Ron Wyden

1 2 3 18

Wyden Doesn’t Know What NSA Does with Its Dragnet Overseas

Kim Zetter has an interview with Ron Wyden that goes over a number of things I have already reported. She describes him hedging when asked when he first learned of the phone dragnet; as I have shown the government did not brief the Internet dragnet to the Intelligence Committees, not even during the PATRIOT reauthorization in 2005. Wyden describes the months — “literally months” –during which he tried to get the Intelligence Community to correct what Keith Alexander had said to DefCon before he asked James Clapper the question he is now so famous for; I laid that out here and here. Wyden describes how — “incredible as it sounds” — the Bush Administration shut down NSA’s back door search authorities., which I noted here. Zetter and Wyden also discuss how to manage zero day exploits.

But the most important detail in the interview, in my opinion, comes where Wyden makes clear he doesn’t know enough about what the government does under EO 12333.

But no one, not even lawmakers on Capitol Hill, have a full grasp of how EO 12333 is being used.

Wyden says, “I’m not sure we’re at the bottom or close to it” when it comes to understanding how it’s being used.” Wyden is suspicious that the White House and intelligence community have agreed to halt the phone records collection program, in the wake of intense criticism, only because the spy agency has other tricks to get the same data, possibly through EO 12333.

“The intelligence community is endorsing eliminating bulk-collection of phone records, and it makes me wonder what are the authorities under 12333 [through which they might do the same thing]?” he asks. “You can get a bill passed and everybody says, ‘Hey we banned bulk collection.’… [Then] we see the government go off in another direction. I will tell you that I don’t know today the full ramifications of 12333 on bulk collection. But I’m going to be spending a lot of time digging into it.”

I had pointed to Wyden’s concern about this issue when he raised it at the turn of the year and noted that the Administration made public its belief it can engage in the phone and Internet dragnet without any Congressional authorization just as the USA Freedom Act debate resumed.

But  Wyden’s confirmation that he doesn’t know what the government does overseas raises questions about, first, whether he knows what the government did with the Internet dragnet when he and Udall convinced the government to end the domestic collection of it in 2011. But it also underscores just how empty are the promises that there is adequate oversight of the NSA’s work.

If someone on the Intelligence Committees (a critic, admittedly, but he is one of the legal overseers of the Agency) doesn’t know, and doesn’t think he’d necessarily know, if the government replaced a congressionally limited program with the same program overseas, that means there’s no way the Intel Committees could ensure that the government had stopped practices Congress told it to stop.

Of course, given that Wyden got legislation passed in 2004 defunding any data mining of Americans only to have the Bush authorized dragnet continue, that must be a familiar position for the Senator.

No, Obama Doesn’t Need Legislation to Fix the Dragnet–Unless the “Fix” Isn’t One

In an editorial calling on Congress to pass the USA Freedom Act, the USA Today makes this claim.

Obama’s proposal last January — to leave the data with phone companies, instead of with the government — can’t happen without a new law. And, as in so many other areas, the deeply divided Congress has failed to produce one.

I don’t know whether that is or is not the case.

I do know 3 Senate Intelligence Committee members say it is not the case.

Ron Wyden, Mark Udall, and Martin Heinrich wrote Obama a letter making just this point in June. They argued that Obama could accomplish most, if not all, of what he claimed he wanted without legislation, largely with a combination of Section 215 Orders to get hops and Pen Registers to get prospective collection.

[W]e believe that, in the meantime, the government already has sufficient authorities today to implement most, if not all, of the Section 215 reforms laid out in your proposal without delay in a way that does not harm our national security. More comprehensive congressional action is vital, but the executive branch need not wait for Congress to end the dragnet collection of millions of Americans’ phone records for a number of reasons.

First, we believe that the Foreign Intelligence Surveillance Court’s (FISC) expansive interpretation of the USA PATRIOT Act to allow the collection of millions of Americans’ phone records makes it likely that the FISC would also agree to a more narrowly-drawn interpretation of the law, without requiring further congressional action. Certainly, it seems likely that the FISC would permit the executive branch to use its current authorities to obtain phone records up to two “hops” from a suspicious phone number or to compel technical assistance by and compensation for recipients of court orders. Unless the FISC has already rejected such a request from the government, it does not seem necessary for the executive branch to wait for Congress before taking action.

Second, we believe that the FISC would likely approve the defined and limited prospective searches for records envisioned under your proposal pursuant to current USA PATRIOT Act Section 214 pen register authorities, given how broadly it has previous interpreted these authorities. Again, we believe it is vital for Congress to enact reforms, but we also believe that the government has sufficient authorities today under the USA PATRIOT Act to conduct these targeted prospective searches in the interim.

Finally, although we have seen no evidence that the government has needed the bulk phone records collection program to attain any time-sensitive objectives, we agree that new legislation should provide clear emergency authorities to allow the government to obtain court approval of individual queries after the fact under specific circumstances. The law currently allows prospective emergency acquisitions of call records under Section 403 of the Foreign Intelligence Surveillance Act (FISA), and the acquisition of past records without judicial review under national security letter authorities. While utilizing a patchwork of authorities is not ideal, it could be done on an interim basis, while Congress works to pass legislation.

Just weeks before they sent this, Deputy Attorney General James Cole had seemed to say they could (if not already were) getting hybrid orders, in that case mixing phone and location. So it seems like DOJ is confident they could use such hybrid orders, using Section 215 for the hops and Pen Registers for the prospective collection (though, given that they’re already using Section 215 for prospective collection, I’m not sure why they’d need to use hybrids to get anything but emergency orders).

And it makes sense. After all, the public claims about what the Call Detail Record provision would do, at least, describe it as a kind of Pen Register on steroids, 2-degrees of Pen Register. As the Senators suggest, FBI already gets two-degree information of historical records with mere NSLs, so it’d be surprising if they couldn’t get 2 degrees prospectively with a court order.

So at least according to three members of the Senate Intelligence Committee, USA Today is simply wrong.

Mind you, I’m not entirely convinced they’re right.

That’s because I suspect the new CDR provision is more than a Pen Register on steroids, is instead something far more intrusive, one that gets far beyond mere call records. I suspect the government will ask the telecoms to chain on location, address books, and more — as they do overseas — which would require far more than a prospective Pen Register and likely would require super immunity, as the bill provides.

I suspect the Senators are wrong, but if they are, it’s because Obama (or his Intelligence Community) wants something that is far more invasive then they’ve made out.

Still, for USAF supporters, there seems no question. If all Obama wants to replace the phone dragnet is prospective 2-degree call (not connection) chaining on RAS targets, he almost certainly has that authority.

But if he needs more authority, then chances are very good he’s asking for something far more than he has let on.

Update: Note, USAT makes at least one other clear error in this piece, as where it suggests the “the program” — the phone dragnet — imposes costs on cloud companies like Microsoft and Google.

The Curious Timing of FBI’s Back Door Searches

The very first thing I remarked on when I read the Yahoo FISCR opinion when it was first released in 2009 was this passage.

The petitioner’s concern with incidental collections is overblown. It is settled beyond peradventure that incidental collections occurring as a result of constitutionally permissible acquisitions do not render those acquisitions unlawful.9 See, e.g., United States v. Kahn, 415 U.S. 143, 157-58 (1974); United States v. Schwartz, 535 F.2d 160, 164 (2d Cir. 1976). The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26 in original release; 30 in current release)

The government claimed to FISCR that it did not maintain a database of incidentally collected information from non-targeted US persons.

Barring some kind of neat parse, I didn’t buy the claim, not even in 2009.

Since then, we’ve found out that — barring some kind of neat parse — I was absolutely right. In fact, they are doing back door searches on this data, especially at FBI.

What I’m particularly intrigued by, now, is the timing.

FISCR said that in an opinion dated August 22, 2008 — over a month after the July 10, 2008 passage of the FISA Amendments Act. I have not yet found evidence of when the government said that to FISCR. It doesn’t appear in the unredacted part of their Jun 5, 2008 Merits brief (which cites Kahn but not Schwartz; see 49-50), though it might appear behind the redaction on 41. Of note, the April 25, 2008 FISC opinion doesn’t even mention the issue in its incidental collection discussion (starting at 95), though it does discuss amended certifications filed in February 2008.

So I’m guessing the government made that representation at the hearing in June, 2008.

We know, from John Bates’ rationale for authorizing NSA and CIA back door searches, such back door searches were first added to FBI minimization procedures in 2008.

When Bates approved back door searches in his October 3, 2011 opinion, he pointed to FBI’s earlier (and broader) authorities to justify approving it for NSA and CIA. While the mention of FBI is redacted here, at that point it was the only other agency whose minimization procedures had to be approved by FISC, and FBI is the agency that applies for traditional FISA warrants.

[redacted] contain an analogous provision allowing queries of unminimized FISA-acquired information using identifiers — including United States-person identifiers — when such queries are designed to yield foreign intelligence information. See [redacted]. In granting [redacted] applications for electronic surveillance or physical search since 2008, including applications targeting United States persons and persons in the United States, the Court has found that the [redacted] meet the definitions of minimization procedures at 50 U.S.C. §§ 1801(h) and 1821(4). It follows that the substantially-similar querying provision found at Section 3(b)(5) of the amended NSA minimization procedures should not be problematic in a collection that is focused on non-United States persons located outside the United States and that, in aggregate, is less likely to result in the acquisition of nonpublic information regarding non-consenting United States persons.

So since 2008, FBI has had the ability to do back door searches on all the FISA-authorized data they get, including taps targeting US persons.

The FBI Minimization procedures submitted with the case all date to the 1990s, though a 2006 amendment changing how they logged the identities of US persons collected (note, in 2011, John Bates was bitching at FBI for having ignored an order to reissue all its minimization procedures with updates; I can see why he complained).

As described in the Government’s response of June 16, 2006, identities of U.S. persons that have not been logged are often maintained in FBI databases that contain unminimized information. The procedures now simply refer to “the identities” of U.S. persons, acknowledging that the FBI may not have previously logged such identities.

But there’s reason to believe the FBI minimization procedures — and this logging process — was changed in 2008, because a government document submitted in the Basaaly Moalin case — we know Moalin was wiretapped from December 2007 to April 2008, so during precisely the period of the Yahoo challenge, though he was not indicted until much later – referenced two sets of minimization procedures, seeming to reflect a change in minimization during the period of his surveillance (or perhaps during the period of surveillance of Aden Ayro, which is how Moalin is believed to have been identified).

That is, it all seems to have been happening in 2008.

The most charitable guess would be that explicit authorization for back door searches happened with the FAA, so before the FISCR ruling, but after the briefing.

Except in a letter to Russ Feingold during early debates  on the FAA, Mike Mukasey and Mike McConnell (the latter of whom was involved in this Yahoo fight) strongly shot down a Feingold amendment that would have required the government to segregate all communications not related to terrorism (and a few other things), and requiring a FISA warrant to access them.

The Mukasey-McConnell attack on segregation is most telling. They complain that the amendment makes a distinction between different kinds of foreign intelligence (one exception to the segregation requirement in the amendment is for “concerns international terrorist activities directed against the United States, or activities in preparation therefor”), even while they claim it would “diminish our ability swiftly to monitor a communication from a foreign terrorist overseas to a person in the United States.” In other words, the complain that one of the only exceptions is for communications relating terrorism, but then say this will prevent them from getting communications pertaining to terrorism.

Then it launches into a tirade that lacks any specifics:

It would have a devastating impact on foreign intelligence surveillance operations; it is unsound as a matter of policy; its provisions would be inordinately difficult to implement; and thus it is unacceptable.

As Feingold already pointed out, the government has segregated the information they collected under PAA–they’re already doing this. But to justify keeping US person information lumped in with foreign person information, they offer no affirmative reason to do so, but only say it’s too difficult and so they refuse to do it.

Even 5 years ago, the language about the “devastating impact” segregating non-terrorism data might have strongly suggested the entire point of this collection was to provide for back door searches.

But that letter was dated February 5, 2008, before the FISCR challenge had even begun. While not definitive, this seems to strongly suggest, at least, that the government planned — even if it hadn’t amended the FBI minimization procedures yet — to retain a database of incidentally data to search on, before the government told FISCR they did not.

Update: I forgot a very important detail. In a hearing this year, Ron Wyden revealed that NSA’s authority to do back door searches had been closed some time during the Bush Administration, before it was reopened by John “Bates stamp” Bates.

Let me start by talking about the fact that the House bill does not ban warrantless searches for Americans’ emails. And here, particularly, I want to get into this with you, Mr. Ledgett if I might. We’re talking of course about the backdoor search loophole, section 702 of the FISA statute. This allows NSA in effect to look through this giant pile of communications that are collected under 702 and deliberately conduct warrantless searches for the communications of individual Americans.  This loophole was closed during the Bush Administration, but it was reopened in 2011, and a few months ago the Director of National Intelligence acknowledged in a letter to me that the searches are ongoing today. [my emphasis]

When I noted that Wyden had said this, I guessed that the government had shut down back door searches in the transition from PAA to FAA, but that seems less likely, having begun to review these Yahoo documents, then that it got shut down in response to the hospital confrontation.

But it shows that more extensive back door searches had been in place before the government implied to the FISCR that they weren’t doing back door searches that they clearly were at least contemplating at that point. I’d really like to understand how the government believes they didn’t lie to the FISCR in that comment (though it wouldn’t be the last time they lied to courts about their databases of Americans).

Supporters of USA Freedom Ignore the Courts

The National Journal reports that Leahy’s USA Freedom Act probably won’t move until after the election, if not next year.

A bill that would curtail the government’s broad surveillance authority is unlikely to earn a vote in Congress before the November midterms, and it might not even get a vote during the postelection lame-duck session.

The inaction amounts to another stinging setback for reform advocates, who have been agitating for legislation that would rein in the National Security Agency ever since Edward Snowden’s leaks surfaced last summer. It also deflates a sudden surge in pressure on Congress to pass the USA Freedom Act, which scored a stunning endorsement from Director of National Intelligence James Clapper last week.

Of course, contrary to what the NJ keeps reporting, that letter is not a stunning endorsement. On the contrary, it’s a signal James Clapper would change — at a minimum — the FISA Advocate position, and probably the Call Detail Record provision as well.

And even while the story suggests timing is the problem, further down the story suggests the bill doesn’t have the votes.

But beyond the calendar squeeze and geopolitical tensions, the Freedom Act has never had a clear path forward. It was not embraced by defense hawks such as Senate Intelligence Committee Chairwoman Dianne Feinstein or Sens. Ron Wyden and Mark Udall, who have become icons of the surveillance-reform movement. The two Democrats said they wanted to strengthen the bill to require warrants for “backdoor” searches of Americans’ Internet data that can be incidentally collected during foreign surveillance hauls. Sources indicated that their support for the Freedom Act remains a bridge too far.

“We were told to go after Republicans,” one industry said.

Wyden and Udall’s reticence to publicly back Leahy’s bill may stem from a conviction that they can get a better deal next Congress, with Section 215 of the USA Patriot Act—the legal underpinning for the NSA’s phone-records collection—due to expire on June 1, 2015.

Without the left flank of the Senate, this wasn’t going to pass. But so long as this bill endorsed warrantless back door searches of Americans at the assessment stage, it wasn’t going to get those votes.

The story ends with a solitary quote purportedly representing the voices of “many” people.

But many see an NSA reform debate that rolls into next year as no sure bet, regardless of what party holds control of the Senate.

“If the USA Freedom Act is not passed this Congress, we are really in uncharted territory, and the process has to start all over again,” said Harley Geiger, senior counsel at the Center for Democracy & Technology, a pro-reform group. “All the elements for reform are in place now, but it just happens that we don’t have much time.”

Geiger is the same purpose mis-reading Clapper’s letter as a complete endorsement of the bill.

Note what doesn’t get mentioned in any of this, though?

The Courts.

Last we heard from the 2nd Circuit, it sounded very very skeptical that it was constitutional to, “collect everything there is to know about everybody and have it all in one big government cloud.” And while SCOTUS was happy to reverse precisely this court in Section 702, both ACLU’s standing and the details of the program are much clearer this time. Had Congress legislated quickly, it likely would moot this and several other challenges to this dragnet. 

This way, at least, the courts will be forced to determine whether it is actually legal for the government to conduct dossiers of every American and store them on a cloud.

Clapper’s Claim that FBI Cannot Count Back Door Searches for Technical Reasons Probably Bullshit

I wanted to explain why I think it’s such a big deal that James Clapper specifically highlighted the carve out for transparency reporting on FBI’s back door searches in Leahy’s version of Freedom Act’s in his letter supporting the bill.

As I described, the bill requires reporting on back door searches, but then exempts the FBI from that reporting.

But that’s not the part of the bill that disturbs me the most. It’s this language:

‘(3) FEDERAL BUREAU OF INVESTIGATION.—

Subparagraphs (B)(iv), (B)(v), (D)(iii), (E)(iii), and (E)(iv) of paragraph (1) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

The language refers, in part,  to requirements that the government report to Congress:

(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—

(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and

(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;

These are back door searches on US person identifiers of Section 702 collected data — both content (iv) and metadata (v).

In other words, after having required the government to report how many back door searches of US person data it conducts, the bill then exempts the FBI.

In his letter, Clapper says,

[W]e are comfortable with the transparency provisions in this bill because, among other things, they recognize the technical limitations on our ability to report certain types of information.

FBI back door searches are the most obvious limit on transparency guidelines, and FBI told PCLOB they couldn’t count them for technical reasons.

So effectively, Clapper is suggesting that Congress has recognized that FBI is incapable — for technical reasons — of counting how often it conducts back door searches.

That technical claim is almost certainly bullshit.

As a reminder, here’s what the government told PCLOB about FBI’s back door searches.

Because they are not identified as such in FBI systems, the FBI does not track the number of queries using U.S. person identifiers. The number of such queries, however, is substantial for two reasons.

First, the FBI stores electronic data obtained from traditional FISA electronic surveillance and physical searches, which often target U.S. persons, in the same repositories as the FBI stores Section 702–acquired data, which cannot be acquired through the intentional targeting of U.S. persons. As such, FBI agents and analysts who query data using the identifiers of their U.S. person traditional FISA targets will also simultaneously query Section 702–acquired data.

Second, whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702–acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts. In the case of an assessment, an assessment may be initiated “to detect, obtain information about, or prevent or protect against federal crimes or threats to the national security or to collect foreign intelligence information.”254 If the agent or analyst conducting these queries has had the training required for access to unminimized Section 702–acquired data, any results from the Section 702 data would be returned in these queries. If an agent or analyst does not have access to unminimized Section 702–acquired data — typically because this agent or analyst is assigned to non-national security criminal matters only — the agent or analyst would not be able to view the unminimized data, but would be notified that data responsive to the query exists and could request that an agent or analyst with the proper training and access to review the unminimized Section 702–acquired data.

Continue reading

Under Clapper’s Continuous Monitoring CIA Could Continuously Monitor SSCI on CIA Network

As I pointed out the other day, the CIA IG Report on spying on the Senate Intelligence Committee appears to say the egregious spying happened after John Brennan told Dianne Feinstein and Saxby Chambliss on January 15 CIA had been spying on SSCI.

Agency Access to Files on the SSCI RDINet:

Five Agency employees, two attorneys and three information technology (IT) staff members, improperly accessed or caused access to the SSCI Majority staff shared drives on the RDINet.

Agency Crimes Report on Alleged Misconduct by SSCI Staff:

The Agency filed a crimes report with the DOJ, as required by Executive Order 12333 and the 1995 Crimes Reporting Memorandum between the DOJ and the Intelligence Community, reporting that SSCI staff members may have improperly accessed Agency information on the RDINet. However, the factual basis for the referral was not supported, as the author of the referral had been provided inaccurate information on which the letter was based. After review, the DOJ declined to open a criminal investigation of the matter alleged in the crimes report.

Office of Security Review of SSCI Staff Activity:

Subsequent to directive by the D/CIA to halt the Agency review of SSCI staff access to the RDINet, and unaware of the D/CIA’s direction, the Office of Security conducted a limited investigation of SSCI activities on the RDINet. That effort included a keyword search of all and a review of some of the emails of SSCI Majority staff members on the RDINet system.

With that in mind, consider this passage of James Clapper’s July 25, 2014 response to Chuck Grassley and Ron Wyden’s concerns about Clapper’s new ongoing spying on clearance holders.

With respect to your second question about monitoring of Members of Congress and Legislative Branch employees, in general those individuals will not be subject to [User Activity Monitoring] because their classified networks are not included in the definition of national security systems (NSS) for which monitoring is required.

[snip]

Because no internally owned or operated Legislative branch network qualifies as a national security system, UAM by the Executive Branch is accordingly neither required nor conducted. To be clear, however, when Legislative Branch personnel access a national security system used or operated by the Executive Branch, they are of course subject to UAM on that particular system.

CIA’s spying on SSCI took place on CIA’s RDI network, not on the SSCI one. SSCI had originally demanded they be given the documents pertaining to the torture program, but ultimately Leon Panetta required them to work on a CIA network, as Dianne Feinstein explained earlier this year.

The committee’s preference was for the CIA to turn over all responsive documents to the committee’s office, as had been done in previous committee investigations.

Director Panetta proposed an alternative arrangement: to provide literally millions of pages of operational cables, internal emails, memos, and other documents pursuant to the committee’s document requests at a secure location in Northern Virginia. We agreed, but insisted on several conditions and protections to ensure the integrity of this congressional investigation.

Per an exchange of letters in 2009, then-Vice Chairman Bond, then-Director Panetta, and I agreed in an exchange of letters that the CIA was to provide a “stand-alone computer system” with a “network drive” “segregated from CIA networks” for the committee that would only be accessed by information technology personnel at the CIA—who would “not be permitted to” “share information from the system with other [CIA] personnel, except as otherwise authorized by the committee.”

It was this computer network that, notwithstanding our agreement with Director Panetta, was searched by the CIA this past January,

Presumably, those limits on access should have prevented CIA’s IT guys from sharing information about what SSCI was doing on the network. But it’s not clear they would override Clapper’s UAM.

Remember, too, when Brennan first explained how this spying didn’t qualify as a violation of the Computer Fraud and Abuse Act, he said CIA could conduct “lawfully authorized … protective … activity” in the US. Presumably like UAM.

I have no idea whether this explains why CIA’s IG retracted what Feinstein said had been his own criminal referral or not. But I do wonder whether the CIA has self-excused some of its spying on SSCI in the interest of continuous user monitoring?

If so, it would be the height of irony, as UAM did not discover either Chelsea Manning’s or Edward Snowden’s leaks. Imagine if the only leakers the Intelligence Community ever found were their own overseers?

Having Been Absolved by DOJ, CIA Now Admits They Illegally Spied on SSCI

When Ron Wyden first asked John Brennan whether CIA had to comply with the Computer Fraud and Abuse Act, Brennan suggested they didn’t have to if they were conducting investigations.

The statute does apply. The Act, however, expressly “does not prohibit any lawfully authorized investigative, protective, or intelligence activity … of an intelligence agency of the United States.” 18 U.S.C. § 1030(f).

Then in March, after Senator Feinstein accused the CIA of improperly spying on her committee, Brennan claimed it was outside the realm of possibility.

As far as the allegations of, you know, CIA hacking into, you know, Senate computers, nothing could be further from the truth. I mean, we wouldn’t do that. I mean, that’s — that’s just beyond the — you know, the scope of reason in terms of what we would do.

Now that DOJ has decided not to investigate CIA’s illegal domestic spying, we learn it was well within the realm of possibility.

CIA employees improperly accessed computers used by the Senate Intelligence Committee to compile a report on the agency’s now defunct detention and interrogation program, an internal CIA investigation has determined.

Findings of the investigation by the CIA Inspector General’s Office “include a judgment that some CIA employees acted in a manner inconsistent with the common understanding reached between SSCI (Senate Select Committee on Intelligence) and the CIA in 2009,” CIA spokesman Dean Boyd said in a statement.

Brennan’s solution is to have corrupt hack Evan Bayh conduct an accountability review of the spying.

Mark Udall and Ron Wyden are furious. DiFi is less so. The Republicans on the Committee have been silent; apparently they’re okay with CIA breaching separation of powers.

And yet again, the CIA proves it refuses to subsist within democratic structures.

Leahy Freedom Act Exempts FBI from Counting Its Back Door Searches

As I said in my post last night, Pat Leahy’s version of USA Freedom Act is a significant improvement over USA Freedumber, the watered down House version. But it includes language that no one I’ve met has been able to explain. I believe it may permit the NSA to have its immunized telecom providers contact chain on (at least) location, and possibly worse. Thus, it may well be everyone applauding the bill — including privacy NGOs — are applauding increased use of techniques like location spying even as judges around the country are deeming such spying unconstitutional. I strongly believe this bill may expand the universe of US persons who will be thrown into the corporate store indefinitely, to be subjected to the full brunt of NSA’s analytical might.

But that’s not the part of the bill that disturbs me the most. It’s this language:

‘(3) FEDERAL BUREAU OF INVESTIGATION.—

Subparagraphs (B)(iv), (B)(v), (D)(iii), (E)(iii), and (E)(iv) of paragraph (1) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

The language refers, in part,  to requirements that the government report to Congress:

(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—

(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and

(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;

These are back door searches on US person identifiers of Section 702 collected data — both content (iv) and metadata (v).

In other words, after having required the government to report how many back door searches of US person data it conducts, the bill then exempts the FBI.

The FBI — the one agency whose use of such data can actually result in a prosecution of the US person in question.

We already know the government has not provided all defendants caught using 702 data notice. And yet, having recognized the need to start counting how many Americans get caught in back door searches, Patrick Leahy has decided to exempt the agency that uses back door searches the most.

And if they’re not giving defendants notice (and they’re not), then this is an illegal use of Section 702.

There is no reason to exempt the FBI for this. On the contrary, if we’re going to count back door searches on US persons, the first place we should start counting is at FBI, where it likely matters most. But the Chair of the Senate Judiciary Committee has decided it’s a good idea to exempt precisely those back door searches from reporting requirements.

 

Were DiFi’s Aides Who Claimed “Only a Small Number” of Back Door Searches Ignorant or Lying?

Yesterday, we learned:

  • NSA conducted unwarranted back door searches on 198 US persons’ content last year and 9,500 back door searches on US person metadata
  • CIA conducted around 1,900 unwarranted back door searches on US person content, and an uncounted number of back door searches on US person metadata
  • FBI conducted a substantial number of unwarranted back door searches on US person content and metadata — so much so it doesn’t count it

Back in November, when Dianne Feinstein was trying to codify these unwarranted back door searches explicitly into law, here’s what anonymous sources described as Senate Intelligence Committee aides told the WaPo:

They say that there have been only a “small number” of such queries each year. Such searches are useful, for instance, if a tip arises that a terrorist group is plotting to kill or kidnap an American, officials have said.

“Only a small number.”

Over 2,000 counted searches between the CIA and NSA. Uncounted, but substantial, number of searches by FBI. “Only a small number.”

Were these anonymous sources ignorant — relying on false information from the Agencies? The actual number of unwarranted back door searches doesn’t appear in the unredacted portions of the one Semiannual Section 702 Compliance report we’ve seen (see page 13); there doesn’t appear to be a redacted section where they would end up.

So have the Agencies (CIA and NSA in this case; FBI’s back door searches get audited in a different way) simply hidden from their Congressional overseers how frequently they were doing these searches?

Or were these aides trying, once again, to pass legislation permitting the nation’s spy agencies to conduct intrusive searches on Americans by lying?

One way or another, it’s a damn good thing Ron Wyden asked for and insisted on getting an answer to his question of how common these back door searches are (even if the FBI still refuses to count them). Because the key people who are supposed to oversee them are either ignorant or lying about them.

Told You So, FBI Back Door Search Edition

For a long time, I’ve been noting that the October 3, 2011 John Bates Opinion and last August’s Semiannual Report on FISA make it clear that the FBI, like the CIA and NSA, conducts back door searches off Section 702 collected data.

ODNI’s response to Ron Wyden’s request for actual numbers of how many back door searches the government conducts makes it clear that I was correct.

The report is even worse than I imagined. It shows the following:

FBI 

FBI does back door searches for both foreign intelligence and criminal purposes. This means NSA’s language about keeping data for evidence of a crime is fairly meaningless, because they’re handing chunks of data off to FBI that it can troll for evidence of crime.

And the FBI doesn’t count these queries. In fact, FBI doesn’t even distinguish between when it is searching foreign and US person identifiers.They say only that “the number of queries is substantial.”

CIA 

I expected all that from the FBI. What amazes me is that the CIA — an Agency that is not supposed to conduct domestic intelligence collection — does not count how many metadata-only queries of US person data it does. So all those fears of NSA identifying whether you’re visiting an AIDS clinic or a pregnancy counseling center? The NSA may not do that kind of analysis, but the CIA might be checking what foreigners you’re talking to.

The CIA also conducts a bunch of content queries — “fewer than 1900″ — of which 40% are counterterrorism-related queries for other agencies. (Which leads me to wonder why neither NSA nor FBI are doing these queries, which would make more sense.) But that leaves 60% of 1900 — or around 1,100 queries a year of US person content that are for CIA’s own purposes and may not even be terrorism related.

NSA

The NSA conducts the fewest. It conducts 198 US person content queries (that is, not all that much fewer than the 248 US persons queried in the phone dragnet or collected on using another Section 215 order). It conducts 9,500 queries of metadata only queries, of which some are duplicative.

Compared to CIA’s uncountable number, that may not sound like a lot. But compare that to the phone dragnet, which also queried on fewer than 248 US person identifiers last year. That is, it is doing an order of magnitude more Internet metadata queries than it is phone queries.

One more thing: Last year’s FAA report revealed that CIA and NSA also sometimes accidentally query US person data. So the numbers of Americans sucked in via FAA may be significantly larger.

PCLOB

One more note about this report. PCLOB is due to release their Section 702 report on Wednesday. That is sure to have recommendations about how to protect US person privacy; Patricia Wald was quite clear in the most recent PCLOB hearing she believes the government should use a warrant to access this data. So Ron Wyden finally got a response, but it almost certain is only because PCLOB was about to make much of this public on their own.

(KS linked to this version of the Doors, thanks!)

1 2 3 18
Emptywheel Twitterverse
bmaz @gracels @dcbigjohn That is a given.
5hreplyretweetfavorite
bmaz @gracels Naw, I have sat with @dcbigjohn My bet is you would actually like him quite a bit! Seriously. And he has passion for border stories
5hreplyretweetfavorite
bmaz @KanysLupin @emptywheel @MonaHol Not sure of context or question, but I would imagine prior statuses or placements on a list. Sorry, dunno.
5hreplyretweetfavorite
bmaz @dcbigjohn This is fucking outrageous.
5hreplyretweetfavorite
bmaz @kdrum Yeah. This is just ugly. I am turning to the Boise State game on ESPN2 I think. Or Netflix and a beer.
6hreplyretweetfavorite
bmaz @cody_k You are NOT doing very well quarterbacking the USC Trojans tonight. Not very helpful for the ASU Sun Devils. Please do better!
6hreplyretweetfavorite
bmaz Will NOBODY rid me of these pesky Bruins?? Jeez. This is what I get for needing help from, and rooting for, ONE TIME, the USC Trojans. #Ugly
6hreplyretweetfavorite
bmaz @gracels @21law @jacklgoldsmith As much as I hate it, yeah, they are their own little fiefdoms. Again, I go off what I see where I practice.
6hreplyretweetfavorite
bmaz @21law @gracels @jacklgoldsmith If properly charged and within boundaries of state, yes amenable to process for Rule 8 state speedy trial
6hreplyretweetfavorite
bmaz @gracels @21law @jacklgoldsmith well, want the conviction for that purpose+willing to lock em up here even if no deport. thats my concern.
7hreplyretweetfavorite
bmaz @21law @gracels @jacklgoldsmith In fact, willfully itinerant and belligerent to Fed policy when they can be. Think lot of GOP places may be.
7hreplyretweetfavorite
bmaz @21law @gracels @jacklgoldsmith Ah, thanks. We shall see. But my experience here is county prosecutors are undeterred by Fed policies.
7hreplyretweetfavorite
November 2014
S M T W T F S
« Oct    
 1
2345678
9101112131415
16171819202122
23242526272829
30