Administration Feeds Journalists Hints of More Secret Law … Journalists Instead Parrot “Russian Roulette” Line

Back in January, Charlie Savage revealed that in 2007 the FISC approved a secret interpretation of the Roving Wiretap provision, one of the provisions due to sunset Sunday night. To support a domestic content collection order targeting al Qaeda targets overseas, Judge Roger Vinson rubber-stamped DOJ’s argument that — because Congress had let it wiretap individual targets without naming each of the phones they were using, that also meant it could target al Qaeda as a target — without naming each of the phones and email addresses it was using.

Judge Vinson ruled that this procedure was a legitimate interpretation of FISA because of a provision Congress had added to the surveillance law in the Patriot Act. The provision created so-called roving wiretap authority, which allows the F.B.I. to get orders to swiftly follow targets who switch phones, telling the court about the new numbers later.

Public discussion of the purpose and meaning of roving wiretap authority has focused on targeting individual terrorists or spies who seek to evade detection. But Judge Vinson accepted a Justice Department proposition that the target could be Al Qaeda in general, so if the N.S.A. learned of a new Qaeda suspect, it could immediately collect his communications and get after-the-fact approval.

The government stopped using this particular application as it transitioned to the Protect America Act (though it even grandfathered some of the existing targets tasked under the prior argument). But the premise — that DOJ can target entire communication nodes based on the argument that a specific target is using unknown accounts passing through that node — surely remains on the books.

This secret interpretation of the law may not be as outrageous as FISC’s redefinition of the word “relevant” to mean “all,” but it is nevertheless a fairly breathtaking argument, with potentially dangerous ongoing implications.

Yet, in spite of the fact that a top journalist (not some dirty hippie like me!) revealed this secret interpretation, the journalists who transcribed Administration claims that sunsetting PATRIOT would amount to playing “national security Russian roulette” have also transcribed Administration claims that they’re only using Roving Wiretaps individually.

A second tool is the “roving wiretap,” which enables the FBI to use one warrant to wiretap a spy or terrorist suspect who is constantly switching cellphones. Those two in particular are of “tremendous value,” the first official said.

We don’t know they’re using Roving Wiretaps to tap entire circuits anymore. But we know they can. That detail should be included in any description before a journalist parrots the Administration claim this is an “uncontroversial” authority. If it’s not controversial, it should be.

Ditto the Lone Wolf provision.

Reporters are reporting something that — 11 years after passage of the Lone Wolf provision — ought to raise serious questions (note: Lone Wolf was actually not part of the PATRIOT Act; it was passed in 2004 as part of the Intelligence Reform and Terrorism Prevention Act).

A third tool allows the FBI to surveil a “lone wolf” suspect who cannot be tied to a foreign terrorist group such as al-Qaeda. It has never been used, but officials said it is a valuable authority they do not want to lose.

That provision has been on the books for 11 years, and the FBI still says they have never used it but that, even though they have never used it, it is a valuable authority. It was not used in cases — such as that of Khalid Ali-M Aldawsari — that solidly fit the definition of a Lone Wolf. Even if the FBI found someone who they thought was an international terrorist but didn’t know to what group he belonged, they could get an emergency wiretap to help them find evidence.

So what “value” does the Lone Wolf provision have, if it’s not to authorize the wiretapping of Lone Wolves?

I think there’s increasing reason to ask whether this, like the Roving Wiretap, serves to justify some other secret law, allowing the government to spy on people against whom it has no evidence of ties to al Qaeda or any other terrorist group, but on whom it nevertheless wants to use its terrorist authorities.

We’re on the fifth or so reauthorization debate where FBI has said “we don’t use this thing but we find it very valuable anyway.” At some point, we need to start assuming that when they say they haven’t “used” it, they only mean in the literal sense, and they’re using it to support some secret, unintended purpose.

Rather than parroting Administration claims of “Russian roulette,” shouldn’t journalists be asking why, after 11 years, their claims of necessity make no sense?


DOJ IG Issues Yet Another Classified Report that Should Be Public Before Congress Votes on PATRIOT Act

DOJ’s Inspector General just announced it completed its draft report on the use of Pen Register/Trap and Trace between 2007 and 2009 15 months ago, but the Intelligence Community only finished its classification review last month. It has now issued a classified version of that report to the Judiciary and Intelligence Committees.

Department of Justice Inspector General Michael E. Horowitz today issued a classified report entitled, The Federal Bureau of Investigation’s Use of Pen Register and Trap and Trace Devices under the Foreign Intelligence Surveillance Act in 2007 through 2009. The Department of Justice (DOJ) Office of the Inspector General (OIG) completed a draft of this report in February 2014. At that time, we provided the draft report to DOJ, the Federal Bureau of Investigation (FBI), and the Intelligence Community to conduct factual accuracy and classification reviews. In May 2014, we circulated an updated draft report that reflected minor revisions made in response to the factual accuracy comments we received. We did not receive the final results of the classification reviews until April 30, 2015.

We are providing today’s classified report to the relevant Congressional oversight and intelligence committees, as well as to DOJ leadership offices. We recently submitted a short unclassified Executive Summary of the report to DOJ, the FBI, and the Intelligence Community for review. We will publicly release the Executive Summary as soon as that review is completed.

This is another report that should have been released long before the current debate on the PATRIOT Act. While PRTT is not among the authorities that sunsets on Sunday, the issues surrounding the shut-down of the bulk Internet program in (around) October 2009 are central to the debate about the dragnet going forward, because “call” records are increasingly Internet records.

Moreover, the USA F-ReDux calls for “privacy guidelines” that I believe are still inadequate to protect US persons’ privacy in the ways the IC is likely using PRTT today. Plus, PRTT is likely used for applications — such as tower dumps and Stingrays — that affect the privacy of many people not otherwise targeted. Congress should have details about that before they legislate.

In addition, Richard Burr’s bill actually adopts a definition of “content” — excluding Dialing, Routing, Addressing, and Signaling data from the definition of content — that responds directly to the issues behind the Internet dragnet shutdown in 2009.

Last week, much of DC discovered for the first time — because of the delayed release of DOJ IG’s report on Section 215 — what I had been reporting for months: that the bulk of Section 215 orders actually collect bulky Internet data. That report also disclosed that, at least as used up until 2009 (that is, as FBI just started using 215 for that Internet collection), Section 215 wasn’t all that useful.

It is highly likely that the 15-month old PRTT report DOJ’s IG just released would have information that is equally important to this debate.

But the public is not going to have access to it.


Behold, BR 15-24, the Longest-Serving Phone Dragnet Order Ever

By my calculation today marks the 91st day of the life of phone dragnet order BR 15-24, making it the longest running dragnet order ever. Though the order offered no explanation, FISC judge James Boasberg approved a 95-day expiration for this order back on February 26 so the dragnet order expiration would coincide with PATRIOT Act’s sunset.

It probably seemed wise at the time, but it definitely exacerbates the impact of Mitch McConnell’s miscalculation last week, as it means there is no grace period after the current order expires.

The 90-day renewals appear to arise out of both the Stellar Wind practice and the FISA Pen Register practice. Under the former, the Bush Administration reviewed the dragnet every 45 days to make sure it was still necessary and give it the appearance of oversight. (The renewal dates appear on this timeline.) When FISC approved the use of the Pen Register statute to collect the Internet dragnet, it adhered to that statute’s renewal process, which requires 90-day renewals. I assume the phone dragnet adopted the same, even though Section 215 has no renewal requirement, because the phone dragnet collected even more data than the Internet dragnet did.

So already, we’re a day longer than the spirit of the law should permit, four days before Sunday’s scheduled resolution (or lack thereof) of the current impasse.

Given Charlie Savage’s account, it appears the Administration did not — as ordered by Boasberg — brief the FISC on the impact of the 2nd Circuit decision if it would change the program. Rather, they’re just hiding out, hoping they don’t need to raise this or any other issue with regards to the dragnet with the FISC.

The Foreign Intelligence Surveillance Court had given the government a deadline of last Friday to file a new application to extend the bulk phone records program for 90 days. Given the disarray in the Senate and the looming deadline, the Justice Department did not file, the official said, speaking on condition of anonymity to discuss intelligence-related matters.

[snip]

The administration is holding to its decision not to invoke the grandfather clause to keep collecting bulk phone records past next Monday, the official said. But the government has not ruled out invoking such a clause for using the business records provision — as well as the other two powers that are expiring — to gather specific records for more routine investigations.

“We will not use the grandfather clause in the Patriot Act to continue the bulk metadata collection program; it would not be tenable for us to do so,” the senior official said.

“Thus, because of the pending sunset of the current authority, we have not filed an application with the FISA court to continue collection,” the official said, referring to the Foreign Intelligence Surveillance Act court, also known as FISC.

The official added, “We will consider, in light of our national security needs and the status of our authorities, whether to make an appropriate filing with the FISC about accessing previously collected metadata.”

[snip]

The administration is hoping to avoid any need to go to the court for permission to query already-acquired bulk phone data, which would raise additional legal complications.

But one plan being floated — Dianne Feinstein’s non-compromise compromise — would simply permit the FISC to extend the current order until a year after whenever her bill might be passed into law (which couldn’t be Sunday night), as if nothing had ever happened.

CONTINUED APPLICABILITY.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, the order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26, 2015, in Docket No. BR 15–24, may be extended by order of that court until the effective date established in subsection (a) [that is, one year after the passage of this bill]

In other words, Feinstein proposes to take a dragnet collecting the phone records of all Americans, and extend it for an entire year, when even a Pen Register targeting an individual would need to be formally renewed.


US Extended Its Special Relations with the Saudis another Decade

Back in 2013, then Saudi Interior Minister and current Crown Prince Mohammed bin Nayef came to the US for a great coming out party (and, seemingly, to herald Obama’s second term foreign policy team). While here, he signed an extension to the Technical Cooperation Agreement first signed back in 2008.

The TCA is basically a cooperation agreement to get direct help from us–including training and toys–to protect Saudi infrastructure and borders, particularly its oil infrastructure. As part of it, the Saudis are developing a 35,000 person force, including a paramilitary force, with US training. But unlike our other defense agreements with the Saudis (and like the Joint Commission for Economic Cooperation it was explicitly modeled on, which had been in place from the 1970s until 1999), this one includes a special bank account to fund it all.

The Kingdom of Saudi Arabia will establish a dollar disbursement account in the United States Treasury. Any funds required by the United States for agreed-upon projects will be deposited by the Kingdom of Saudi Arabia in the account in such amounts and at such times as are mutually agreed, and the United States may draw on this account in the amount so agreed. If upon termination of this agreement there are funds remaining in the special account after all expenses have been paid, such funds will be refunded to the Kingdom of Saudi Arabia.

That account could fund contractors and toys. But at least at first, it could not fund US government employees.

The United States will pay for all costs of U.S. Government direct-hire employees assigned to the Kingdom of Saudi Arabia to perform services under this Agreement.

Less than a year into the agreement, that changed, with MbN agreeing the Saudis would also pay for US personnel salaries.

MbN was grateful for USG efforts and assured us full funding would soon follow the signing of these documents, and reconfirmed the SAG’s commitment to pay all OPM-MOI costs. He also agreed to fund all USG employee costs, concurring with any necessary TCA changes to allow such payments, commenting that “hopefully the lawyers will not cause us any problems.”

And already by the time MbN made that agreement, the US was installing military and State employees to oversee this effort (see more on these personnel here).

After unsuccessfully trying to ask for the TCA, I FOIAed it, which I only finally got yesterday. For the most part, it wasn’t worth the wait, as it was only a formal extension of the deal.

That said, I find it interesting that rather than extend the deal 5 years (the original term of the TCA), they instead extended it over a decade, until May 15, 2023.

Given all the events in the Middle East, January 2013 was an interesting time for MbN to come to the US to preemptively sign this TCA. And it’s interesting they’ve extended it a full decade. I’m also curious about the timing of this release, as MbN just returned to the US (this time as part of the Gulf summit), for the first time as the US-backed heir to the Saudi throne (though maybe it just takes State 2 years to release a totally unclassified document as a matter of course?).


Intelligence Committees Still Trying to Force Agencies to Follow Reagan’s Rules

34 years ago Ronald Reagan issued the Executive Order that still governs most of our country’s intelligence activities, EO 12333.

As part of it, the EO required any agency using information concerning US persons to have a set of procedures laying out how it obtains, handles, and disseminates information (see the language of 2.3 below).

Only — as the Privacy and Civil Liberties Oversight Board started pointing out in August 2013 — some agencies have never complied. In February, PCLOB revealed the 4 agencies that are still flouting Reagan’s rules, along with what they have been using:

The Department of Homeland Security’s notoriously shoddy Office of Intelligence and Analysis: Pending issuance of final procedures, I&A is operating pursuant to Interim Intelligence Oversight Procedures, issued jointly by the Under Secretary for Intelligence and Analysis and the Associate General Counsel for Intelligence (April 3, 2008).

United States Coast Guard (USCG)- Intelligence and counterintelligence elements: Pending issuance of final procedures, operating pursuant to Commandant Instruction – COMDINST 3820.12, Coast Guard Intelligence Activities (August 28, 2003).

Department of Treasury Office of Intelligence and Analysis (OIA): Pending issuance of final procedures. While draft guidelines are being reviewed in the interagency approval process, the Office of Intelligence and Analysis conducts intelligence operations pursuant to EO 12333 and statutory responsibilities of the IC element, as advised by supporting legal counsel.

Drug Enforcement Administration, Office of National Security Intelligence (ONSI): Pending issuance of final procedures, operates pursuant to guidance of the Office of Chief Counsel, other guidance, and: Attorney General approved “Guidelines for Disclosure of Grand Jury and Electronic, Wire, and Oral Interception Information Identifying United States Persons” (September 23, 2002); Attorney General approved “Guidelines Regarding Disclosure to the Director of Central Intelligence and Homeland Security Officials of Foreign Intelligence Acquired in the Course of a Criminal Investigation” (September 23, 2002).

Last year’s House Intelligence Committee version of NSA reform (the one I called RuppRoge) would have included language requiring agencies to finish these procedures — mandated 34 years ago — within 6 months. And now, over a year later, Dianne Feinstein’s latest attempt at reform echoed that language.

Which strongly suggests these agencies are still deadbeats.

As I said in February, I’m most concerned about DEA (because DEA is out of control) and, especially, Treasury (because Treasury’s intelligence activities are a black box with little court review). Treasury is making judgements that can blacklist someone financially, but it has thus far refused to institute procedures to protect Americans’ privacy while it does so.

And no one seems to be rushing to require them to do so.


2.3 Collection of Information. Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order. Those procedures shall permit collection, retention and dissemination of the following types of information:
(a) Information that is publicly available or collected with the consent of the person concerned;
(b) Information constituting foreign intelligence or counterintelligence, including such information concerning corporations or other commercial organizations. Collection within the United States of foreign intelligence not otherwise obtainable shall be undertaken by the FBI or, when significant foreign intelligence is sought, by other authorized agencies of the Intelligence Community, provided that no foreign intelligence collection by such agencies may be undertaken for the purpose of acquiring information concerning the domestic activities of United States persons;
(c) Information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation;
(d) Information needed to protect the safety of any persons or organizations, including those who are targets, victims or hostages of international terrorist organizations;
(e) Information needed to protect foreign intelligence or counterintelligence sources or methods from unauthorized disclosure. Collection within the United States shall be undertaken by the FBI except that other agencies of the Intelligence Community may also collect such information concerning present or former employees, present or former intelligence agency contractors or their present or former employees, or applicants for any such employment or contracting;
(f) Information concerning persons who are reasonably believed to be potential sources or contacts for the purpose of determining their suitability or credibility;
(g) Information arising out of a lawful personnel, physical or communications security investigation;
(h) Information acquired by overhead reconnaissance not directed at specific United States persons;
(i) Incidentally obtained information that may indicate involvement in activities that may violate federal, state, local or foreign laws; and
(j) Information necessary for administrative purposes.
In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.


A Brief History of the PATRIOT Reauthorization Debate

I wanted to provide some background of how we got to this week’s PATRIOT Reauthorization debate to explain what I believe the surveillance boosters are really aiming for. Rather than a response to Edward Snowden, I think it is more useful to consider “reform” as an Intelligence Community effort to recreate functionalities they had and then lost in 2009.

2009 violations require NSA to start treating PATRIOT data like PATRIOT data and shut down automated functions

That history starts in 2009, when NSA was still operating under the system they had established under Stellar Wind while pretending to abide by FISC rules.

At the beginning of 2009, the NSA had probably close to full coverage of phone records in the US, and coverage on the most important Internet circuits as well. Contrary to the explicit orders of the FISC, NSA was treating all this data as EO 12333 data, not PATRIOT data.

On the Internet side, it was acquiring data that it considered Dialing, Routing, Addressing, and Signaling information but which also constituted content (and which violated the category limits Colleen Kollar-Kotelly had first imposed).

On the phone side, NSA was not only treating PATRIOT data according to NSA’s more general minimization procedures as opposed to those dictated by the FISC. But in violation of those minimization procedures, NSA was submitting phone dragnet data to all the automated procedures it submitted EO 12333 data to, which included automated searches and automatic chaining on other identifiers believed to belong to the same user (the latter of which NSA calls “correlations”). Either these procedures consisted of — or the data was also treated to — pattern analysis, chaining users on patterns rather than calls made. Of key importance, one point of having all the data in the country was to be able to run this pattern analysis. Until 2008 (and really until 2009) they were sharing the results of this data in real time.

Having both types of data allowed the NSA to chain across both telephony and Internet data (obtained under a range of authorities) in the same query, which would give them a pretty comprehensive picture of all the communications a target was engaging in, regardless of medium.

I believe this bucolic state is where the surveillance hawks want us to return to. Indeed, to a large extent that’s what Richard Burr’s bill does (with a lot of obstructive measures to make sure this process never gets exposed again).

But when DOJ disclosed the phone violations to FISC in early 2009, they shut down all those automatic processes. And Judge Reggie Walton took over 6 months before he’d even let NSA have full ability to query the data.

Then, probably in October 2009, DOJ finally confessed to FISC that every single record NSA had collected under the Internet dragnet for five years violated Kollar-Kotelly’s category rules. Walton probably shut down the dragnet on October 30, 2009, and it remained shut down until around July 2010.

At this point, not only didn’t NSA have domestic coverage that included Internet and phone, but the phone dragnet was a lot less useful than all the other phone data NSA collected because NSA couldn’t use its nifty automatic tools on it.

Attempts to restore the pre-2009 state

We know that NSA convinced John Bates to not only turn the Internet dragnet back on around July 2010 (though it took a while before they actually turned it on), but to expand collection to some or all circuits in the US. He permitted that by interpreting anything that might be Dialing, Routing, Addressing, and Signaling (DRAS) to be metadata, regardless of whether it also was content, and by pointing back to the phone dragnet to justify the extension of the Internet dragnet. Bates’ fix was short-lived, however, because by 2011, NSA shut down that dragnet. I wildarseguess that may be partly because DOJ knew it was still collecting content, and when Bates told NSA if it knew it was collecting content with upstream collection, it would be illegal (NSA destroyed the Internet dragnet data at the same time it decided to start destroying its illegal upstream data). I also think there may have been a problem with Bates’ redefinition of DRAS, because Richard Burr explicitly adopted Bates’ definition in his bill, which would have given Bates’ 2010 opinion congressional sanction. As far as we know, NSA has been coping without the domestic Internet dragnet by collecting on US person Internet data overseas, as well as off PRISM targets.

Remember, any residual problems the Internet dragnet had may have affected NSA’s ability to collect any IP-based calls or at least messaging.

Meanwhile, NSA was trying to replace the automated functions it had up until 2009, and on November 8, 2012, the NSA finally authorized a way to do that. But over the next year plus, NSA never managed to turn it on.

The phone records gap

Meanwhile, the phone dragnet was collecting less and less of the data out there. My current theory is that the gap arose because of two things involving Verizon. First, in 2009, part or all of Verizon dropped its contract with the FBI to provide enhanced call records first set up in 2002. This meant it no longer had all its data collected in a way that was useful to FBI that it could use to provide CDRs (though Verizon had already changed the way it complied with phone records in 2007, which had, by itself, created some technical issues). In addition, I suspect that as Verizon moved to 4G technology it didn’t keep the same kind of records for 4G calls that transited its backbone (which is where the records come from, not from customer bills). The problems with the Internet dragnet may have exacerbated this (and in any case, the phone dragnet orders only ask for telephony metadata, not IP metadata).

Once you lose cell calls transiting Verizon’s backbone, you’ve got a big hole in the system.

At the same time, more and more people (and, disproportionately, terrorist targets) were relying more and more on IP-based communications — Skype, especially, but also texting and other VOIP calls. And while AT&T gets some of what crosses its backbone (and had and still has a contract for that enhanced call record service with the FBI, which means it will be accessible), a lot of that would not be available as telephony. Again, any limits on Internet collection may also impact IP based calls and messaging.

Edward Snowden provides a convenient excuse

Which brings you to where the dragnets were in 2013, when Edward Snowden alerted us to their presence. The domestic PATRIOT-authorized Internet dragnet had been shut down (and with it, potentially, Internet-based calls and messaging). The phone dragnet still operated, but there were significant gaps in what the telecoms would or could turn over (though I suspect NSA still has full coverage of data that transits AT&T’s backbone). And that data couldn’t be subjected to all the nifty kinds of analysis NSA liked to subject call data to. Plus, complying with the FISC-imposed minimization procedures meant NSA could only share query results in limited situations and even then with some bureaucratic limits. Finally, it could only be used for counterterrorism programs, and such data analysis had become a critical part of all of NSA’s analysis, even including US collection.

And this is where I suspect all those stories about NSA already considering, in 2009 and in 2013, shutting down the dragnet come from. As both Ken Dilanian stories on this make clear, DOJ believed they could not achieve the same search results without a new law passed by Congress. Bob Litt has said the same publicly. Which makes it clear these are not plain old phone records.

So while Edward Snowden was a huge pain in the ass for the IC, he also provided the impetus to make a decision on the phone dragnet. Obama made a big show of listening to his Presidential Review Group and PCLOB, both of which said to get rid of it (the latter of which said it was not authorized by Section 215). But — as I noted at the time — moving to providers would fix some of their problems.

In their ideal world, here’s what we know the IC would like:

  • Full coverage on both telephony and IP-based calls and messaging and — ideally — other kinds of Internet communications
  • Ability to share promiscuously
  • Ability to use all NSA’s analytical tools on raw data (the data mandates are about requiring some kind of analytical work from providers)
  • Permission to use the “call” function for all intelligence purposes
  • Ability to federate queries with data collected under other authorities

And the IC wants this while retaining Section 215’s use of bulky collections that can be cross-referenced with other data, especially the other Internet collection it conducts using Section 215, which makes up a majority of Section 215 orders.

Those 5 categories are how I’ve been analyzing the various solutions (which is one of about 10 reasons I’m so certain that Mitch McConnell would never want straight reauthorization, because there’s nothing that straight reauthorization would have ratified that would have fixed the existing problems with the dragnet), while keeping in mind that as currently constructed, the Internet 215 collection is far more important to the IC than the phone dragnet.

How the bills stack up

USA F-ReDux, as currently incarnated, would vastly expand data sharing, because data would come in through FBI (as PRISM data does) and FBI metadata rules are very permissive. And it would give collection on telephony and IP-based calls (probably not from all entities, but probably from Apple, Google, and Microsoft). It would not permit use for all intelligence purposes. And it is unclear how many of NSA’s analytical tools they’d be able to use (I believe they’d have access to the “correlations” function directly, because providers would have access internally to customers’ other accounts, but with the House report, other kinds of analysis should be prohibited, though who knows what AT&T and Microsoft would do with immunity). The House report clearly envisions federated queries, but they would be awkward to integrate with the outsourced collection.

Burr’s bill, on the other hand, would expand provider based querying to all intelligence uses. But even before querying might —  maybe — probably wouldn’t — move to providers in 2 years, Burr’s bill would have immediately permitted NSA to obtain all the things they’d need to return to the 2009 bucolic era where US collected data had the same treatment as EO 12333 collected data. And Burr’s bill would probably permit federated queries with all other NSA data. This is why, I think, he adopted EO 12333 minimization procedures, which are far more restrictive than what will happen when data comes in via FBI, because since it will continue to come in in bulk, it needs to have an NSA minimization procedure. Burr’s bill would also sneak the Section 215 Internet collection back into NSL production, making that data more promiscuously available as well.

In other words, this is why so many hawks in the House are happy to have USA F-ReDux: because it is vastly better than the status quo. But it’s also why so many hawks in the Senate are unsatisfied with it: because it doesn’t let the IC do the other things — some of the analytical work and easy federated queries — that they’d like, across all intelligence functions. (Ironically, that means even while they’re squawking about ISIS, the capabilities they’d really like under Burr’s bill involve entirely other kinds of targets.)

A lot of the debate about a phone dragnet fix has focused on other aspects of the bill — on transparency and reporting and so on. And while I think those things do matter (the IC clearly wants to minimize those extras, and had gutted many of them even in last year’s bill), what really matters are those 5 functionalities.

 


Feinstein Enters the Non-Compromise Compromise Fray (Working Thread)

Dianne Feinstein is the latest member of Congress to offer a non-compromise compromise to replace the compromise USA F-ReDux, this time with a bill that would:

  • Impose a 2-year data mandate in some cases (which would affect Apple and Verizon most immediately)
  • Extend the current dragnet order — which is already 89 days old — for an entire year
  • Require certification that the providers could provide phone data before moving over to the replacement system before that year runs out
  • Retain Richard Burr’s Section 215-specific Espionage Act imposing 10 year penalties on anyone who tells us what the intelligence community is really doing with the call records program
  • Retain Richard Burr’s counter-productive amicus provision
  • Revamp USA F-ReDux’s transparency provisions in ways that are less dishonest but just as useless
  • For key authorities, allow any member of Congress (under certain limits) to learn how the government is using them

This will be a working thread.

Update: Just to clarify, I believe Feinstein’s bill is almost certainly supposed to be the “face-saving” version of USA F-ReDux referred to in this article.

Feinstein accomplishes this:

Some leaders of the House Intelligence Committee, along with supporters in the Senate, hope they can assuage the concerns of Senate Republicans by adding a certification process to ensure that telephone companies had developed the technology they needed to store the reams of data that were now gathered by the government. If the technology could not be certified, a longer transition period would kick in.

In Section 108, with the certification process.

Feinstein adds an odd data mandate — not listed in this story but a key complaint from Mitch and others — in Section 101 (page 4).

And Feinstein responds to this request,

Republicans have also expressed a desire to protect the phone companies against harassment from privacy activists over their participation in a new surveillance program.

By adopting the Section 215 dedicated Espionage Act at Section 501.


(3) DiFi’s bill explicitly permits the government to get call detail records in the old way.

(4) DiFi’s bill tweaks USA F-ReDux’s call chaining language for use with “individuals” who are not agents of foreign powers engaged in international terrorism. Those would be US persons.

(5) The data mandate is really fascinating. It only requires a company to retain data after getting a request but is vague about how much data must be retained (which is likely “all”).

(3) may include a request for an order that requires each recipient of the order under this section to retain the call detail records for up to 24 months from the date the call detail record was initially generated—

(A) if the request includes a certification made by the Director of the Federal Bureau of Investigation that the Government has reason to believe that the recipient of the order being applied for is not retaining call detail records for a period of up to 24 months and that the absence of call detail records for that period of time is resulting in, or is reasonably likely to result in, the loss of foreign intelligence information relevant to an authorized investigation; and

(B) if the order provides that call detail records retained solely for purposes of complying with an order under this section may only be produced pursuant to an order under this section.

It’s an odd construct (though it does try to keep the records out of the hands of divorce lawyers, which I guess is good). Obviously, the government will have the records they actually ask for at any given time. So what it suggests is this will be a mandate on some or the entire universe of the providers’ existing records so they can do pattern analysis.

(7) The scheme for call detail records is the same as in USA F-ReDux, but absent the HJC report language saying it can’t involve analysis I assume it does.

(12) DiFi retains the minimization procedures from USA F-ReDux.

(14) The bill adds immunity for records retention.

(17) The “limitation” language is different, and adds “indiscriminate.” Again, this still uses the IC definition of bulk, though, which is meaningless, even modified by “indiscriminate.” SST is the same, including the narrower limit for CDR function.

(19) DiFi eliminates IG reports, I guess because they show how sloppily these things are run and how generally useless they are.

(19) Here’s how DiFi deals w/Burr’s transition canard.

IN GENERAL.—The amendments made by sections 101 through 107 shall take effect on the date that is 180 days after the date of the enactment of this Act unless the President certifies to the appropriate committees of Congress that the transition from the existing procedures for the production of business records under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.), as in effect prior to the effective date for the amendments made by section 101 through 107, to the new procedures, as amended by sections 101 through 107, is not sufficiently operational to allow the timely retrieval of foreign intelligence information from recipients of an order under section 501 of such Act.

(2) EXTENSION FOR CERTIFICATION.—If the President makes a certification described in paragraph (1), the amendment made by sections 101 through 107 shall take effect on the date, that may be up to 1 year after the date of the enactment of this Act, that the President determines that the transition referred to in such paragraph is sufficiently operational to allow the timely retrieval of foreign intelligence information from recipients of an order under section 501 of such Act.

(3) LIMITATION ON TRANSITION PERIOD.—If the President makes a certification under paragraph (1) and does not determine an effective date under paragraph (2), the amendments made by sections 101 through 107 shall take effect on the date that is 1 year after the date of the enactment of this Act.

(b) NO EFFECT ON PRIOR AUTHORITY.—Nothing in this Act, or any amendment made by this Act, shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) as in effect on May 31, 2015, during the period ending on such effective date.

(c) TRANSITION.—(1) ORDERS IN EFFECT ON MAY 31, 2015.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, any order issued or made under title V of the Foreign Intelligence Surveillance Act of 1978 and in effect on May 31, 2015, shall continue in effect until the date of the expiration of such order.

(2) CONTINUED APPLICABILITY.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, the order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26, 2015, in Docket No. BR 15–24, may be extended by order of that court until the effective date established in subsection (a).

(3) USE OF INFORMATION.—

(A) IN GENERAL.—Information acquired from the call detail records pursuant to an order issued under section 501 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861) prior to the effective date in subsection (a) may continue to be used after the effective date of this Act, subject to the limitation in subparagraph (B).

(B) DESTRUCTION OF INFORMATION.—Any record produced under any order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26, 2015, in Docket No. BR 15–24, or any predecessor order for such an order shall be destroyed no later than 5 years after the date such record was initially collected. Until that time, such a record may be used in accordance with the purpose prescribed and the procedures established in such order.

(23) DiFi’s bill takes out this language, which was in USA F-ReDux, in the PRTT section, but it does retain privacy procedures.

(C) For purposes of subparagraph (A), the term ‘address’ means a physical address or electronic address, such as an electronic mail address or temporarily assigned network address (including an Internet protocol address).

(24) DiFi includes bulk controls on NSLs, but not the gag fix.

(26) The 215 reporting takes out the reporting on bulk collection to Congress that was in USA F-ReDux. Sharing of this is extended to everyone in Congress whom the HPSCI chair likes.

(33) DiFi gets rid of two-track reporting on all non-215 and consolidates it. The reporting is somewhat different (for example, Congress will no longer know when something has been used in a trial). DiFi pretends to extend this reporting to everyone in Congress, but since it’s subject to Congressional rules that will only happen in the senate.

(40) DiFi does include significant matter of law reporting to the appropriate committees (which exists).

(45) DiFi continues Burr’s Espionage Act.

(47) The amicus curiae is the John Bates Richard Burr version, which I think might be counterproductive.

(55) DiFi requires agencies that have not established minimization procedures required under the original EO 12333. See this post for more background.


Why Does Richard Burr Think It Will Take Four Times Longer To Set Up a Metadata Compliance System than a Content One?

On November 8, 2007, Yahoo received its first order to comply with the Protect America Act, the original law authorizing PRISM. Yahoo immediately told DOJ it would challenge the order. On May 12, 2008 — even as Yahoo appealed FISC’s order to comply with those PAA orders — Yahoo started complying with its PAA orders.

It took 185 days for Yahoo to set up a content compliance system under PRISM and challenge the underlying orders. And along the way, FBI’s requests expanded, from just a few items to nine, which appear to span the four business units Yahoo had at the time. Yet even in spite of FBI’s moving target and its ongoing legal challenge, Yahoo was able to start complying in about 6 months.

And yet Richard Burr believes — rather, claims to believe — that providers who already have sophisticated compliance systems (either under upstream and daily call records production, in the case of the telecoms, or PRISM production, in the case of other providers, not to mention that AT&T already provides roughly what it will under the new program under a contract with the FBI) will not be able to implement a system that will allow them to turn over phone records within 180 days.

Now, perhaps Burr really believes it will be tougher for providers to set up a metadata compliance system than set up content compliance systems that involve a heavy metadata component.

If so, that ought to raise real questions about what he thinks these providers will be doing, because it won’t just be turning over metadata.

Alternately, he’s wielding his ridiculous concerns about compliance for the same hoped effect as his bill did. He claimed that bill would institute a 2-year transition period for this program, but what it did in fact was to immediately grant the Intelligence Community all the authorities it has wanted, vastly expanding the dragnet. Then, a year after giving the IC everything it wanted, it would conduct a 1-year review (before any transition happened) that would show that it would be cheaper for the government to remain in the dragnet business. Only after 2 years would any “transition” happen, and it would in fact happen, if it did, immediately, with no transition period (though it probably never would happen, given that the IC would have already gotten everything it wanted).

That is, Burr’s claim that providers that have been complying with significant government requests for 7 years would need 2 more years to learn how to do it is probably just a bid to prevent the move to providers in the first place, a bid to have one more chance to argue in 6 months or a year or 2 years that it’s okay for the government to hold onto all our phone and Internet metadata.

But if not — if the new system will require more from providers than it did when they started turning over records under PRISM — then that is itself news.


Devin Nunes Will Let Dragnet Lapse So Mitch McConnell Can Save Face?!?!

NYT has a remarkable article describing how a number of hawks are willing to risk letting PATRIOT Act authorities lapse so Mitch McConnell can save face.

Senior lawmakers are scrambling this week in rare recess negotiations to agree on a face-saving change to legislation that would rein in the National Security Agency’s dragnet of phone records, with time running out on some of the government’s domestic surveillance authority.

[snip]

If negotiators accept minor changes to the House bill, it will mark a significant retreat for Senator Mitch McConnell of Kentucky, the majority leader, and Senator Richard M. Burr of North Carolina, the chairman of the Senate Intelligence Committee.

Sadly, the NYT continues the typically credulous mainstream reporting on this topic. For example, Mitch McConnell never really wanted a straight reauthorization.

Mr. McConnell and Mr. Burr wanted a straight extension of the existing surveillance authority, although an appeals court judge ruled this month that such authority was illegal.

False. Burr revealed what they want Friday night. They want to move bulky Internet production back to NSLs. They want to expand the current dragnet to include Internet calls and even straight IP (and, oddly, documents!), and they want to expand it well beyond its counterterrorism focus to include all foreign intelligence. They want to criminalize whistleblowing about this law in particular. They want to eliminate all special privacy protections — over the standard NSA ones — for US persons.

And very importantly, they want to use the claim to need a 2-year transition period to finally obtain the authorities for NSA to conduct the bulk collection they actually want to do, in which place they’ll be well positioned to claim having the government retain the data is most efficient.

I could go on. But after Friday night no journalists with any self-respect should propagate Mitch’s “straight reauthorization” canard, which — it was clear over a month ago — was only ever a negotiating tactic.

NYT also falsely claims Burr wants just Lone Wolf and Roving Wiretap made permanent.

Mr. Burr wants the so-called lone wolf and roving authorities to be made permanent to avoid cliffhangers like the one Congress finds itself in now. The House bill would extend them to December 2019.

The title to that section of Burr’s bill reads,

PERMANENT AUTHORITY FOR ACCESS TO BUSINESS RECORDS, ROVING SURVEILLANCE, AND INDIVIDUAL TERRORISTS AS AGENTS OF FOREIGN POWERS UNDER THE FOREIGN INTELLIGENCE SURVEILLANCE ACT OF 1978 [my emphasis]

And the language of it repeals both parts of both laws that include a sunset.

But the really absurd part of this story — and to be fair, NYT has to report these arguments as if they’re serious, and I should be grateful they have been recorded in all their absurdity — is that Burr and Nunes are now claiming that the largest phone companies in the US don’t know how to 1) store data, or 2) “search stored phone data after a warrant [actually, a Reasonable Articulable Suspicion order, not a warrant] is issued, then communicate the results to the government.”

The two men have said phone companies, which would collect the data instead of the N.S.A. under the USA Freedom Act, are not equipped to handle the task.

[snip]

Leaders of the House Intelligence and Judiciary Committees from both parties, along with supporters in the Senate, said they could assuage the concerns of Senate Republicans by adding a certification process to ensure that telephone companies had developed the technology they needed to store the reams of data that were now gathered by the government. If the technology could not be certified, a longer transition period would kick in.

Mr. Burr said he would like that period to be two years, a proposal not very likely to be accepted by the House.

“The question is whether the technology can be developed in time, over a six-month window,” Mr. Nunes said in an interview. “I think it can be. I was at N.S.A. reviewing this 10 days ago.”

He added: “We believe six months works, but it wouldn’t be bad to have a little longer.”

But even that change has irked lawmakers, who worked for months on the compromise that passed the House. Representative Adam B. Schiff of California, the ranking Democrat on the House Intelligence Committee, said the technology in question — the ability to search stored phone data after a warrant is issued, then communicate the results to the government — was “a pretty minor deal” that could easily meet a certification deadline.

The men overseeing our intelligence community claim to not understand that phone companies store this information — and respond to lawful government requests for it — every day.

In truth, this is likely another ploy to expand the role of providers down the road (as happened under PRISM), after we’ve all become less vigilant — beyond simply providing phone records (as these silly Congressmen claim) to doing far more analysis.

After all, the only way these claims make sense is if the government expects to get real pushback from providers going forward — and that’s not going to happen if all they want is call records delivered to the government, which telecoms have been doing forever.

So that’s the likely play: to set up some mechanism whereby the hawks can claim — in 6 months’ time — that telecoms are unwilling or unable (the same standard they use for drones killing!) to do what the government will ask. At which point we’ll be fighting to get the government out of an expanded dragnet business.

One more thing.

The Republicans also claim that the telecoms have been harassed by privacy advocates.

Republicans have also expressed a desire to protect the phone companies against harassment from privacy activists over their participation in a new surveillance program.

This is likely a bid to do something to shroud the dragnets (it won’t be just telecom going forward) in secrecy from here on out. Probably not the act-specific Espionage Act, like Burr wants, but probably some other means to ensure that no one ever gets standing to challenge what will still be an unconstitutional program going forward.

I guess they hope we won’t notice because we’re laughing at their other batty excuses so hard?


I’m Shocked, Shocked, to Find that Lying Is Going on in the Senate

As I noted here, given the content of the radical bill Richard Burr introduced on Friday, it appears likely that his claim Section 215 supported an IP dragnet was no misstatement, as he claimed when I called him on it. But that — and the misstatements Mitch McConnell made on Friday about the bill — are not the only lies the authoritarians have been telling.

Just after USA F-ReDux failed in the Senate Friday night and Barbara Boxer tried to call it back up for a vote, Mitch McConnell falsely claimed that Dianne Feinstein was involved in Burr’s radical bill. Senator Feinstein actually had to interrupt and point out that not only doesn’t she think Burr’s bill is the way to go, but that pushing for it might put all the expiring provisions at risk. (h/t Steven Aftergood for pulling Congressional Research Service records)

McCONNELL. Mr. President, the Senate has demonstrated that the House-passed bill lacks the support of 60 Senators. I would urge a “yes” vote on the 2-month extension. Senator Burr, the chairman of the Intelligence Committee, and Senator Feinstein, the ranking member, as we all know, have been working on a proposal that they think would improve the version that the Senate has not accepted that the House sent over. It would allow the committee to work on this bill, refine it, and bring it before us for consideration. So the 2-month extension, it strikes me, would be in the best interest of getting an outcome that is acceptable to both the Senate and the House and hopefully the President.

[snip]

Mrs. FEINSTEIN. Mr. President, if I may a point of personal privilege. Mr. President, I would like to correct the majority leader, regretfully. I did not support the Burr bill. I do not believe that is the way to go. I have taken a good look at this. For those who want reform and want to prevent the government from holding the data, the FREEDOM Act is the only way to do it. The House has passed it. The President wants it. All of the intelligence personnel have agreed to it, and I think not to pass that bill is really to throw the whole program–that whole section 215 as well as the whole business records, the “lone wolf,” the roving wiretaps–into serious legal jeopardy.

That is, of course, precisely what has happened. In his bid to ram through Burr’s expanded dragnet, Mitch has now made it increasingly likely that all the expiring provisions will lapse on June 1.
