Posts

I Con the Record Transparency Bingo (2): The Inexplicable Drop in PRTT Numbers

As noted in this post, I’m going to start my review of the new I Con the Record Transparency Report by addressing misconceptions I’m seeing; then I’ll do a complete working thread. In this post, I’m going to address what appears to be a drop in FISA PRTT searches.

The report does, indeed, show a drop, both in total orders (from 131 to 60 over the last 4 years) and an even bigger drop in targets (from 319 to 41).

Some had speculated that this drop arises from DOJ’s September 2015 loophole-ridden policy guidance on Stingrays, requiring a warrant for prospective Stingrays. But that policy should have already in place on the FISC side (because FISC, on some issues, adopts the highest standard when jurisdictions start to deal with these issues). In March 2014, DOJ told Ron Wyden that it “elected” to use full content warrants for prospective location information (though as always with these things, there was plenty of room for squish, including on public safety usage).

As to the drop in targets: it’s unclear how meaningful that is for two reasons.

First, the ultimate number of unique identifiers collected has not gone down dramatically from last year.

Last year, the 134, 987 identifiers represented 243 identifiers collected per target, or 1,500 per order. This year, the 125,378 identifiers represents a whopping 3,078 per target or 3,756 per order. So it’s appears that each order is just sucking up more records.

But something else may be going on here. As I pointed out consistently though debates about these transparency guidelines, the law ultimately excluded everything we knew to include big numbers. And the law excludes from PRTT identifier reporting any FBI obtained identifier that is not a phone number or email address, as well as anything delivered in hard copy or portable media.

For all we know, the number of unique identifiers implicated last year is 320 million, or billions, but measuring IP addresses or something else. [Update: Reminder that the FBI used a criminal PRTT in the Kelihos botnet case to obtain the IP addresses of up to 100,000 infected computers, but that’s the kind of thing they might use a FISA PRTT for.]

Alternately, it’s possible some portion of what had been done with PRTTs in 2015 moved to some other authority in 2016. A better candidate for that than Stingrays would be CISA voluntary compliance on things like data flow.

One final note. Unless I misunderstand the count, we’re still missing one amicus brief appointment from 2015. The FISC report from that year (covering just 7 months) said there were four appointments across three amici.

During the reporting period, on four occasions individuals were appointed to serve as amicus curiae under 50 U.S.C. § 1803(i). The names of the three individuals appointed to serve as amicus curiae are as follows:  Preston Burton, Kenneth T. Cuccinelli II  (with Freedom Works), and Amy Jeffress. All four appointments in 2015 were made pursuant to § 1803(i)(2)(B). Five findings were made that an amicus curiae appointment was not appropriate under 50 U.S.C. § 1803(i)(2)(A) (however, in three of those five instances, the court appointed an amicus curiae under 50 U.S.C. § 1803(i)(2)(B) in the same matter).

Burton dealt with the resolution of the Section 215 phone data, Ken Cuccinelli dealt with FreedomWork’s challenge to the way USAF extended the phone dragnet, and Amy Jeffress dealt with the Section 702 certificates.

That leaves one appointment unaccounted for (and I’d bet money Jeffress dealt with that too). On June 18, 2015, FISC decided not to use an amicus with an individual PRTT order that was a novel interpretation of what counted as a selection term under USAF. It chose not to use an amicus because the PRTT had already expired and because there were no amici identified at that point to preside. If that issue recurred for a more permanent PRTT later in the year, it may have affected how ODNI counted PRTTs (or the still-hidden amicus use may be for another kind of individual order).

All of which is to say, the government appears to be obtaining fewer PRTT orders over the last two years. But it’s not yet clear whether that has any effect on privacy.

Ashcroft, Comey, Goldsmith, and Baker: “All” Is the “Best” Reading of “Relevant”

Four MusketeersTowards the end of the Memorandum of Law in support of the Internet dragnet — which was signed by those guys ———-> — DOJ makes a claim that its reading of “relevant” to mean “almost all” was the best possible reading.

Here, by contrast, reading the term “relevant” to permit the collection of this critical information during wartime is a construction rooted in the text that requires no stretching of the ordinary meaning of the terms of the statute at all. In fact, for all the reasons outlined above, interpreting section 402 to authorize the collection the Government has requested in the best reading of the plain terms of the Act.

This is why you should not have secret courts.

I get making an aggressive push to authorize dragnet surveillance.

I get mining old and foreign dictionaries to come up with a definition that suits your needs.

But after you’ve made your best ditch effort to stretch the meaning of words, secretly, beyond all recognition, don’t then, secretly, pat yourself on the back pretending that wasn’t the game you just pulled.

But hey. Who’s the chump? After all, we now know that Misters Ashcroft, Comey, Goldsmith, and Baker pulled this off.

Yet no one is making any effort to put the English language back on some kind of sane footing. Nothing in any of the “reform” efforts before Congress attempts to put sanity back into the word “relevant.”

USA Freedumber Appears to Strengthen RuppRoge’s Affirmative Endorsement of an Internet Dragnet

Working on a detailed comparison of the difference between the USA Freedumb and USA Freedumber bills, one of the most alarming changes is the gutting of Pen Register minimization procedures. They took language not only adding minimization procedures to Pen Register orders,

(b) APPLICATION.—Section 402(c) (50 U.S.C. 1842(c)), as amended by section 201 of this Act, is further amended by adding at the end the following new paragraph:

(4) a statement of proposed minimization procedures.

(c) ORDER.—Section 402(d) (50 U.S.C. 1842(d)) is amended—

(1) in paragraph (1), by inserting ‘‘and that the proposed minimization procedures meet the definition of minimization procedures under this title’’

But permitting the court to review whether the government met those minimization procedures.

(h) At or before the end of the period of time for which the installation and use of a pen register or trap and trace device is approved under an order or an extension under this section, the judge may assess compliance with the minimization procedures by reviewing the circumstances under which information concerning United States persons was retained or disseminated.’

They even specified the government had to follow those minimization procedures!

USA Freedumber changed that by letting the Attorney General review what are are now called “privacy procedures.”

(h) The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard non-publicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect  national security, include protections for the collection, retention, and use of information concerning United States persons.

They limit the extent of these “privacy procedures” “to the extent practicable … with the need to protect national security.” That is, they don’t have to follow these “privacy procedures” if it’ll harm national security, and the change seems to show legislative intent to deprive the FISC of any review.

That’s alarming for a number of reasons:

  • From the very beginning of the Internet dragnet, the government claimed FISC had almost no authority over the approval process (much less compliance) on Pen Registers
  • This language comes right out of — but makes worse — the section of Mike Rogers’ RuppRoge bill that affirmatively approves the (re)creation of an Internet dragnet
  • There’s a curious entry in the NSA classification guide showing FBI conducting a PRTT program after the time NSA’s program got shut down

NSA versus FISC

According to a footnote in the 2010 John Bates opinion on the Internet dragnet, when the government first applied to Colleen Kollar-Kotelly for a FISC order to authorize the dragnet, they claimed she had no authority to do anything but rubber stamp the application.

2010 Bates Opinion footnote

We know that, having made that argument, the government got caught in violating the rules Kollar-Kotelly placed on the collection, but then continued to violate the rules for at least 5 more years, until 2009, when it got shut down for a while.

It would seem that the original language in USA Freedom Act would have clarified this issue, and made clear the FISC could exercise real oversight over any PRTT collection.

Adopting RuppRoge’s Internet Dragnet language

This language adopts the nomenclature from the HPSCI’s RuppRoge bill. (See page 18.)

But these “privacy procedures” seem qualitatively worse than the RuppRoge bill in several ways. RuppRoge provides loosey goosey judicial review of the privacy procedures. And it did not include the “extent practicable” language.

Given the background — given the fact that the government has already told the FISC it shouldn’t have real oversight over PRTT — this language seems to lay clear legislative intent that FISC should have no role whatsoever, especially not with minimization procedures (which, after all, is what they fought with the FISC over for at least  years).

The secrecy behind the FBI’s PRTT orders on behalf of NSA

PRTT1

Finally, there’s a series of entries on the classification guide for FISA programs leaked by Edward Snowden.

These entries show that FBI obtained counterterrorism information using PRTTs for NSA — which was considered Secret.

But that the FBI PR/TT program — which seems different than these individual orders — was considered TS/SI/NOFORN.

PRTT2

If you compare these entries with the rest of the classification guide, you see that this information — the fact that NSA gets PRTT information from FBI (in addition to information from Pen Registers, which seems to be treated differently at the Secret level)  — is treated with the same degree of secrecy as the actual targeting information or raw collected data on all other programs.

This is considered one of the most sensitive secrets in the whole FISA package.

PRTT3

Even minimized PRTT data is considered TS/SCI.

PRTT4

Now, it is true that this establishes an exact parallel with the BR FISA program (which the classification guide makes clear NSA obtained directly). So it may be attributable to the fact that the existence of the programs themselves was considered a highly sensitive secret.

So maybe that’s it. Maybe this just reflects paranoia about the way NSA was secretly relying on the PATRIOT Act to conduct massive dragnet programs.

Except there’s the date.

This classification guide was updated on February 7, 2012 — over a month after NSA shut down the PRTT program. Also, over a month after — according to Theresa Shea — the NSA destroyed all the data it had obtained under PRTT. (Note, her language seems to make clear that this was the NSA’s program, not the FBI’s.)

That is, over a month after the NSA ended its PRTT program and destroyed the data from it (at least according to sworn declarations before a court), the NSA’s classification guide referred to an FBI PRTT program that it considered one of its most sensitive secrets. And seemed to consider active.

If FBI had a PRTT program active in 2012 that was separate from the NSA PRTT program (I’m not sure that’s the case; it could be they just didn’t update this part of the classification guide), then is it still active? Has the Internet dragnet just moved to FBI?

If so, it’s no wonder why the Intelligence Community would want to guarantee that FISC had no review of it.

Update: Note, too, that the bill removes reporting requirements related to PRTT.

 

The 2009 Draft NSA IG Report Makes No Mention of One Illegal Practice

The 2009 Draft NSA IG Report released by the Guardian last week — and related reporting from Barton Gellman — seem to clarify and confirm what I’ve long maintained (12/19/057/29/07; 7/30/07): that one part of the illegal wiretap program that Jack Goldsmith and Jim Comey found “illegal” in 2004 was data-mining of Americans.

Eight days later on 19 March 2004, the President rescinded the authority to collect bulk Internet metadata and gave NSA one week to stop collection and block access to previously collected bulk Internet metadata. NSA did so on 26 March 2004. To close the resulting collection gap, DoJ and NSA immediately began efforts to recreate this authority in what became the PR/TT order.

Mind you, this bulk collection resumed after Colleen Kollar-Kotelly signed an order permitting NSA to collect the same data under a Pen Register/Trap & Trace order on July 14, 2004.

The FISC signed the first PR/TT order on 14 July 2004. ALthough NSA lost access to the bulk metadata from 26 March 2004 until the order was signed, the order essentially gave NSA the same authority to collect bulk Internet metadata that it had under the PSP, except that it specified the datalinks from which NSA could collect, and it limited the number of people that could access the data.

Indeed, we know the program was expanded again in 2007, to get 2 degrees of separation deep into US person Internet data. The Obama Administration claims it ended this in 2011, though there are also indications it simply got moved under a new shell.

Mystery solved, Scoob!

Not so fast.

It appears the bulk Internet metadata collection and mining is just one of two practices that Goldsmith and Comey forced Bush to at least temporarily halt in 2004. But the second one is not mentioned at all in the NSA IG Report.

I first noted that Bush made two modifications to the program in this post, where I noted that 6 pages (11-17) of Jack Goldsmith’s May 6, 2004 OLC opinion on the program described plural modifications made in March and one other month in 2004 (I correctly surmised that they had actually shifted parts of the program under parts of the PATRIOT Act, and that they had narrowed the scope somewhat, though over-optimistically didn’t realize that still included warrantless collection of known domestic content).

But there’s actually a far better authority than Goldsmith’s heavily redacted opinion that confirms Bush made two modifications to the program in this period.

Dick Cheney.

When his office disclosed to Patrick Leahy in 2007 what documents it had regarding authorizations for the illegal wiretap program, it listed two modifications to the program: the one on March 19 described in detail in the NSA IG Report, plus one on April 2.

[Cheney Counsel Shannen] Coffin’s letter indicates that Bush signed memos amending the program on March 19 and April 2 of that year.

But there’s no hint of a second modification in the NSA IG Report.

That could mean several things. It could mean the April 2 modification didn’t involve the NSA at all (and so might appear in a one of the other Agency IG Reports at the time — say, DNI — or might have been completed by an Agency, like some other part of DOD, that didn’t complete an IG Report). It could mean that part of the program was eliminated entirely on April 2, 2004. Or it could mean that in an effort to downplay illegality of the program, the IG simply didn’t want to talk about the worst prior practice eliminated in the wake of the hospital confrontation.

Goldsmith’s opinion does seem to indicate, however, that the modification pertained to an issue similar to the bulk metadata collection. He introduces that section, describing both modifications, by saying “it is necessary to understand some background concerning how the NSA accomplishes the collection activity authorized under” the program.

That may still pertain to the kind of data mining they were doing with the Internet metadata. After all, the fix of moving Internet metadata collection under the PR/TT order only eliminated the legal problem that the telecoms were basically permitting the government to steal Microsoft and Yahoo Internet content from their equipment. There still may have been a legal problem with the kind of data mining they were doing (perhaps arising out of Congress’ efforts in that year’s NDAA to prohibit funding for Total Information Awareness).

Whatever it is, one thing is clear. Even with the release of the unredacted Draft NSA IG Report, we still aren’t seeing all the details on what made the program so legally problematic.

Maybe it’s something the Senate Judiciary Committee might ask Jim Comey during his FBI Director confirmation hearing?