incidentally” collected under Section 702 of FISA.

DOJ National Security Director Deputy AAG Brad Wiegmann even suggested we should call them queries, perhaps to obscure all the obvious problems with them as searches under the Fourth Amendment.

The most telling exchange, however, came when PCLOB Board Member Patricia Wald suggested that the FISA Court conduct the same kind of oversight over these backdoor searches that it is now doing pursuant to the changes in Section 215 President Obama made in January. (CSPAN won’t let me embed this yet but here’s a link.) ODNI General Counsel Robert Litt shot that idea down aggressively, stating that it is not practicable.

Patricia Wald: The President required, or, I think he required in his January directive that went to 215 that at least temporarily, the selectors in 215 for questioning the databank of US telephone calls–metadata–had to be approved by the FISA Court. Why wouldn’t a similar requirement for 702 be appropriate in the case where US person indicators are used to search the PRISM database? What big difference do you see there?

Robert Litt: Well, I think from a theoretical perspective it’s the difference between a bulk collection and a targeted collection which is that–

Wald: But I would think that, sorry for interrupting, [cross-chatter]  I would think that message since 702 has actually got the content.

Litt: Well, and the second point that I was going to make is that I think the operational burden in the context of 702 would far greater than in the context of 215.

Wald: But that would–

Litt: If you recall, the number of actual telephone numbers as to which a RAS–reasonable articulable suspicion determination was made under Section 215 was very small. The number of times that we query the 702 database for information is considerably larger. I suspect that the Foreign Intelligence Surveillance Court would be extremely unhappy if they were required to approve every such query.

Wald: I suppose the ultimate question for us is whether or not the inconvenience to the agencies or even the unhappiness of the FISA Court would be the ultimate criteria.

Litt: Well I think it’s more than a question of convenience, I think it’s also a question of practicability.

NSA General Counsel Raj De, who has spent the better part of the last 9 months saying “it’s only metadata,” went on to argue that somehow this “targeted” content program (which of course requires no advance review of selectors) is less intrusive than the metadata collection under Section 215.

Make up your damn mind!

To be fair, I suspect one of the issues is that after the Nidal Hasan attack (and this is just a very well educated guess), NSA rolled out a system whereby new communications between a targeted foreigner and an American automatically pulls up all previous communications involving that US person. That would count as a search, even though it would effectively feel like an automatic cross-referencing of all prior communications involving someone talking to a target, even if that is a US person.

Nevertheless, this means that NSA is conducting so many back door searches on US person data that it would be “impracticable” to actually give those searches some kind of review.

No wonder NSA refuses to give numbers on this practice to Ron Wyden.

Rosencrantz and Guildenstern Visit Pee-Clob

The first panel of an all-day Privacy and Civil Liberties Oversight Board hearing on Section 702 of FISA just finished.

It featured NSA General Counsel Raj De, ODNI General Counsel Robert Litt, Deputy AAG for National Security Brad Wiegmann, and FBI General Counsel James Baker.

While there were a number of interesting disclosures — which I’ll get at in the future — the most striking aspect of the hearing was the tooth-pulling effort to get the panel to define the terms they use.

There were a slew of terms defined, among others including “minimization,” “bulk collection,” “PRISM,”

But the most interesting redefinitions were for “purge” and “search.”

After much tooth-pulling, James Dempsey got De to admit that NSA’s definition of the word “search” is different from the one used in the Fourth Amendment. Actually, that may not be entirely true: Sometimes the actual collection of data counts as a search, sometimes only the querying of it does. NSA gets to decide which is which, best as I can tell, in secret or in legal filings where it will serve to deprive someone of standing.

Then there’s “purge,” which I can’t hear anymore without seeing a pink speech bubble and scare quotes surrounding the word. Purge does not mean — as you might expect — “destroy.” Rather, it means only “remove from NSA systems in such a way that it cannot be used.” Which, best as I understand it, means they’re not actually destroying this data.

I do hope EFF figures that out before they argue the protection order for Section 215 today, as on those terms it seems increasingly clear NSA is not complying with the Jewel protection order.

“Purge.” To keep. Somewhere else.

In Nomination Hearing, DIRNSA Nominee Mike Rogers Continues James Clapper and Keith Alexander’s Obfuscation about Back Door Searches

Yesterday, the Senate Armed Services Committee held a hearing for Vice Admiral Mike Rogers to serve as head of Cyber Command (see this story from Spencer about how Rogers’ confirmation as Cyber Command chief serves as proxy for his role as Director of National Security Agency because the latter does not require Senate approval).

Many of the questions were about Cyber Command (which was, after all, the topic of the hearing), but a few Senators asked questions about the dragnet that affects us all.

In one of those exchanges — with Mark Udall — Rogers made it clear that he intends to continue to hide the answers to very basic questions about how NSA conducts warrantless surveillance of Americans, such as whether the NSA conducts back door searches on American people.

Udall: If I might, in looking ahead, I want to turn to the 702 program and ask a policy question about the authorities under Section 702 that’s written into the FISA Amendments Act. The Committee asked your understanding of the legal rationale for NASA [sic] to search through data acquired under Section 702 using US person identifiers without probable cause. You replied the NASA–the NSA’s court approved procedures only permit searches of this lawfully acquired data using US person identifiers for valid foreign intelligence purposes and under the oversight of the Justice Department and the DNI. The statute’s written to anticipate the incidental collection of Americans’ communications in the course of collecting the communications of foreigners reasonably believed to be located overseas. But the focus of that collection is clearly intended to be foreigners’ communications, not Americans. But declassified court documents show that in 2011 the NSA sought and obtained the authority to go through communications collected under Section 702 and conduct warrantless searches for the communications of specific Americans. Now, my question is simple. Have any of those searches been conducted?

Rogers: I apologize Sir, I’m not in a position to answer that as the nominee.

Udall: You–yes.

Rogers: But if you would like me to come back to you in the future if confirmed to be able to specifically address that question I will be glad to do so, Sir.

Udall: Let me follow up on that. You may recall that Director Clapper was asked this question in a hearing earlier this year and he didn’t believe that an open forum was the appropriate setting in which to discuss these issues. The problem that I have, Senator Wyden’s had, and others is that we’ve tried in various ways to get an unclassified answer — simple answer, yes or no — to the question. We want to have an answer because it relates — the answer does — to Americans’ privacy. Can you commit to answering the question before the Committee votes on your nomination?

Rogers: Sir, I believe that one of my challenges as the Director, if confirmed, is how do we engage the American people — and by extension their representatives — in a dialogue in which they have a level of comfort as to what we are doing and why. That is no insignificant challenge for those of us with an intelligence background, to be honest. But I believe that one of the takeaways from the situation over the last few months has been as an intelligence professional, as a senior intelligence leader, I have to be capable of communicating in a way that we are doing and why to the greatest extent possible. That perhaps the compromise is, if it comes to the how we do things, and the specifics, those are perhaps best addressed in classified sessions, but that one of my challenges is I have to be able to speak in broad terms in a way that most people can understand. And I look forward to that challenge.

Udall: I’m going to continue asking that question and I look forward to working with you to rebuild the confidence. [my emphasis]

The answer to the question Rogers refused to answer is clearly yes. We know that’s true because the answer is always yes when Wyden, and now Udall, ask such questions.

But we also know the answer is yes because declassified parts of last August’s Semiannual Section 702 Compliance Report state clearly that oversight teams have reviewed the use of this provision, which means there’s something to review.

As reported in the last semiannual assessment, NSA minimization procedures now permit NSA to query its databases containing telephony and non-upstream electronic communications using United States person identifiers in a manner designed to find foreign intelligence information. Similarly, CIA’s minimization procedures have been modified to make explicit that CIA may also query its databases using United States person identifiers to yield foreign intelligence information. As discussed above in the descriptions of the joint oversight team’s efforts at each agency, the joint oversight team conducts reviews of each agency’s use of its ability to query using United States person identifiers. To date, this review has not identified any incidents of noncompliance with respect to the use of United States person identifiers; as discussed in Section 4, the agencies’ internal oversight programs have, however, identified isolated instances in which Section 702 queries were inadvertently conducted using United States person identifiers. [my emphasis]

It even obliquely suggests there have been “inadvertent” violations, though this seems to entail back door searches on US person identifiers without realizing they were US person identifiers, not violations of the procedures for using back door searches on identifiers known to be US person identifiers.

Still, it is an unclassified fact that NSA uses these back door searches.

Yet the nominee to head the NSA refuses to answer a question on whether or not NSA uses these back door searches.

And it’s not just in response to this very basic question that Rogers channeled the dishonest approach of James Clapper and Keith Alexander.

As Udall alluded, at the end of a long series of questions about Cyber Command, the committee asked a series of questions about back door searches and other dragnet issues. They asked (see pages 42-43):

  • Whether NSA can conduct back door searches on data acquired under EO 12333 and if so under what legal rationale
  • Whether NSA can conduct back door searches on data acquired pursuant to traditional FISA and if so under what legal rationale
  • What the legal rationale is for back door searches on data acquired under FISA Amendments Act
  • What the legal rationale is for searches on the Section 215 query results in the “corporate store”

I believe every single one of Rogers’ answers — save perhaps the question on traditional FISA — involves some level of obfuscation. (See this post for further background on what NSA’s Raj De and ODNI’s Robert Litt have admitted about back door searches.)

Consider his answer on searches of the “corporate store” as one example.

What is your understanding of the legal rationale for searching through the “Corporate Store” of metadata acquired under section 215 using U.S. Persons identifiers for foreign intelligence purposes?

The section 215 program is specifically authorized by orders issued by the Foreign Intelligence Surveillance Court pursuant to relevant statutory requirements. (Note: the legality of the program has been reviewed and approved by more than a dozen FISC judges on over 35 occasions since 2006.) As further required by statute, the program is also governed by minimization procedures adopted by the Attorney General and approved by the FISC. Those orders, and the accompanying minimization procedures, require that searches of data under the program may only be performed when there is a Reasonable Articulable Suspicion that the identifier to be queried is associated with a terrorist organization specified in the Court’s order.

Remember, not only do declassified Primary Orders make it clear NSA doesn’t need Reasonable Articulable Suspicion to search the corporate store, but PCLOB has explained the possible breadth of “corporate store” searches plainly.

According to the FISA court’s orders, records that have been moved into the corporate store may be searched by authorized personnel “for valid foreign intelligence purposes, without the requirement that those searches use only RAS-approved selection terms.”71 Analysts therefore can query the records in the corporate store with terms that are not reasonably suspected of association with terrorism. They also are permitted to analyze records in the corporate store through means other than individual contact-chaining queries that begin with a single selection term: because the records in the corporate store all stem from RAS-approved queries, the agency is allowed to apply other analytic methods and techniques to the query results.72 For instance, such calling records may be integrated with data acquired under other authorities for further analysis. The FISA court’s orders expressly state that the NSA may apply “the full range” of signals intelligence analytic tradecraft to the calling records that are responsive to a query, which includes every record in the corporate store.73

There is no debate over whether NSA can conduct back door searches in the “corporate store” because both FISC and PCLOB say they can.

Which is probably why SASC did not ask whether this was possible — it is an unclassified fact that it is — but rather what the legal rationale for doing so is.

And Rogers chose to answer this way:

  1. By asserting that the phone dragnet must comply with statutory requirements
  2. By repeating tired boilerplate about how many judges have approved this program (ignoring that almost all of these approvals came before FISC wrote its first legal opinion on the program)
  3. By pointing to AG-approved minimization procedures (note–it’s not actually clear that NSA’s — as distinct from FBI’s — dragnet specific procedures are AG-approved, though the more general USSID 18 ones are)
  4. By claiming FISA orders and minimization procedures “require that searches of data under the program may only be performed when there is a Reasonable Articulable Suspicion that the identifier to be queried is associated with a terrorist organization”

The last part of this answer is either downright ignorant (though I find that unlikely given how closely nominee responses get vetted) or plainly non-responsive. The question was not about queries of the dragnet itself — the “collection store” of all the data. The question was about the “corporate store” — the database of query results based off those RAS approved identifiers. And, as I said, there is no dispute that searches of the corporate store do not require RAS approval. In fact, the FISC orders Rogers points to say as much explicitly.

And yet the man Obama has picked to replace Keith Alexander, who has so badly discredited the Agency with his parade of lies, refused to answer that question directly. Much less explain the legal rationale used to conduct RAS-free searches on phone query results showing 3rd degree connections to someone who might have ties to terrorist groups, which is what the question was.

Which, I suppose, tells us all we need to know about whether anyone plans to improve the credibility or transparency of the NSA.

Goldilocks Porridge of NSA Reform

Since Obama’s speech on the dragnet, I’ve been skeptical the promise to obtain court review before conducting phone dragnet searches means anything. There’s nothing — not a thing — in the actual speech or the White House fact sheet accompanying it that distinguishes the allegedly new court review from the review that already exists.

The President has directed the Attorney General to work with the Foreign Intelligence Surveillance Court so that during this transition period, the database can be queried only after a judicial finding, or in a true emergency.

After all, the FISC quarterly approves which terror (and Iranian) groups NSA can target in the dragnet. That’s a judicial finding! Without more specificity, there’s no reason to believe this is any further review than already occurs.

In an off-the-record briefing before the speech (I didn’t listen in but saw a transcript), anonymous Senior Administration Officials did insist this meant an individualized review of each identifier to be queried (though there were no details about whether the court had to approve each query using that identifier; also, the SAOs indicated no limits would be put on using Section 215 to engage in bulk collection or querying of other items). Though one reason Executive Branch officials like to do off the record briefings is so their credibility can’t be challenged if their secret assurances prove to be hollow. And how would anyone prove these claims to be hollow, in any case, given that all of these reviews are secret?

That background is one reason I’m intrigued by Siobhan Gorman’s tick-tock of how the White House included this review as a very last minute sop to the Review Group, in response to pushback in a January 15 meeting.

Top White House officials, including National Security Adviser Susan Rice, met the afternoon of Jan. 15 with the members of the NSA review panel, which had issued an influential report a month earlier calling for an overhaul of key surveillance programs. The meeting turned tense, though not combative.

The panel had proposed a restructuring that would store telephone data outside the U.S. government and require NSA to obtain approval from the secret Foreign Intelligence Surveillance Court to conduct a search of the database. Currently, NSA searches are governed by an internal process.

White House officials told panel members at the meeting that they were inclined to move the phone data out of the NSA’s hands. But they didn’t mention judicial review of the searches.

The panel’s response was “that’s half” of their recommendation, according to a person close to the review panel. Some panel members interpreted the White House officials’ failure to mention judicial review as a sign that the recommendation wouldn’t be adopted, said several people familiar with the talks.

Appealing to the White House officials, panel members said that without judicial approval, “there’s no way you can restore trust” from the public, said a person familiar with the talks.

[snip]

White House officials appeared “rattled” by the pushback, the person said. “It caused them to regroup.”

The next day—the day before Mr. Obama’s speech—White House officials inserted a new section into the speech that required judicial approval of a search from the secret court, which oversees many of NSA’s surveillance programs.

But even that evening, White House officials were struggling with whether the president could singlehandedly impose such requirements on another branch of government. They sought late-night advice from the Justice Department on how to structure the rule, trying to make it more collaborative than compulsory, a U.S. official said.

Which is how, Gorman goes on, they came up with language that on its face doesn’t impose any new review.

But there are several things that don’t make sense with this story.

First, the NSA Review Group didn’t recommend this kind of individualized review for Section 215, though they did say the intent of the law was to permit the government to query providers on individual orders after getting FISC authorization, suggesting such review is implicit.

As originally envisioned when section 215 was enacted, the government can query the information directly from the relevant service providers after obtaining an order from the FISC.

They did recommend judicial review for National Security Letters (and Gorman’s story makes it clear this discussion was wrapped up in a discussion of the Review Group’s recommendations for NSLs). But the Review Group’s recommendations focused on ending bulk collection and moving whatever remained out of government hands. Obama outright rejected the first recommendation and punted the second to a Congress that won’t adopt it.

PCLOB, on the other hand, did recommend something much closer to individualized review for the transition period (though they recommended it come after queries were made).

(c) submit the NSA’s “reasonable articulable suspicion” determinations to the FISC for review after they have been approved by NSA and used to query the database;

Though their last meeting with the White House was on January 8, well before this last-minute addition.

In any case, this last-minute change is pitched — by someone described as a “person familiar with the intelligence-agency discussions” — as central to a Goldilocks “just right” solution that left both privacy advocates and the intelligence community placated.

The White House strategy appears to have muted major criticism, both from privacy advocates and intelligence officials.

While privacy advocates said they had wanted Mr. Obama to require more privacy safeguards, their primary message has been that the true effect of the overhauls can’t be known until they are implemented.

Among the spy agencies, there’s relief that Mr. Obama’s speech didn’t criticize the surveillance operations.

“Nobody lost, nobody won,” said one person familiar with the intelligence-agency discussions. “That’s the nature of our government.”

Except the privacy advocate view portrayed here (with no source) doesn’t resemble the view I’m hearing from privacy advocates, who are focusing on Congress and on more pressure. That is, at least the Goldilocks conclusion, that this represents a happy middle, seems to be IC propaganda, perhaps designed to hide how little has actually changed (and unless we can trust Administration officials who would not speak on the record, this last minute solution is useless). It takes a story that claims the Review Group recommendation was to provide judicial review — not to end bulk collection — and declares the Review Group got what they wanted.

They didn’t.

All of this in an article published in the news hole of a Friday night.

Susan Collins Can’t Decide Whether to Abandon Her Infant, PCLOB

Politico has an article predicting civil liberties will become a big issue this year. I’m skeptical (I say that as someone whose Rep the GOP is trying to take out largely because of his defense of civil liberties).

But I am interested in what Susan Collins had to say about Democratic challenger Shenna Bellows’ criticism of her stance on civil liberties.

In a phone interview from Maine, Collins rebutted criticism that she has not done enough to protect against civil liberties, highlighting legislation she co-sponsored in 2004 that created the independent Privacy and Civil Liberties Board and her support for recent proposals to tighten oversight over the surveillance programs. But, she said, doing away with the ability of the government to collect phone records would cause great harm to the country’s ability to root out terrorism.

“We know that there were plots thwarted solely or partially by the programs, so doing away with it altogether would mean a less safe America,” said Collins, who sits on the Senate Select Committee on Intelligence and has supported the PATRIOT Act and legislation codifying broader electronic surveillance.

You see, it was only 4 days ago that Collins was disowning her infant creation, PCLOB, because it had presented a hard-hitting report that said the dragnet was not just bad policy, but against the law.

“As the mother of this board, that [split decision] is not what I’m looking for,” said Sen. Susan Collins (R., Maine), who co-wrote the post-Sept. 11 legislation creating the Privacy and Civil Liberties Oversight Board. The split in the board’s first major report “really weakens its recommendations and undermines the role that we envisioned it would play,” she said.

At the moment when Collins’ self-described offspring took its first step, the Senator felt it had not chosen bipartisanship over stating the truth. I guess we understand what role Collins felt it could play.

And as for her purported efforts to tighten oversight over the dragnet (which includes measures to strengthen PCLOB she probably now regrets), while she did support some improvements to DiFi’s Fake FISA Fix, she not only cast a decisive vote against limiting dragnet retention to 3 years, but even backed a failed Tom Coburn amendment to “eliminate restrictions on the retention of bulk metadata.”

The Impasse on Executive Spying

In an important post the other day, Steve Vladeck described what he believed to be the most important lesson Edward Snowden has taught us.

They miss the single most important lesson we’ve learned — or should have learned — from Snowden, i.e., that the grand bargain has broken down. Intelligence oversight just ain’t what it used to be, and the FISA Court, as an institution, seemed to have been far better suited to handle individualized warrant applications under the pre-2001 FISA regime than it has been to reviewing mass and programmatic surveillance under section 215 of the USA PATRIOT Act and section 702, as added by the FISA Amendments Act of 2008.

Thus, even if one can point to specific individual programs the disclosure of which probably has not advanced the ongoing public policy conversation, all of the disclosures therefore illuminate a more fundamental issue of public concern — and one that should be (and, arguably, has been) driving the reform agenda: Whatever surveillance authorities the government is going to have going forward, we need to rethink the structure of oversight, both internally within the Executive Branch, and externally via Congress and the courts. That’s not because the existing oversight and accountability mechanisms have been unlawful; it’s because so many of these disclosures have revealed them to be inadequate and/or ineffective. And inasmuch as such reforms may strengthen not just mechanisms of democratic accountability for our intelligence community, but also their own confidence in the propriety and forward-looking validity of their authorities, they will make all of us — including the NSA — stronger in the long term.

While I agree with Vladeck that’s an important lesson from Snowden, I don’t think it has been admitted by those who most need the lesson: most members of Congress (most of all, the Intelligence Committees) and the FISA Court, as well as the other Article III judges who are quickly becoming dragnet experts.

But I’m hopeful PCLOB — which is already under attack even from Susan Collins for having the audacity to conduct independent oversight — will press the issue.

As I have noted in the past, PCLOB has a better understanding of how the Executive uses EO 12333 than any other entity I’ve seen (I think the Review Group may have a similar understanding, but they won’t verbalize it).

That’s why I find their treatment of FISA as a compromise to put questions about separation of powers on hold so interesting.

In essence, FISA represented an agreement between the executive and legislative branches to leave that debate aside 600 and establish a special court to oversee foreign intelligence collection. While the statute has required periodic updates, national security officials have agreed that it created an appropriate balance among the interests at stake, and that judicial review provides an important mechanism regulating the use of very powerful and effective techniques vital to the protection of the country. 601

600 “[T]he bill does not recognize, ratify, or deny the existence of any Presidential power to authorize warrantless surveillance in the United States in the absence of the legislation. It would, rather, moot the debate over the existence or non-existence of this power[.]” HPSCI Report at 24. This agreement between Congress and the executive branch to involve the judiciary in the regulation of intelligence collection activities did not and could not resolve constitutional questions regarding the relationship between legislative and presidential powers in the area of national security. See In re: Sealed Case, 310 F.3d 717, 742 (FISA Ct. Rev. 2002) (“We take for granted that the President does have that authority [inherent authority to conduct warrantless searches to obtain foreign intelligence information] and, assuming that is so, FISA could not encroach on the President’s constitutional power.”).

When NSA chose to avoid First Amendment review on the 3,000 US persons it had been watch-listing by simply moving them onto a new list, when it refused to tell John Bates how much US person content it collects domestically off telecom switches, when it had GCHQ break into Google’s cables to get content it ought to be able to obtain through FISA 702, when it rolled out an Internet dragnet contact-chaining program overseas in part because it gave access to US person data it couldn’t legally have here, NSA made it clear it will only fulfill its side of the compromise so long as no one dares to limit what it can do.

That is, Snowden has made it clear that the “compromise” never was one. It was just a facade to make Congress and the Courts believe they had salvaged some scrap of separation of powers.

NSA has made it clear it doesn’t much care what its overseers in Congress or the Court think. It’ll do what it wants, whether it’s in the FISC or at a telecom switch just off the US shore. And thus far, Obama seems to agree with them.

Which means we’re going to have to start talking about whether this country believes the Executive Branch should have relatively unfettered ability to spy on Americans. We’re going to have to take a step back and talk about separation of powers again.
