Charlie Savage is catching no end of shit today because he reported on a provision in the PATRIOT Act (one I just noticed Tuesday, actually, when finding the sunset language for something else) that specifies ongoing investigations may continue even after a sunset.
The law says that Section 215, along with another section of the Patriot Act, expires on “June 1, 2015, except that former provisions continue in effect with respect to any particular foreign intelligence investigation that began before June 1, 2015, or with respect to any particular offense or potential offense that began or occurred before June 1, 2015.”
Michael Davidson, who until his retirement in 2011 was the Senate Intelligence Committee’s top staff lawyer, said this meant that as long as there was an older counterterrorism investigation still open, the court could keep issuing Section 215 orders to phone companies indefinitely for that investigation.
“It was always understood that no investigation should be different the day after the sunset than it was the day before,” Mr. Davidson said, adding: “There are important reasons for Congress to legislate on what, if any, program is now warranted. But considering the actual language of the sunset provision, no one should believe the present program will disappear solely because of the sunset.”
Mr. Davidson said the widespread assumption by lawmakers and executive branch officials, as well as in news articles in The New York Times and elsewhere, that the program must lapse next summer without new legislation was incorrect.
The exception is obscure because it was recorded as a note accompanying Section 215; while still law, it does not receive its own listing in the United States Code. It was created by the original Patriot Act and was explicitly restated in a 2006 reauthorization bill, and then quietly carried forward in 2010 and in 2011.
Now, I’m happy to give Savage shit when I think he deserves it. But I’m confident those attacking him now are wrong.
Before I get into why, let me first say that to some degree it is moot. The Administration believes that, legally, it needs no Congressional authorization to carry out the phone dragnet. None. What limits its ability to engage in the phone dragnet is not the law (at least not until some courts start striking the Administration’s interpretation down). It’s the willingness of the telecoms to cooperate. Right now, the government appears to have a significant problem forcing Verizon to fully cooperate. Without Verizon, you don’t have an effective dragnet, which is significantly what USA Freedom and other “reform” efforts are about, to coerce or entice Verizon’s full cooperation without at the same time creating a legal basis to kill the entire program.
That said, not only is Davidson likely absolutely correct, but there’s precedent at the FISA Court for broadly approving grandfathering claims that make dubious sense.
As Davidson noted elsewhere in Savage’s story, the FBI has ongoing enterprise investigations that don’t lapse — and almost certainly have not lapsed since 9/11. Indeed, that’s the investigation(s) the government appears, from declassified documents, to have argued the dragnet is “relevant” to. So while some claim this perverts the definition of “particular,” that’s not the word that’s really at issue here, it’s the “relevant to” interpretation that USAF leaves intact, effectively ratifying (this time with uncontested full knowledge of Congress) the 2004 redefinition of it that everyone agrees was batshit insane. If you want to prevent this from happening, you need to affirmatively correct that FISA opinion, not to mention not ratify the definition again, which USAF would do (as would a straight reauthorization of PATRIOT next year).
And as I said, there is precedent for this kind of grandfathering at FISA, all now in the public record thanks to the declassification of the Yahoo challenge documents (and all probably known to Davidson, given that he was a lead negotiator on FISA Amendments Act which included significant discussion about sunset procedures, which they lifted from PAA.
For starters, on January 15, 2008, in an opinion approving the certifications for Protect America Act submitted in August and September 2007, Colleen Kollar-Kotelly approved the grand-fathering of the earlier 2007 large content dockets based on the government’s argument that they had generally considered the same factors they promised to follow under the PAA certifications and would subject the data obtained to the post-collection procedures in the certifications. (See page 15ff)
Effectively then, this permitted them to continue collection under the older, weaker protections, under near year-long PAA certifications.
In the weeks immediately following Kollar-Kotelly’s approval of the underlying certifications (though there’s evidence they had planned the move as far back as October, before they served Directives on Yahoo), the government significantly reorganized their FAA program, bringing FBI into a central role in the process and almost certainly setting up the back door searches that have become so controversial. They submitted new certifications on January 31, 2008, on what was supposed to be the original expiration date of the PAA. As Kollar-Kotelly described in an June 18, 2008 opinion (starting at 30), that came to her in the form of new procedures received on February 12, 2008, 4 days before the final expiration date of PAA.
On February 12, 2008, the government filed in each of the 07 Dockets additional sets of procedures used by the Federal Bureau of Investigation(FBI) when that agency acquires foreign intelligence information under PAA authorities. These procedures were adopted pursuant to amendments made by the Attorney General and the Director of National Intelligence (DNI) on January 31, 2008 to the certifications in the 07 Dockets.
Then, several weeks later — and therefore several weeks after PAA expired on February 16, 2008 — the government submitted still new procedures.
On March 3, 2008, the government submitted NSA and FBI procedures in a new matter [redacted]
Because the FBI and NSA procedures submitted in Docket No. [redacted] are quite similar to the procedures submitted in the 07 Dockets, the Court has consolidated these matters for purposes of its review under 50 U.S.C. § 1805c.
For the reasons explained below, the Court concludes that it retains jurisdiction to review the above-described procedures under §1805c. On the merits, the Court finds that the FBI procedures submitted in each of the 07 Dockets, and the NSA and FBI procedures submitted in Docket No. [redacted] satisfy the applicable review for clear error under 50 U.S.C. § 1805c(b).
She regarded these new procedures, submitted well after the law had expired, a modification of existing certifications.
In all [redacted] of the above-captioned dockets, the DNI and the Attorney General authorized acquisitions of foreign intelligence information by making or amending certifications prior to February 16, 2009, pursuant to provisions of the PAA codified at 50 U.S.C. § 1805b.
She did this in part by relying on Reggie Walton’s interim April 25, 2008 opinion in the Yahoo case that the revisions affecting Yahoo were still kosher, without, apparently, considering the very different status of procedures changed after the law had expired.
The government even considered itself to be spying with Yahoo under a September 2007 certification (that is, the latter of at least two certifications affecting Yahoo) past the July 10, 2008 passage of FISA Amendments Act, which imposed additional protections for US persons.
These are, admittedly, a slightly different case. In two cases, they amount to retaining older, less protective laws even after their replacement gets passed by Congress. In the third, it amounts to modifying procedures under a law that has already expired but remains active because of the later expiration date of the underlying certificate.
Still, this is all stuff the FISC has already approved.
The FISC also maintains — incorrectly in my opinion, but I’m not a FISC judge so they don’t much give a damn — that the 2010 and 2011 PATRIOT reauthorizations ratified everything the court had already approved, even the dragnets not explicitly laid out in the law. This sunset language was public, and there’s nothing exotic about what they say. To argue the FISC wouldn’t consider these valid clauses grand-fathering the dragnet, you’d have to argue they don’t believe the 2010 and 2011 reauthorizations ratified even the secret things already in place. That’s highly unlikely to happen, as it would bring the validity of their 40ish reauthorizations under question, which they’re not going to do.
Again, I think it’s moot. The “reform” process before us is about getting Verizon to engage in a dragnet that is not actually authorized by the law as written. They’re not doing what the government would like them to do now, so there’s no reason to believe this grandfathered language would lead them to suddenly do so.
The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26)
That line, from the FISCR opinion finding the Protect America Act constitutional, gets to the core problem with the FISA Court scheme. Even in 2009, when the line was first made public, it was pretty clear the government had made a false claim to the FISA Court of Review.
Now that we know that FBI had already been given authority to keep PAA-collected content in databases that they could search at what is now called the assessment stage of investigations – warrantless searches of the content of Americans against whom the FBI has no evidence of wrong-doing — the claim remains one of the signature moments where the government got approval for a program by being less than candid to the court (the government has been caught doing so in both Title III courts and at FISC, and continues to do so).
That’s also why I find Greg McNeal’s paper on Reforming the FISC, while very important, ultimately unconvincing.
McNeal’s paper is invaluable for the way he assesses the decision — in May 2006 — to authorize the collection of all phone records under Section 215. Not only does the paper largely agree with the Democratic appointees on PCLOB that the program is not authorized by the Section 215 statute, McNeal conducts his own assessment of the government’s application to use Section 215 for that purpose.
The application does not fare well.
Moreover, the government recognized that not all records would be relevant to an investigation, but justified relevance on what could best be described as usefulness or necessity to enable the government’s metadata analysis, stating:
The Application fully satisfies all requirements of title V of FISA. In particular, the Application seeks the production of tangible things “for” an international terrorism investigation. 50 U.S.C. § 1861(a)(1). In addition, the Application includes a statement of facts demonstrating that there are reasonable grounds to believe that the business records sought are “relevant” to an authorized investigation. Id. § 1861(b)(2). Although the call detail records of the [redacted] contain large volumes of metadata, the vast majority of which will not be terrorist-related, the scope of the business records request presents no infirmity under title V. All of the business records to be collected here are relevant to FBI investigations into [redacted] because the NSA can effectively conduct metadata analysis only if it has the data in bulk.49
The government went even further, arguing that if the FISC found that the records were not relevant, that the FISC should read relevance out of the statute by tailoring its analysis in a way that would balance the government’s request to collect metadata in bulk against the degree of intrusion into privacy interests. Disregarding the fact that the balancing of these interests was likely already engaged in by Congress when writing section 215, the government wrote:
In addition, even if the metadata from non-terrorist communications were deemed not relevant, nothing in title V of FISA demands that a request for the production of “any tangible things” under that provision collect only information that is strictly relevant to the international terrorism investigation at hand. Were the Court to require some tailoring to fit the information that will actually be terrorist-related, the business records request detailed in the Application would meet any proper test for reasonable tailoring. Any tailoring standard must be informed by a balancing of the government interest at stake against the degree of intrusion into any protected privacy interests. Here, the Government’s interest is the most compelling imaginable: the defense of the Nation in wartime from attacks that may take thousands of lives. On the other side of the balance, the intrusion is minimal. As the Supreme Court has held, there is no constitutionally protected interest in metadata, such as numbers dialed on a telephone.50
Thus, what the government asked the court to disregard the judgment of the Congress as to the limitations and privacy interests at stake in the collection of business records. Specifically, the government asked the FISC to disregard Congress’s imposition of a statutory requirement that business records be relevant, and in disregarding that statutory requirement rely on the fact that there was no constitutionally protected privacy interest in business records. The government’s argument flipped the statute on its head, as the purpose of enhancing protections under section 215 was to supplement the constitutional baseline protections for privacy that were deemed inadequate by Congress.
McNeal is no hippie. That he largely agrees and goes beyond PCLOB’s conclusion that this decision was not authorized by the statute is significant.
But as I said, I disagree with his remedy — and also with his assessment of the single source of this dysfunction.
McNeal’s remedy is laudable. He suggests all FISC decisions should be presumptively declassified and any significant FISC decision should get automatic appellate review, done by FISCR. That’s not dissimilar to a measure in Pat Leahy’s USA Freedom Act, which I’ve written about here. With my cautions about that scheme noted, I think McNeal’s remedy may have value.
The reason it won’t be enough stems from two things.
First, the government has proven it cannot be trusted with ex parte proceedings in the FISC. That may seem harsh, but the Yahoo challenge — which is the most complete view we’ve ever had of how the court works, even with a weak adversary — really damns the government’s conduct. In addition to the seemingly false claim to FISCR about whether the government held databases of incidentally collected data, over the course of the Yahoo challenge, the government,
In short, the materials withheld or misrepresented over the course of the Yahoo challenge may have made the difference in FISCR’s judgment that the program was legal (even ignoring all the things withheld from Yahoo, especially regarding the revised role of FBI in the process). (Note, in his paper, McNeal rightly argues Congress and the public could have had a clear idea of what Section 702 does; I’d limit that by noting that almost no one besides me imagined they were doing back door searches before that was revealed by the Snowden leaks).
One problem with McNeal’s suggestion, then, is that the government simply can’t be trusted to engage in ex parte proceedings before the FISC or FISCR. Every major program we’ve seen authorized by the court has featured significant misrepresentations about what the program really entailed. Every one! Until we eliminate that problem, the value of these courts will be limited.
But then there is the other problem, my own assessment of the source of the problem with FISC. McNeal thinks it is that Congress wants to pawn its authority off onto the FISC.
The underlying disease is that Congress wants things to operate the way that they do; Congress wants the FISC and has incentives to maintain the status quo.
Why does Congress want the FISC? Because it allows them to push accountability off to someone else. If members ofCongress are responsible for conducting oversight of secretoperations, their reputations are on the line if the operations gotoo far toward violating civil liberties, or not far enoughtoward protecting national security. However, with the FISC conducting operations, Congress has the ability to dodge accountability by claiming they have empowered a court to conduct oversight.
I don’t, in general, disagree with this sentiment in the least. The last thing Congress wants to do is make a decision that might later be tied to an intelligence failure, a terrorist attack, a botched operation. Heck, I’d add that the last thing most members of Congress serving on the Intelligence Committees would want to do is piss off the contractors whose donations provide one of the perks of the seat.
But the dysfunction of the FISC stems, in significant part, from something else.
In his paper on the phone dragnet (which partly incorporates the Internet dragnet), David Kris suggests the original decision to bring the dragnets under the FISC (in the paper he was limited by DOJ review about what he could say of the Internet dragnet, so it is not entirely clear whether he means the Colleen Kollar-Kotelly opinion that paved the way for the flawed Malcolm Howard one McNeal critiques, or the Howard one) was erroneous. Continue reading
Via Mike Masnick, I see that in addition to submitting a new state secrets declaration and a filing claiming EFF’s clients in Jewel v. NSA don’t have standing, the government also submitted a secret supplemental brief on its statement of authorities, which EFF has challenged.
The secret supplemental brief is interesting given the government’s outrageous state secrets claim in the lawsuit against United Against a Nuclear Iran, in which it refuses to explain why it must protect the intelligence sources and methods of an allegedly independent NGO. It seems the government’s state secrets claims are getting even more outrageous than they already were.
That’s particularly interesting given what appears to be the outlines of a claim that if the court recognizes Jewel’s standing, then all hell will break loose.
Due to the failings of Plaintiffs’ evidence described above, the Court need not consider the impact of the state secrets privilege on the standing issue. However, if the Court were to find Plaintiffs’ declarations admissible and sufficiently probative of Plaintiffs’ standing to raise a genuine issue meriting further inquiry (which it should not), adjudication f the standing issue could not proceed without risking exceptionally grave damage to national security (a threshold issue on which the Court requested briefing). That is so because operational details of Upstream collection that are subject to the DNI’s assertion of the state secrets privilege in this case are necessary to address Plaintiffs’ theory of standing. The Government presented this evidence to the Court in the DNI’s and NSA’s classified declarations of December 20, 2013, and supplements it with the Classified Declaration of Miriam P., NSA, submitted in camera, ex parte, herewith. Disclosure of this evidence would risk informing our Nation’s adversaries of the operational details of the NSA’s Upstream collection, including the identities of electronic-communications-service providers assisting with Upstream collection.
Behind these claims of grave harm are the reality that if US persons started to get standing under the dragnet, then under John Bates’ rules (in which illegal wiretapping is only illegal if the government knows US persons are targeted), the entire program would become illegal. So I suspect the government is ultimately arguing that Jewel can’t have standing because it would make the entire program illegal (which is sort of the point!).
But the biggest reason I’m intrigued by the government’s sneaky filing is because of what happened the last time it submitted such a sneaky filing.
I laid out in this post how a state secrets filing submitted in EFF’s related Shubert lawsuit by Keith Alexander on October 30, 2009 demonstrably lied. Go back and read it–it’s a good one. A lot of what I show involves Alexander downplaying the extent of the phone dragnet problems.
But we now know more about how much more Alexander was downplaying in that declaration.
As I show in this working thread, it is virtually certain that on September 30, 2009, Reggie Walton signed this order, effectively shutting down the Internet dragnet (I’m just now noticing that ODNI did not — as it has with the other FISC dragnet orders — release a copy with the timestamp that goes on all of these orders, which means we can’t determine what time of the day this was signed). Some time in the weeks before October 30, DOJ had submitted this notice, admitting that NSA had been violating the limits on “metadata” collection from the very start, effectively meaning it had been collecting content in the US for 5 years.
Precisely the kind of illegal dragnet Virginia Shubert was suing the government to prevent.
Mind you, there are hints of NSA’s Internet dragnet violations in Alexander’s declaration. In ¶59, Alexander says of the dragnet, “The FISC Telephone Business Records Order was most recently reauthorized on September 3, 2009, with authority continuing until October 30, 2009″ (Walton signed the October 30, 2009 phone dragnet order around 2:30 ET, which would be 11:30 in NDCA where this declaration was filed). In ¶58, he says, “The FISC Pen Register Order was most recently reauthorized on [redacted], 2009, and requires continued assistance by the providers through [redacted] 2009″ (this is a longer redaction than October 30 would take up, so it may reflect the 5PM shutdown Walton had imposed). So it may be that one of the redacted passages in Alexander’s declaration admitted that FISC had ordered the Internet dragnet shut down.
In addition, footnote 24 is quite long (note it carries onto a second page); particularly given that the tense used to describe the dragnets in the referenced paragraph differ (the Internet dragnet is in the past tense, the phone dragnet is in the present tense), it is possible Alexander admitted to both the compliance violation and that NSA had “voluntarily” stopped querying the dragnet data.
Further, in his later discussions, he refers to this data as “non-content metadata” and “records about communication transactions,” which may reflect a tacit (or prior) acknowledgment that the NSA had been collecting more than what, to the telecoms who were providing it, was legally metadata, or, if you will, was in fact “content as metadata.”
To the extent that the plaintiffs “dragnet” allegations also implicate other NSA activities, such as the bulk collection of non-content communications meta data or the collection of communications records, see, e.g., Amended Compl ¶58, addressing their assertions would require disclosure of NSA sources and methods that would cause exceptionally grave harm to national security.
Accordingly, adjudication of plaintiffs’ allegations concerning the collection of non-content meta data and records about communication transactions would risk or require disclosure of critical NSA sources and methods for [redacted] contacts of terrorist communications as well as the existence of current NSA activities under FISC Orders. Despite media speculation about those activities, official confirmation and disclosure of the NSA’s bulk collection and targeted analysis of telephony meta data would confirm to all of our foreign adversaries [redacted] the existence of these critical intelligence capabilities and thereby severely undermine NSA’s ability to gather information concerning terrorist connections and cause exceptionally grave harm to national security.
So it seems that Alexander provided some glimpse to Vaughn Walker of the troubles with the Internet dragnet program. So when after several long paragraphs describing the phone dragnet problems (making no mention even of the related Internet dragnet ones), Alexander promised to work with the FISC on the phone dragnet “and other compliance issues,” he likely invoked an earlier reference to the far more egregious Internet dragnet ones.
NSA is committed to working with the FISC on this and other compliance issues to ensure that this vital intelligence tool works appropriately and effectively. For purposes of this litigation, and the privilege assertions now made by the DNI and by the NSA, the intelligence sources and methods described herein remain highly classified and the disclosure that [redacted] would compromise vital NSA sources and methods and result in exceptionally grave harm to national security.
I find it tremendously telling how closely Alexander ties the violations themselves to the state secrets invocation.
The thing is, at this point in the litigation, the only honest thing to submit would have been a declaration stating, “Judge Walker? It turns out we’ve just alerted the FISC that we’ve been doing precisely what the plaintiffs in this case have accused of us — we’ve been doing it, in fact, for 5 years.” An honest declaration would have amounted to concession of the suit.
But it didn’t.
And that state secrets declaration, like the one the government submitted at the end of September, was accompanied by a secret statement of authorities, a document that (unless I’m mistaken) is among the very few that the government hasn’t released to EFF.
Which is why I find it so interesting that the government is now, specifically with reference to upstream collection, following the same approach.
Do these secret statements of authority basically say, “We admit it, judge, we’ve been violating the law in precisely the way the plaintiffs claim we have. But you have to bury that fact behind state secrets privilege, because our dragnets are more important than the Fourth Amendment”? Or do they claim they’re doing this illegal dragnettery under EO 12333 so the court can’t stop them?
If so, I can see why the government would want to keep them secret.
Update: I originally got the name of Shubert wrong. Virginia Shubert is the plaintiff.
If the documents relating to Yahoo’s challenge of Protect America Act released last month are accurate reflections of the documents actually submitted to the FISC and FISCR, then the government submitted a misleading document on June 5, 2008 that was central to FISCR’s ultimate ruling.
As I laid out here in 2009, FISCR relied on the the requirement in EO 12333 that the Attorney General determine there is probable cause a wiretapping technique used in the US is directed against a foreign power to judge the Protect America Act met probable cause requirements.
The procedures incorporated through section 2.5 of Executive Order 12333, made applicable to the surveillances through the certifications and directives, serve to allay the probable cause concern.
The Attorney General hereby is delegated the power to approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required if undertaken for law enforcement purposes, provided that such techniques shall not be undertaken unless the Attorney General has determined in each case that there is probable cause to believe that the technique is directed against a foreign power or an agent of a foreign power.
44 Fed. Reg. at 59,951 (emphasis supplied). Thus, in order for the government to act upon the certifications, the AG first had to make a determination that probable cause existed to believe that the targeted person is a foreign power or an agent of a foreign power. Moreover, this determination was not made in a vacuum. The AG’s decision was informed by the contents of an application made pursuant to Department of Defense (DOD) regulations. See DOD, Procedures Governing the Activities of DOD Intelligence Components that Affect United States Persons, DOD 5240.1-R, Proc. 5, Pt. 2.C. (Dec. 1982).
Yahoo didn’t buy this argument. It had a number of problems with it, notably that nothing prevented the government from changing Executive Orders.
While Executive Order 12333 (if not repealed), provides some additional protections, it is still not enough.
Thus, to the extent that it is even appropriate to examine the protections in the Executive Order that are not statutorily required, the scales of the reasonableness determination sway but do not tip towards reasonableness.
Yahoo made that argument on May 29, 2008.
Sadly, Yahoo appears not to have noticed the best argument that Courts shouldn’t rely on EO 12333 because the President could always change it: Sheldon Whitehouse’s revelation on December 7, 2007 (right in the middle of this litigation) that OLC had ruled the President could change it in secret and not note the change publicly. Whitehouse strongly suggested that the Executive in fact had changed EO 12333 without notice to accommodate its illegal wiretap program.
But the government appears to have intentionally withheld further evidence about how easily it could change EO 12333 — and in fact had, right in the middle of the litigation.
This is the copy of the Classified Annex to EO 12333 that (at least according to the ODNI release) the government submitted to FISCR in a classified appendix on June 5, 2008 (that is, after Yahoo had already argued that an EO, and the protections it affords, might change). It is a copy of the original Classified Appendix signed by Ed Meese in 1988.
As I have shown, Michael Hayden modified NSA/CSS Policy 1-23 on March 11, 2004, which includes and incorporates EO 12333, the day after the hospital confrontation. The content of the Classified Annex released in 2013 appears to be identical, in its unredacted bits, to the original as released in 1988 (see below for a list of the different things redacted in each version). So the actual content of what the government presented may (or may not be) a faithful representation of the Classified Appendix as it currently existed.
But the version of NSA/CSS Policy 1-23 released last year (starting at page 110) provides this modification history:
This Policy 1-23 supersedes Directive 10-30, dated 20 September 1990, and Change One thereto, dated June 1998. The Associate Director for Policy endorsed an administrative update, effective 27 December 2007 to make minor adjustments to this policy. This 29 May 2009 administrative update includes changes due to the FISA Amendments Act of 2008 and in core training requirements.
That is, Michael Hayden’s March 11, 2004 modification of the Policy changed to the Directive as existed before 2 changes made under Clinton.
Just as importantly, the modification history reflects “an administrative update” making “minor adjustments to this policy” effective December 27, 2007 — a month and a half after this challenge started.
By presenting the original Classified Appendix — to which Hayden had apparently reverted in 2004 — rather than the up-to-date Policy, the government was presenting what they were currently using. But they hid the fact that they had made changes to it right in the middle of this litigation. A fact that would have made it clear that Courts can’t rely on Executive Orders to protect the rights of Americans, especially when they include Classified Annexes hidden within Procedures.
In its language relying on EO 12333, FISCR specifically pointed to DOD 5240.1-R. The Classified Annex to EO 12333 is required under compliance with part of that that complies with the August 27, 2007 PAA compliance.
That is, this Classified Annex is a part of the Russian dolls of interlocking directives and orders that implement EO 12333.
And they were changing, even as this litigation was moving forward.
Only, the government appears to have hidden that information from the FISCR.
Update: Clarified that NSA/CSS Policy 1-23 is what got changed.
Update: Hahaha. The copy of DOD 5240.1 R which the government submitted on December 11, 2007, still bears the cover sheet labeling it as an Annex to NSA/CSS Directive 10-30. Which of course had been superseded in 2004.
The government released a document in the Yahoo dump that makes it clear it intended to reverse target Americans under Protect America Act (and by extension, FISA Amendments Act). That’s the Department of Defense Supplemental Procedures Governing Communications Metadata Analysis.
The document — as released earlier this month and (far more importantly) as submitted belatedly to the FISC in March 2008 — is fairly nondescript. It describes what DOD can do once it has collected metadata (irrespective of where it gets it) and how it defines metadata. It also clarifies that, “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communcations, nor to they qualify as ‘us[ing] a selection term’.”
The procedures do not once mention US persons.
There are two things that should have raised suspicions at FISC about this document. First, DOJ did not submit the procedures to FISC in a February 20, 2008 collection of documents they submitted after being ordered to by Judge Walton after he caught them hiding other materials; they did not submit them until March 14, 2008.
The signature lines should have raised even bigger suspicions.
First, there’s the delay between the two dates. Robert Gates, signing as Secretary of Defense, signed the document on October 17, 2007. That’s after at least one of the PAA Certifications underlying the Directives submitted to Yahoo (the government is hiding the date of the second Certification for what I suspect are very interesting reasons), but 6 days after Judge Colleen Kollar-Kotelly submitted questions as part of her assessment of whether the Certifications were adequate. Michael Mukasey, signing as Attorney General, didn’t sign the procedures until January 3, 2008, two weeks before Kollar-Kotelly issued her ruling on the certifications, but long after it started trying to force Yahoo to comply and even after the government submitted its first ex parte submission to Walton. That was also just weeks before the government redid the Certifications (newly involving FBI in the process) underlying PAA on January 29. I’ll come back to the dates, but the important issue is they didn’t even finalize these procedures until they were deep into two legal reviews of PAA and in the process of re-doing their Certifications.
Moreover, Mukasey dawdled two months before he signed them; he started at AG on November 9, 2007.
Then there’s the fact that the title for his signature line was clearly altered, after the fact.
Someone else was supposed to sign these procedures. (Peter Keisler was Acting Attorney General before Mukasey was confirmed, including on October 17, when Gates signed these procedures.) These procedures were supposed to be approved back in October 2007 (still two months after the first PAA Certifications) but they weren’t, for some reason.
The backup to those procedures — which Edward Snowden leaked in full — may explain the delay.
Those procedures were changed in 2008 to reverse earlier decisions prohibiting contact chaining on US person metadata.
NSA had tried to get DOJ to approve that change in 2006. But James Baker (who was one of the people who almost quit over the hospital confrontation in 2004 and who is now FBI General Counsel) refused to let them.
After Baker (and Alberto Gonzales) departed DOJ, and after Congress passed the Protect America Act, the spooks tried again. On November 20, 2007, Ken Wainstein and Steven Bradbury tried to get the Acting Deputy Attorney General Craig Morford (not Mukasey, who was already AG!) to approve the procedures. The entire point of the change, Wainstein’s memo makes clear, was to permit the contact chaining of US persons.
The Supplemental Procedures, attached at Tab A, would clarify that the National Security Agency (NSA) may analyze communications metadata associated with United States persons and persons believed to be in the United States.
What the government did, after passage of the PAA, was make it permissible for NSA to figure out whom Americans were emailing.
And this metadata was — we now know — central to FISCR’s understanding of the program (though perhaps not FISC’s; in an interview today I asked Reggie Walton about this document and he simply didn’t remember it).
The new declassification of the FISCR opinion makes clear, the linking procedures (that is, contact chaining) NSA did were central to FISCR’s finding that Protect America Act, as implemented in directives to Yahoo, had sufficient particularity to be reasonable.
The linking procedures — procedures that show that the [redacted] designated for surveillance are linked to persons reasonably believed to be overseas and otherwise appropriate targets — involve the application of “foreign intelligence factors” These factors are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. As attested by affidavits of the Director of the National Security Agency (NSA), the government identifies [redacted] surveillance for national security purposes on information indicating that, for instance, [big redaction] Although the FAA itself does not mandate a showing of particularity, see 50 U.S.C. § 1805(b). This pre-surveillance procedure strikes us as analogous to and in conformity with the particularly showing contemplated by Sealed Case.
In fact, these procedures were submitted to FISC and FISCR precisely to support their discussion of particularity! We know they were using these precise procedures with PAA because they were submitted to FISC and FISCR in defense of a claim that they weren’t targeting US persons.
Except, by all appearances, the government neglected to tell FISC and FISCR that the entire reason these procedures were changed, subsequent to the passage of the PAA, was so NSA could go identify the communications involving Americans.
And this program, and the legal authorization for it? It’s all built into the FISA Amendments Act.
Some weeks ago, I noted the language in James Clapper’s letter purportedly “supporting” Patrick Leahy’s USA Freedom Act making it clear he intended to retain the information asymmetry that currently exists in the FISA Court — specifically, ex parte communication with the court.
We note that, consistent with the President’s request, the bill estsablishes a process for the appointment of an amicus curiae to assist the FISA Court and FISA Court of Review in matters that present a novel or significant interpretation of the law. We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.
The Yahoo documents released a few weeks back illustrate how this might work in practice.
We’ve known since January 2009 that Yahoo (which we then only knew was an Internet company) didn’t receive the materials — perhaps most importantly, the minimization procedures — it needed to adequately challenge the program.
The cover sheet to the ex parte appendix provided to the FISCR illustrates the range of things withheld from Yahoo’s attorney, Marc Zwillinger, who apparently had a Top Secret clearance. In addition to the minimization procedures for NSA and FBI, the government withheld the “linking” procedures used to identify targets (the titles of these documents are redacted in the released version, but this post explains why at least some must pertain to these procedures; note, I think the government also withheld these from Judge Reggie Walton at the FISC level!), and a January 15, 2008 Colleen Kollar-Kotelly FISC opinion assessing the adequacy of the original certifications.
Comparing two versions of Walton’s April 25, 2008 opinions — a version redacted for Yahoo’s use in 2008, and the version redacted for public release now — provides context on the key issues obscured or suppressed entirely from Yahoo’s view. (Note two things about these redactions: first, with the exception of language on the information the government demanded from Yahoo, we’re receiving more information than Yahoo’s cleared attorney received when he was fighting this case. And the older document actually includes two sets of redactions: the more faded redactions used for Yahoo, and a more opaque set done for this release, the latter of which hide details about the Directives given to Yahoo.)
Effectively, the government hid what they changed when they rewrote Certifications underlying their demands to Yahoo just 2 weeks before the law expired. A significant part of those changes involves getting FBI involved in the process (I increasingly suspect those January 29, 2008 Certifications are when the government first obtained official permission for FBI back door searches).
Notice of the new Certificates was given to Yahoo on February 16, 2008, the day PAA expired, and signed by then Solicitor General Paul Clement, though signed as Acting Attorney General (see page 81). One day earlier, Judge Walton had given the government an ex parte order requiring them to address whether the ex parte materials they had submitted to him in December “constitutes the complete and up-to-date set of certifications … applicable to the directives that are at issue in this proceeding.” Walton also required the government to provide notice to Yahoo they were going to submit a new classified appendix.
Apparently, Walton had gotten wind of the fact — but had not been told formally — that the government had submitted entirely new Certifications affecting their treatment of the data they would obtain from Yahoo. So he ordered them to update the record so his review actually considered the surveillance as it would be implemented.
I’ve listed most of the differences between the two memoranda below. While much of it pertains to prior classified decisions and the operation of FISC generally, the biggest sections redacted from Yahoo but released in part to us now describe the new certifications, including FBI’s new role in the process. Of particular concern, the government withheld Walton’s comment admonishing the government for changing the certifications, “without appropriately informing the Court or supplementing the record in this matter until ordered to do so” (page 4), though footnote 4 and page 35 make it clear that Walton revealed some details of the government’s belated disclosures in a February 29 order for more briefing.
More troubling still, they hid Walton’s still significantly-redacted assessment that the changes in the Certifications would not change the nature of the government’s demand from Yahoo (page 38).
Neither type of amendment altered the nature of the assistance to be rendered by Yahoo,40
40 Yahoo has submitted a sworn statement that, prior to serving the directives on Yahoo, representatives of the government “indicated that, at the outset, it only would expect…
I wrote about these changing requests here. And while on paper the changing requests couldn’t have been a result of the changed Certification — Yahoo’s Manager of Legal Compliance described them in a January 23 submission, and the new Certifications were issued the following week — I find the timing, and the government’s failure to notice Walton on them, suspect enough that it’s the kind of thing that should have been briefed. Plus, as I’ll show in a follow-up post, I’m fairly certain the government hid from both FISC and FISCR the degree to which this was about targeting Americans.
Once Walton learned that the government’s requests to Yahoo had changed between the date of Kollar-Kotelly’s initial approval and the expiration of the law, it seems it should have merited more direct briefing, but that would have required admitting that the changes put domestic law enforcement in the center of the program, which presents (or should present) significantly different Fourth Amendment concerns, notably increasing the importance of prior interpretations of the “significant purpose” language instituted under the PATRIOT Act.
In other words, not only did the ex parte nature of this proceeding hide the details Yahoo would have needed to make a robust Fourth Amendment argument, as well as evidence that the government was not being entirely forthcoming to FISC (which would have bolstered Yahoo’s separation of powers claim), it also hid what may be specifically pertinent details behind the government’s last minute changed certifications.
In theory, this shouldn’t happen with the USA Freedom Advocate, because the bill specifically requires the Advocate have access to certifications necessary for her to complete her duties.
(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—
(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;
By comparison, the government was challenging Yahoo’s legal standing to take this challenge in the first place.
But I find the apparent basis for withholding information from Yahoo to be relevant. This memorandum, at least, was originally classified Top Secret/ORCON (Originator Controlled); the redacted memorandum given to Yahoo was classified Secret. That means that the changes arose, at least in part, from the ability of the originator (which may be DOJ’s National Security Division, given that Mark Bradley conducted the declassification review) to determine who gets the document. As I noted, there are two bases in USAF that would permit the government to withhold information, classification and privilege. Withholding information under an ORCON claim likely stems from both (though I am checking this).
So while the government should not be able to treat the advocate the same way they treated Yahoo (which, after all, FISC treated as a Congressionally sanctioned challenger to the orders, just as it would the advocate), they seem to have the prerogative to. (Update: I should add that Walton permitted the government to do all the ex parte briefing here under FISA’s ex parte briefing language; given that USAF doesn’t change that for any of the authorities in question, we should assume this precedent will apply to the advocate.)
To be clear, the USAF advocate is not one of the things that I believe sets back a slow reform process (as, for example, I believe the “transparency” provisions and some weakened minimization procedures do). I think it most likely that the advocate will evolve the way PCLOB has, which was first authorized in 2004, thwarted by Executive obstruction (on precisely these kinds of issues), reauthorized as a more effective body in 2007, then slow-walked again — partly by President Obama, though partly by Congress — for another 6 years. That is, if the advocate is at least as self-respecting as Lanny Davis (!), she will quit if the Executive ignores the intent of Congress that she have access to the materials she needs to do her job, exposing the inefficacy of the existing system. All that, of course, assumes she will cop onto what has been withheld. Clearly, Yahoo got a sense of it during this process, though FISC and FISCR seem to have realized only some of the other stuff withheld from them.
That is, judging by the PCLOB example, if all goes well and if USAF were to pass this year, we might have a fully functional advocate by 2023!
The Yahoo materials released show that the government withheld pertinent information from Yahoo, FISC, and FISCR until forced to provide it, and they never provided any of them with all the information they should have.
That it retains the ability to do so under USAF doesn’t bode well for the advocate. But that’s really just a subset to a larger issue that, even when authorized by Congress to provide oversight of this executive spying, the government has consistently, for years, been less than fully cooperative with FISC’s authority to do so.
As I’ve said, the surest way to reform surveillance is to eliminate the FISA Court.
The very first thing I remarked on when I read the Yahoo FISCR opinion when it was first released in 2009 was this passage.
The petitioner’s concern with incidental collections is overblown. It is settled beyond peradventure that incidental collections occurring as a result of constitutionally permissible acquisitions do not render those acquisitions unlawful.9 See, e.g., United States v. Kahn, 415 U.S. 143, 157-58 (1974); United States v. Schwartz, 535 F.2d 160, 164 (2d Cir. 1976). The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26 in original release; 30 in current release)
The government claimed to FISCR that it did not maintain a database of incidentally collected information from non-targeted US persons.
Barring some kind of neat parse, I didn’t buy the claim, not even in 2009.
Since then, we’ve found out that — barring some kind of neat parse — I was absolutely right. In fact, they are doing back door searches on this data, especially at FBI.
What I’m particularly intrigued by, now, is the timing.
FISCR said that in an opinion dated August 22, 2008 — over a month after the July 10, 2008 passage of the FISA Amendments Act. I have not yet found evidence of when the government said that to FISCR. It doesn’t appear in the unredacted part of their Jun 5, 2008 Merits brief (which cites Kahn but not Schwartz; see 49-50), though it might appear behind the redaction on 41. Of note, the April 25, 2008 FISC opinion doesn’t even mention the issue in its incidental collection discussion (starting at 95), though it does discuss amended certifications filed in February 2008.
So I’m guessing the government made that representation at the hearing in June, 2008.
We know, from John Bates’ rationale for authorizing NSA and CIA back door searches, such back door searches were first added to FBI minimization procedures in 2008.
When Bates approved back door searches in his October 3, 2011 opinion, he pointed to FBI’s earlier (and broader) authorities to justify approving it for NSA and CIA. While the mention of FBI is redacted here, at that point it was the only other agency whose minimization procedures had to be approved by FISC, and FBI is the agency that applies for traditional FISA warrants.
[redacted] contain an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information. See [redacted]. In granting [redacted] applications for electronic surveillance or physical search since 2008, including applications targeting United States persons and persons in the United States, the Court has found that the [redacted] meet the definitions of minimization procedures at 50 U.S.C. §§ 1801(h) and 1821(4). It follows that the substantially-similar querying provision found at Section 3(b)(5) of the amended NSA minimization procedures should not be problematic in a collection that is focused on non-United States persons located outside the United States and that, in aggregate, is less likely to result in the acquisition of nonpublic information regarding non-consenting United States persons.
So since 2008, FBI has had the ability to do back door searches on all the FISA-authorized data they get, including taps targeting US persons.
The FBI Minimization procedures submitted with the case all date to the 1990s, though a 2006 amendment changing how they logged the identities of US persons collected (note, in 2011, John Bates was bitching at FBI for having ignored an order to reissue all its minimization procedures with updates; I can see why he complained).
As described in the Government’s response of June 16, 2006, identities of U.S. persons that have not been logged are often maintained in FBI databases that contain unminimized information. The procedures now simply refer to “the identities” of U.S. persons, acknowledging that the FBI may not have previously logged such identities.
But there’s reason to believe the FBI minimization procedures — and this logging process — was changed in 2008, because a government document submitted in the Basaaly Moalin case — we know Moalin was wiretapped from December 2007 to April 2008, so during precisely the period of the Yahoo challenge, though he was not indicted until much later – referenced two sets of minimization procedures, seeming to reflect a change in minimization during the period of his surveillance (or perhaps during the period of surveillance of Aden Ayro, which is how Moalin is believed to have been identified).
That is, it all seems to have been happening in 2008.
The most charitable guess would be that explicit authorization for back door searches happened with the FAA, so before the FISCR ruling, but after the briefing.
Except in a letter to Russ Feingold during early debates on the FAA, Mike Mukasey and Mike McConnell (the latter of whom was involved in this Yahoo fight) strongly shot down a Feingold amendment that would have required the government to segregate all communications not related to terrorism (and a few other things), and requiring a FISA warrant to access them.
The Mukasey-McConnell attack on segregation is most telling. They complain that the amendment makes a distinction between different kinds of foreign intelligence (one exception to the segregation requirement in the amendment is for “concerns international terrorist activities directed against the United States, or activities in preparation therefor”), even while they claim it would “diminish our ability swiftly to monitor a communication from a foreign terrorist overseas to a person in the United States.” In other words, the complain that one of the only exceptions is for communications relating terrorism, but then say this will prevent them from getting communications pertaining to terrorism.
Then it launches into a tirade that lacks any specifics:
It would have a devastating impact on foreign intelligence surveillance operations; it is unsound as a matter of policy; its provisions would be inordinately difficult to implement; and thus it is unacceptable.
As Feingold already pointed out, the government has segregated the information they collected under PAA–they’re already doing this. But to justify keeping US person information lumped in with foreign person information, they offer no affirmative reason to do so, but only say it’s too difficult and so they refuse to do it.
Even 5 years ago, the language about the “devastating impact” segregating non-terrorism data might have strongly suggested the entire point of this collection was to provide for back door searches.
But that letter was dated February 5, 2008, before the FISCR challenge had even begun. While not definitive, this seems to strongly suggest, at least, that the government planned — even if it hadn’t amended the FBI minimization procedures yet — to retain a database of incidentally data to search on, before the government told FISCR they did not.
Update: I forgot a very important detail. In a hearing this year, Ron Wyden revealed that NSA’s authority to do back door searches had been closed some time during the Bush Administration, before it was reopened by John “Bates stamp” Bates.
Let me start by talking about the fact that the House bill does not ban warrantless searches for Americans’ emails. And here, particularly, I want to get into this with you, Mr. Ledgett if I might. We’re talking of course about the backdoor search loophole, section 702 of the FISA statute. This allows NSA in effect to look through this giant pile of communications that are collected under 702 and deliberately conduct warrantless searches for the communications of individual Americans. This loophole was closed during the Bush Administration, but it was reopened in 2011, and a few months ago the Director of National Intelligence acknowledged in a letter to me that the searches are ongoing today. [my emphasis]
When I noted that Wyden had said this, I guessed that the government had shut down back door searches in the transition from PAA to FAA, but that seems less likely, having begun to review these Yahoo documents, then that it got shut down in response to the hospital confrontation.
But it shows that more extensive back door searches had been in place before the government implied to the FISCR that they weren’t doing back door searches that they clearly were at least contemplating at that point. I’d really like to understand how the government believes they didn’t lie to the FISCR in that comment (though it wouldn’t be the last time they lied to courts about their databases of Americans).
I said yesterday that the plan, going as far back as 2002, was to let CIA and FBI tap right into NSA’s data. I base that on this explanation from Keith Alexander, which he included in his declaration accompanying the End to End Report that was submitted sometime after October 30, 2009.
By the fall of 2002, the Intelligence Community had grown increasingly concerned about the potential for further attacks on the United States. For example, during 10 to 24 September 2002, the Government raised the homeland security threat condition to “orange,” indicating a high likelihood of attack. In this context, in October 2002 the Directors of NSA, CIA, and FBI established an Inter-Agency Review Group to examine information sharing [redacted] The group’s top recommendation was that NSA create a common target knowledge database to allow joint research and information exchanges [redacted].
Of course, we now know that the threat level was high in September 2002 because the government was chasing down a bunch of false leads from Abu Zubaydah’s torture.
Abu Zubaida’s revelations triggered a series of alerts and sent hundreds of CIA and FBI investigators scurrying in pursuit of phantoms. The interrogations led directly to the arrest of Jose Padilla, the man Abu Zubaida identified as heading an effort to explode a radiological “dirty bomb” in an American city. Padilla was held in a naval brig for 3 1/2 years on the allegation but was never charged in any such plot. Every other lead ultimately dissolved into smoke and shadow, according to high-ranking former U.S. officials with access to classified reports.
“We spent millions of dollars chasing false alarms,” one former intelligence official said.
In other words, the justification for creating a database where CIA and FBI could directly access much of NSA’s data was a mirage, one created by CIA’s own torture.
All that’s separate from the question of whether CIA and FBI should have access directly to NSA’s data. Perhaps it makes us more responsive. Perhaps it perpetuates this process of chasing ghosts. That’s a debate we should have based on actual results, not the tortured false confessions of a decade past.
But it’s a testament to two things: the way in which torture created the illusion of danger, and the degree to which torture — and threat claims based on it — have secretly served as the basis the Executive uses to demand the FISA Court permit it to extend the dragnet.
Even the current CIA Director has admitted this to be true — though without explicitly laying out the import of it. Isn’t it time we start acknowledging this — and reassessing the civil liberties damage done because of it — rather than keeping it hidden under redactions?
I know I’ve had a lot of mostly unenthusiastic things to say about even Pat Leahy’s version of the USA Freedom Act.
Having read about half of last week’s Internet Dragnet document dump so far, I’m increasingly worried about two details I’ve already raised.
I suspect, unless the law explicitly imposes minimization procedures on NSA (and CIA, which reportedly operates the bulky Western Union dragnet), they will evade the bill’s most stringent minimization procedures.
As I noted in November and PCLOB noted in January, the business records provision was explicitly written for FBI, not other intelligence agencies. As a result, the language in it requiring minimization procedures did not — and still would not under Leahy Freedom (to say nothing of USA Freedumber) — require minimization procedures from Agencies beyond FBI. For example, unless I’m misreading how the law would be implemented, this is what would still be in place with regards to minimization procedures.
Applications have to lay out minimization procedures. But the law only requires they apply to FBI.
(D) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.
The judge reviews the minimization procedures in the application to make sure they comply with (g), and then includes an order they be followed in his order approving the application.
(1) Upon an application made pursuant to this section, if the judge finds that the application meets the requirements of subsections (a) and (b) and that the minimization procedures submitted in accordance with subsection (b)(2)(D) meet the definition of minimization procedures under subsection (g), the judge shall enter an ex parte order as requested, or as modified, approving the release of tangible things. Such order shall direct that minimization procedures adopted pursuant to subsection (g) be followed.
And as I’ve already noted, the entire section (g) devoted to minimization explicitly applies to just FBI.
The Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this subchapter.
What’s particularly crazy about this is that the clause was changed to take out deadlines imposed in the 2006 renewal. In other words, they changed this clause, but left in the limits for most minimization procedures to just FBI.
The early focus on the dragnet violations was on the phone dragnet. At the end of March, however, DOJ started preparing to look more closely at the PRTT program in late April 2009, which may be why some of the following violations got disclosed to Reggie Walton in conjunction with a May reauthorization application. The CIA, FBI, and NCTC access to the PRTT seems to have been a bigger issue than the BR FISA data.
All that said, when the NSA completed its End-to-End report sometime in fall 2009, they didn’t report all that much beyond the violations noted in May (though they did note the NSA did not shut down some automatic process when it said it did), mostly by claiming they didn’t realize the original dragnet order meant what it said (in spite of the violation in the first dragnet order).
It was only after that that they noticed FISC NSA had been collecting content from the start of the program (see document O). Once they admitted that, NSA decided not to reapply for a Primary Order, and Reggie Walton issued a supplemental order (document E) ordering them not to collect any more, but also not to access the data they did have. Only after that did DOJ submit the End-to-End report, accompanied by DOJ and Keith Alexander reports that admitted the content violation.