Reggie Walton

1 2 3 9

The Last Time NSA Submitted Secret Authorities, It Was Actively Hiding Illegal Wiretapping

Via Mike Masnick, I see that in addition to submitting a new state secrets declaration and a filing claiming EFF’s clients in Jewel v. NSA don’t have standing, the government also submitted a secret supplemental brief on its statement of authorities, which EFF has challenged.

The secret supplemental brief is interesting given the government’s outrageous state secrets claim in the lawsuit against United Against a Nuclear Iran, in which it refuses to explain why it must protect the intelligence sources and methods of an allegedly independent NGO. It seems the government’s state secrets claims are getting even more outrageous than they already were.

That’s particularly interesting given what appears to be the outlines of a claim that if the court recognizes Jewel’s standing, then all hell will break loose.

Due to the failings of Plaintiffs’ evidence described above, the Court need not consider the impact of the state secrets privilege on the standing issue. However, if the Court were to find Plaintiffs’ declarations admissible and sufficiently probative of Plaintiffs’ standing to raise a genuine issue meriting further inquiry (which it should not), adjudication f the standing issue could not proceed without risking exceptionally grave damage to national security (a threshold issue on which the Court requested briefing). That is so because operational details of Upstream collection that are subject to the DNI’s assertion of the state secrets privilege in this case are necessary to address Plaintiffs’ theory of standing. The Government presented this evidence to the Court in the DNI’s and NSA’s classified declarations of December 20, 2013, and supplements it with the Classified Declaration of Miriam P., NSA, submitted in camera, ex parte, herewith. Disclosure of this evidence would risk informing our Nation’s adversaries of the operational details of the NSA’s Upstream collection, including the identities of electronic-communications-service providers assisting with Upstream collection.

Behind these claims of grave harm are the reality that if US persons started to get standing under the dragnet, then under John Bates’ rules (in which illegal wiretapping is only illegal if the government knows US persons are targeted), the entire program would become illegal. So I suspect the government is ultimately arguing that Jewel can’t have standing because it would make the entire program illegal (which is sort of the point!).

But the biggest reason I’m intrigued by the government’s sneaky filing is because of what happened the last time it submitted such a sneaky filing.

I laid out in this post how a state secrets filing submitted in EFF’s related Shubert lawsuit by Keith Alexander on October 30, 2009 demonstrably lied. Go back and read it–it’s a good one. A lot of what I show involves Alexander downplaying the extent of the phone dragnet problems.

But we now know more about how much more Alexander was downplaying in that declaration.

As I show in this working thread, it is virtually certain that on September 30, 2009, Reggie Walton signed this order, effectively shutting down the Internet dragnet (I’m just now noticing that ODNI did not — as it has with the other FISC dragnet orders — release a copy with the timestamp that goes on all of these orders, which means we can’t determine what time of the day this was signed). Some time in the weeks before October 30, DOJ had submitted this notice, admitting that NSA had been violating the limits on “metadata” collection from the very start, effectively meaning it had been collecting content in the US for 5 years.

Precisely the kind of illegal dragnet Virginia Shubert was suing the government to prevent.

Mind you, there are hints of NSA’s Internet dragnet violations in Alexander’s declaration. In ¶59, Alexander says of the dragnet, “The FISC Telephone Business Records Order was most recently reauthorized on September 3, 2009, with authority continuing until October 30, 2009″ (Walton signed the October 30, 2009 phone dragnet order around 2:30 ET, which would be 11:30 in NDCA where this declaration was filed). In ¶58, he says, “The FISC Pen Register Order was most recently reauthorized on [redacted], 2009, and requires continued assistance by the providers through [redacted] 2009″ (this is a longer redaction than October 30 would take up, so it may reflect the 5PM shutdown Walton had imposed). So it may be that one of the redacted passages in Alexander’s declaration admitted that FISC had ordered the Internet dragnet shut down.

In addition, footnote 24 is quite long (note it carries onto a second page); particularly given that the tense used to describe the dragnets in the referenced paragraph differ (the Internet dragnet is in the past tense, the phone dragnet is in the present tense), it is possible Alexander admitted to both the compliance violation and that NSA had “voluntarily” stopped querying the dragnet data.

Further, in his later discussions, he refers to this data as “non-content metadata” and “records about communication transactions,” which may reflect a tacit (or prior) acknowledgment that the NSA had been collecting more than what, to the telecoms who were providing it, was legally metadata, or, if you will, was in fact “content as metadata.”

To the extent that the plaintiffs “dragnet” allegations also implicate other NSA activities, such as the bulk collection of non-content communications meta data or the collection of communications records, see, e.g., Amended Compl ¶58, addressing their assertions would require disclosure of NSA sources and methods that would cause exceptionally grave harm to national security.

[snip]

Accordingly, adjudication of plaintiffs’ allegations concerning the collection of non-content meta data and records about communication transactions would risk or require disclosure of critical NSA sources and methods for [redacted] contacts of terrorist communications as well as the existence of current NSA activities under FISC Orders. Despite media speculation about those activities, official confirmation and disclosure of the NSA’s bulk collection and targeted analysis of telephony meta data would confirm to all of our foreign adversaries [redacted] the existence of these critical intelligence capabilities and thereby severely undermine NSA’s ability to gather information concerning terrorist connections and cause exceptionally grave harm to national security.

So it seems that Alexander provided some glimpse to Vaughn Walker of the troubles with the Internet dragnet program. So when after several long paragraphs describing the phone dragnet problems (making no mention even of the related Internet dragnet ones), Alexander promised to work with the FISC on the phone dragnet “and other compliance issues,” he likely invoked an earlier reference to the far more egregious Internet dragnet ones.

NSA is committed to working with the FISC on this and other compliance issues to ensure that this vital intelligence tool works appropriately and effectively. For purposes of this litigation, and the privilege assertions now made by the DNI and by the NSA, the intelligence sources and methods described herein remain highly classified and the disclosure that [redacted] would compromise vital NSA sources and methods and result in exceptionally grave harm to national security.

I find it tremendously telling how closely Alexander ties the violations themselves to the state secrets invocation.

The thing is, at this point in the litigation, the only honest thing to submit would have been a declaration stating, “Judge Walker? It turns out we’ve just alerted the FISC that we’ve been doing precisely what the plaintiffs in this case have accused of us — we’ve been doing it, in fact, for 5 years.” An honest declaration would have amounted to concession of the suit.

But it didn’t.

And that state secrets declaration, like the one the government submitted at the end of September, was accompanied by a secret statement of authorities, a document that (unless I’m mistaken) is among the very few that the government hasn’t released to EFF.

Which is why I find it so interesting that the government is now, specifically with reference to upstream collection, following the same approach.

Do these secret statements of authority basically say, “We admit it, judge, we’ve been violating the law in precisely the way the plaintiffs claim we have. But you have to bury that fact behind state secrets privilege, because our dragnets are more important than the Fourth Amendment”? Or do they claim they’re doing this illegal dragnettery under EO 12333 so the court can’t stop them?

If so, I can see why the government would want to keep them secret.

Update: I originally got the name of Shubert wrong. Virginia Shubert is the plaintiff.

FISCR Used an Outdated Version of EO 12333 to Rule Protect America Act Legal

If the documents relating to Yahoo’s challenge of Protect America Act released last month are accurate reflections of the documents actually submitted to the FISC and FISCR, then the government submitted a misleading document on June 5, 2008 that was central to FISCR’s ultimate ruling.

As I laid out here in 2009, FISCR relied on the the requirement  in EO 12333 that the Attorney General determine there is probable cause a wiretapping technique used in the US is directed against a foreign power to judge the Protect America Act met probable cause requirements.

The procedures incorporated through section 2.5 of Executive Order 12333, made applicable to the surveillances through the certifications and directives, serve to allay the probable cause concern.

The Attorney General hereby is delegated the power to approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required if undertaken for law enforcement purposes, provided that such techniques shall not be undertaken unless the Attorney General has determined in each case that there is probable cause to believe that the technique is directed against a foreign power or an agent of a foreign power.

44 Fed. Reg. at 59,951 (emphasis supplied). Thus, in order for the government to act upon the certifications, the AG first had to make a determination that probable cause existed to believe that the targeted person is a foreign power or an agent of a foreign power. Moreover, this determination was not made in a vacuum. The AG’s decision was informed by the contents of an application made pursuant to Department of Defense (DOD) regulations. See DOD, Procedures Governing the Activities of DOD Intelligence Components that Affect United States Persons, DOD 5240.1-R, Proc. 5, Pt. 2.C.  (Dec. 1982).

Yahoo didn’t buy this argument. It had a number of problems with it, notably that nothing prevented the government from changing Executive Orders.

While Executive Order 12333 (if not repealed), provides some additional protections, it is still not enough.

[snip]

Thus, to the extent that it is even appropriate to examine the protections in the Executive Order that are not statutorily required, the scales of the reasonableness determination sway but do not tip towards reasonableness.

Yahoo made that argument on May 29, 2008.

Sadly, Yahoo appears not to have noticed the best argument that Courts shouldn’t rely on EO 12333 because the President could always change it: Sheldon Whitehouse’s revelation on December 7, 2007 (right in the middle of this litigation) that OLC had ruled the President could change it in secret and not note the change publicly. Whitehouse strongly suggested that the Executive in fact had changed EO 12333 without notice to accommodate its illegal wiretap program.

But the government appears to have intentionally withheld further evidence about how easily it could change EO 12333 — and in fact had, right in the middle of the litigation.

This is the copy of the Classified Annex to EO 12333 that (at least according to the ODNI release) the government submitted to FISCR in a classified appendix on June 5, 2008 (that is, after Yahoo had already argued that an EO, and the protections it affords, might change). It is a copy of the original Classified Appendix signed by Ed Meese in 1988.

As I have shown, Michael Hayden modified NSA/CSS Policy 1-23 on March 11, 2004, which includes and incorporates EO 12333, the day after the hospital confrontation. The content of the Classified Annex released in 2013 appears to be identical, in its unredacted bits, to the original as released in 1988 (see below for a list of the different things redacted in each version). So the actual content of what the government presented may (or may not be) a faithful representation of the Classified Appendix as it currently existed.

But the version of NSA/CSS Policy 1-23 released last year (starting at page 110) provides this modification history:

This Policy 1-23 supersedes Directive 10-30, dated 20 September 1990, and Change One thereto, dated June 1998. The Associate Director for Policy endorsed an administrative update, effective 27 December 2007 to make minor adjustments to this policy. This 29 May 2009 administrative update includes changes due to the FISA Amendments Act of 2008 and in core training requirements.

That is, Michael Hayden’s March 11, 2004 modification of the Policy changed to the Directive as existed before 2 changes made under Clinton.

Just as importantly, the modification history reflects “an administrative update” making “minor adjustments to this policy” effective December 27, 2007 — a month and a half after this challenge started.

By presenting the original Classified Appendix — to which Hayden had apparently reverted in 2004 — rather than the up-to-date Policy, the government was presenting what they were currently using. But they hid the fact that they had made changes to it right in the middle of this litigation. A fact that would have made it clear that Courts can’t rely on Executive Orders to protect the rights of Americans, especially when they include Classified Annexes hidden within Procedures.

In its language relying on EO 12333, FISCR specifically pointed to DOD 5240.1-R. The Classified Annex to EO 12333 is required under compliance with part of that that complies with the August 27, 2007 PAA compliance.

That is, this Classified Annex is a part of the Russian dolls of interlocking directives and orders that implement EO 12333.

And they were changing, even as this litigation was moving forward.

Only, the government appears to have hidden that information from the FISCR.

Update: Clarified that NSA/CSS Policy 1-23 is what got changed.

Update: Hahaha. The copy of DOD 5240.1 R which the government submitted on December 11, 2007, still bears the cover sheet labeling it as an Annex to NSA/CSS Directive 10-30. Which of course had been superseded in 2004.

Note how they cut off the date to hide that it was 1990?

Note how they cut off the date to hide that it was 1990?

Continue reading

Protect America Act Was Designed to Collect on Americans, But DOJ Hid that from the FISC

The government released a document in the Yahoo dump that makes it clear it intended to reverse target Americans under Protect America Act (and by extension, FISA Amendments Act). That’s the Department of Defense Supplemental Procedures Governing Communications Metadata Analysis.

The document — as released earlier this month and (far more importantly) as submitted belatedly to the FISC in March 2008 — is fairly nondescript. It describes what DOD can do once it has collected metadata (irrespective of where it gets it) and how it defines metadata. It also clarifies that, “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communcations, nor to they qualify as ‘us[ing] a selection term’.”

The procedures do not once mention US persons.

There are two things that should have raised suspicions at FISC about this document. First, DOJ did not submit the procedures to FISC in a February 20, 2008 collection of documents they submitted after being ordered to by Judge Walton after he caught them hiding other materials; they did not submit them until March 14, 2008.

The signature lines should have raised even bigger suspicions.

Gates Mukasey

First, there’s the delay between the two dates. Robert Gates, signing as Secretary of Defense, signed the document on October 17, 2007. That’s after at least one of the PAA Certifications underlying the Directives submitted to Yahoo (the government is hiding the date of the second Certification for what I suspect are very interesting reasons), but 6 days after Judge Colleen Kollar-Kotelly submitted questions as part of her assessment of whether the Certifications were adequate. Michael Mukasey, signing as Attorney General, didn’t sign the procedures until January 3, 2008, two weeks before Kollar-Kotelly issued her ruling on the certifications, but long after it started trying to force Yahoo to comply and even after the government submitted its first ex parte submission to Walton. That was also just weeks before the government redid the Certifications (newly involving FBI in the process) underlying PAA on January 29. I’ll come back to the dates, but the important issue is they didn’t even finalize these procedures until they were deep into two legal reviews of PAA and in the process of re-doing their Certifications.

Moreover, Mukasey dawdled two months before he signed them; he started at AG on November 9, 2007.

Then there’s the fact that the title for his signature line was clearly altered, after the fact.

Someone else was supposed to sign these procedures. (Peter Keisler was Acting Attorney General before Mukasey was confirmed, including on October 17, when Gates signed these procedures.) These procedures were supposed to be approved back in October 2007 (still two months after the first PAA Certifications) but they weren’t, for some reason.

The backup to those procedures — which Edward Snowden leaked in full — may explain the delay.

Those procedures were changed in 2008 to reverse earlier decisions prohibiting contact chaining on US person metadata. 

NSA had tried to get DOJ to approve that change in 2006. But James Baker (who was one of the people who almost quit over the hospital confrontation in 2004 and who is now FBI General Counsel) refused to let them.

After Baker (and Alberto Gonzales) departed DOJ, and after Congress passed the Protect America Act, the spooks tried again. On November 20, 2007, Ken Wainstein and Steven Bradbury tried to get the Acting Deputy Attorney General Craig Morford (not Mukasey, who was already AG!) to approve the procedures. The entire point of the change, Wainstein’s memo makes clear, was to permit the contact chaining of US persons.

The Supplemental Procedures, attached at Tab A, would clarify that the National Security Agency (NSA) may analyze communications metadata associated with United States persons and persons believed to be in the United States.

What the government did, after passage of the PAA, was make it permissible for NSA to figure out whom Americans were emailing.

And this metadata was — we now know — central to FISCR’s understanding of the program (though perhaps not FISC’s; in an interview today I asked Reggie Walton about this document and he simply didn’t remember it).

The new declassification of the FISCR opinion makes clear, the linking procedures (that is, contact chaining) NSA did were central to FISCR’s finding that Protect America Act, as implemented in directives to Yahoo, had sufficient particularity to be reasonable.

The linking procedures — procedures that show that the [redacted] designated for surveillance are linked to persons reasonably believed to be overseas and otherwise appropriate targets — involve the application of “foreign intelligence factors” These factors are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. As attested by affidavits  of the Director of the National Security Agency (NSA), the government identifies [redacted] surveillance for national security purposes on information indicating that, for instance, [big redaction] Although the FAA itself does not mandate a showing of particularity, see 50 U.S.C. § 1805(b). This pre-surveillance procedure strikes us as analogous to and in conformity with the particularly showing contemplated by Sealed Case.

In fact, these procedures were submitted to FISC and FISCR precisely to support their discussion of particularity! We know they were using these precise procedures with PAA because they were submitted to FISC and FISCR in defense of a claim that they weren’t targeting US persons.

Except, by all appearances, the government neglected to tell FISC and FISCR that the entire reason these procedures were changed, subsequent to the passage of the PAA, was so NSA could go identify the communications involving Americans.

And this program, and the legal authorization for it? It’s all built into the FISA Amendments Act.

Hiding Yahoos: ORCON and the FISC Special Advocate

Some weeks ago, I noted the language in James Clapper’s letter purportedly “supporting” Patrick Leahy’s USA Freedom Act making it clear he intended to retain the information asymmetry that currently exists in the FISA Court — specifically, ex parte communication with the court.

We note that, consistent with the President’s request, the bill estsablishes a process for the appointment of an amicus curiae to assist the FISA Court and FISA Court of Review in matters that present a novel or significant interpretation of the law. We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.

The Yahoo documents released a few weeks back illustrate how this might work in practice.

We’ve known since January 2009 that Yahoo (which we then only knew was an Internet company) didn’t receive the materials — perhaps most importantly, the minimization procedures — it needed to adequately challenge the program.

The cover sheet to the ex parte appendix provided to the FISCR illustrates the range of things withheld from Yahoo’s attorney, Marc Zwillinger, who apparently had a Top Secret clearance. In addition to the minimization procedures for NSA and FBI, the government withheld the “linking” procedures used to identify targets (the titles of these documents are redacted in the released version, but this post explains why at least some must pertain to these procedures; note, I think the government also withheld these from Judge Reggie Walton at the FISC level!), and a January 15, 2008 Colleen Kollar-Kotelly FISC opinion assessing the adequacy of the original certifications.

Comparing two versions of Walton’s April 25, 2008 opinions — a version redacted for Yahoo’s use in 2008, and the version redacted for public release now — provides context on the key issues obscured or suppressed entirely from Yahoo’s view. (Note two things about these redactions: first, with the exception of language on the information the government demanded from Yahoo, we’re receiving more information than Yahoo’s cleared attorney received when he was fighting this case. And the older document actually includes two sets of redactions: the more faded redactions used for Yahoo, and a more opaque set done for this release, the latter of which hide details about the Directives given to Yahoo.)

Effectively, the government hid what they changed when they rewrote Certifications underlying their demands to Yahoo just 2 weeks before the law expired. A significant part of those changes involves getting FBI involved in the process (I increasingly suspect those January 29, 2008 Certifications are when the government first obtained official permission for FBI back door searches).

Notice of the new Certificates was given to Yahoo on February 16, 2008, the day PAA expired, and signed by then Solicitor General Paul Clement, though signed as Acting Attorney General (see page 81). One day earlier, Judge Walton had given the government an ex parte order requiring them to address whether the ex parte materials they had submitted to him in December “constitutes the complete and up-to-date set of certifications … applicable to the directives that are at issue in this proceeding.” Walton also required the government to provide notice to Yahoo they were going to submit a new classified appendix.

Apparently, Walton had gotten wind of the fact — but had not been told formally — that the government had submitted entirely new Certifications affecting their treatment of the data they would obtain from Yahoo. So he ordered them to update the record so his review actually considered the surveillance as it would be implemented.

I’ve listed most of the differences between the two memoranda below. While much of it pertains to prior classified decisions and the operation of FISC generally, the biggest sections redacted from Yahoo but released in part to us now describe the new certifications, including FBI’s new role in the process.  Of particular concern, the government withheld Walton’s comment admonishing the government for changing the certifications, “without appropriately informing the Court or supplementing the record in this matter until ordered to do so” (page 4), though footnote 4 and page 35 make it clear that Walton revealed some details of the government’s belated disclosures in a February 29 order for more briefing.

More troubling still, they hid Walton’s still significantly-redacted assessment that the changes in the Certifications would not change the nature of the government’s demand from Yahoo (page 38).

Neither type of amendment altered the nature of the assistance to be rendered by Yahoo,40

40 Yahoo has submitted a sworn statement that, prior to serving the directives on Yahoo, representatives of the government “indicated that, at the outset, it only would expect…

I wrote about these changing requests here. And while on paper the changing requests couldn’t have been a result of the changed Certification — Yahoo’s Manager of Legal Compliance described them in a January 23 submission, and the new Certifications were issued the following week — I find the timing, and the government’s failure to notice Walton on them, suspect enough that it’s the kind of thing that should have been briefed. Plus, as I’ll show in a follow-up post, I’m fairly certain the government hid  from both FISC and FISCR the degree to which this was about targeting Americans.

Once Walton learned that the government’s requests to Yahoo had changed between the date of Kollar-Kotelly’s initial approval and the expiration of the law, it seems it should have merited more direct briefing, but that would have required admitting that the changes put domestic law enforcement in the center of the program, which presents (or should present) significantly different Fourth Amendment concerns, notably increasing the importance of prior interpretations of the “significant purpose” language instituted under the PATRIOT Act.

In other words, not only did the ex parte nature of this proceeding hide the details Yahoo would have needed to make a robust Fourth Amendment argument, as well as evidence that the government was not being entirely forthcoming to FISC (which would have bolstered Yahoo’s separation of powers claim), it also hid what may be specifically pertinent details behind the government’s last minute changed certifications.

In theory, this shouldn’t happen with the USA Freedom Advocate, because the bill specifically requires the Advocate have access to certifications necessary for her to complete her duties.

(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—

[snip]

(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;

By comparison, the government was challenging Yahoo’s legal standing to take this challenge in the first place.

But I find the apparent basis for withholding information from Yahoo to be relevant. This memorandum, at least, was originally classified Top Secret/ORCON (Originator Controlled); the redacted memorandum given to Yahoo was classified Secret. That means that the changes arose, at least in part, from the ability of the originator (which may be DOJ’s National Security Division, given that Mark Bradley conducted the declassification review) to determine who gets the document. As I noted, there are two bases in USAF that would permit the government to withhold information, classification and privilege. Withholding information under an ORCON claim likely stems from both (though I am checking this).

So while the government should not be able to treat the advocate the same way they treated Yahoo (which, after all, FISC treated as a Congressionally sanctioned challenger to the orders, just as it would the advocate), they seem to have the prerogative to. (Update: I should add that Walton permitted the government to do all the ex parte briefing here under FISA’s ex parte briefing language; given that USAF doesn’t change that for any of the authorities in question, we should assume this precedent will apply to the advocate.)

To be clear, the USAF advocate is not one of the things that I believe sets back a slow reform process (as, for example, I believe the “transparency” provisions and some weakened minimization procedures do). I think it most likely that the advocate will evolve the way PCLOB has, which was first authorized in 2004, thwarted by Executive obstruction (on precisely these kinds of issues), reauthorized as a more effective body in 2007, then slow-walked again — partly by President Obama, though partly by Congress — for another 6 years. That is, if the advocate is at least as self-respecting as Lanny Davis (!), she will quit if the Executive ignores the intent of Congress that she have access to the materials she needs to do her job, exposing the inefficacy of the existing system. All that, of course, assumes she will cop onto what has been withheld. Clearly, Yahoo got a sense of it during this process, though FISC and FISCR seem to have realized only some of the other stuff withheld from them.

That is, judging by the PCLOB example, if all goes well and if USAF were to pass this year, we might have a fully functional advocate by 2023!

The Yahoo materials released show that the government withheld pertinent information from Yahoo, FISC, and FISCR until forced to provide it, and they never provided any of them with all the information they should have.

That it retains the ability to do so under USAF doesn’t bode well for the advocate. But that’s really just a subset to a larger issue that, even when authorized by Congress to provide oversight of this executive spying, the government has consistently, for years, been less than fully cooperative with FISC’s authority to do so.

As I’ve said, the surest way to reform surveillance is to eliminate the FISA Court.

Continue reading

The Curious Timing of FBI’s Back Door Searches

The very first thing I remarked on when I read the Yahoo FISCR opinion when it was first released in 2009 was this passage.

The petitioner’s concern with incidental collections is overblown. It is settled beyond peradventure that incidental collections occurring as a result of constitutionally permissible acquisitions do not render those acquisitions unlawful.9 See, e.g., United States v. Kahn, 415 U.S. 143, 157-58 (1974); United States v. Schwartz, 535 F.2d 160, 164 (2d Cir. 1976). The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26 in original release; 30 in current release)

The government claimed to FISCR that it did not maintain a database of incidentally collected information from non-targeted US persons.

Barring some kind of neat parse, I didn’t buy the claim, not even in 2009.

Since then, we’ve found out that — barring some kind of neat parse — I was absolutely right. In fact, they are doing back door searches on this data, especially at FBI.

What I’m particularly intrigued by, now, is the timing.

FISCR said that in an opinion dated August 22, 2008 — over a month after the July 10, 2008 passage of the FISA Amendments Act. I have not yet found evidence of when the government said that to FISCR. It doesn’t appear in the unredacted part of their Jun 5, 2008 Merits brief (which cites Kahn but not Schwartz; see 49-50), though it might appear behind the redaction on 41. Of note, the April 25, 2008 FISC opinion doesn’t even mention the issue in its incidental collection discussion (starting at 95), though it does discuss amended certifications filed in February 2008.

So I’m guessing the government made that representation at the hearing in June, 2008.

We know, from John Bates’ rationale for authorizing NSA and CIA back door searches, such back door searches were first added to FBI minimization procedures in 2008.

When Bates approved back door searches in his October 3, 2011 opinion, he pointed to FBI’s earlier (and broader) authorities to justify approving it for NSA and CIA. While the mention of FBI is redacted here, at that point it was the only other agency whose minimization procedures had to be approved by FISC, and FBI is the agency that applies for traditional FISA warrants.

[redacted] contain an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information. See [redacted]. In granting [redacted] applications for electronic surveillance or physical search since 2008, including applications targeting United States persons and persons in the United States, the Court has found that the [redacted] meet the definitions of minimization procedures at 50 U.S.C. §§ 1801(h) and 1821(4). It follows that the substantially-similar querying provision found at Section 3(b)(5) of the amended NSA minimization procedures should not be problematic in a collection that is focused on non-United States persons located outside the United States and that, in aggregate, is less likely to result in the acquisition of nonpublic information regarding non-consenting United States persons.

So since 2008, FBI has had the ability to do back door searches on all the FISA-authorized data they get, including taps targeting US persons.

The FBI Minimization procedures submitted with the case all date to the 1990s, though a 2006 amendment changing how they logged the identities of US persons collected (note, in 2011, John Bates was bitching at FBI for having ignored an order to reissue all its minimization procedures with updates; I can see why he complained).

As described in the Government’s response of June 16, 2006, identities of U.S. persons that have not been logged are often maintained in FBI databases that contain unminimized information. The procedures now simply refer to “the identities” of U.S. persons, acknowledging that the FBI may not have previously logged such identities.

But there’s reason to believe the FBI minimization procedures — and this logging process — was changed in 2008, because a government document submitted in the Basaaly Moalin case — we know Moalin was wiretapped from December 2007 to April 2008, so during precisely the period of the Yahoo challenge, though he was not indicted until much later – referenced two sets of minimization procedures, seeming to reflect a change in minimization during the period of his surveillance (or perhaps during the period of surveillance of Aden Ayro, which is how Moalin is believed to have been identified).

That is, it all seems to have been happening in 2008.

The most charitable guess would be that explicit authorization for back door searches happened with the FAA, so before the FISCR ruling, but after the briefing.

Except in a letter to Russ Feingold during early debates  on the FAA, Mike Mukasey and Mike McConnell (the latter of whom was involved in this Yahoo fight) strongly shot down a Feingold amendment that would have required the government to segregate all communications not related to terrorism (and a few other things), and requiring a FISA warrant to access them.

The Mukasey-McConnell attack on segregation is most telling. They complain that the amendment makes a distinction between different kinds of foreign intelligence (one exception to the segregation requirement in the amendment is for “concerns international terrorist activities directed against the United States, or activities in preparation therefor”), even while they claim it would “diminish our ability swiftly to monitor a communication from a foreign terrorist overseas to a person in the United States.” In other words, the complain that one of the only exceptions is for communications relating terrorism, but then say this will prevent them from getting communications pertaining to terrorism.

Then it launches into a tirade that lacks any specifics:

It would have a devastating impact on foreign intelligence surveillance operations; it is unsound as a matter of policy; its provisions would be inordinately difficult to implement; and thus it is unacceptable.

As Feingold already pointed out, the government has segregated the information they collected under PAA–they’re already doing this. But to justify keeping US person information lumped in with foreign person information, they offer no affirmative reason to do so, but only say it’s too difficult and so they refuse to do it.

Even 5 years ago, the language about the “devastating impact” segregating non-terrorism data might have strongly suggested the entire point of this collection was to provide for back door searches.

But that letter was dated February 5, 2008, before the FISCR challenge had even begun. While not definitive, this seems to strongly suggest, at least, that the government planned — even if it hadn’t amended the FBI minimization procedures yet — to retain a database of incidentally data to search on, before the government told FISCR they did not.

Update: I forgot a very important detail. In a hearing this year, Ron Wyden revealed that NSA’s authority to do back door searches had been closed some time during the Bush Administration, before it was reopened by John “Bates stamp” Bates.

Let me start by talking about the fact that the House bill does not ban warrantless searches for Americans’ emails. And here, particularly, I want to get into this with you, Mr. Ledgett if I might. We’re talking of course about the backdoor search loophole, section 702 of the FISA statute. This allows NSA in effect to look through this giant pile of communications that are collected under 702 and deliberately conduct warrantless searches for the communications of individual Americans.  This loophole was closed during the Bush Administration, but it was reopened in 2011, and a few months ago the Director of National Intelligence acknowledged in a letter to me that the searches are ongoing today. [my emphasis]

When I noted that Wyden had said this, I guessed that the government had shut down back door searches in the transition from PAA to FAA, but that seems less likely, having begun to review these Yahoo documents, then that it got shut down in response to the hospital confrontation.

But it shows that more extensive back door searches had been in place before the government implied to the FISCR that they weren’t doing back door searches that they clearly were at least contemplating at that point. I’d really like to understand how the government believes they didn’t lie to the FISCR in that comment (though it wouldn’t be the last time they lied to courts about their databases of Americans).

How Abu Zubaydah’s Torture Put CIA and FBI in NSA’s Databases

I said yesterday that the plan, going as far back as 2002, was to let CIA and FBI tap right into NSA’s data. I base that on this explanation from Keith Alexander, which he included in his declaration accompanying the End to End Report that was submitted sometime after October 30, 2009.

By the fall of 2002, the Intelligence Community had grown increasingly concerned about the potential for further attacks on the United States. For example, during 10 to 24 September 2002, the Government raised the homeland security threat condition to “orange,” indicating a high likelihood of attack. In this context, in October 2002 the Directors of NSA, CIA, and FBI established an Inter-Agency Review Group to examine information sharing [redacted] The group’s top recommendation was that NSA create a common target knowledge database to allow joint research and information exchanges [redacted].

Of course, we now know that the threat level was high in September 2002 because the government was chasing down a bunch of false leads from Abu Zubaydah’s torture.

Abu Zubaida’s revelations triggered a series of alerts and sent hundreds of CIA and FBI investigators scurrying in pursuit of phantoms. The interrogations led directly to the arrest of Jose Padilla, the man Abu Zubaida identified as heading an effort to explode a radiological “dirty bomb” in an American city. Padilla was held in a naval brig for 3 1/2 years on the allegation but was never charged in any such plot. Every other lead ultimately dissolved into smoke and shadow, according to high-ranking former U.S. officials with access to classified reports.

“We spent millions of dollars chasing false alarms,” one former intelligence official said.

In other words, the justification for creating a database where CIA and FBI could directly access much of NSA’s data was a mirage, one created by CIA’s own torture.

All that’s separate from the question of whether CIA and FBI should have access directly to NSA’s data. Perhaps it makes us more responsive. Perhaps it perpetuates this process of chasing ghosts. That’s a debate we should have based on actual results, not the tortured false confessions of a decade past.

But it’s a testament to two things: the way in which torture created the illusion of danger, and the degree to which torture — and threat claims based on it — have secretly served as the basis the Executive uses to demand the FISA Court permit it to extend the dragnet.

Even the current CIA Director has admitted this to be true — though without explicitly laying out the import of it. Isn’t it time we start acknowledging this — and reassessing the civil liberties damage done because of it — rather than keeping it hidden under redactions?

USA Freedom Must Explicitly Require NSA and CIA to Comply with Law’s Minimization Procedures

I know I’ve had a lot of mostly unenthusiastic things to say about even Pat Leahy’s version of the USA Freedom Act.

  • It explicitly exempts FBI from counting back door searches
  • It may not do anything to existing non-electronic communication bulk programs, because it probably permits the use of corporate persons as Specific Selection Terms
  • The “connection chaining” may permit expanded access to smart phone data
  • It retains USA Freedumber’s “foreign intelligence” retention language

Having read about half of last week’s Internet Dragnet document dump so far, I’m increasingly worried about two details I’ve already raised.

I suspect, unless the law explicitly imposes minimization procedures on NSA (and CIA, which reportedly operates the bulky Western Union dragnet), they will evade the bill’s most stringent minimization procedures.

As I noted in November and PCLOB noted in January, the business records provision was explicitly written for FBI, not other intelligence agencies. As a result, the language in it requiring minimization procedures did not — and still would not under Leahy Freedom (to say nothing of USA Freedumber) — require minimization procedures from Agencies beyond FBI. For example, unless I’m misreading how the law would be implemented, this is what would still be in place with regards to minimization procedures.

Applications have to lay out minimization procedures. But the law only requires they apply to FBI.

(D) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.

The judge reviews the minimization procedures in the application to make sure they comply with (g), and then includes an order they be followed in his order approving the application.

(1) Upon an application made pursuant to this section, if the judge finds that the application meets the requirements of subsections (a) and (b) and that the minimization procedures submitted in accordance with subsection (b)(2)(D) meet the definition of minimization procedures under subsection (g), the judge shall enter an ex parte order as requested, or as modified, approving the release of tangible things. Such order shall direct that minimization procedures adopted pursuant to subsection (g) be followed.

And as I’ve already noted, the entire section (g) devoted to minimization explicitly applies to just FBI.

The Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this subchapter.

What’s particularly crazy about this is that the clause was changed to take out deadlines imposed in the 2006 renewal. In other words, they changed this clause, but left in the limits for most minimization procedures to just FBI.

Continue reading

Working Thread, Internet Dragnet 4: Later 2009 Documents

The early focus on the dragnet violations was on the phone dragnet. At the end of March, however, DOJ started preparing to look more closely at the PRTT program in late April 2009, which may be why some of the following violations got disclosed to Reggie Walton in conjunction with a May reauthorization application. The CIA, FBI, and NCTC access to the PRTT seems to have been a bigger issue than the BR  FISA data.

All that said, when the NSA completed its End-to-End report sometime in fall 2009, they didn’t report all that much beyond the violations noted in May (though they did note the NSA did not shut down some automatic process when it said it did), mostly by claiming they didn’t realize the original dragnet order meant what it said (in spite of the violation in the first dragnet order).

It was only after that that they noticed FISC NSA had been collecting content from the start of the program (see document O). Once they admitted that, NSA decided not to reapply for a Primary Order, and Reggie Walton issued a supplemental order (document E) ordering them not to collect any more, but also not to access the data they did have. Only after that did DOJ submit the End-to-End report, accompanied by DOJ and Keith Alexander reports that admitted the content violation.

See also Working Thread 1, Working Thread 2, Working Thread 3, and Internet Dragnet Timeline. No one else is doing this tedious work; if you find it useful, please support it.

Continue reading

WSJ Falsely Paints John “Bates Stamp” as Aggressive

WSJ wrote a badly flawed article yesterday describing John Bates’ 2010 opinion reauthorizing the Internet dragnet, claiming the memo — which was released last November — was just declassified.

Newly declassified court documents show one of the National Security Agency’s key surveillance programs was plagued by years of “systemic overcollection” of private Internet communications.

[snip]

Some of the problems with Internet metadata previously were reported and have been part of a broad critique of the NSA’s surveillance activities since the Sept. 11, 2001, terror attacks. The new document from Judge Bates offers the most detailed accounting—even with more than a dozen pages blacked out—of what those problems were.

Sure, ODNI didn’t explain that the opinion – and three other documents released — had been released before, one on multiple occasions. But those of us who read the opinion with the first release, rather than offering up unrepresentative quotes, recognized Bates’ memo as one of the seminal releases from last year. And contrary to WSJ’s claim, the public record (including Claire Eagan’s opinion, which cites from it) shows the opinion to date to 2010.

Even in this supposed actual reading of the document, however, WSJ gets it wrong.

The judge’s order ultimately reauthorized the program, with more stringent conditions than the government had sought.

Sure, Bates didn’t permit NSA unrestricted access to illegally collected records. But Bates also approved what was described as an 11- to 24-fold increase in collection.

The current application, in comparison with prior dockets, seeks authority to acquire a much larger volume of metadata at a greatly expanded range of facilities, while also modifying — and in some ways relaxing — the rules governing the handling of metadata.

Best as we can tell given the redactions, Bates approved that part of the request. Aside from imposing a few more training requirements, his biggest denial pertained to some — but not all — of the Internet dragnet data the government collected since the beginning of the program.

So while it is true that Bates wrote a lot of scathing things about the conduct of the program, he also turned around and vastly expanded it.

I raise all this not to be an asshole (though it would be nice if the WSJ had issued a correction, as its author retweeted my tweeted correction). I raise it for two reasons.

First, the WSJ pitches this as “the Judge who doesn’t like FISA reform was very critical of the Administration’s performance.”

Judge Bates has been the designated spokesman for the judiciary opposing several proposed changes to the structure of the Foreign Intelligence Surveillance Court, particularly the addition of a special advocate to represent privacy interests.

By not reporting that Bates vastly expanded this program in spite of its persistent violations, WSJ wrongly pitches him as a credible judge of what makes the FISC effective, rather than as Exhibit One for why it should be abolished.

Moreover, the documents that actually were newly released the other day suggest a very different narrative for what happened between 2009 and 2010, for how Bates came to summarize the many failings of the program but expand the program.

They show, first of all, that Reggie Walton was dealing with the phone and Internet dragnets in tandem throughout; Bates had no discernible role — aside from his intervention on August 4, 2009, after Reggie Walton had already shut down part of the phone dragnet program. The documents released this week make it clear Walton, not Bates, was the fact-finder who discovered the Internet dragnet had never complied with FISC guidelines. Bates had to repeat that scathing language in his opinion, because Walton had already laid it out.

And then, after Walton shut down the Internet dragnet, at a time when NSA continued to ignore his orders, when orders were terse, things began to change.

That’s when we begin to see solicitous letters — “Let me once again thank both you and your staff for  your consideration” —  to Bates, now the decision-maker on whether or not the government could resume a program that had illegally wiretapped Americans for 5 years.

It’s that guy who capitulated to pretty talk, expanding both the Internet dragnet and the upstream 702 collection, even as he laid out how both had been illegally wiretapping Americans, who says an advocate actually speaking for privacy would ruin the FISC. That’s the narrative we should get from this recent document dump, not that Bates was in any way anything but a Bates stamp.

Walton was by no means a perfect steward of the secret court. But Bates demonstrates why it cannot and does not fulfill its function.

Working Thread, Internet Dragnet Dump 2: 2004 Documents

This will be a closer working thread on documents released yesterday.

X: Initial Dragnet Application (prior to July 14, 2004)

(2) From the start, the government said they wanted to disseminate the dragnet info, perhaps to tag into FBI’s investigative authorities.

(2) The footnote defining metadata hides all the stuff not associated with “standard e-mails.”

(4) The application discusses the briefing I discussed here, attended by (among others) John Brennan.

(5) The application is not submitted by a lawyer, but by Michael Hayden.

(6) The government hasn’t released a Tenet submission; back in November it hid that this submission was from him.

(16) ODNI maintains that the fictional example of metadata is classified.

(18) Originally access was restricted by making the metadata accessible only by 2 admin login accounts. That’s probably a carry-over from the compartments of the illegal program.

(20) RAS approval assigned to the same 7 authorizers that were in place for the beginning of the phone dragnet in 2006.

(21) They’re hiding at least one kind of Internet metadata.

(23) Metadata originally accessible for only 18 months. Is that what they used for the illegal dragnet?

Y. Memo of Law in Support of Original Dragnet Application, before July 14, 2004

(4) The government claims that only email metadata related to terrorism will be seen. By definition, that means anything returned in a query would be related to counterterrorism and therefore game for dissemination.

(4) This is the jist of the illegal use of PRTT for the dragnet:

Nevertheless, it involves nothing more than adapting the traditional tools of FISA to meet an unprecedented challenge and does so in a way that promotes both of the twin goals of FISA: facilitating the foreign-intelligence collection needed to protect American lives while at the same time providing judicial oversight to safeguard American freedoms.

This claim is followed by a 5-page redaction, which is mighty interesting as it would have to explain why this judicial review was so useful.

(9) Footnote 5 again makes it clear that this involves email and other online communications.

(12) This language is remarkable for a secret court document.

Collecting and archiving meta data is thus the best avenue for solving this fundamental problem: although investigators do know know exactly where the terrorists’ communications are hiding in the billions of bits of data flowing through the United States today, we do know that they are there, and if we archive the data now, we will be able to use it in a targeted way to find the terrorists tomorrow.

(20) This language is particularly important given debates about USA Freedom.

Nothing in the definitions of pen registers or trap and trace devices requires that the “instrument” or “facility” on which the device is placed carry the communications solely of a single user.

(20) This section really tries to constrain the Court.

Unlike certain other certifications made in other contexts under the statute, see, e.g., U.S.C. § 1805(a)(5), FISA does not subject the certification of relevance to any review by the Court.

Continue reading

1 2 3 9
Emptywheel Twitterverse
emptywheel @HearingTrees Halloween costume. Ends on Saturday.
13mreplyretweetfavorite
emptywheel @pwnallthethings My privacy rights arise from the bureaucratic insurance they will be protected. Laws do that. @PatrickCToomey
16mreplyretweetfavorite
bmaz @PhilPerspective @walterwkatz Also, I was disappointed @NBCSN did not have any programming from #COTA in Austin today.
16mreplyretweetfavorite
bmaz @PhilPerspective @walterwkatz @NBCSN Nope, but if it is Road to Ferrari, I have seen it.
17mreplyretweetfavorite
bmaz In private papers a more candid Tim Geithner speaks out http://t.co/nNn7RjDkGK Tim Geithner is a liar+fundamentally dishonest public servant
18mreplyretweetfavorite
emptywheel RT @rahulsagar: NYTimes: Former Navy SEAL Team Member Investigated for Bin Laden Disclosures http://t.co/3JABCASiBu
59mreplyretweetfavorite
emptywheel RT @ppppolls: We'll have a new #VAsen poll out tomorrow showing Mark Warner with a 9 point lead heading into the final weekend
1hreplyretweetfavorite
emptywheel @PatrickCToomey If you're a Yemeni-American extremist cleric, you may enjoy your own life at his grace. @pwnallthethings
1hreplyretweetfavorite
emptywheel I want to be a professional onside kicker. Where do I apply?
1hreplyretweetfavorite
JimWhiteGNV Did Louisville do a Gator flop to get the ball back quickly?
1hreplyretweetfavorite
emptywheel @pwnallthethings Hmmm. [Looks left, looks right, looks under arm pit behind me.] I don't have one handy, do you? @PatrickCToomey
1hreplyretweetfavorite
October 2014
S M T W T F S
« Sep    
 1234
567891011
12131415161718
19202122232425
262728293031