Reggie Walton

1 2 3 9

Hiding Yahoos: ORCON and the FISC Special Advocate

Some weeks ago, I noted the language in James Clapper’s letter purportedly “supporting” Patrick Leahy’s USA Freedom Act making it clear he intended to retain the information asymmetry that currently exists in the FISA Court — specifically, ex parte communication with the court.

We note that, consistent with the President’s request, the bill estsablishes a process for the appointment of an amicus curiae to assist the FISA Court and FISA Court of Review in matters that present a novel or significant interpretation of the law. We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.

The Yahoo documents released a few weeks back illustrate how this might work in practice.

We’ve known since January 2009 that Yahoo (which we then only knew was an Internet company) didn’t receive the materials — perhaps most importantly, the minimization procedures — it needed to adequately challenge the program.

The cover sheet to the ex parte appendix provided to the FISCR illustrates the range of things withheld from Yahoo’s attorney, Marc Zwillinger, who apparently had a Top Secret clearance. In addition to the minimization procedures for NSA and FBI, the government withheld the “linking” procedures used to identify targets (the titles of these documents are redacted in the released version, but this post explains why at least some must pertain to these procedures; note, I think the government also withheld these from Judge Reggie Walton at the FISC level!), and a January 15, 2008 Colleen Kollar-Kotelly FISC opinion assessing the adequacy of the original certifications.

Comparing two versions of Walton’s April 25, 2008 opinions — a version redacted for Yahoo’s use in 2008, and the version redacted for public release now — provides context on the key issues obscured or suppressed entirely from Yahoo’s view. (Note two things about these redactions: first, with the exception of language on the information the government demanded from Yahoo, we’re receiving more information than Yahoo’s cleared attorney received when he was fighting this case. And the older document actually includes two sets of redactions: the more faded redactions used for Yahoo, and a more opaque set done for this release, the latter of which hide details about the Directives given to Yahoo.)

Effectively, the government hid what they changed when they rewrote Certifications underlying their demands to Yahoo just 2 weeks before the law expired. A significant part of those changes involves getting FBI involved in the process (I increasingly suspect those January 29, 2008 Certifications are when the government first obtained official permission for FBI back door searches).

Notice of the new Certificates was given to Yahoo on February 16, 2008, the day PAA expired, and signed by then Solicitor General Paul Clement, though signed as Acting Attorney General (see page 81). One day earlier, Judge Walton had given the government an ex parte order requiring them to address whether the ex parte materials they had submitted to him in December “constitutes the complete and up-to-date set of certifications … applicable to the directives that are at issue in this proceeding.” Walton also required the government to provide notice to Yahoo they were going to submit a new classified appendix.

Apparently, Walton had gotten wind of the fact — but had not been told formally — that the government had submitted entirely new Certifications affecting their treatment of the data they would obtain from Yahoo. So he ordered them to update the record so his review actually considered the surveillance as it would be implemented.

I’ve listed most of the differences between the two memoranda below. While much of it pertains to prior classified decisions and the operation of FISC generally, the biggest sections redacted from Yahoo but released in part to us now describe the new certifications, including FBI’s new role in the process.  Of particular concern, the government withheld Walton’s comment admonishing the government for changing the certifications, “without appropriately informing the Court or supplementing the record in this matter until ordered to do so” (page 4), though footnote 4 and page 35 make it clear that Walton revealed some details of the government’s belated disclosures in a February 29 order for more briefing.

More troubling still, they hid Walton’s still significantly-redacted assessment that the changes in the Certifications would not change the nature of the government’s demand from Yahoo (page 38).

Neither type of amendment altered the nature of the assistance to be rendered by Yahoo,40

40 Yahoo has submitted a sworn statement that, prior to serving the directives on Yahoo, representatives of the government “indicated that, at the outset, it only would expect…

I wrote about these changing requests here. And while on paper the changing requests couldn’t have been a result of the changed Certification — Yahoo’s Manager of Legal Compliance described them in a January 23 submission, and the new Certifications were issued the following week — I find the timing, and the government’s failure to notice Walton on them, suspect enough that it’s the kind of thing that should have been briefed. Plus, as I’ll show in a follow-up post, I’m fairly certain the government hid  from both FISC and FISCR the degree to which this was about targeting Americans.

Once Walton learned that the government’s requests to Yahoo had changed between the date of Kollar-Kotelly’s initial approval and the expiration of the law, it seems it should have merited more direct briefing, but that would have required admitting that the changes put domestic law enforcement in the center of the program, which presents (or should present) significantly different Fourth Amendment concerns, notably increasing the importance of prior interpretations of the “significant purpose” language instituted under the PATRIOT Act.

In other words, not only did the ex parte nature of this proceeding hide the details Yahoo would have needed to make a robust Fourth Amendment argument, as well as evidence that the government was not being entirely forthcoming to FISC (which would have bolstered Yahoo’s separation of powers claim), it also hid what may be specifically pertinent details behind the government’s last minute changed certifications.

In theory, this shouldn’t happen with the USA Freedom Advocate, because the bill specifically requires the Advocate have access to certifications necessary for her to complete her duties.

(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—

[snip]

(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;

By comparison, the government was challenging Yahoo’s legal standing to take this challenge in the first place.

But I find the apparent basis for withholding information from Yahoo to be relevant. This memorandum, at least, was originally classified Top Secret/ORCON (Originator Controlled); the redacted memorandum given to Yahoo was classified Secret. That means that the changes arose, at least in part, from the ability of the originator (which may be DOJ’s National Security Division, given that Mark Bradley conducted the declassification review) to determine who gets the document. As I noted, there are two bases in USAF that would permit the government to withhold information, classification and privilege. Withholding information under an ORCON claim likely stems from both (though I am checking this).

So while the government should not be able to treat the advocate the same way they treated Yahoo (which, after all, FISC treated as a Congressionally sanctioned challenger to the orders, just as it would the advocate), they seem to have the prerogative to. (Update: I should add that Walton permitted the government to do all the ex parte briefing here under FISA’s ex parte briefing language; given that USAF doesn’t change that for any of the authorities in question, we should assume this precedent will apply to the advocate.)

To be clear, the USAF advocate is not one of the things that I believe sets back a slow reform process (as, for example, I believe the “transparency” provisions and some weakened minimization procedures do). I think it most likely that the advocate will evolve the way PCLOB has, which was first authorized in 2004, thwarted by Executive obstruction (on precisely these kinds of issues), reauthorized as a more effective body in 2007, then slow-walked again — partly by President Obama, though partly by Congress — for another 6 years. That is, if the advocate is at least as self-respecting as Lanny Davis (!), she will quit if the Executive ignores the intent of Congress that she have access to the materials she needs to do her job, exposing the inefficacy of the existing system. All that, of course, assumes she will cop onto what has been withheld. Clearly, Yahoo got a sense of it during this process, though FISC and FISCR seem to have realized only some of the other stuff withheld from them.

That is, judging by the PCLOB example, if all goes well and if USAF were to pass this year, we might have a fully functional advocate by 2023!

The Yahoo materials released show that the government withheld pertinent information from Yahoo, FISC, and FISCR until forced to provide it, and they never provided any of them with all the information they should have.

That it retains the ability to do so under USAF doesn’t bode well for the advocate. But that’s really just a subset to a larger issue that, even when authorized by Congress to provide oversight of this executive spying, the government has consistently, for years, been less than fully cooperative with FISC’s authority to do so.

As I’ve said, the surest way to reform surveillance is to eliminate the FISA Court.

Continue reading

The Curious Timing of FBI’s Back Door Searches

The very first thing I remarked on when I read the Yahoo FISCR opinion when it was first released in 2009 was this passage.

The petitioner’s concern with incidental collections is overblown. It is settled beyond peradventure that incidental collections occurring as a result of constitutionally permissible acquisitions do not render those acquisitions unlawful.9 See, e.g., United States v. Kahn, 415 U.S. 143, 157-58 (1974); United States v. Schwartz, 535 F.2d 160, 164 (2d Cir. 1976). The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26 in original release; 30 in current release)

The government claimed to FISCR that it did not maintain a database of incidentally collected information from non-targeted US persons.

Barring some kind of neat parse, I didn’t buy the claim, not even in 2009.

Since then, we’ve found out that — barring some kind of neat parse — I was absolutely right. In fact, they are doing back door searches on this data, especially at FBI.

What I’m particularly intrigued by, now, is the timing.

FISCR said that in an opinion dated August 22, 2008 — over a month after the July 10, 2008 passage of the FISA Amendments Act. I have not yet found evidence of when the government said that to FISCR. It doesn’t appear in the unredacted part of their Jun 5, 2008 Merits brief (which cites Kahn but not Schwartz; see 49-50), though it might appear behind the redaction on 41. Of note, the April 25, 2008 FISC opinion doesn’t even mention the issue in its incidental collection discussion (starting at 95), though it does discuss amended certifications filed in February 2008.

So I’m guessing the government made that representation at the hearing in June, 2008.

We know, from John Bates’ rationale for authorizing NSA and CIA back door searches, such back door searches were first added to FBI minimization procedures in 2008.

When Bates approved back door searches in his October 3, 2011 opinion, he pointed to FBI’s earlier (and broader) authorities to justify approving it for NSA and CIA. While the mention of FBI is redacted here, at that point it was the only other agency whose minimization procedures had to be approved by FISC, and FBI is the agency that applies for traditional FISA warrants.

[redacted] contain an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information. See [redacted]. In granting [redacted] applications for electronic surveillance or physical search since 2008, including applications targeting United States persons and persons in the United States, the Court has found that the [redacted] meet the definitions of minimization procedures at 50 U.S.C. §§ 1801(h) and 1821(4). It follows that the substantially-similar querying provision found at Section 3(b)(5) of the amended NSA minimization procedures should not be problematic in a collection that is focused on non-United States persons located outside the United States and that, in aggregate, is less likely to result in the acquisition of nonpublic information regarding non-consenting United States persons.

So since 2008, FBI has had the ability to do back door searches on all the FISA-authorized data they get, including taps targeting US persons.

The FBI Minimization procedures submitted with the case all date to the 1990s, though a 2006 amendment changing how they logged the identities of US persons collected (note, in 2011, John Bates was bitching at FBI for having ignored an order to reissue all its minimization procedures with updates; I can see why he complained).

As described in the Government’s response of June 16, 2006, identities of U.S. persons that have not been logged are often maintained in FBI databases that contain unminimized information. The procedures now simply refer to “the identities” of U.S. persons, acknowledging that the FBI may not have previously logged such identities.

But there’s reason to believe the FBI minimization procedures — and this logging process — was changed in 2008, because a government document submitted in the Basaaly Moalin case — we know Moalin was wiretapped from December 2007 to April 2008, so during precisely the period of the Yahoo challenge, though he was not indicted until much later – referenced two sets of minimization procedures, seeming to reflect a change in minimization during the period of his surveillance (or perhaps during the period of surveillance of Aden Ayro, which is how Moalin is believed to have been identified).

That is, it all seems to have been happening in 2008.

The most charitable guess would be that explicit authorization for back door searches happened with the FAA, so before the FISCR ruling, but after the briefing.

Except in a letter to Russ Feingold during early debates  on the FAA, Mike Mukasey and Mike McConnell (the latter of whom was involved in this Yahoo fight) strongly shot down a Feingold amendment that would have required the government to segregate all communications not related to terrorism (and a few other things), and requiring a FISA warrant to access them.

The Mukasey-McConnell attack on segregation is most telling. They complain that the amendment makes a distinction between different kinds of foreign intelligence (one exception to the segregation requirement in the amendment is for “concerns international terrorist activities directed against the United States, or activities in preparation therefor”), even while they claim it would “diminish our ability swiftly to monitor a communication from a foreign terrorist overseas to a person in the United States.” In other words, the complain that one of the only exceptions is for communications relating terrorism, but then say this will prevent them from getting communications pertaining to terrorism.

Then it launches into a tirade that lacks any specifics:

It would have a devastating impact on foreign intelligence surveillance operations; it is unsound as a matter of policy; its provisions would be inordinately difficult to implement; and thus it is unacceptable.

As Feingold already pointed out, the government has segregated the information they collected under PAA–they’re already doing this. But to justify keeping US person information lumped in with foreign person information, they offer no affirmative reason to do so, but only say it’s too difficult and so they refuse to do it.

Even 5 years ago, the language about the “devastating impact” segregating non-terrorism data might have strongly suggested the entire point of this collection was to provide for back door searches.

But that letter was dated February 5, 2008, before the FISCR challenge had even begun. While not definitive, this seems to strongly suggest, at least, that the government planned — even if it hadn’t amended the FBI minimization procedures yet — to retain a database of incidentally data to search on, before the government told FISCR they did not.

Update: I forgot a very important detail. In a hearing this year, Ron Wyden revealed that NSA’s authority to do back door searches had been closed some time during the Bush Administration, before it was reopened by John “Bates stamp” Bates.

Let me start by talking about the fact that the House bill does not ban warrantless searches for Americans’ emails. And here, particularly, I want to get into this with you, Mr. Ledgett if I might. We’re talking of course about the backdoor search loophole, section 702 of the FISA statute. This allows NSA in effect to look through this giant pile of communications that are collected under 702 and deliberately conduct warrantless searches for the communications of individual Americans.  This loophole was closed during the Bush Administration, but it was reopened in 2011, and a few months ago the Director of National Intelligence acknowledged in a letter to me that the searches are ongoing today. [my emphasis]

When I noted that Wyden had said this, I guessed that the government had shut down back door searches in the transition from PAA to FAA, but that seems less likely, having begun to review these Yahoo documents, then that it got shut down in response to the hospital confrontation.

But it shows that more extensive back door searches had been in place before the government implied to the FISCR that they weren’t doing back door searches that they clearly were at least contemplating at that point. I’d really like to understand how the government believes they didn’t lie to the FISCR in that comment (though it wouldn’t be the last time they lied to courts about their databases of Americans).

How Abu Zubaydah’s Torture Put CIA and FBI in NSA’s Databases

I said yesterday that the plan, going as far back as 2002, was to let CIA and FBI tap right into NSA’s data. I base that on this explanation from Keith Alexander, which he included in his declaration accompanying the End to End Report that was submitted sometime after October 30, 2009.

By the fall of 2002, the Intelligence Community had grown increasingly concerned about the potential for further attacks on the United States. For example, during 10 to 24 September 2002, the Government raised the homeland security threat condition to “orange,” indicating a high likelihood of attack. In this context, in October 2002 the Directors of NSA, CIA, and FBI established an Inter-Agency Review Group to examine information sharing [redacted] The group’s top recommendation was that NSA create a common target knowledge database to allow joint research and information exchanges [redacted].

Of course, we now know that the threat level was high in September 2002 because the government was chasing down a bunch of false leads from Abu Zubaydah’s torture.

Abu Zubaida’s revelations triggered a series of alerts and sent hundreds of CIA and FBI investigators scurrying in pursuit of phantoms. The interrogations led directly to the arrest of Jose Padilla, the man Abu Zubaida identified as heading an effort to explode a radiological “dirty bomb” in an American city. Padilla was held in a naval brig for 3 1/2 years on the allegation but was never charged in any such plot. Every other lead ultimately dissolved into smoke and shadow, according to high-ranking former U.S. officials with access to classified reports.

“We spent millions of dollars chasing false alarms,” one former intelligence official said.

In other words, the justification for creating a database where CIA and FBI could directly access much of NSA’s data was a mirage, one created by CIA’s own torture.

All that’s separate from the question of whether CIA and FBI should have access directly to NSA’s data. Perhaps it makes us more responsive. Perhaps it perpetuates this process of chasing ghosts. That’s a debate we should have based on actual results, not the tortured false confessions of a decade past.

But it’s a testament to two things: the way in which torture created the illusion of danger, and the degree to which torture — and threat claims based on it — have secretly served as the basis the Executive uses to demand the FISA Court permit it to extend the dragnet.

Even the current CIA Director has admitted this to be true — though without explicitly laying out the import of it. Isn’t it time we start acknowledging this — and reassessing the civil liberties damage done because of it — rather than keeping it hidden under redactions?

USA Freedom Must Explicitly Require NSA and CIA to Comply with Law’s Minimization Procedures

I know I’ve had a lot of mostly unenthusiastic things to say about even Pat Leahy’s version of the USA Freedom Act.

  • It explicitly exempts FBI from counting back door searches
  • It may not do anything to existing non-electronic communication bulk programs, because it probably permits the use of corporate persons as Specific Selection Terms
  • The “connection chaining” may permit expanded access to smart phone data
  • It retains USA Freedumber’s “foreign intelligence” retention language

Having read about half of last week’s Internet Dragnet document dump so far, I’m increasingly worried about two details I’ve already raised.

I suspect, unless the law explicitly imposes minimization procedures on NSA (and CIA, which reportedly operates the bulky Western Union dragnet), they will evade the bill’s most stringent minimization procedures.

As I noted in November and PCLOB noted in January, the business records provision was explicitly written for FBI, not other intelligence agencies. As a result, the language in it requiring minimization procedures did not — and still would not under Leahy Freedom (to say nothing of USA Freedumber) — require minimization procedures from Agencies beyond FBI. For example, unless I’m misreading how the law would be implemented, this is what would still be in place with regards to minimization procedures.

Applications have to lay out minimization procedures. But the law only requires they apply to FBI.

(D) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.

The judge reviews the minimization procedures in the application to make sure they comply with (g), and then includes an order they be followed in his order approving the application.

(1) Upon an application made pursuant to this section, if the judge finds that the application meets the requirements of subsections (a) and (b) and that the minimization procedures submitted in accordance with subsection (b)(2)(D) meet the definition of minimization procedures under subsection (g), the judge shall enter an ex parte order as requested, or as modified, approving the release of tangible things. Such order shall direct that minimization procedures adopted pursuant to subsection (g) be followed.

And as I’ve already noted, the entire section (g) devoted to minimization explicitly applies to just FBI.

The Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this subchapter.

What’s particularly crazy about this is that the clause was changed to take out deadlines imposed in the 2006 renewal. In other words, they changed this clause, but left in the limits for most minimization procedures to just FBI.

Continue reading

Working Thread, Internet Dragnet 4: Later 2009 Documents

The early focus on the dragnet violations was on the phone dragnet. At the end of March, however, DOJ started preparing to look more closely at the PRTT program in late April 2009, which may be why some of the following violations got disclosed to Reggie Walton in conjunction with a May reauthorization application. The CIA, FBI, and NCTC access to the PRTT seems to have been a bigger issue than the BR  FISA data.

All that said, when the NSA completed its End-to-End report sometime in fall 2009, they didn’t report all that much beyond the violations noted in May (though they did note the NSA did not shut down some automatic process when it said it did), mostly by claiming they didn’t realize the original dragnet order meant what it said (in spite of the violation in the first dragnet order).

It was only after that that they noticed FISC NSA had been collecting content from the start of the program (see document O). Once they admitted that, NSA decided not to reapply for a Primary Order, and Reggie Walton issued a supplemental order (document E) ordering them not to collect any more, but also not to access the data they did have. Only after that did DOJ submit the End-to-End report, accompanied by DOJ and Keith Alexander reports that admitted the content violation.

See also Working Thread 1, Working Thread 2, Working Thread 3, and Internet Dragnet Timeline. No one else is doing this tedious work; if you find it useful, please support it.

Continue reading

WSJ Falsely Paints John “Bates Stamp” as Aggressive

WSJ wrote a badly flawed article yesterday describing John Bates’ 2010 opinion reauthorizing the Internet dragnet, claiming the memo — which was released last November — was just declassified.

Newly declassified court documents show one of the National Security Agency’s key surveillance programs was plagued by years of “systemic overcollection” of private Internet communications.

[snip]

Some of the problems with Internet metadata previously were reported and have been part of a broad critique of the NSA’s surveillance activities since the Sept. 11, 2001, terror attacks. The new document from Judge Bates offers the most detailed accounting—even with more than a dozen pages blacked out—of what those problems were.

Sure, ODNI didn’t explain that the opinion – and three other documents released — had been released before, one on multiple occasions. But those of us who read the opinion with the first release, rather than offering up unrepresentative quotes, recognized Bates’ memo as one of the seminal releases from last year. And contrary to WSJ’s claim, the public record (including Claire Eagan’s opinion, which cites from it) shows the opinion to date to 2010.

Even in this supposed actual reading of the document, however, WSJ gets it wrong.

The judge’s order ultimately reauthorized the program, with more stringent conditions than the government had sought.

Sure, Bates didn’t permit NSA unrestricted access to illegally collected records. But Bates also approved what was described as an 11- to 24-fold increase in collection.

The current application, in comparison with prior dockets, seeks authority to acquire a much larger volume of metadata at a greatly expanded range of facilities, while also modifying — and in some ways relaxing — the rules governing the handling of metadata.

Best as we can tell given the redactions, Bates approved that part of the request. Aside from imposing a few more training requirements, his biggest denial pertained to some — but not all — of the Internet dragnet data the government collected since the beginning of the program.

So while it is true that Bates wrote a lot of scathing things about the conduct of the program, he also turned around and vastly expanded it.

I raise all this not to be an asshole (though it would be nice if the WSJ had issued a correction, as its author retweeted my tweeted correction). I raise it for two reasons.

First, the WSJ pitches this as “the Judge who doesn’t like FISA reform was very critical of the Administration’s performance.”

Judge Bates has been the designated spokesman for the judiciary opposing several proposed changes to the structure of the Foreign Intelligence Surveillance Court, particularly the addition of a special advocate to represent privacy interests.

By not reporting that Bates vastly expanded this program in spite of its persistent violations, WSJ wrongly pitches him as a credible judge of what makes the FISC effective, rather than as Exhibit One for why it should be abolished.

Moreover, the documents that actually were newly released the other day suggest a very different narrative for what happened between 2009 and 2010, for how Bates came to summarize the many failings of the program but expand the program.

They show, first of all, that Reggie Walton was dealing with the phone and Internet dragnets in tandem throughout; Bates had no discernible role — aside from his intervention on August 4, 2009, after Reggie Walton had already shut down part of the phone dragnet program. The documents released this week make it clear Walton, not Bates, was the fact-finder who discovered the Internet dragnet had never complied with FISC guidelines. Bates had to repeat that scathing language in his opinion, because Walton had already laid it out.

And then, after Walton shut down the Internet dragnet, at a time when NSA continued to ignore his orders, when orders were terse, things began to change.

That’s when we begin to see solicitous letters — “Let me once again thank both you and your staff for  your consideration” —  to Bates, now the decision-maker on whether or not the government could resume a program that had illegally wiretapped Americans for 5 years.

It’s that guy who capitulated to pretty talk, expanding both the Internet dragnet and the upstream 702 collection, even as he laid out how both had been illegally wiretapping Americans, who says an advocate actually speaking for privacy would ruin the FISC. That’s the narrative we should get from this recent document dump, not that Bates was in any way anything but a Bates stamp.

Walton was by no means a perfect steward of the secret court. But Bates demonstrates why it cannot and does not fulfill its function.

Working Thread, Internet Dragnet Dump 2: 2004 Documents

This will be a closer working thread on documents released yesterday.

X: Initial Dragnet Application (prior to July 14, 2004)

(2) From the start, the government said they wanted to disseminate the dragnet info, perhaps to tag into FBI’s investigative authorities.

(2) The footnote defining metadata hides all the stuff not associated with “standard e-mails.”

(4) The application discusses the briefing I discussed here, attended by (among others) John Brennan.

(5) The application is not submitted by a lawyer, but by Michael Hayden.

(6) The government hasn’t released a Tenet submission; back in November it hid that this submission was from him.

(16) ODNI maintains that the fictional example of metadata is classified.

(18) Originally access was restricted by making the metadata accessible only by 2 admin login accounts. That’s probably a carry-over from the compartments of the illegal program.

(20) RAS approval assigned to the same 7 authorizers that were in place for the beginning of the phone dragnet in 2006.

(21) They’re hiding at least one kind of Internet metadata.

(23) Metadata originally accessible for only 18 months. Is that what they used for the illegal dragnet?

Y. Memo of Law in Support of Original Dragnet Application, before July 14, 2004

(4) The government claims that only email metadata related to terrorism will be seen. By definition, that means anything returned in a query would be related to counterterrorism and therefore game for dissemination.

(4) This is the jist of the illegal use of PRTT for the dragnet:

Nevertheless, it involves nothing more than adapting the traditional tools of FISA to meet an unprecedented challenge and does so in a way that promotes both of the twin goals of FISA: facilitating the foreign-intelligence collection needed to protect American lives while at the same time providing judicial oversight to safeguard American freedoms.

This claim is followed by a 5-page redaction, which is mighty interesting as it would have to explain why this judicial review was so useful.

(9) Footnote 5 again makes it clear that this involves email and other online communications.

(12) This language is remarkable for a secret court document.

Collecting and archiving meta data is thus the best avenue for solving this fundamental problem: although investigators do know know exactly where the terrorists’ communications are hiding in the billions of bits of data flowing through the United States today, we do know that they are there, and if we archive the data now, we will be able to use it in a targeted way to find the terrorists tomorrow.

(20) This language is particularly important given debates about USA Freedom.

Nothing in the definitions of pen registers or trap and trace devices requires that the “instrument” or “facility” on which the device is placed carry the communications solely of a single user.

(20) This section really tries to constrain the Court.

Unlike certain other certifications made in other contexts under the statute, see, e.g., U.S.C. § 1805(a)(5), FISA does not subject the certification of relevance to any review by the Court.

Continue reading

Internet Dragnet Timeline

This timeline provides known dates for the PRTT Internet dragnet, important related dates in the phone dragnet, upstream 702 collection, and SPCMA (overseas Internet dragnet). In addition, it provides links to the documents in this release; see this post for the listing of documents.

May 6, 2004: Jack Goldsmith opinion authorizes phone dragnet but not Internet dragnet.

Before July 14, 2004: Government applies for Internet dragnet. X. Application for Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes, Y. Memorandum of Law and Fact in Support of Application for Pen Registers and Trap and Trace Devices for Foreign Intelligence Purposes, Z. Declaration of General Michael V. Hayden, U.S Air Force, Director, NSA, in Support of Pen Register/Trap and Trace Application

July 14, 2004: Colleen Kollar-Kotelly approves Internet dragnet, specifies categories of metadata (Document A in 8/12 dump).

Before October 12, 2004: the government provides notice it exceeded scope included in first order, in follow-up declarations attributes overcollection to poor management (response probably includes Paul Wolfowitz, Michael Hayden, and Joel Brenner)

Around October 12, 2004: Government reapplies without some collection, promises monthly spot checks.

April 27, 2005: In briefing leading up to PATRIOT reauthorization, Alberto Gonzales makes no mention of PRTT Internet dragnet.

November 17, 2007: Executive begins (internal) approval process for contact chaining on already-collected data which will become SPCMA.

Continue reading

Internet Dragnet Materials, Working Thread 1

I Con the Record just released some ridiculously overclassified Internet dragnet documents it claims shows oversight but which actually shows how they evaded oversight. I’ve added letters to ID each document (I’ll do a post rearranging them into a timeline tomorrow or soon thereafter).

For a timeline I did earlier of the Internet dragnet program see this post.

This will be the first of several working threads, starting with descriptions of what we’ve got.

8/12: Note I will be updating this as I can clarify dates and content.

So-called Judicial oversight

A. FISC Opinion and Order: This is the Kollar-Kotelly order that initially approved the dragnet on July 14, 2004. A searchable version is here.

B. FISC Primary Order: This is an Internet dragnet order signed by Reggie Walton, probably in 2008 or very early 2009. It shows that the Internet dragnet program, which was almost certainly illegal in any case, had less oversight than the phone dragnet program (though at this point also collected fewer records). It was turned over pursuant to FAA requirements on March 13, 2009.

C. FISC Primary Order: This is an Internet dragnet order probably from May 29, 2009 (as identified in document D), signed by Reggie Walton. It shows the beginning of his efforts to work through the Internet violations. It appears to have been provided to Congress on August 31, 2009.

D. FISC Order and Supplemental Order: This is a version of the joint June 22, 2009 order released on several occasions before. It shows Reggie Walton’s efforts to work through the Internet dragnet violations. Here’s one version.

E. FISC Supplemental Order: This appears to be the dragnet order shutting down dragnet production. It would date to fall 2009 (production was likely shut down in October 2009, though this might reflect the initial shut-down).

F. FISC Primary Order: I’m fairly sure this is an order from after Bates turned the Internet dragnet back on in 2010 (and is signed by him), though I will need to verify that. It does require reports on how the NSA will segregate previously violative records, which is consistent with it dating to 2011 sometime (as is the requirement that the data be XML tagged).

G. FISC Memorandum Opinion Granting in Part and Denying in Part Application to Reinitiate, in Expanded Form, Pen Register/Trap and Trace Authorization: This is the order, from sometime between July and October 2010, where John Bates turned back on and expanded the Internet dragnet. Here’s the earlier released version (though I think it is identical).

H. Declaration of NSA Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate, the National Security Agency: This was a report Walton required in document C, above, and so would be in the May-June 2009 timeframe. Update: Likely date June 18, 2009.

I. Government’s Response to the FISC’s Supplemental Order: This is the government’s response to an order from Walton, probably in his May 29, 2009 opinion (see this order for background), or even earlier in May.Update: This response dates to June 18, 2009 or slightly before.

J. Declaration of NSA Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate, the National Security Agency: This appears to be the declaration submitted in support of Response I and cited in several places. Update: likely date June 18, 2009.

K. Supplemental Declaration of Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate, the National Security Agency: This appears to be the declaration that led to document C above.

L. Government’s Response to the FISC’s Supplemental Order Requesting a Corrective Declaration: This is a declaration admitting dissemination outside the rules responding to 5/29 order.

M. Government’s Response to a FISC Order: This is the government’s notice that it was using automatic queries on Internet metadata, just as it also was with the phone dragnet. This notice was provided to Congress in March 2009.

N. Declaration of Lieutenant General Keith B. Alexander, U.S. Army, Director, NSA, Concerning NSA’s Compliance with a FISC Order: After Walton demanded declarations in response to the initial phone dragnet violation, he ordered NSA to tell him whether the Internet dragnet also had the same problems. This is Keith Alexander’s declaration describing the auto scan for that program too. It was provided to Congress in March 2009.

O. Preliminary Notice of Potential Compliance Incident: This is the first notice of the categorical violations that ultimately led to the temporary shutdown of the dragnet, in advance of order E.

P. Notice of Filing: This is notice of a filing in response to inquiry from Judge Walton. It could be from any time during David Kris’ 2009 to early 2011 tenure.

Q: Government’s Application for Use of Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes: This appears to be the application following Order E, above. I don’t think it’s the 2010 application that led to the reauthorization of the dragnet, because it refers to facilities whereas the 2010 order authorized even broader collection. (Remember Bates’ 2010 order said the government applied, but then withdrew, an application.) Update and correction: this application must post-date December 2009, because that’s when NSA changed retention dates from 4.5 years to 5. Also note reference to change in program and request to access illegally collected data from before 10/09.

R. Memorandum of Law and Fact in Support of Application for Pen Registers and Trap and Trace Devices for Foreign Intelligence Purposes: This appears to be the memorandum of law accompanying application Q.

S. Declaration of General Keith B. Alexander, U.S. Army, Director, NSA, in Support of Pen Register/Trap and Trace Application: This is Alexander’s declaration accompanying Q.

T. Exhibit D in Support of Pen Register/Trap and Trace Application: This is a cover letter. I’m not sure whether it references prior communications or new ones.

U. First Letter in Response to FISC Questions Concerning NSA bulk Metadata Collection Using Pen Register/Trap and Trace Devices: This is the first of several letters in support of reinitiation of the program. The tone has changed dramatically here. For that reason, and because so much of it is redacted, I think this was part of the lead-up to the 2010 reauthorization.

V. Second Letter in Response to FISC Questions concerning NSA bulk Metadata Collection Using Pen Register/Trap and Trace Devices: This second letter is entirely redacted except for the sucking up to Bates stuff.

W. Third Letter in Response to FISC Questions Concerning NSA Bulk Metadata Collection Using Pen Register/Trap and Trace Devices: More sucking up. Some language about trying to keep access to the existing illegally collected data. 

X. Application for Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes: This is the first application for the Internet dragnet, from 2004. Very interesting. Note it wasn’t turned over until July 2009, after Congress was already learning of the new problems with it.

Y. Memorandum of Law and Fact in Support of Application for Pen Registers and Trap and Trace Devices for Foreign Intelligence Purposes: The memorandum of law accompanying X. Also turned over to Congress in 2009.

Z. Declaration of General Michael V. Hayden, U.S Air Force, Director, NSA, in Support of Pen Register/Trap and Trace Application: This goes with the initial application. NSA has left stuff unredacted that suggests they were access less bandwith than they, in the end, were. Also remember NSA violated this from the very beginning.

AA. Application for Use of Pen Register/Trap and Trace Devices for Foreign Intelligence PurposesThis appears to be the application for the second PRTT order. I’ll return to this tomorrow, but I don’t think it reflects the violation notice it should.

BB. Declaration of NSA Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate: This is NSA’s declaration in conjunction with the first reapplication for the dragnet. This should have declared violations. It was turned over to Congress in March 2009. [update: these appear to be early 2009 application]

CC. Declaration Lieutenant General Keith B. Alexander, U.S. Army, Director, NSA, Concerning NSA’s Implementation of Authority to Collect Certain Metadata: This is Alexander’s declaration accompanying the End-to-End report, from sometime in fall 2009.

DD: NSA’s Pen Register Trap and Trace FISA Review Report: The end-to-end report itself. it was provided to Congress in January 2010.

EE: DOJ Report to the FISC NSA’s Program to Collect Metadata: DOJ’s accompaniment to the end-to-end report.

FF: Government’s First Letter to Judge Bates to Confirm Understanding of Issues Relating to the FISC’s Authorization to Collect Metadata: After Bates raauthorized the Internet dragnet, DOJ realized they might not be on the same page as him. Not sure if this was in the 2009 attempt or the 2010 reauthorization.

GG: Government’s Second Letter to Judge Bates to Confirm Understanding of Issues Relating to the FISC’s Authorization to Collect Metadata: A follow-up to FF.

HH: Tab 1 Declaration of NSA Chief, Special Oversight and Processing, Oversight and Compliance, Signals Intelligence: This appears to be the 90-day report referenced in document C. Update: Actually it is referenced in Document A: note the paragraphs describing the chaining that were discontinued before the dragnet approval.

II: Verified Memorandum of Law in Response to FISC Supplemental Order: This is one of the most fascinating documents of all. It’s a 2009-2011 (I think August 17, 2009, though the date stamp is unclear) document pertaining to 3 PRTT targets, relying on criminal PRTT law and a 2006 memo that might be NSA’s RAS memo (though the order itself is FBI, which makes me wonder whether it seeds the FBI program). It may have been what they used to claim that Internet content counted as metadata.

JJ: Memorandum of Law in Response to FISC Order: A September 25, 2006 response to questions from the FISC, apparently regarding whether rules from criminal pen registers apply to PATRIOT PRTT. While I think this addresses the application to Internet, I also think this language may be being used for location.

So-called Congressional oversight

KK: Government’s Motion to Unseal FISC Documents in Order to Brief Congressional Intelligence and Judiciary Committees: This is a request to unseal an order — I suspect document E — so it could be briefed to Congress.

LL:  Order Granting the Government’s Motion to Unseal FISC Documents in Order to Brief Congressional Intelligence and Judiciary Committees: Walton’s order to unseal KK for briefing purposes. 

MM: April 27, 2005 Testimony of the Attorney General and Director, FBI Before the Senate Select Committee on Intelligence: This is the 2005 testimony in which – I pointed out before — Alberto Gonzales did not brief Congress about the Internet dragnet.

So-called Internal oversight

NN: NSA IG Memo Announcing its Audit of NSA’s Controls to Comply with the FISA Court’s Order Regarding Pen Register/Trap and Trace Devices: This lays out an audit with PRTT compliance, noting that the audit also pertains to BR FISA (phone dragnet). It admits the audit was shut down when the order was not renewed. It’s unclear whether this was the 2009 or the 2011 shutdown, but the implication is it got shut down because it would not pass audit. 

OO: NSA IG Memo Suspending its Audit of NSA after the NSA’s PRTT Metadata Program Expired: the formal announcement they were shutting down the IG report. Again, it’s not clear whether this was the 2009 or the 2011 shutdown.

If you find this work valuable, please consider donating to support the work.  

NSA’s Disingenuous Claims about EO 12333 and the First Amendment

SIGINT and 215Thanks to John Napier Tye’s Sunday op-ed, some surveillance watchers are just now discovering EO 12333, which I’ve written some 50 posts about over the last year.

Back in January, I focused on one of the most alarming disclosures of the 2009 phone dragnet problems, that 3,000 presumed US person identifiers were on an alert list checked against each day’s incoming phone dragnet data. That problem — indeed, many of the problems reported at the beginning of 2009 — arose because the NSA dumped their Section 215 phone dragnet data in with all the rest of their metadata, starting at least as early as January 4, 2008. It took at least the better part of 2009 for the government to start tagging data, so the NSA could keep data collected under different authorities straight, though once they did that, NSA trained analysts to use those tags to bypass the more stringent oversight of Section 215.

One thing that episode revealed is that US person data gets collected under EO 12333 (that’s how those 3,000 identifiers got on the alert list), and there’s redundancy between Section 215 and EO 12333. That makes sense, as the metadata tied to the US side of foreign calls would be collected on collection overseas, but it’s a detail that has eluded some of the journalists making claims about the scope of phone dragnet.

Since I wrote that early January post, I’ve been meaning to return to a remarkable exchange from the early 2009 documents between FISC Judge Reggie Walton and the government. In his order for more briefing, Walton raised questions about tasking under NSA’s SIGNIT (that is, EO 12333) authority.

The preliminary notice from DOJ states that the alert list includes telephone identifiers that have been tasked for collection in accordance with NSA’s SIGINT authority. What standard is applied for tasking telephone identifiers under NSA’s SIGINT authority? Does NSA, pursuant to its SIGINT authority, task telephone identifiers associated with United States persons? If so, does NSA limit such identifiers to those that were not selected solely upon the basis of First Amendment protected activities?

The question reveals how little Walton — who had already made the key judgments on the Protect America Act program 2 years earlier — knew about EO 12333 authority.

I’ve put NSA’s complete response below the rule (remember “Business Records” in this context is the Section 215 phone dragnet authority). But basically, the NSA responded,

  • Even though the alert list included IDs that had not been assessed or did not meet Reasonable Articulable Suspicion of a tie to one of the approved terrorist groups, they at least had to have foreign intelligence value. And occasionally NSA’s counterterrorism people purge the list of non-CT IDs.
  • Usually, NSA can only task (a form of targeting!) a US person under a FISA authority.
  • Under EO 12333 and other related authorities, NSA can collect SIGINT information for foreign and counterintelligence purposes; its collection, retention, and dissemination of US person is governed by Department of Defense Regulation 5240.1-R and a classified annex. (see page 45 for the unclassified part of this)
  • Since 2008, if the NSA wants to target a US person overseas they need to get and comply with a FISA order.
  • NSA provides First Amendment protection in two ways — first, by training analysts to spy “with full consideration of the rights of United States persons.”
  • NSA provides First Amendment protection under EO 12333 by prohibiting NSA “from collecting or disseminating information concerning US persons’ ‘domestic activities’ which are defined as ‘activities that take place in the domestic United States that do not involve a significant connection to a foreign power, organization, or person.’”

The First Amendment claims in the last two bullets are pretty weak tea, as they don’t actually address First Amendment issues and contact chaining is, after all, chaining on associations.

That’s all the more true given what we know had already been approved by DOJ. In the last months of 2007, they approved the contact chaining through US person identifiers of already-collected data (including FISA data). They did so by modifying DOD 5240.1 and its classified annex so as to treat what they defined (very broadly) as metadata as something other than interception.

The current DOD procedures and their Classified Annex may be read to restrict NSA’s ability to conduct the desired communications metadata analysis, at least with respect to metadata associated with United States persons. In particular, this analysis may fall within the procedures’ definition of, and thus restrictions on, the “interception” and “selection” of communications. Accordingly, the Supplemental Procedures that would govern NSA’s analysis of communications metadata expressly state that the DOD Procedures and the Classified Annex do not apply to the analysis of communications metadata. Specifically, the Supplemental Procedures would clarify that “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communications, nor do they qualify as ‘us[ing] a selection term,’ including using a selection term ‘intended to intercept a communication on the basis of. .. [some] aspect of the content of the communication.” Once approved, the Supplemental Procedures will clarify that the communications metadata analysis the NSA wishes to conduct is not restricted by the DOD procedures and their Classified Annex.

Michael Mukasey approved that plan just as NSA was dumping all the Section 215 data in with EO 12333 data at the beginning of 2008 (though they did not really roll it out across the NSA until later in 2009).

Nowhere in the government’s self-approval of this alternate contact chaining do they mention First Amendment considerations (or even the domestic activities language included in their filing to Walton). And in the rollout, they explicitly permitted starting chains with identifiers of any nationality (therefore presumably including US person) and approved the use of such contact chaining for purposes other than counterterrorism. More importantly, they expanded the analytical function beyond simple contact chaining, including location chaining.

All with no apparent discussion of the concerns a FISC judge expressed when data from EO 12333 had spoiled Section 215 data.

We will, I expect, finally start discussing how NSA has been using EO 12333 authorities — and how they’ve represented their overlap with FISA authorized collection. This discussion is an important place to start. Continue reading

1 2 3 9

Emptywheel Twitterverse
emptywheel RT @peterwsinger: NJ man shot drone flying over his house, charged with unlawful *firearm use* https://t.co/WWA8py9D1I HT @burritojustice
21mreplyretweetfavorite
emptywheel Think I'll write a short story abt a govt that times its security agreements to the life expectancy of men it has in indefinite detention.
22mreplyretweetfavorite
JimWhiteGNV After this bit of hand-made yumminess, the bread machine is headed for the donation pile. No turning back now. http://t.co/2qFnxCRWYv
32mreplyretweetfavorite
emptywheel Once in a blue moon you really do need to find lipstick, but then all you see are batteries that need recharged.
33mreplyretweetfavorite
JimWhiteGNV RT @DaveJonesUFbeat: Last time #Vols beat #Gators was 30-28 in Knoxville in 2004 ... Ron Zook was fired a little over a month later. Ahem. …
2hreplyretweetfavorite
JimWhiteGNV Tide finally turning? Jordan Davis' murderer convicted! In Florida, no less.
2hreplyretweetfavorite
JimWhiteGNV RT @AP: BREAKING: Florida man convicted of 1st-degree murder for killing teenager after argument over loud music.
2hreplyretweetfavorite
emptywheel RT @alexisgoldstein: Shorter Eric Holder: "if only someone with power would do something about these oversized, unaccountable banks!" https…
2hreplyretweetfavorite
emptywheel @JimWhiteGNV To be fair, that kind of arrangement (cough, Bandar) is prolly one reason our intel on Syria is so bad.
3hreplyretweetfavorite
emptywheel @pwnallthethings Yep. But their number one rec was ... to do what Apple is now defaulting to. And Apples about half of stolen phones.
3hreplyretweetfavorite
JimWhiteGNV I understand that Louie Gohmert plans to hire the Khorasan Group as consultants to search for new head of SS.
3hreplyretweetfavorite
JimWhiteGNV RT @GreggJLevine: Ask not if sexism played a role in 30-year Secret Service vet Pierson's promotion; ask if it contributed to her ouster.
3hreplyretweetfavorite
October 2014
S M T W T F S
« Sep    
 1234
567891011
12131415161718
19202122232425
262728293031