Posts

Three Things: It’s All About the Cable, Mabel. Oh, and the Mooch

If last night’s Twitter timeline was any measure, folks have a LOT to say about premium cable programming let alone the cable television industry. Add the crazy surrounding White House communications and it’s best if I just get out of the way and run like hell.

~ 3 ~

I simply can’t write fast enough or better about the situation than many folks have on Twitter already.

Basta.

~ 2 ~

Crazy amount of chatter about cable networks and M&A. Biggest stories:

Discovery to buy HGTV’s owner Scripps because of Scripps’ audience demographics — heavily weighted toward women.

Charter Communications will not merge with Sprint to expand into cell phone business; it already has a reseller agreement with Verizon.

However, Japan’s Softbank, Sprint’s parent, is interested in buying Charter Communications. This deserves debate in Congress as well as CFIUS review. There’s a reason why Charter isn’t Cable but Communications now; do we want additional foreign ownership of another communications network even if it isn’t fully into the cell phone business (yet)?

Should note here that a beef I have with my GOP representative on regulating cable networks is on this very point. Rep-who-will-not-be-named sent a pro forma response spouting what is probably party line: FTC has always regulated cable, shouldn’t increase regulation by allowing cable to be regulated by FCC.

Except that cable isn’t just a series of tubes distributing entertainment content. It’s also a series of tubes carrying our communications.

Again, do we want to allow foreign ownership of these particular communications tube in addition to existing cell phone network ownership?

~ 1 ~

By now you may have heard HBO’s most popular series, Game of Thrones, may have been affected by a breach of the cable network’s system. Based on conflicting reports, it’s not clear what was stolen from HBO, though unlike other recent hacks HBO itself was attacked and not a content creator/producer. It may sound reminiscent of the Sony Entertainment hack but HBO is nowhere as leaky as Sony.

Will winter still come after this hack? You’ll have to tell me — this isn’t a series I follow.

~ 0 ~

There you have it, your next open thread. Trump-Russia stuff in the last one, please. Everything else here.

What We Know about the Section 215 Phone Dragnet and Location Data

Last month’s squabble between Marco Rubio and Ted Cruz about USA Freedom Act led a number of USAF boosters to belatedly understand what I’ve been writing for years: that USAF expanded the universe of people whose records would be collected under the program, and would therefore expose more completely innocent people, along with more potential suspects, to the full analytical tradecraft of the NSA, indefinitely.

In an attempt to explain why that might be so, Julian Sanchez wrote this post, focusing on the limits on location data collection that restricted cell phone collection. Sanchez ignores two other likely factors — the probable inclusion of Internet phone calls and the ability to do certain kinds of connection chaining — that mark key new functionalities in the program which would have posed difficulties prior to USAF. But he also misses a lot of the public facts about location collection and cell phones under the Section 215 dragnet.  This post will lay those out.

The short version is this: the FISC appears to have imposed some limits on prospective cell location collection under Section 215 even as the phone dragnet moved over to it, and it was not until August 2011 that NSA started collecting cell phone records — stripped of location — from AT&T under Section 215 collection rules. The NSA was clearly getting “domestic” records from cell phones prior to that point, though it’s possible they weren’t coming from Section 215 data. Indeed, the only known “successes” of the phone dragnet — Basaaly Moalin and Adis Medunjanin — identified cell phones. It’s not clear whether those came from EO 12333, secondary database information that didn’t include location, or something else.

Here’s the more detailed explanation, along with a timeline of key dates:

There is significant circumstantial evidence that by February 17, 2006 — two months before the FISA Court approved the use of Section 215 of the PATRIOT Act to aspire to collect all Americans’ phone records — the FISA Court required briefing on the use of “hybrid” requests to get real-time location data from targets using a FISA Pen Register together with a Section 215 order. The move appears to have been a reaction to a series of magistrates’ rulings against a parallel practice in criminal cases. The briefing order came in advance of the 2006 PATRIOT Act reauthorization going into effect, which newly limited Section 215 requests to things that could be obtained with a grand jury subpoena. Because some courts had required more than a subpoena to obtain location, it appears, FISC reviewed the practice in the FISC — and, given the BR/PR numbers reported in IG Reports, ended, sometime before the end of 2006 though not immediately.

The FISC taking notice of criminal rulings and restricting FISC-authorized collection accordingly would be consistent with information provided in response to a January 2014 Ron Wyden query about what standards the FBI uses for obtaining location data under FISA. To get historic data (at least according to the letter), FBI used a 215 order at that point. But because some district courts (this was written in 2014, before some states and circuits had weighed in on prospective location collection, not to mention the 11th circuit ruling on historical location data under US v. Davis) require a warrant, “the FBI elects to seek prospective CSLI pursuant to a full content FISA order, thus matching the higher standard imposed in some U.S. districts.” In other words, as soon as some criminal courts started requiring a warrant, FISC apparently adopted that standard. If FISC continued to adopt criminal precedents, then at least after the first US v. Davis ruling, it would have and might still require a warrant (that is, an individualized FISA order) even for historical cell location data (though Davis did not apply to Stingrays).

FISC doesn’t always adopt the criminal court standard; at least until 2009 and by all appearances still, for example, FISC permits the collection, then minimization, of Post Cut Through Dialed Digits collected using FISA Pen Registers, whereas in the criminal context FBI does not collect PCTDD. But the FISC does take notice of, and respond to — even imposing a higher national security standard than what exists at some district levels — criminal court decisions. So the developments affecting location collection in magistrate, district, and circuit courts would be one limit on the government’s ability to collect location under FISA.

That wouldn’t necessarily prevent NSA from collecting cell records using a Section 215 order, at least until the Davis decision. After all, does that count as historic (a daily collection of records each day) or prospective (the approval to collect data going forward in 90 day approvals)? Plus, given the PCTDD and some other later FISA decisions, it’s possible FISC would have permitted the government to collect but minimize location data. But the decisions in criminal courts likely gave FISC pause, especially considering the magnitude of the production.

Then there’s the chaos of the program up to 2009.

At least between January 2008 and March 2009, and to some degree for the entire period preceding the 2009 clean-up of the phone and Internet dragnets, the NSA was applying EO 12333 standards to FISC-authorized metadata collection. In January 2008, NSA co-mingled 215 and EO 12333 data in either a repository or interface, and when the shit started hitting the fan the next year, analysts were instructed to distinguish the two authorities by date (which would have been useless to do). Not long after this data was co-mingled in 2008, FISC first approved IMEI and IMSI as identifiers for use in Section 215 chaining. In other words, any restrictions on cell collection in this period may have been meaningless, because NSA wasn’t heeding FISC’s restrictions on PATRIOT authorized collection, nor could it distinguish between the data it got under EO 12333 and Section 215.

Few people seem to get this point, but at least during 2008, and probably during the entire period leading up to 2009, there was no appreciable analytical border between where the EO 12333 phone dragnet ended and the Section 215 one began.

There’s no unredacted evidence (aside from the IMEI/IMSI permission) the NSA was collecting cell phone records under Section 215 before the 2009 process, though in 2009, both Sprint and Verizon (even AT&T, though to a much less significant level) had to separate out their entirely foreign collection from their domestic, meaning they were turning over data subject to EO 12333 and Section 215 together for years. That’s also roughly the point when NSA moved toward XML coding of data on intake, clearly identifying where and under what authority it obtained the data. Thus, it’s only from that point forward where (at least according to what we know) the data collected under Section 215 would clearly have adhered to any restrictions imposed on location.

In 2010, the NSA first started experimenting with smaller collections of records including location data at a time when Verizon Wireless was named on primary orders. And we have two separate documents describing what NSA considered its first collection of cell data under Section 215 on August 29, 2011. But it did so only after AT&T had stripped the location data from the records.

It appears Verizon never did the same (indeed, Verizon objected to any request to do so in testimony leading up to USAF’s passage). The telecoms used different methods of delivering call records under the program. In fact, in August 2, 2012, NSA’s IG described the orders as requiring telecoms to produce “certain call detail records (CDRs) or telephony metadata,” which may differentiate records that (which may just be AT&T) got processed before turning over. Also in 2009, part of Verizon ended its contract with the FBI to provide special compliance with NSLs. Both things may have affected Verizon’s ability or willingness to custom what it was delivering to NSA, as compared to AT&T.

All of which suggests that at least Verizon could not or chose not to do what AT&T did: strip location data from its call records. Section 215, before USAF, could only require providers to turn over records they kept, it could not require, as USAF may, provision of records under the form required by the government. Additionally, under Section 215, providers did not get compensated after the first two dragnet orders.

All that said, the dragnet has identified cell phones! In fact, the only known “successes” under Section 215 — the discovery of Basaaly Moalin’s T-Mobile cell phone and the discovery of Adis Medunjanin’s unknown, but believed to be Verizon, cell phone — did, and they are cell phones from companies that didn’t turn over records. In addition, there’s another case, cited in a 2009 Robert Mueller declaration preceding the Medunjanin discovery, that found a US-based cell phone.

There are several possible explanations for that. The first is that these phones were identified based off calls from landlines and/or off backbone records (so the phone number would be identified, but not the cell information). But note that, in the Moalin case, there are no known land lines involved in the presumed chain from Ayro to Moalin.

Another possibility — a very real possibility with some of these — is that the underlying records weren’t collected under Section 215 at all, but were instead collected under EO 12333 (though Moalin’s phone was identified before Michael Mukasey signed off on procedures permitting the chaining through US person records). That’s all the more likely given that all the known hits were collected before the point in 2009 when the FISC started requiring providers to separate out foreign (EO 12333) collection from domestic and international (Section 215) collection. In other words, the Section 215 phone dragnet may have been working swimmingly up until 2009 because NSA was breaking the rules, but as soon as it started abiding by the rules — and adhering to FISC’s increasingly strict limits on cell location data — it all of a sudden became virtually useless given the likelihood that potential terrorism targets would use exclusively cell and/or Internet calls just as they came to bypass telephony lines. Though as that happened, the permissions on tracking US persons via records collected under EO 12333, including doing location analysis, grew far more permissive.

In any case, at least in recent years, it’s clear that by giving notice and adjusting policy to match districts, the FISC and FBI made it very difficult to collect prospective location records under FISA, and therefore absent some means of forcing telecoms to strip their records before turning them over, to collect cell data.

Read more

Marco Rubio Leaks that the Phone Dragnet Has Expanded to “A Large Number of Companies”

Last night, Marco Rubio went on Fox News to try to fear-monger over the phone dragnet again.

He repeated the claim that the AP also idiotically parroted uncritically — that the government can only get three years of records for the culprits in the San Bernardino attack.

In the case of these individuals that conducted this attack, we cannot see any phone records for the first three years in which — you can only see them up to three years. You’ll not be able to see the full five-year picture.

Again, he’s ignoring the AT&T backbone records that cover virtually all of Syed Rizwan Farook’s 28-year life that are available, that 215 phone dragnet could never have covered Tashfeen Malik’s time in Pakistan and Saudi Arabia, and that EO 12333 collection not only would cover Malik’s time before she came to the US, but would also include Farook’s international calls going back well over 5 years.

So he’s either an idiot or he’s lying on that point.

I’m more interested in what he said before that, because he appears to have leaked a classified detail about the ongoing USA Freedom dragnet: that they’ve been issuing orders to a “large and significant number of companies” under the new dragnet.

There are large and significant number of companies that either said, we are not going to collect records at all, we’re not going to have any records if you come asking for them, or we’re only going to keep them on average of 18 months. When the intelligence community or law enforcement comes knocking and subpoenas those records, in many cases there won’t be any records because some of these companies already said they’re not going to hold these records. And the result is that we will not be able in many cases to put together the full puzzle, the full picture of some of these individuals.

Let me clear: I’m certain this fact, that the IC has been asking for records from “a large number of companies,” is classified. For a guy trying to run for President as an uber-hawk, leaking such details (especially in appearance where he calls cleared people who leak like Edward Snowden “traitors”) ought to be entirely disqualifying.

But that detail is not news to emptywheel readers. As I noted in my analysis of the Intelligence Authorization the House just passed, James Clapper would be required to do a report 30 days after the authorization passes telling Congress which “telecoms” aren’t holding your call records for 18 months.

Section 307: Requires DNI to report if telecoms aren’t hoarding your call records

This adds language doing what some versions of USA Freedom tried to requiring DNI to report on which “electronic communications service providers” aren’t hoarding your call records for at least 18 months. He will have to do a report after 30 days listing all that don’t (bizarrely, the bill doesn’t specify what size company this covers, which given the extent of ECSPs in this country could be daunting), and also report to Congress within 15 days if any of them stop hoarding your records.

That there would be so many companies included Clapper would need a list surprised me, a bit. When I analyzed the House Report on the bill, I predicted USAF would pull in anything that might be described as a “call.”

We have every reason to believe the CDR function covers all “calls,” whether telephony or Internet, unlike the existing dragnet. Thus, for better and worse, far more people will be exposed to chaining than under the existing dragnet. It will catch more potential terrorists, but also more innocent people. As a result, far more people will be sucked into the NSA’s maw, indefinitely, for exploitation under all its analytical functions. This raises the chances that an innocent person will get targeted as a false positive.

At the same time, I thought that the report’s usage of “phone company” might limit collection to the providers that had been included — AT&T, Verizon, and Sprint — plus whatever providers cell companies aren’t already using their backbone, as well as the big tech companies that by dint of being handset manufacturers, that is, “phone” companies, could be obligated to turn over messaging records — things like iMessage and Skype metadata.

Nope. According to uber-hawk who believes leakers are traitors Marco Rubio, a “large number” of companies are getting requests.

From that I assume that the IC is sending requests to the entire universe of providers laid out by Verizon Associate General Counsel Michael Woods in his testimony to SSCI in 2014:

Screen Shot 2015-12-08 at 1.17.27 AM

Woods describes Skype (as the application that carried 34% of international minutes in 2012), as well as applications like iMessage and smaller outlets of particular interest like Signal as well as conferencing apps.

So it appears the intelligence committees, because they’re morons who don’t understand technology (and ignored Woods) got themselves in a pickle, because they didn’t realize that if you want full coverage from all “phone” communication, you’re going to have to go well beyond even AT&T, Verizon, Sprint, Apple, Microsoft, and Google (all of which have compliance departments and the infrastructure to keep such records). They are going to try to obtain all the call records, from every little provider, whether or not they actually have the means with which to keep and comply with such requests. Some — Signal might be among them — simply aren’t going to keep records, which is what Rubio is complaining about.

That’s a daunting task — and I can see why Rubio, if he believes that’s what needs to happen, is flustered by it. But, of course, it has nothing to do with the end of the old gap-filled dragnet. Indeed, that daunting problem arises because the new program aspires to be more comprehensive.

In any case, I’m grateful Rubio has done us the favor of laying out precisely what gaps the IC is currently trying to fill, but hawks like Rubio will likely call him a traitor for doing so.

Did NSA Add a New Dragnet Provider with Its Latest Order?

Cryptome has published the latest phone dragnet order. Contrary to reports, the dragnet order is only for two months (until the end of August), not until the expiration of the bulk dragnet in November, plus retroactive collection to May 31. It also has new language reflecting changes in minimization requirements in USA Freedom Act, and updated language to reflect the Second Circuit’s decision in a paragraph ordering that the government inform FISC if anything changes because of the pending circuit court decisions.

But the most interesting change has to do with the redactions.

The initial redaction (which lists all the providers) is not the same size — the new order, 15-75, has a wider redaction than the last order, 15-24, but the earlier order may be a line longer. But it is very close.

But the paragraph addressing custodians of records is clearly different. Here’s what that first few lines in that paragraph in 15-24 looks like:

Screen Shot 2015-07-03 at 2.57.57 PM

Here’s what it looks like in 15-75.

Screen Shot 2015-07-03 at 3.01.01 PM

The following paragraph, which addresses Verizon, appears to be the same.

There are two things that might explain the change in redaction. First, the providers may remain the same (understood to be AT&T and Sprint), but the official name used to refer to one may have changed — though I’m not aware of any changes at AT&T or Sprint that might explain that.

Or, they may have added another provider.

Mind you, I expect the government to add new providers once they move to the new querying technique in November, as the government will almost certainly be querying more newfangled kinds of “calls” and “texts” (to include VOIP and other Internet-based communications). So I think additional providers are inevitable.

Still, at least from the redactions of this order, it appears NSA may have already added a new provider.

The Government Changed Its Mind about How Many Databases It Searched in the Hassanshahi Case after It Shut Down the DEA Dragnet

As I noted in this post, the government insists that it did not engage in parallel construction in the case of Shantia Hassanshahi, the Iranian-American busted for sanctions violations using evidence derivative of a search of what the government now claims was a DEA dragnet. “While it would not be improper for a law enforcement agency to take steps to protect the confidentiality of a law enforcement sensitive investigative technique, this case raises no such issue.”

The claim is almost certainly bullshit, true in only the narrowest sense.

Indeed, the changing story the government has offered about how they IDed Hassanshahi based off a single call he had with a phone belonging to a person of interest, “Sheikhi,” in Iran, is instructive not just against the background of the slow reveal of multiple dragnets over the same period. But also for the technological capabilities included in those claims. Basically, the government appears to be claiming they got a VOIP call from a telephony database.

As I lay out below, the story told by the government in various affidavits and declarations (curiously, the version of the first one that appears in the docket is not signed) changed in multiple ways. While there were other changes, the changes I’m most interested in pertain to:

  • Whether Homeland Security Investigator Joshua Akronowitz searched just one database — the DEA toll record database — or multiple databases
  • How Akronowitz identified Google as the provider for Hassanshahi’s phone record
  • When and how Akronowitz became interested in a call to Hassanshahi from another Iranian number
  • How many calls of interest there were

As you can see from the excerpts below, Akronowitz at first claimed to have searched “HSI-accessible law enforcement databases,” plural, and suggested he searched them himself.  In July 2014, in response to a motion to suppress (and after Edward Snowden had disclosed the NSA’s phone dragnet), Akronowitz changed that story and said he sent a research request to a single database, implying someone else did a search of just one database. Akronowitz told the same story in yet another revised affidavit submitted last October. In the declaration submitted in December but unsealed in January, DEA Assistant Special Agent Robert Patterson stuck with the single database story and used the passive voice to hide who did the database query.

While Akronowitz’ story didn’t change regarding how he discovered that Hassanshahi’s phone was a Google number, it did get more detailed in the July 2014 affidavit, which explained that he had first checked with another VOIP provider before being referred to Google.

Perhaps most interestingly, the government’s story changed regarding how many calls of interest there were, and between what numbers. In January 2013, Akronowitz said “a number of telephone calls between ‘Sheikhi’s’ known business telephone number and telephone number 818-971-9512 had occurred within a relatively narrow time frame” (though he doesn’t tell us what that time frame was). He also says that his Google subpoena showed “numerous calls to the same Iranian-based telephone number during a relatively finite period of time.” He neither explained that this number was not Sheikhi’s number — it was a different Iranian number — nor what he means by “a relatively finite period of time.”  His July and October affidavits said his research showed a contact, “on one occasion, that is, on July 4, 2011,” with Sheikhi’s number. The July affidavit maintained the claim that there were multiple calls between Hassanshahi’s number and an Iranian one: “numerous phone calls between Hassanshahi’s ‘818’ number and one Iranian phone number.” But by October, Akronowitz conceded that the Google records showed only “that Hassanshahi’s ‘818’ number made contact with an Iranian phone number (982144406457) only once, on October 5, 2011” (as well as a “22932293” number that he bizarrely claimed was a call to Iran).  Note, Akronowitz’ currently operative story would mean the government never checked whether there were any calls between Hassanshahi and Sheikhi between August 24 and September 6 (or after October 6), which would be rather remarkable. Patterson’s December affidavit provided no details about the date of the single call discovered using what he identified as DEA’s database, but did specify that the call was made by Hassanshahi’s phone, outbound to Iran. (Patterson didn’t address the later Google production, as that was pursuant to a subpoena.)

To sum up, before Edward Snowden’s leaks alerted us to the scope of NSA’s domestic and international dragnet, Akronowitz claimed he personally had searched multiple databases and found evidence of multiple calls between Hassanshahi’s phone number and Sheikhi’s number, as well as (after getting a month of call records from Google) multiple calls to another Iranian number over unspecified periods of time. After Snowden’s leaks alerted us to the dragnet, after Dianne Feinstein made it clear the NSA can search on Iranian targets in the Section 215 database, which somehow counts as a terrorist purpose, and after Eric Holder decided to shut down just the DEA dragnet, Akronowitz changed his story to claim he had found just one call between Hassanshahi and Shiekhi, and — after a few more months — just one call from another Iranian number to Hassanshahi. Then, two months later, the government claimed that the only database that ever got searched was the DEA one (the one that had already been shut down) which — Patterson told us — was based on records obtained from “United States telecommunications service providers” via a subpoena.

Before I go on, consider that the government currently claims it used just a single phone call of interest — and the absence of any additional calls in a later months’s worth of call records collected that fall — to conduct a warrantless search of a laptop in a state (CA) where such searches require warrants, after having previously claimed there was a potentially more interesting set of call records to base that search on.

Aside from the government’s currently operative claim that it would conduct border searches based on the metadata tied to a single phone call, I find all this interesting for two reasons.

First, the government’s story about how many databases got searched and how many calls got found changed in such a way that the only admission of an unconstitutional search to the judge, in December 2014, involved a database that had allegedly been shut down 15 months earlier.

Maybe they’re telling the truth. Or maybe Akronowitz searched or had searched multiple databases — as he first claimed — and found the multiple calls he originally claimed, but then revised his story to match what could have been found in the DEA database. We don’t know, for example, if the DEA database permits “hops,” but he might have found a more interesting call pattern had he been able to examine hops (for example, it might explain his interest in the other phone number in Iran, which otherwise would reflect no more than an immigrant receiving a call from his home country).

All of this is made more interesting because of my second point: the US side of the call in question was an Internet call, a Google call, not a telephony call. Indeed, at least according to Patterson’s declaration (records of this call weren’t turned over in discovery, as far as I can tell), Hassanshahi placed the call, not Sheikhi.

I have no idea how Google calls get routed, but given that Hassanshahi placed the call, there’s a high likelihood that it didn’t cross a telecom provider’s backbone in this country (and god only knows how DEA or NSA would collect Iranian telephony provider records), which is who Patterson suggests the calls came from (though there’s some room for ambiguity in his use of the term “telecommunications service providers”).

USAT’s story on this dragnet suggests the data all comes from telephone companies.

It allowed agents to link the call records its agents gathered domestically with calling data the DEA and intelligence agencies had acquired outside the USA. (In some cases, officials said the DEA paid employees of foreign telecom firms for copies of call logs and subscriber lists.)

[snip]

Instead of simply asking phone companies for records about calls made by people suspected of drug crimes, the Justice Department began ordering telephone companies to turn over lists of all phone calls from the USA to countries where the government determined drug traffickers operated, current and former officials said.

[snip]

Former officials said the operation included records from AT&T and other telecom companies.

But if this call really was placed from a Google number, it’s not clear it would come up under such production, even under production of calls that pass through telephone companies’ backbones. That may reflect — if the claims in this case are remotely honest — that the DEA dragnet, at least, gathered call records not just from telecom companies, but also from Internet companies (remember, too, that DOJ’s Inspector General has suggested DEA had or has more than one dragnet, so it may also have been collecting Internet toll records).

And that — coupled with the government’s evolving claims about how many databases got checked and how many calls that research reflected — may suggest something else. Given that the redactions on the providers obliged under the Section 215 phone dragnet orders haven’t changed going back to 2009, when it was fairly clear there were just 3 providers (AT&T, Sprint, and Verizon), it may be safe to assume that’s still all NSA collects from. A never-ending series of leaks have pointed out that the 215 phone dragnet increasingly has gaps in coverage. And this Google call would be precisely the kind of call we would expect it to miss (indeed, that’s consistent with what Verizon Associate General Counsel — and former DOJ National Security Division and FBI Counsel — Michael Woods testified to before the SSCI last year, strongly suggesting the 215 dragnet missed VOIP). So while FISC has approved use of the “terrorist” Section 215 database for the terrorist group, “Iran,” (meaning NSA might actually have been able to query on Sheikhi), we should expect that this call would not be in that database. Mind you, we should also expect NSA’s EO 12333 dragnet — which permits contact chaining on US persons under SPCMA — to include VOIP calls, even with Iran. But depending on what databases someone consulted, we would expect gaps in precisely the places where the government’s story has changed since it decided it had searched only the now-defunct DEA database.

Finally, note that if the government was sufficiently interested in Sheikhi, it could easily have targeted him under PRISM (he did have a GMail account), which would have made any metadata tied to any of his Google identities broadly shareable within the government (though DHS Inspectors would likely have to go through another agency, quite possibly the CIA). PRISM production should return any Internet phone calls (though there’s nothing in the public record to indicate Sheikhi had an Internet phone number). Indeed, the way the NSA’s larger dragnets work, a search on Sheikhi would chain on all his correlated identifiers, including any communications via another number or Internet identifier, and so would chain on whatever collection they had from his GMail address and any other Google services he used (and the USAT described the DEA dragnet as using similarly automated techniques).  In other words, when Akronowitz originally said there had been multiple “telephone calls,” he may have instead meant that Sheikhi and Hassanshahi had communicated, via a variety of different identifiers, multiple times as reflected in his search (and given what we know about DEA’s phone dragnet and my suspicion they also had an Internet dragnet, that might have come up just on the DEA dragnets alone).

The point is that each of these dragnets will have slightly different strengths and weaknesses. Given Akronowitz’ original claims, it sounds like he may have consulted dragnets with slightly better coverage than just the DEA phone dragnet — either including a correlated DEA Internet dragnet or a more extensive NSA one — but the government now claims that it only consulted the DEA dragnet and consequently claims it only found one call, a call it should have almost no reason to have an interest in.

Read more

The Foreign Metadata Problem

In this post, I argued that a likely explanation for the NSA’s limits on collecting domestic cell phone data stem from a decision Verizon made in 2009 to stop participating in an FBI call records program. I’m not sure if I’m right about the cause (I know I’m not right about the timing), but I based part of my argument on how the FISA Court resolved a problem with telecoms turning over foreign data in 2009. And that resolution definitely indicates there’s something different about the way Verizon produces dragnet data from how AT&T does (Sprint is probably a third case, but not as important for these purposes).

Let me be clear: Verizon was not the only telecom to have the problem. It affected at least one other telecom; I believe it may have affected all of them. But the FISC resolved it differently with Verizon, which I believe shows that Verizon complies with the Section 215 orders in different fashion than AT&T and Sprint.

The problem was first identified when, in May 2009, Verizon informed the NSA it had been including foreign-to-foreign records in the data it provided to the NSA. Here’s how David Kris explained it in his report accompanying the phone dragnet end to end report.

NSA advised that for the first time, in May 2009, [redacted–Verizon] stated it produced foreign-to-foreign record pursuant to the Orders. [redacted–Verizon] stopped its production of this set of foreign-to-foreign records on May 29, 2009, after service of the Secondary Order in BR 09-06, which carves out foreign-to-foreign records from the description of records to be produced. (19)

In an accompanying declaration Keith Alexander provided more detail.

In May 2009, during a discussion between NSA and [redacted–Verizon] regarding the production of metadata, a [redacted–Verizon] representative stated that [redacted] produced the records [redacted] pursuant to the BR FISA Orders. This was the first indication that NSA had ever received from [redacted–Verizon] of its contrary understanding. At the May 28, 2009, hearing in docket number BR 09-06, the government informed the Court of [redacted redacted]. To address the issue, based on the government’s proposal, the Court issued a Secondary Order to [redacted] in docket number BR 09-06 that expressly excluded foreign-to-foreign call detail records from the scope of records to be produced. On May 29, 2009, upon service of the Secondary Order in docket number  BR 09-06, [redacted–Verizon] ceased providing foreign-to-foreign records [redacted]. (42/PDF67)

Almost every dragnet order since that May 29, 2009 one has broken its production order out into two subparagraphs to reflect this change.

Screen Shot 2014-11-09 at 11.28.29 AM

We can be virtually certain that Verizon is this provider, because the Verizon secondary order leaked by Edward Snowden includes the language excluding foreign-to-foreign data. That long redaction likely hides Verizon’s full name under this program, “Verizon Business Network Services, Inc. on behalf of MCI Communication Services Inc., d/b/a Verizon Business Services (individually and collectively “Verizon”), which is the name initially used in the secondary order.

Additionally, ODNI originally released the January 20, 2011 primary order with the paragraph that clarifies this with Verizon’s name unredacted. The paragraph remains in the dragnet orders, even after Verizon and Vodaphone split earlier this year (though if the split affected this issue, they may have hidden the fact by retaining the paragraph, given that they’re now anticipating declassification of the orders).

Less than a month after this incident, on June 25, the NSA finished its End-to-End report, which reported just the Verizon issue. Sometime between then and July 9, the FISC appears to have realized one of the other providers had a similar problem. The July 9, 2009 dragnet order, in the only exception I know to the two-part production order, looked like this:

Screen shot 2014-11-09 at 2.07.33 PM

The production order is to plural custodians of records, meaning at least two providers must be named. But it applies the Verizon rules to all of the named providers.

The order also requires an explanation for inclusion of the foreign-to-foreign records (see the bullet at 16-17). It is redacted in the released order but the DOJ submission (see page 6) shows that Judge Walton ordered,

a full explanation of the extent to which NSA has acquired call detail records of foreign-to-foreign communications from [redacted–too long to just be Verizon] pursuant to orders of the FISC, and whether the NSA’s storage, handling, and dissemination of information in those records, or derived therefrom, complied with the Court’s orders;

The September 3, 2009 order reverts to the two-paragraph structure. But it also orders retroactive production from one of the providers (AT&T or Sprint, probably the latter based on redaction length) named in the first paragraph (I first wrote about this here).

In addition, the Custodian of Records of [redacted] shall produce to NSA upon service of the appropriate Secondary Order an electronic copy of the same tangible things created by [redacted] for the period from 5:11 p.m. on July 9, 2009 to the date of this Order, to the extent those records still exist.

And adds a requirement that NSA report on any significant changes in reapplications, including on any changes to how the government obtains the data from carriers.

Any application to renew or reinstate the authority granted herein shall include a report describing: (1) the queries made since the end of the reporting period of the last report filed with the Court; (ii) the manner in which NSA applied the procedures set forth in paragraph (3)C above; and (iii) any proposed changes in the way in which the call detail records would be received from the carriers and any significant changes to the systems NSA uses to receive, store, process, and disseminate BR metadata. [my emphasis]

The DOJ report provides further evidence that at least one other provider provided foreign-to-foreign records. When Kris introduces this problem (see page 18), he references a three part discussion in Alexander’s declaration.

Screen shot 2014-11-09 at 3.52.19 PM

You can see the heading for the third provider on page 46/PDF 71 of the Alexander declaration.

So the report appears to have commented on all three providers. The problem clearly affected two of them.

But FISC only retains the clarification for Verizon.

As I said, I appear to be wrong about the timing of this. I had suggested it was tied to Verizon deciding not to reup its contract under the FBI phone program in 2009. That almost certainly had to have happened (as Charlie Savage noted to me via Twitter, the Exigent Letter IG Report was focused on AT&T, MCI, and Verizon, and one of the latter two, which means basically one part of Verizon, backed out).

But the End-to-End Report makes it clear Verizon first started turning over this data in January 2007.

This foreign-to-foreign metadata started coming into NSA in January 2007. (15)

There was not even a dragnet order signed in January 2007, so it can’t be tied primarily to the phone dragnet. It also preceded the end of the on-site phone provider program (which ended in December 2007) and even the release of the first NSL IG Report in March 2007, which led the providers to get squirrelly (see page 191 for these dates).

The details regarding the potential problems with Verizon’s provision of foreign-to-foreign records suggests this may have something to do with upstream production (Verizon had been providing upstream records to the NSA for years, but it only came under the oversight of the FISC in January 2007).

Furthermore, because the records are records of foreign-to-foreign communications, almost all of them do not concern the communications of U.S. persons. To the extent any of the records concern the communications of U.S. persons, such communications would be afforded the same protections as any other U.S. person communication [redacted] authorities. Id. at 43. (19)

[snip]

almost all of them concern the communications of non-U.S. persons located outside the United States. If NSA were to find that any of the records concerned U.S. persons, their dissemination would be governed by the terms of USSID 18 which are the procedures established pursuant to EO 12333, as amended. (68)

The discussion of records that might “concern the communications” sounds like an “about” search (though I’m not sure of what).

All that said, AT&T should have had the same upstream “about” obligations starting in January 2007 that Verizon did. I suspect (based on my guess that Sprint is the production that got shut down) the order in the July 9, 2009 order is the only instruction they ever got to stop providing foreign-to-foreign records. Yet FISC felt the need — still feels the need — to keep that explicit order to Verizon in every single primary order.

Mind you, all this shows that Verizon was able to shut down the foreign production immediately, on the same day. So it’s clear they can shut down certain kinds of production.

All this seems to suggest that — in addition to at least some part of Verizon withdrawing from the FBI’s records program, and to Verizon not retaining records for the same length of time AT&T does — Verizon also produces phone dragnet data differently than AT&T does.

Company B (Verizon? Sprint?) Stopped Playing Nice with FBI in 2009

I’m reading this DOJ IG report on NSLs — about which I’ll have far more later.

But given everything we’ve learned about NSA’s dragnet, I’m rather interested in footnote 156:

Company A, Company B, and Company C are the three telephone carriers described in our Exigent Letters Report that provided telephone records to the TCAU in response to exigent letters and other informal requests between 2003 and 2006. As described in our Exigent Letters Report, the FBI entered into contracts with these carriers in 2003 and 2004, which required that the communication service providers place their employees in the TACU’s office space and give these employees access to their companies’ databases so they could immediately service FBI requests for telephone records. Exigent Letters Report, 20. As described in the next chapter, TCAU no longer shares office space with the telephone providers. Companies A and C continue to serve FBI requests for telephone records and provide the records electronically to the TCAU. Company B did not renew its contract with the FBI in 2009 and is no longer providing telephone records directly to the TCAU. Company B continues to provide telephone records in response to NSL requests issued directly by the field without TCAU’s assistance.

I’m guessing Company B is Verizon, because it always comes second! Though it could also be Sprint.

Recall that Reggie Walton shut down Verizon production for part of 2009 (I’ll have posts reinforcing this claim sometime in the near future). Verizon may have started being a jerk about providing foreign calls records at that point which — at least technically were provided voluntarily. So that’s why it might be Verizon.

At the same time. Sprint is a good candidate because, at the end of the year, it demanded legal process from the phone dragnet. Also, it has challenged DOJ’s reimbursements, which has gotten it sued.

Given ongoing discussions about whether NSA gets all the phone records it’d like under Section 215 — and the explanation they’re missing cell records — I’m particularly interested in this development.

Sadness in the NSA-Telecom Bromance

In his report on an interview with the new Director of NSA, Admiral Mike Rogers, David Sanger gets some operational details wrong, starting with his claim that the new phone dragnet would require an “individual warrant.”

The new phone dragnet neither requires “warrants” (the standard for an order is reasonable suspicion, not probable cause), nor does it require its orders to be tied to “individuals,” but instead requires “specific selection terms” that may target facilities or devices, which in the past have been very very broadly interpreted.

All that said, I am interested in Rogers’ claims Sanger repeats about NSA’s changing relationship with telecoms.

He also acknowledged that the quiet working relationships between the security agency and the nation’s telecommunications and high technology firms had been sharply changed by the Snowden disclosures — and might never return to what they once were in an era when the relationships were enveloped in secrecy.

Oh darn!

Sadly, here’s where Sanger’s unfamiliarity with the details makes the story less useful. Publicly, at least, AT&T and Verizon have had significantly different responses to the exposure of the dragnet (though that may only be because Verizon’s name has twice been made public in conjunction with NSA’s dragnet, whereas AT&T’s has not been), and it’d be nice if this passage probed some of those details.

Telecommunications businesses like AT&T and Verizon, and social media companies, now insist that “you are going to have to compel us,” Admiral Rogers said, to turn over data so that they can demonstrate to foreign customers that they do not voluntarily cooperate. And some are far more reluctant to help when asked to provide information about foreigners who are communicating on their networks abroad. It is a gray area in the law in which American courts have no jurisdiction; instead, the agency relied on the cooperation of American-based companies.

Last week, Verizon lost a longstanding contract to run many of the telecommunications services for the German government. Germany declared that the revelations of “ties revealed between foreign intelligence agencies and firms” showed that it needed to rely on domestic providers.

After all, under Hemisphere, AT&T wasn’t requiring legal process even for domestic call records. I think it possible they’ve demanded the government move Hemisphere under the new phone dragnet, though if they have, we haven’t heard about it (it would only work if they defined domestic drug dealer suspects as associated with foreign powers who have some tie to terrorism). Otherwise, though, AT&T has not made a peep to suggest they’ll alter their decades-long overenthusiastic cooperation with the government.

Whereas Verizon has been making more audible complaints about their plight, long before the Germans started ending their contracts. And Sprint — unmentioned by Sanger — even demanded to see legal support for turning over phone data, including, apparently, turning over foreign phone data under ECPA;s exception in 18 U.S.C. § 2511(2)(f)‘s permitting telecoms to voluntarily provide foreign intelligence data. 

Given that background — and the fact ODNI released the opinions revealing Sprint’s effort, if not its name — I am curious whether the telecoms are really demanding process. If courts really had no jurisdiction then it is unclear how the government could obligate production

Though that may be what the Microsoft’s challenge to a government request for email held in Ireland is about, and that may explain why AT&T and Verizon, along with Cisco and Apple — for the most part, companies that have been more reticent about the government obtaining records in the US — joined that suit. (In related news, EU Vice President Viviane Reding says the US request for the data may be a violation of international law.)

Well, if the Microsoft challenge and telecom participation in the request for data overseas is actually an effort to convince the Europeans these corporations are demanding legal process, Admiral Rogers just blew their cover.

Admiral Rogers said the majority of corporations that had long given the agency its technological edge and global reach were still working with it, though they had no interest in advertising the fact.

Dear Ireland and the rest of Europe: Microsoft — which has long been rather cooperative with NSA, up to and including finding a way to obtain Skype data — may be fighting this data request just for show. Love, Microsoft’s BFF, Mike Rogers.

Why Is DOJ Hiding Three Phone Dragnet Orders in Plain Sight?

The ACLU and EFF FOIAs for Section 215 documents are drawing to a head. Later this week, EFF will have a court hearing in their suit. And last Friday, the government renewed its bid for summary judgment in the ACLU case.

Both suits pivot on whether the government’s past withholdings on Section 215 were in good faith. Both NGOs are arguing they weren’t, and therefore the government’s current claims — that none of the remaining information may be released — cannot be treated in good faith. (Indeed, the government likely released the previously sealed NSA declaration to substantiate its claim that it had to treat all documents tying NSA to the phone dragnet with a Glomar because of the way NSA and DOJ respectively redact classification mark … or something like that.)

But the government insists it is operating in good faith.

Instead, the ACLU speculates, despite the government’s declarations to the contrary, that there must be some non-exempt information contained in these documents that could be segregated and released. In an attempt to avoid well-established law requiring courts to defer to the government’s declarations, especially in the area of national security, the ACLU accuses the government of bad faith and baldly asserts that the government’s past assertions regarding segregability—made before the government’s discretionary declassification of substantial amounts of information regarding its activities pursuant to Section 215— “strip the government’s present justifications of the deference due to them in ordinary FOIA cases.” ACLU Br. at 25. The ACLU’s allegations are utterly unfounded. For the reasons set forth below, the government’s justifications for withholding the remaining documents are “logical and plausible,”

EFF and ACLU have focused closely on a August 20, 2008 FISC order describing a method to conduct queries; I have argued it probably describes how NSA makes correlations to track correlations.

The government is refusing to identify 3 orders it has already identified

But — unless I am badly mistaken, or unless the government mistakenly believes it has turned over some of these orders, which is possible! — I think there are three other documents being withheld (ones the government hasn’t even formally disclosed to EFF, even while pretending they’ve disclosed everything to EFF) that raise questions about the government’s good faith even more readily: the three remaining phone dragnet Primary Orders from 2009. All three have been publicly identified, yet the government is pretending they haven’t been. They are:

BR 09-09, issued on July 8, 2009. Not only was this Primary Order identified in paragraph 3 of the next Primary Order, but it was discussed extensively in the government’s filing accompanying the end-to-end report. In addition, the non-approval of one providers’ metadata  (I increasingly suspect Sprint is the provider) for that period is reflected in paragraph 1(a) of that next Primary Order.

BR 09-15, issued on October 30, 2009. The docket number and date are both identified on the first page of this supplemental order.

BR 09-19, issued on December 16, 2009. It is mentioned in paragraph 3 of the next Primary Order. The docket number and the date are also referred to in the documents pertaining to Sprint’s challenge recently released. (See paragraph 1 and paragraph 5 for the date.)

Thus, the existence of all three Primary Orders has been declassified, even while the government maintains it can’t identify them in the context of the FOIAs where they’ve already been declassified.

The government has segregated a great deal of the content of BR 09-09

The government’s withholding of BR 09-09 is particularly ridiculous, given how extensively the end-to-end motion details it. From that document, we learn:

  • Pages 5-7 approve a new group for querying. (see footnote 2)
  • Pages 9-10 require those accessing the dragnet be briefed on minimization procedures tied to the dragnet (see PDF 22); this is likely the language that appears in paragraph G of the subsequent order. This specifically includes technical personnel. (see PDF 49)
  • Pages 10-11 require weekly reporting on disseminations. (see PDF 23) This is likely the information that appears in paragraph H in the subsequent order.
  • Page 12 affirmatively authorizes the data integrity search to find “certain non user specific numbers and [redacted] identifiers for purposes of metadata reduction and management” (see footnote 19 and PDF 55)
  • Page 8 and 13-14 lay out new oversight roles, especially for DOJ’s National Security Division (see PDF 22); these are likely the requirements laid out in paragraphs M through R in subsequent orders. Those same pages also require DOJ to share the details of NSD’s meeting with NSA in new FISC applications. (see PDF 23)
  • BR 09-09 included the same reporting requirements as laid out in BR 09-01 and BR 09-06 (see PDF 5)
  • Pages 16 -17 also included these new reporting requirements: (see PDFs 6 and 29 – 30)
    • a full explanation of why the government has permitted dissemination outside NSA of U.S. person information in violation of the Court’s Orders in this matter;
    • a full explanation of the extent to which NSA has acquired call detail records of foreign-to-foreign communications from [redacted] pursuant to orders of the FISC, and whether the NSA’s storage, handling, and dissemination of information in those records, or derived therefrom, complied with the Court’s orders; and
    • either (i) a certification that any overproduced information, as described in footnote 11 of the government’s application [i.e. credit card information), has been destroyed, and that any such information acquired pursuant to this Order is being destroyed upon recognition; or (ii) a full explanation as to why it is not possible or otherwise feasible to destroy such information.
  • BR 09-09 specifically mentioned that NSA had generally been disseminating BR FISA data according to USSID 18 and not the more restrictive dissemination provisions of the Court’s Orders. (see footnote 12)
  • BF 09-09 approved Chief, Information Sharing Services, the Senior Operations Officer, the Signals Intelligence
    Directorate (So) Director, the Deputy Director of NSA, and the Director of NSA to authorize US person disseminations. (see footnote 22 and PDF 28)

Significant parts of at least 13 pages of the Primary Order (the next Primary Order is 19 pages long) have already been deemed segregable and released. Yet the government now appears to be arguing, while claiming it is operating in good faith, that none of these items would be segregable if released with the order itself!

Wildarse speculation about why the government is withholding these orders

Which raises the question of why. Why did the government withhold these 3 orders, alone among all the known regular Primary Orders from the period of EFF and ACLU’s FOIAs? (See this page for a summary of the known orders and the changes implemented in each.)

The reason may not be the same for all three orders. BR 09-09 deals with two sensitive issues — the purging of credit card information and tech personnel access — that seem to have been resolved with that order (at least until the credit card problems returned in March 2011).

But there are two things that all three orders might have in common.

First, BR 09-09 deals closely with dissemination problems — the ability of CIA and FBI to access NSA results directly, and the unfettered sharing of information within NSA. BR 09-15 lays out new dissemination rules, with the supplement in November showing NSA to still be in violation. So it’s likely all 3 orders deal with dissemination violations (and therefore with poison fruit of inappropriate dissemination that may still be in the legal system), and that the government is hiding one of the more significant aspects of the dragnet violations by withholding those orders.

I also think it’s possible the later two (potentially all three, but more likely the later two) orders combine the phone and Internet dragnets. That’s largely because of timing: A June 22, 2009 order — the first one to deal with the dissemination problems formally addressed in BR 09-09 — dealt with both dragnets. There is evidence the Internet dragnet data got shut down (or severely restricted) on October 30, 2009, the date of BR 09-15. And according to the 2010 John Bates Internet dragnet opinion, NSA applied to restart the dragnet in late 2009 (so around the time of BR 09-19). So I think it possible the later orders, especially, deal with both programs,  thereby revealing details about the legal problems with PRTT the government would like to keep suppressed. (Note, if BR 09-15 and BR 09-19 are being withheld because they shut down Internet production, it would mean all three orders shut down some production, as BR 09-09 shut down one provider’s telephone production.)

Another possibility has to do with the co-mingling of EO 12333 and Section 215 data. These three orders all deal with the fact that providers (at least Verizon, but potentially the other two as well) had included foreign-to-foreign phone records along with the production of their domestic ones.That’s the reason production from one provider got shut down in BR 09-09. And immediately after the other withheld records, the Primary Orders always included a footnote on what to do with EO 12333 data turned over pursuant to BR FISA orders (see footnote 7 and footnote 10 for examples). Also, starting in March 2009, the Orders all contain language specifically addressing Verizon. So we know the FISC was struggling to come up with a solution for the fact that NSA had co-mingled data obtainable under EO 12333 and data the telecoms received PATRIOT Act orders from. (I suspect this is why Sprint insisted on legal cover, ultimately demanding the legal authorization of the program with the December order.) So it may be that all these orders reveal too much about the EO 12333 dragnet — and potential additional violations — to be released.

Whatever the reason, there is already so much data in the public domain, especially on BR 09-09, it’s hard to believe withholding it is entirely good faith.

David Barron’s ECPA Memo

Last week, I laid out the amazing coinkydink that DOJ provided Sprint a bunch of FISA opinions — including the December 12, 2008 Reggie Walton opinion finding that the phone dragnet did not violate ECPA — on the same day, January 8, 2010, that OLC issued a memo finding that providers could voluntarily turn over phone records in some circumstances without violating ECPA.

Looking more closely at what we know about the opinion, I’m increasingly convinced it was not a coinkydink at all. I suspect that the memo not only addresses FBI’s exigent letter program, but also the non-Section 215 phone dragnet.

As a reminder, we first learned of this memo when, in January 2010, DOJ’s Inspector General issued a report on FBI’s practice of getting phone records from telecom provider employees cohabiting at FBI with little or no legal service. The report was fairly unique in that it was released in 3 versions: the public unclassified but heavily redacted version, a Secret version, and a Top Secret/SCI version. Given how closely parallel the onsite telecom provider program was with the phone dragnet, that always hinted the report may have touched on other issues.

Roughly a year after the IG Report came out, EFF FOIAed the memo (see page 30). Over the course of the FOIA litigation — the DC Circuit rejected their appeal for the memo in January — DOJ provided further detail about the memo.

Here’s how OLC Special Counsel Paul Colborn described the memo (starting at 25):

The document at issue in this case is a January 8, 2010 Memorandum for Valerie Caproni, General Counsel of the Federal Bureau of Investigation (the “FBI”), from David J. Barron, Acting Assistant Attorney General for the Office of Legal Counsel (the “Opinion”). The OLC Opinion was prepared in response to a November 27, 2009 opinion request from the FBI’s General Counsel and a supplemental request from Ms. Caproni dated December 11, 2009. These two requests were made in order to obtain OLC advice that would assist FBI’s evaluation of how it should respond to a draft Report by the Office of Inspector General at the Department of Justice (the “OIG”) in the course of a review by the OIG of the FBI’s use of certain investigatory procedures.In the context of preparing the Opinion, OLC, as is common, also sought and obtained the views of other interested agencies and components of the Department. OIG was aware that the FBI was seeking legal advice on the question from OLC, but it did not submit its views on the question.

The factual information contained in the FBI’s requests to OLC for legal advice concerned certain sensitive techniques used in the context of national security and law enforcement investigations — in particular, significant information about intelligence activities, sources, and methodology.

Later in his declaration, Colborn makes it clear the memo addressed not just FBI, but also other agencies.

The Opinion was requested by the FBI and reflects confidential communications to OLC from the FBI and other agencies. In providing the Opinion, OLC was serving an advisory role as legal counsel to the Executive Branch. In the context of the FBI’s evaluation of its procedures, the general counsel at the FBI sought OLC advice regarding the proper interpretation of the law with respect to information-gathering procedures employed by the FBI and other Executive Branch agencies. Having been requested to provide counsel on the law, OLC stood in a special relationship of trust with the FBI and other affected agencies.

And FBI Record/Information Dissemination Section Chief David Hardy’s declaration revealed that an Other Government Agency relied on the memo too. (starting at 46)

This information was not examined in isolation. Instead, each piece of information contained in the FBI’s letters of November 27, 2009 and December 11, 2009, and OLC’s memorandum of January 8, 2010, was evaluated with careful consideration given to the impact that disclosure of this information will have on other sensitive information contained elsewhere in the United States intelligence community’s files, including the secrecy of that other information.

[snip]

As part of its classification review of the OLC Memorandum, the FBI identified potential equities and interests of other government agencies (“OGAs”) with regard to the OLC memo. … FBI referred the OLC Memo for consultation with those OGAs. One OGA, which has requested non-attribution, affirmatively responded to our consultation and concurs in all of the classification markings.

Perhaps most remarkably, the government’s response to EFF’s appeal even seems to suggest that what we’ve always referred to as the Exigent Letters IG Report is not the Exigent Letters IG Report!

Comparing EFF’s claims (see pages 11-12) with the government’s response to those claims (see pages 17-18), the government appears to deny the following:

  • The Exigent Letters IG Report was the 3rd report in response to reporting requirements of the USA PATRIOT reauthorization
  • FBI responded to a draft of the IG Report by asserting a new legal theory defending the way it had obtained certain phone records in national security investigations, which resulted in the January 8, 2010 memo
  • The report didn’t describe the exception to the statute involved and IG Glenn Fine didn’t recommend referring the memo to Congress
  • In response to a Marisa Taylor FOIA, FBI indicated that USC 2511(2)(f) was the exception relied on by the FBI to say it didn’t need legal process to obtain voluntary disclosure of phone records

Along with these denials, the government reminded that the report “contained significant redactions to protect classified information and other sensitive information.” And with each denial (or non-response to EFF’s characterizations) it “respectfully refer[red] the Court to the January 2010 OIG report itself.”

The Exigent Letters IG Report is not what it seems, apparently.

With all that in mind, consider two more details. First, as David Kris (who was the Assistant Attorney General during this period) made clear in his paper on the phone (and Internet) dragnet, in addition to Section 215, the government obtained phone records from the telecoms under USC 2511(2)(f), the clause in question.

And look at how the chronology maps.

November 5, 2008: OLC releases opinion ruling sneak peak and hot number requests (among other things) impermissible under NSLs

December 12, 2008: Reggie Walton rules that the phone dragnet does not violate ECPA

Throughout 2009: DOJ confesses to multiple violations of Section 215 program, including:

  • An alert function that serves the same purpose as sneak peaks and also violates Section 215 minimization requirements
  • NSA treated Section 215 derived data with same procedures as EO 12333 data; that EO 12333 data included significant US person data
  • One provider’s (which I originally thought was Sprint, then believed was Verizon, but could still be Sprint) production got shut down because it included foreign-to-foreign data (the kind that, according to the OLC, could be obtained under USC 2511(2)(f)

Summer and Fall, 2009: Sprint meets with government to learn how Section 215 can be used to require delivery of “all” customer records

July 9, 2009: Sprint raises legal issues regarding the order it was under; Walton halts production from provider which had included foreign-to-foreign production

October 30, 2009: Still unreleased primary order BR 09-15

November 27, 2009: Valerie Caproni makes first request for opinion

December 11, 2009: Caproni supplements her request for a memo

December 16, 2009: Application and approval of BR 09-19

December 30, 2009: Sprint served with secondary order

January 7, 2010: Motion to unseal records

January 8, 2010: FISC declassifies earlier opinions; DOJ and Sprint jointly move to extend time when Sprint can challenge order; and OLC releases OLC opinion; FISC grants motion (John Bates approves all these motions)

January 11, 2010: DOJ moves (in a motion dated January 8) to amend secondary order to incorporate language on legality; this request is granted the following day (though we don’t get that order)

January 20, 2010: IG Report released, making existence of OLC memo public

This memo is looking less and less like a coinkydink after all, and more and more a legal justification for the provision of foreign-to-foreign records to accompany the Section 215 provision. And while FBI said it wasn’t going to rely on the memo, it’s not clear whether NSA said the same.

Golly. It’d sure be nice if we got to see that memo before David Barron got to be a lifetime appointed judge.