Posts

The “Foreign Intelligence” Dragnet May Not Be about “Foreign Intelligence”

There’s one more totally weedy change in the phone dragnet orders I wanted to point out: the flimsy way the program has, over time, tied into “foreign intelligence.”

To follow along, it’s helpful to use the searchable versions of the phone dragnet orders ACLU has posted.

Start by searching on this order — from December 11, 2008, just before FISC started cleaning up the dragnet problems — for “foreign intelligence” (all the earlier orders are, I believe, identical in this respect). You should find 5 instances: 3 references to the FISC, a reference to the language from the Section 215 statute requiring the tangible things be either for foreign intelligence or to protect against international terrorism (¶1 on page 2), and a discussion tying dissemination of US person data to understanding foreign intelligence (¶(3)D on page 9).

In the last instance, the order introduces foreign intelligence, but then drops it. The very next sentence shifts the measure of whether the US person information can be disseminated from “foreign intelligence” to “counterterrorism” — and counterterrorism here is not explicitly tied to international terrorism, although the statute requires it to be.

Before information identifying a U.S. person may be disseminated outside of NSA, a judgment must be made that the identity of the U.S. person is necessary to understand the foreign intelligence information or to assess its importance. Prior to the dissemination of any U.S. person identifying information, the Chief of Information Sharing Services in the Signals Intelligence Directorate must determine that the information identifying the U.S. person is in fact related to counterterrorism information and that it is necessary to understand the counterterrorism information or assess its importance.

Significantly, ¶(3)C on page 8 — the main paragraph restricting NSA’s access to the dragnet data — says nothing about foreign intelligence.

This language would, I believe, have permitted the government to search on and disseminate US person information for reasons without a foreign nexus (and they played word games with other language in the original orders, notably with the word “archives”).

Now check out the next order, dated March 5, 2009. In this — the first of the primary orders dealing with the dragnet problems — the language potentially tying the FBI investigation to foreign intelligence is eliminated (I talked about that change here).The language on dissemination remains the same — that is, the paragraph does not tie dissemination of US person information to terrorism with an international nexus.  But ¶(3)C — the key paragraph regulating access — now specifies that NSA can only “query the BR metadata for purposes of obtaining foreign intelligence.”

In the process of very narrowly limiting what NSA could do with the phone dragnet, Judge Reggie Walton added language limiting queries to foreign intelligence purposes, not just terrorism purposes (though I believe it still could be read as permitting dissemination of information without a foreign nexus).

As a reminder, during the interim period, the government had admitted to tracking 3,000 US persons without submitting them to a First Amendment review.

The orders for the following year changed regularly (and the Administration has withheld what are surely the most interesting orders from that year), but they retained that restriction on queries to foreign intelligence purposes.

But now look what that language in ¶(3)C has since evolved into, starting with the order dated October 29, 2010, though the language below comes from the April 25, 2013 order (the October 29 one has “raw data” hand-written into it, making it clear these requirements, including auditability, only applies to the collection store, not the corporate store).

NSA shall access the BR metadata for purposes of obtaining foreign intelligence information only through contact chaining queries of the BR metadata as described in paragraph 17 of the [redacted] Declaration attached to the application as Exhibit A, using selection terms approved as “seeds” pursuant to the RAS approval process described below.5 NSA shall ensure, through adequate and appropriate technical and management controls, that queries of the BR metadata for intelligence analysis purposes will be initiated using only a selection term that has been RAS-approved. Whenever the BR metadata is accessed for foreign intelligence analysis purposes or using foreign intelligence analysis query tools, an auditable record of the activity shall be generated.

At first glance, this paragraph would seem to add protections that weren’t in the orders previously, ensuring that the phone dragnet only be accessed for foreign, not domestic, intelligence.

But it’s actually only partly a protection.

In fact, the “foreign intelligence” language here serves to distinguish this controlled access from the “data integrity” access (though they no longer call it that), which is described in the previous paragraph.

Appropriately trained and authorized tedmical personnel may access the BR metadata to perform those processes needed to make it usable for intelligence analysis. Technical personnel may query the BR metadata using selection terms4 that have not been RAS-approved (described below) for those purposes described above, and may share the results of those queries with other authorized personnel responsible for these purposes, but the results of any such queries will not be used for intelligence analysis purposes. An authorized technician may access the BR metadata to ascertain those identifiers that may be high volume identifiers. The technician may share the results of any such access, i.e., the identifiers and the fact that they are high volume identifiers, with authorized personnel (including those responsible for the identification and defeat of high volume and other unwanted BR metadata from any 9f NSA’ s various metadata repositories), but may not share any other information from the results of that access for intelligence analysis purposes. In addition, authorized technical personnel may access the BR metadata for purposes of obtaining foreign intelligence information pursuant to the requirements of subparagraph (3)C below.

Footnote 4, discussing “selection terms” is a fairly long, entirely redacted paragraph. And the last sentence, allowing these technical personnel to also conduct foreign intelligence information queries, is fairly recent.

This language would seem to describe the data integrity role more than it had previously been, specifying the search for high volume numbers, plus whatever appears in footnote 4. And it would seem to limit the use of such information, since it doesn’t permit “intelligence analysis” (notwithstanding the fact that figuring out which selectors are high volume is intelligence analysis, to say nothing about the underlying technical decisions that shape automated search functions). But the first use of the dragnet in current descriptions pertains not to contact chaining at all, but as a resource for tech personnel to identify certain characteristics of call patterns using raw data.

Further, these tech personnel now get to double dip: access raw data in intelligible form to get it ready for querying and something else, and access it to conduct queries. That they even have that authority — explicitly — ought to raise alarm bells. Anything data integrity analysts see while doing data integrity, they can run as a query to access in a form that can be disseminated.

Now, perhaps this alarming structural issue is not being abused or exploited. Perhaps it shouldn’t concern us that a dragnet purportedly serving “foreign intelligence” purposes seems to serve, even before that, a different role entirely, not only tied to any foreign purpose.

But we have had assurances over and over in the last 8 months that the NSA can only access this database for certain narrowly defined foreign intelligence purposes. That wasn’t, by letter of the order, at least, true for the first three years. And by the letter of the order, it’s not true now.

For the Purposes of Analytical Efficiency, Making Copies of the Dragnet

In 2008, NSA started (or started telling the FISA Court) it was copying the dragnet.

Starting with the January docket BR 08-01 (the date is illegible but it should be around January 4, 2008), the orders added a footnote saying,

5 The Court understands that for the purposes of analytical efficiency a copy of meta data obtained pursuant to the Court’s Orders in this matter will be stored in the same database with data obtained pursuant to other NSA authorities and data provided to NSA from other sources. Access to such records shall be strictly limited in accordance with the procedures set forth in paragraphs A – G.

The footnote would appear in four more orders that year:  BR 08-04 4/3/08; BR 08-07 6/26/08; BR 08-08 9/19/08?. Then it disappeared in the December 11,  2008 docket, BR 08-13 12/11/08. It did not appear in any other orders, though starting with the October 29, 2010 docket BR 10-70, a different footnote noted that “NSA will maintain the BR metadata in recovery back-up systems.”

The change almost certainly relates to the federated query system, in which all the data from EO 12333 collection (and, given the reference to “data provided to NSA from other sources,” probably GCHQ collection) was and, at least until 2011, remained accessible from one interface.

The footnote almost certainly does reflect a change in the way NSA handled the data (that is, in this case NSA informed FISC in timely fashion), because by April of that year, 31 “newly trained” NSA analysts were caught querying domestic phone data using 2,373 identifiers without knowing they were doing so, which seems to indicate the “newly trained” analysts just kept querying metadata as they would have using EO 12333 collected data. Though NSA didn’t tell FISC about that until 6 months later. In the interim (in August 2008), NSA also told FISC about how it correlated numbers — which we know works across data sources, not exclusively within the domestic data collection.

In other words, NSA was slowly integrating the phone dragnet in with its larger metadata collection, and informing — perhaps even more slowly — FISC what that meant.

In spite of the disappearance of the footnote in the first orders dealing with the dragnet problems in 2009, the NSA did not segregate the data from the federated interface. That’s clear from a memorandum of understanding NSA issued sometime after March 18, 2009 indicating that access to one metadata repository had been shut down, but four were still accessible:

  • SIGINT dating back to 1998
  • [redacted — which could be STELLAR WIND data or could be foreign-supplied data]
  • BRFISA dating back to May 2006
  • PR/TT dating back to a redacted date that public records show to be July 2004

Given the previous inclusion of 3,000 US persons in with other queries, it’s possible the newly excluded collection consisted of GCHQ collected data that included significant US person data.

I raise all this to point out one of the inherent dangers with the dragnet. A program that was billed as a simple collection designed to serve FBI needs got integrated within 2 years of inception, creating a great deal of problems, without reconsideration of whether the stated purpose of the dragnet still matched what the by-then clearly different intent was. And this from a program that was supposed to be closely minimized.

Oh by the way, NSA told the FISC, we made an extra copy of the database of all phone-based relationships in the United States. Because it’s more efficient to have two databases.

When Judge Reggie Walton Disappeared the FBI Director: The Tell that FISC Wasn’t Following the Law

SEN. MIKULSKI: General Clapper, there are 36 different legal opinions.

DIR. CLAPPER: I realize that.

SEN. MIKULSKI: Thirty-six say the program’s constitutional. Judge Leon said it’s not.

Thirty-six “legal opinions” have deemed the dragnet legal and constitutional, its defenders say defensively, over and over again.

But that’s not right — not by a long shot, as ACLU’s Brett Max Kaufman pointed out in a post yesterday. In its report, PCLOB confirmed what I first guessed 4 months ago: the FISA Court never got around to writing an opinion considering the legality or constitutionality of the dragnet until August 29, 2013.

FISC judges, on 33 occasions before then, signed off on the dragnet without bothering to give it comprehensive legal review.

Sure, after the program had been reauthorized 11 times, Reggie Walton considered the more narrow question of whether the program violates the Stored Communications Act (I suspect, but cannot yet prove, that the government presented that question because of concerns raised by DOJ IG Glenn Fine). But until Claire Eagan’s “strange” opinion in August, no judge considered in systematic fashion whether the dragnet was legal or constitutional.

And the thing is, I think FISC judge — now Presiding Judge — Reggie Walton realized around about 2009 what they had done. I think he realized the program didn’t fit the statute.

Consider a key problem with the dragnet — another one I discussed before PCLOB (though I was not the first or only one to do so). The wrong agency is using it.

Section 215 does not authorize the NSA to acquire anything at all. Instead, it permits the FBI to obtain records for use in its own investigations. If our surveillance programs are to be governed by law, this clear congressional determination about which federal agency should obtain these records must be followed.

Section 215 expressly allows only the FBI to acquire records and other tangible things that are relevant to its foreign intelligence and counterterrorism investigations. Its text makes unmistakably clear the connection between this limitation and the overall design of the statute. Applications to the FISA court must be made by the director of the FBI or a subordinate. The records sought must be relevant to an authorized FBI investigation. Records produced in response to an order are to be “made available to,” “obtained” by, and “received by” the FBI. The Attorney General is directed to adopt minimization procedures governing the FBI’s retention and dissemination of the records it obtains pursuant to an order. Before granting a Section 215 application, the FISA court must find that the application enumerates the minimization procedures that the FBI will follow in handling the records it obtains. [my emphasis, footnotes removed]

The Executive convinced the FISA Court, over and over and over, to approve collection for NSA’s use using a law authorizing collection only by FBI.

Which is why I wanted to point out something else Walton cleaned up in 2009, along with watchlists of 3,000 Americans who had not received First Amendment Review. Judge Reggie Walton disappeared the FBI Director.

>>>Poof!<<<

Gone.

The structure of all the dragnet orders released so far (save Eagan’s opinion) follow a similar general structure:

  • An (unnumbered, unlettered) preamble paragraph describing that the FBI Director made a request
  • 3-4 paragraphs measuring the request against the statute, followed by some “wherefore” language
  • A number of paragraphs describing the order, consisting of the description of the phone records required, followed by 2 minimization paragraphs, the first pertaining to FBI and,
  • The second paragraph introducing minimization procedures for NSA, followed by a larger number of lettered paragraphs describing the treatment of the records and queries (this section got quite long during the 2009 period when Walton was trying to clean up the dragnet and remains longer to this day because of the DOJ oversight Walton required)

Here’s how the first three paragraphs looked in the first order and (best as I can tell) the next 11 orders, including Walton’s first order in December 2008:

An application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (the Act), Title 50, United States Code (U.S.C.), § 1861, as amended, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, the Court finds that:

1. The Director of the FBI is authorized to make an application for an order requiring the production of any tangible thing for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the First Amendment to the Constitution of the United States. [50 U.S.C. § 1861 (c)(1)]

2. The tangible things to be produced are all call-detail records or “telephone metadata” created by [the telecoms]. Telephone metadata includes …

[snip]

3. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12,333 to protect against international terrorism, … [my emphasis]

Here’s how the next order and all (released) following orders start [save the bracketed language, which is unique to this order]:

An verified application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (FISA), as amended, 50 U.S.C. § 1861, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, [as well as the government’s filings in Docket Number BR 08-13 (the prior renewal of the above-captioned matter),] the Court finds that:

1. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12333 to protect against international terrorism, …

That is, Walton took out the paragraph — which he indicated in his opinion 3 months earlier derived from the statutory language at 50 U.S.C. § 1861 (c)(1) — pertaining to the FBI Director. The paragraph always fudged the issue anyway, as it doesn’t discuss the FBI Director’s authority to obtain this for the NSA. Nevertheless, Walton seems to have found that discussion unnecessary or unhelpful.

Walton’s March 5, 2009 order and all others since have just 3 statutory paragraphs, which basically say:

  1. The tangible things are relevant to authorized FBI investigations conducted under EO 12333 — Walton cites 50 USC 1861 (c)(1) here
  2. The tangible things could be obtained by a subpoena duces tecum (50 USC 1861 (c)(2)(D)
  3. The application includes an enumeration of minimization procedures — Walton doesn’t cite statute in this May 5, 2009 order, but later orders would cite 50 USC 1861 (c)(1) again

Here’s what 50 USC 1861 (c)(1), in its entirety, says:

(1) Upon an application made pursuant to this section, if the judge finds that the application meets the requirements of subsections (a) and (b), the judge shall enter an ex parte order as requested, or as modified, approving the release of tangible things. Such order shall direct that minimization procedures adopted pursuant to subsection (g) be followed.

And here are two key parts of subsections (a) and (b) — in addition to “relevant” language that has always been included in the dragnet orders.

(a) Application for order; conduct of investigation generally

(1) Subject to paragraph (3), the Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things

[snip]

(2) shall include—

[snip]

(B) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.

FBI … FBI … FBI.

The language incorporated in 50 USC 1861 (c)(1) that has always been cited as the standard judges must follow emphasizes the FBI repeatedly (PCLOB laid out that fact at length in their analysis of the program). And even Reggie Walton once admitted that fact.

And then, following his lead, FISC stopped mentioning that in its statutory analysis altogether.

Eagan didn’t even consider that language in her “strange” opinion, not even when citing the passages (here, pertaining to minimization) of Section 215 that directly mention the FBI.

Section 215 of the USA PATRIOT Act created a statutory framework, the various parts of which are designed to ensure not only that the government has access to the information it needs for authorized investigations, but also that there are protections and prohibitions in place to safeguard U.S. person information. It requires the government to demonstrate, among other things, that there is “an investigation to obtain foreign intelligence information … to [in this case] protect against international terrorism,” 50 U.S.C. § 1861(a)(1); that investigations of U.S. persons are “not conducted solely upon the basis of activities protected by the first amendment to the Constitution,” id.; that the investigation is “conducted under guidelines approved by the Attorney General under Executive Order 12333,” id. § 1861(a)(2); that there is “a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant” to the investigation, id. § 1861(b)(2)(A);14 that there are adequate minimization procedures “applicable to the retention and dissemination” of the information requested, id. § 1861(b)(2)(B); and, that only the production of such things that could be “obtained with a subpoena duces tecum” or “any other order issued by a court of the United States directing the production of records” may be ordered, id. § 1861(c)(2)(D), see infra Part III.a. (discussing Section 2703(d) of the Stored Communications Act). If the Court determines that the government has met the requirements of Section 215, it shall enter an ex parte order compelling production.

This Court must verify that each statutory provision is satisfied before issuing the requested Orders. For example, even if the Court finds that the records requested are relevant to an investigation, it may not authorize the production if the minimization procedures are insufficient. Under Section 215, minimization procedures are “specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” Id. § 1861(g)(2)(A)

Reggie Walton disappeared the FBI Director as a statutory requirement (he retained that preamble paragraph, the nod to authorized FBI investigations, and the perfunctory paragraph on minimization of data provided from NSA to FBI) on March 5, 2009, and he has never been heard from in discussions of the FISC again.

Now I can imagine someone like Steven Bradbury making an argument that so long as the FBI Director actually signed the application, and so long as the FBI had minimization procedures for the as few as 16 tips they receive from the program in a given year, it was all good to use an FBI statute to let the NSA collect a dragnet potentially incorporating all the phone records of all Americans. I can imagine Bradbury pointing to the passive construction of that “things to be made available” language and suggest so long as there were minimization procedures about FBI receipt somewhere, the fact that the order underlying that passive voice was directed at the telecoms didn’t matter. That would be a patently dishonest argument, but not one I’d put beyond a hack like Bradbury.

The thing is, no one has made it. Not Malcolm Howard in the first order authorizing the dragnet, not DOJ in its request for that order (indeed, as PCLOB pointed out, the application relied heavily on Keith Alexander’s declaration about how the data would be used). The closest anyone has come is the white paper written last year that emphasizes the relevance to FBI investigations.

But no one I know of has affirmatively argued that it’s cool to use an FBI statute for the NSA. In the face of all the evidence that the dragnet has not helped the FBI thwart a single plot — maybe hasn’t even helped the FBI catch one Somali-American donating less than $10,000 to al-Shabaab, as they’ve been crowing for months — FBI Director Jim Comey has stated to Congress that the dragnet is useful to the FBI primarily for agility (though the record doesn’t back Comey’s claim).

Which leaves us with the only conclusion that makes sense given the Executive’s failure to prove it is useful at all: it’s not the FBI that uses it, it’s NSA. They don’t want to tell us how the NSA uses it, in part, because we’ll realize all their reassurances about protections for Americans fall flat for the millions of Americans who are 3 degrees away from a potential suspect.

But they also don’t want to admit that it’s the NSA that uses it, because then it’ll become far more clear how patently illegal this program has been from the start.

Better to just disappear the FBI Director and hope no one starts investigating the disappearance.

Is NSA Wiretapping Now Rather than Tipping?

One of the news bits a number of outlets took away from the phone dragnet order document dump 10 days ago is that the NSA averages(d) about 3 tips a day to the FBI.

That’s actually not news. It’s consistent with a series of accountings NSA gave to Reggie Walton in 2009, as when, in February 2009, they provided more exact numbers (though they’d get tweaked a bit during that summer) that were smaller, but still in the range of 2-3 tips a day.

Demonstrating the value of the BR metadata to the U.S. Intelligence Community, the NSA has disseminated 275 reports and tipped over 2,500 telephone identifiers to the FBI and CIA for further investigative action since the inception of this collection in docket number BR 06-05.

That said, at least according to Geoffrey Stone, the scale of the referrals may have gone down dramatically.

Under the FISA statute, the NSA queried 288 numbers in 2012 and had only 16 instances where matches were analyzed, confirmed, and then forwarded to the FBI. According to Stone, these queries only produced about 6,000 numbers that were “touched” by the analysis, of the millions of numbers whose meta-data the NSA stores for up to five years.

In general and specifically here, there are reasons I don’t entirely trust Stone’s comments on the dragnet. He has said a lot that is inconsistent with other public (and legally sworn) claims, notably on the volume of phone records collected. And his silences about certain aspects of the dragnet make me wonder how complete an understanding he has.

Plus, the “16 instances” may — as was true in the earlier period — represent reports that include more than one number. If, as occurred until 2009, each report had roughly 10 numbers, then this might amount to 160 identifiers (which is still far below the pace of the 2006-2009 period, but then during that period they weren’t enforcing RAS).

Then there’s the complete lack of definition for “touch” with regards to his 6,000 number.

In addition, 2012 might be a new baseline (or perhaps outlier) year, as the rollout of the new automated system at the end of 2011 would likely have changed the treatment of phone identifiers entirely.

And as I’ve said, I expect the use of the phone dragnet for a “peace of mind” query after the Boston Marathon attack to result in a huge number of tips (though perhaps in just one or several reports), given how wired the Tsarnaevs were and had been for the five years leading up to the attack.

Moreover, in a development that may or may not be entirely unrelated, the number of telephone taskings under Section 702 have started to go up again starting in 2012, after having been down since 2009.

As the chart demonstrates, the number of newly tasked telephone numbers decreased after 2009, but began to increase again in 2012. The average number of telephone numbers tasked each month for the first 11 months of 2012 [redacted].

There are admittedly a number of possible explanations (increasing collection of text messages, different kind of upstream collection, potentially even a fourth certificate in addition to the terror, proliferation, and cyber ones we know about). But one possibility is that the new alert system has led NSA to move toward wiretapping interesting numbers, rather than sending them to FBI for investigation. Moreover, by wiretapping someone, NSA could share data with FBI and CIA in relatively unfettered fashion, as both are permitted to receive unminimized content under 702 in certain circumstances, and both have the authority to do backdoor searches on US person content on all but upstream collected 702 data.

The NSA can’t give phone numbers to FBI without review, but according to section 702 minimization procedures, in some cases they can let CIA and FBI read wiretap content without such review.

That is, wiretapping someone could be a way to evade data dissemination restrictions in place on actual phone dragnet queries.

The Impasse on Executive Spying

In an important post the other day, Steve Vladeck described what he believed to be the most important lesson Edward Snowden has taught us.

They miss the single most important lesson we’ve learned — or should have learned — from Snowden, i.e., that the grand bargain has broken down. Intelligence oversight just ain’t what it used to be, and the FISA Court, as an institution, seemed to have been far better suited to handle individualized warrant applications under the pre-2001 FISA regime than it has been to reviewing mass and programmatic surveillance under section 215 of the USA PATRIOT Act and section 702, as added by the FISA Amendments Act of 2008.

Thus, even if one can point to specific individual programs the disclosure of which probably has not advanced the ongoing public policy conversation, all of the disclosures therefore illuminate a more fundamental issue of public concern — and one that should be (and, arguably, has been) driving the reform agenda: Whatever surveillance authorities the government is going to have going forward, we need to rethink the structure of oversight, both internally within the Executive Branch, and externally via Congress and the courts. That’s not because the existing oversight and accountability mechanisms have been unlawful; it’s because so many of these disclosures have revealed them to be inadequate and/or ineffective. And inasmuch as such reforms may strengthen not just mechanisms of democratic accountability for our intelligence community, but also their own confidence in the propriety and forward-looking validity of their authorities, they will make all of us — including the NSA — stronger in the long term.

While I agree with Vladeck that’s an important lesson from Snowden, I don’t think it has been admitted by those who most need the lesson: most members of Congress (most of all, the Intelligence Committees) and the FISA Court, as well as the other Article III judges who are quickly becoming dragnet experts.

But I’m hopeful PCLOB — which is already under attack even from Susan Collins for having the audacity to conduct independent oversight — will press the issue.

As I have noted in the past, PCLOB has a better understanding of how the Executive uses EO 12333 than any other entity I’ve seen (I think the Review Group may have a similar understanding, but they won’t verbalize it).

That’s why I find their treatment of FISA as a compromise to put questions about separation of powers on hold so interesting.

In essence, FISA represented an agreement between the executive and legislative branches to leave that debate aside 600 and establish a special court to oversee foreign intelligence collection . While the statute has required periodic updates, national security officials have agreed that it created an appropriate balance among the interests at stake, and that judicial review provides an important mechanism regulating the use of very powerful and effective techniques vital to the protection of the country. 601

600 “[T]he bill does not recognize, ratify, or deny the existence of any Presidential power to authorize warrantless surveillance in the United States n the absence of the legislation. It would, rather, moot the debate over the existence or non – existence of this power[.]” HPSCI Report at 24. This agreement between Congress and the executive branch to involve the judiciary in the regulation of intelligence collection activities did not and could not resolve constitutional questions regarding the relationship between legislative and presidential powers in the area of national security . See In re: Sealed Case , 310 F.3d 717, 742 (FISA Ct. Rev. 2002) (“We take for granted that the President does have that authority [inherent authority to conduct warrantless searches to obtain foreign intelligence information] and, assuming that is so, FISA could not encroach on the President ’ s constitutional power.”).

When NSA chose to avoid First Amendment review on the 3,000 US persons it had been watch-listing by simply moving them onto a new list, when it refused to tell John Bates how much US person content it collects domestically off telecom switches, when it had GCHQ break into Google’s cables to get content it ought to be able to obtain through FISA 702, when it rolled out an Internet dragnet contact-chaining program overseas in part because it gave access to US person data it couldn’t legally have here, NSA made it clear it will only fulfill its side of the compromise so long as no one dares to limit what it can do.

That is, Snowden has made it clear that the “compromise” never was one. It was just a facade to make Congress and the Courts believe they had salvaged some scrap of separation of powers.

NSA has made it clear it doesn’t much care what its overseers in Congress or the Court think. It’ll do what it wants, whether it’s in the FISC  or at a telecom switch just off the US shore. And thus far, Obama seems to agree with them.

Which means we’re going to have to start talking about whether this country believes the Executive Branch should have relatively unfettered ability to spy on Americans. We’re going to have to take a step back and talk about separation of powers again.

Project Minaret 2.0: Now, with 58% More Illegal Targeting!

Screen shot 2014-01-06 at 1.03.11 PM

For weeks, I have been trying to figure out why the NSA, in a training program it created in August 2009, likened one of its “present abuses” to Project Minaret. What “unauthorized targeting of suspected terrorists in the US” had they been doing, I wondered, that was like “watch-listing U.S. people for evidence of foreign influence.”

Until, in a fit of only marginally related geekdom, I re-read the following passage in Keith Alexander’s declaration accompanying the End-to-End review submitted to the FISA Court on August 19, 2009 (that is, around the same time as the training program).

Between 24 May 2006 and 2 February 2009, NSA Homeland Mission Coordinators (HMCs) or their predecessors concluded that approximately 3,000 domestic telephone identifiers reported to Intelligence Community agencies satisfied the RAS standard and could be used as seed identifiers. However, at the time these domestic telephone identifiers were designated as RAS-approved, NSA’s OGC had not reviewed and approved their use as “seeds” as required by the Court’s Orders. NSA remedied this compliance incident by re-designating all such telephone identifiers as non RAS-approved for use as seed identifiers in early February 2009. NSA verified that although some of the 3,000 domestic identifiers generated alerts as a result of the Telephony Activity Detection Process discussed above, none of those alerts resulted in reports to Intelligence Community agencies. 7

7 The alerts generated by the Telephony Activity Detection Process did not then and does not now, feed the NSA counterterrorism target knowledge database described in Part I.A.3 below. [my emphasis]

As I’ll explain below, this passage means 3,000 US persons were watch-listed without the NSA confirming that they hadn’t been watch-listed because of their speech, religion, or political activity.

Here’s the explanation.

Read more

FISA Warranted Targets and the Phone Dragnet

The identifiers (such as phone numbers) of people or facilities for which a FISA judge has approved a warrant can be used as identifiers in the phone dragnet without further review by NSA.

From a legal standpoint, this makes a lot of sense. The standard to be a phone dragnet identifier is just Reasonable Articulable Suspicion of some tie to terrorism — basically a digital stop-and-frisk. The standard for a warrant is probable cause that the target is an agent of a foreign government — and in the terrorism context, that US persons are preparing for terrorism. So of course RAS already exists for FISC targets.

So starting with the second order and continuing since, FISC’s primary orders include language approving the use of such targets as identifiers (see ¶E starting on page 8-9).

But there are several interesting details that come out of that.

Finding the Americans talking with people tapped under traditional FISA

First, consider what it says about FISC taps. The NSA is already getting all the content from that targeted phone number (along with any metadata that comes with that collection). But NSA may, in addition, find cause to run dragnet queries on the same number.

In its End-to-End report submission to Reggie Walton to justify the phone dragnet, NSA claimed it needed to do so to identify all parties in a conversation.

Collections pursuant to Title I of FISA, for example, do not provide NSA with information sufficient to perform multi-tiered contact chaining [redacted]Id. at 8. NSA’s signals intelligence (SIGINT) collection, because it focuses strictly on the foreign end of communications, provides only limited information to identify possible terrorist connections emanating from within the United States. Id. For telephone calls, signaling information includes the number being called (which is necessary to complete the call) and often does not include the number from which the call is made. Id. at 8-9. Calls originating inside the United States and collected overseas, therefore, often do not identify the caller’s telephone number. Id. Without this information, NSA analysts cannot identify U.S. telephone numbers or, more generally, even determine that calls originated inside the United States.

This is the same historically suspect Khalid al-Midhar claim, one they repeat later in the passage.

The language at the end of that passage emphasizing the importance of determining which calls come from the US alludes to the indexing function NSA Signals Intelligence Division Director Theresa Shea discussed before — a quick way for the NSA to decide which conversations to read (and especially, if the conversations are not in English, translate).

Section 215 bulk telephony metadata complements other counterterrorist-related collection sources by serving as a significant enabler for NSA intelligence analysis. It assists the NSA in applying limited linguistic resources available to the counterterrorism mission against links that have the highest probability of connection to terrorist targets. Put another way, while Section 215 does not contain content, analysis of the Section 215 metadata can help the NSA prioritize for content analysis communications of non-U.S. persons which it acquires under other authorities. Such persons are of heightened interest if they are in a communication network with persons located in the U.S. Thus, Section 215 metadata can provide the means for steering and applying content analysis so that the U.S. Government gains the best possible understanding of terrorist target actions and intentions. [my emphasis]

Though, as I have noted before, contrary to what Shea says, this by definition serves to access content of both non-US and US persons: NSA is admitting that the selection criteria prioritizes calls from the US. And in the case of a FISC warrant it could easily be entirely US person content.

In other words, the use of the dragnet in conjunction with content warrants makes it more likely that US person content will be read.

Excluding bulk targets

Now, my analysis about the legal logic of all this starts to break down once the FISC approves bulk orders. In those programs — Protect America Act and FISA Amendments Act — analysts choose targets with no judicial oversight and the standard (because targets are assumed to be foreign) doesn’t require probable cause. But the FISC recognized this. Starting with BR 07-16, the first order approved (on October 18, 2007) after the PAA  until the extant PAA orders expired, the primary orders included language excluding PAA targets. Starting with 08-08, the first order approved (on October 18, 2007) after FAA until the present, the primary orders included language excluding FAA targets.

Of course, this raises a rather important question about what happened between the enactment of PAA on August 5, 2007 and the new order on October 18, 2007, or what happened between enactment of FAA on July 10, 2008 and the new order on August 19, 2008. Read more

The Phone Metadata Program Metadata

ODNI released a bunch of the remaining phone dragnet primary orders (and amendments) here. I will have more to say about this later. Of particular note, though, they seem to be withholding the BR 09-15 primary order, which was right in the middle of PATRIOT reauthorization, when NSA kept disseminating results in violation of Reggie Walton’s orders.

  1. Howard, Malcolm BR 06-05 (5/24/06)
  2. Howard, Malcolm BR 06-08 (8/18/06)
  3. Scullin, Frederick, BR 06-12 (11/15/06)
  4. Broomfield, Robert, BR 07-04 (2/02/07)
  5. Gorton, Nathaniel, BR 07-10 (5/03/07)
  6. Gorton, Nathaniel, BR 07-14 (7/23/07)
  7. Vinson, Roger, BR 07-16 (10/18/07)
  8. Howard, Malcolm, BR 08-01 (1/?/08)
  9. Kollar-Kotelly, Colleen, BR 08-04 (4/3/08)
  10. Zagel, James, BR 08-07 (6/26/08)
  11. Zagel, James, BR 08-08 (8/19/08) [or 9/19/08]
  12. Walton, Reggie, BR 08-13 (12/12/08)
  13. Walton, Reggie, BR 09-01 (3/5/09)
  14. Walton, Reggie, BR 09-06 (5/29/09)
  15. Walton, Reggie (?) BR 09-09 (7/8/09) [see also]
  16. Walton, Reggie, BR 09-13 (9/3/09)
  17. Walton, Reggie (?) BR 09-15 (10/30/09) [See also]
  18. Walton, Reggie (?) BR 09-19 [see also]
  19. Walton, Reggie, BR 10-10 (2/26/10)
  20. Walton, Reggie, BR 10-17 (5/14/10)
  21. Walton, Reggie, BR 10-49 (8/04/10)
  22. Walton, Reggie, BR 10-70 (10/29/10)
  23. Bates, John, BR, 11-07 (1/20/11)
  24. Feldman, Martin, BR 11-57 (4/13/11)
  25. Bates, John, BR 11-107 (6/22/11)
  26. ~9/20/11?
  27. BR-11-191 [see also]
  28. ~1/29/12?
  29. ~4/29/12?
  30. ~7/28/12?
  31. ~10/26/12?
  32. ~1/25/13?
  33. Vinson, Roger, BR 13-80, (4/25/13)
  34. Eagan, Claire, BR 13-109, (7/18/13)
  35. McLaughlin, Mary, BR 13-158 (10/11/13)
  36. 1/3/14

1/19: Updated to add the 7/9/09 order and BR 09-19.

1/20: There is one more missing primary order. In an NSA declaration dated November 12, SID Director Theresa Shea said there had been 34 approvals. As shown above, the McLaughlin order is the 33rd of identified orders.

1/26: I think I’ve corrected all the date errors I originally hate (the date stamp is not all that accurate). For the 2011-2013 dates, I’ve worked backwards of the 4/25/13 order.

Former Presiding Judge, John Bates, Makes Compelling Case to Eliminate FISA Court

As you read John Bates’ “comments” about the NSA Review Group’s recommendations, it’s worth keeping two things in mind about him:

  • He has a history of dismissing legally important cases out of caution — arguably excess caution — over getting involved in matters reserved for the political branches, a caution he did not exercise here.
  • In August 2011, after Bates asked NSA to tell him how many entirely domestic communications were being caught via upstream collection (and after Bates had told NSA domestic collection of US person data was only illegal if they acknowledged it), they did not provide the number. And he didn’t make them. He did however, in the same exchange, rubber stamp NSA’s authority to conduct back door searches into US person communications.

In other words, Bates has long been overly solicitous of Executive power, and contrary to some claims, his work on the FISC actually reinforces, rather than refutes, claims that the Court is a rubber stamp.

Perhaps it’s not surprising, then, that his comments actually make a fairly compelling — albeit unintentional — case for eliminating the FISC (at least for all its expanded uses since 2001) altogether.

Don’t get me wrong. I’m sympathetic to some of Bates’ stated concerns. The concerns about workload (which Bates raises in his first and second bullets, but relegates to his last paragraphs) are real, and have been recognized by a number of people in the FISC debate. Bates points to some real constitutional issues in constructing an advocate for the court (which, again, have been pointed out, with potential solutions, by others).

But ultimately Bates’ comments (which may also reflect the concerns of Chief Justice John Roberts, whose authority he invokes in commenting on FISC matters) object to anything that might make FISC more of a … court.

Consider his argument against a Special Advocate. He worries a special advocate would harm what he (the same guy who couldn’t get the government to divulge how many Americans are getting swept up in domestic upstream collection) claims is candor.

Perhaps most troubling, however, is our concern that providing an institutional opponent to FISA applications would alter the process in other ways that would be detrimnetal to the FISC’s timely receipt of full and accurate information. As noted above, the current process benefits from the government’s taking on — and generally abiding by — a heightened duty of candor to the Court. Providing for an adversarial process in run-of-the-mill, fact-driven cases may erode this norm of governmental behavior, thereby impeding the Court’s receipt of relevant facts. (As noted above, the advocate would rarely, if ever, serve as a separate source of factual information.) Instead, intelligence agencies may become reluctant to voluntarily provide to the Court highly sensitive information, or information detrimental to a case, because doing so would also disclose that information to a permanent bureaucratic adversary.

Even setting aside the number of times I’ve been able to find factual problems with claims made in the few FISC filings so far released (suggesting advocates could provide factual and technical details the government doesn’t want to), this is a tacit admission that the FISC is not considered a bureaucratic adversary by the government.

This is particularly troubling given that, as Bates portrays the process, the “FISC may request or receive information from the applicant informally through the legal staff” (which according to Judge Walton’s portrayal of the process, means via the phone). The only paper trail of the process, then, are (again relying in part on Walton) the written analysis of the FISC’s staff attorneys. Which would mean an advocate would require “broad access” to these “draft decisions and memoranda from legal staff,” would would violate “ethical canons and separation-of-powers principles,” in turn “infring[ing] on the independence of the judges’ decisionmaking.”

One reason Bates objects to a Special Advocate, then, is that the Government would have to write all its requests down, which might affect their candor.

If that isn’t already troubling, Bates’ observation that “even relatively routine national security investigations involve changing facts” raises additional concerns. Bates describes FISC judges making decisions on a sometimes undocumented set of moving facts, facts which the targets of such surveillance have never been permitted to see, much less challenge, in court.

Then there’s Bates’ stated worries about the problems an advocate would present for the FISA Court of Review (and again, some of this may reflect John Roberts’ concern, as SCOTUS is the ultimate court of appeal). Some of this, again, reflects resource concerns. But even those resource concerns — such as the possibility the FISCR would have “to hire its own staff” reveals that the FISCR relies on the same staffers who drive FISC decisions in the first place. It is not, as it turns out, an independent court of its own.

Which makes the Constitutional concerns raised by the wacky decisions of the FISC, starting with its secret redefinition of “relevance” (without even benefit of independent dictionary definitions), all the more urgent. There is no standing to challenge these issues outside of the courts; with the FISC structure, there is apparently no fully independent court of appeal. And the Chief Justice wants to keep it that way.

Which means part of what Bates is defending is the authority for a bunch of District Court Judges to serve as Appellate Judges for some of the most Constitutionally novel issues raised by national security.

Yet Bates also seems to be defending the Court’s ability to remain ignorant about some things the Executive does. He rejects any proposal to serve as an oversight check on the Executive (this is another concern I have some sympathy for). But he does so in a document including this disclosure raised in objection to requiring warrants to conduct back door searches. (Snoopdido noted this passage last night.)

Decisions about querying Section 702 information are now made within the Executive Branch. As a result, the Courts do not know how often the government performs queries of data previously acquired under Section 702 in order to retrieve information about a particular U.S. person. It seems likely to us, however, that the practice would be common for U.S. persons suspected of activities of foreign intelligence interest, e.g., engaging in international terrorism, so that the burden on the FISC of entertaining this new kind of application could be substantial.

Remember: Bates is the guy who first approved NSA and CIA’s use of these back door searches (relying in part on the prior 3-year history of FBI’s use of them). But he has apparently never gotten enough “candor” from the Executive — either before or after he approved this — to know how and how often the Executive is using these searches!

Then he goes on to explain that the Executive might need to use back door searches to get the content of Americans they can’t otherwise target under FISA.

For a variety of reasons, a U.S. person suspected of such activity may not otherwise be a FISA target. For example, there may be probable cause to believe that a U.S. person is engaged in international terrorism, but intelligence agencies may not have the ability to implement current forms of FISA collection against that person because of the person’s location or lack of information about particular facilities.

Granted, what Bates is describing is the use of reverse targeting to get around technical difficulties, not legal ones (though I wonder how he’s sure about the legal case if the government has never made it).

But it is reverse targeting, the use of a back door search to get to the US person content, without a warrant, via collection on another target. This is forbidden by the law. Yet he describes it as one reason why the FISC shouldn’t get involved in reviewing warrants for this kind of search, which (as he describes it) violates the law.

Against the background of admitting that the FISC doesn’t always require the government to write down its requests and that it doesn’t want to approve warrants for activity that by his description violates the statute because the government should be permitted to continue violating the statute, Bates then objects to the recommendations to eliminate bulk collection and provide more review of 215 and NSLs, in part because of the burdens they’d pose for the Court. Most curiously, Bates says that if reforms eliminated NSL gag orders, the government would begin to use Section 215.

Those changes would like result in the government’s decreasing its reliance on NSLs for records subject to such a disclosure requirement and instead bringing to the FISC more applications under Section [215] for production of such records, in order to avoid disclosure of such information to private parties.

If the government could still get bulk Section 215 orders, I agree, they might well use those instead.

But Jim Comey — to the extent he can be believed in comments that were clearly misleading — said he’d end up using grand jury subpoenas instead. So a guy with years of involvement in prosecuting terrorism cases at least claims that he not only could — but would prefer to — use grand jury subpoenas for this information over the FISC.

Which would alleviate the need to routinely eliminate gags, because review in any criminal proceedings would provide the kind of transparency and review necessary for such things (this is a point Peter Swire made in yesterday’s hearing).

The reason we need a FISC is because the government — often through inadequate notice to defendants — has succeeded in avoiding the kind of review courts normally bring. But John Bates reveals a number of ways in which the court that is supposed to be providing that review has failed to do so. And Jim Comey, at least, thinks some of this could move back to real courts.

So why not? Why not move this, with all the gags grand jury subpoenas get and the national security experience judges have acquired over the last decade and all the normal constitutionally required review process, back to normal Title III Courts?

I admit it. Bates makes an excellent case for eliminating the FISC case, at least for all the exotic bulk programs the government has been inventing in secret.

The Source of the Section 702 Limitations: Special Needs?

Way back in 2013, in Marty Lederman’s review of the NSA Review Group’s Report, he pointed to the Report’s suggestion that Section 702 collection was limited to use with counterterrorism, counterproliferation, and cybersecurity.

The Report contains an interesting clue about how the government is presently using Section 702 that I do not recall being previously disclosed—and raises a related question about legal authorities under that provision of the FAA:

The Report explains (page 136) that in implementing Section 702, “NSA identifies specific ‘identifiers’ (for example, e-mail addresses or telephone numbers) that it reasonably believes are being used by non-United States persons located outside of the United States to communicate foreign intelligence information within the scope of the approved categories (e.g., international terrorism, nuclear proliferation, and hostile cyber activities).

[snip]

Later, on pages 152-53, the authors “emphasiz[e] that, contrary to some representations,section 702 does not authorize NSA to acquire the content of the communications of masses of ordinary people.  To the contrary, section 702 authorizes NSA to intercept communications of non-United States persons who are outside the United States only if it reasonably believes that a particular ‘identifier’ (for example, an e-mail address or a telephone number) is being used to communicate foreign intelligence information related to such matters as international terrorism, nuclear proliferation, or hostile cyber activities.”  (Italics in original.)

I may be mistaken, but I don’t believe that there’s anything in the statute itself that imposes the limitations in bold–neither that the NSA must use such “identifiers,” nor that international terrorism, nuclear proliferation, and hostile cyber activities are the only topics of acceptable foreign intelligence information that can be sought.  Perhaps the FISC Court has insisted upon such limits; but, as far as I know, the Section 702 authority as currently codified is not so circumscribed.

Of course, if you’re a regular emptywheel reader, you likely know where this has been suggested in the past, since I’ve been pointing out this apparent limitation to Section 702 since June 10 and discussed some implications of it here, here, and here.

In a response to Lederman, Julian Sanchez provided some specific cautions about treating these category limits as true “limitations.” He suggests it is unlikely that the Intelligence Community or the FISA Court would impose such limitations.

The 702 language, codified at 50 U.S.C. §1881a, permits the NSA to acquire any type of “foreign intelligence information,” which is defined extraordinarily broadly to encompass, inter alia, anything that relates to the “conduct of the foreign affairs of the United States.” But here we have the Review Group suggesting repeatedly that 702 surveillance is only for acquiring certain specific types of foreign intelligence information, related to nuclear proliferation, international terrorism, or cybersecurity. Have the intelligence agencies or the FISC imposed a more restricted reading of “foreign intelligence information” than the FISA statute does? I doubt it.

While I agree with most of Sanchez’ other cautions, I actually do think it likely that the FISC conducts a review that ends up in such limited certifications. They did it for application of Section 215 to the phone dragnet (which legally could have been used for counterintelligence purposes) and I think they may well have done so with Section 702.

FISCR only ruled bulk content collection legal for “national security” foreign intelligence purposes

We’ll learn whether I’m right or not when the FISC releases more of the 2008 Yahoo challenge to Protect America Act directives. But there is enough detail in the unclassified August 22, 2008 FISA Court of Review opinion released in early 2009 to suggest where that limitation may have come from.

The FISCR opinion, written by Bruce Selya, describes the certifications before the Court as limited to “foreign intelligence for national security purposes,” a limitation that already circumscribes PAA (and the FISA Amendments Act, as Sanchez has laid out), which allow their use for foreign intelligence generally.

In essence, as implemented, the certifications permit surveillances conducted to obtain foreign intelligence for national security purposes when those surveillances are directed against foreign powers or agents of foreign powers reasonably believed to be located outside the United States. [my emphasis]

This limitation is important because of the way Selya deals with the affirmation, in the FISC ruling before the FISCR, that there is a foreign intelligence exception to the Fourth Amendment: by instead finding a special needs exception to the Fourth tied to national security. Read more