emptywheel Coverage of USA F-ReDux, or, PRISM for Smart Phones

This post will include all my coverage on USA F-ReDux.

USA F-ReDux: Chaining on “Session Identifying Information” that Is Not Call Detail Records 

As I correctly predicted a year ago, by outsourcing “connection chaining” to the providers, the Intelligence Community plans to be able to chain on session identifying information (things like location and cookies) that is probably illegal.

Unlike the Existing Phone Dragnet, USA F-ReDux Does Not Include “Telephony” in Its Definition of Call Detail Record (Latest post)

The definition of Call Detail Record that will be adopted under USA F-ReDux is closely related to the definition currently used in the phone dragnet — though the USA F-ReDux does not require CDRs to be comprehensive records of calls as the existing phone dragnet does. The big difference, however, is that USA F-ReDux never specifies that calls include only telephony calls.

Congress’s Orwellian spying “reforms”: Why the government wants to outsource its surveillance to your Internet provider 

At Salon, I explain more about why the IC wants to create PRISM for Smart Phones with USA F-ReDux.

Google Applauds USA F-ReDux Because It “Modernizes” Surveillance 

Neither Google nor any of the other providers are admitting they’ll be getting expansive immunity to help spy on their users if USA F-ReDux passes. But Google does reveal they consider this move “modernization,” not reform. Is that because they’ll once again get a monopoly on spying on their users?

Nine Members of Congress Vote to Postpone the Fourth Amendment 

In the House Judiciary Committee mark-up of USA F-ReDux, 9 members appeared to agree with Ted Poe, Zoe Lofgren, and others, that the IC continues to violate the Fourth Amendment under back door searches. But they nevertheless decided they could “postpone” the Fourth Amendment for two years until FISA Amendments Authorization.

USA F-ReDux’s “Transparency” Provisions and Phone-PRISM 

Remarkably, after publishing topline numbers for Section 702 collection two years running, the IC has decided it can no longer share such data after USA F-ReDux passes. Some reasons it might not want to is because that would reveal the sea of unique identifiers the IC is tracking, as well as the expansion of PRISM and PRISM-lite that will happen under USA F-ReDux.

How to Break the Law Under USA F-ReDux: The Emergency Provision that Would Blow Up the Bill 

Given that Jim Sensenbrenner says closing some loopholes in USA F-ReDux’s emergency provisions (to say nothing of retaining the status quo, under which the FISC can force the government to destroy data obtained illegally), it makes it far more likely the IC intends to use those emergency provisions to break the law. There is already reason to believe they have tried to collect on people solely for protected First Amendment activities. But using this emergency loophole, they likely will also spy on targets that have nothing to do with counterterrorism.

On Mitch’s PATRIOT Gambit 

Mitch McConnell has filed a straight reauthorization of the PATRIOT Act until next decade. While it would be unwise to underestimate the Majority Leader’s strength of position, neither should reformers or the press treat this as anything else than what it is: a negotiating tactic. Remember: the IC doesn’t want a straight reauthorization, because it won’t let them do everything they want to do.

Bob Litt: That Bill I Wrote Looks Great on First Read 

Along with pretending that Mitch McConnell’s straight reauthorization is anything but a negotiating tactic, USA F-ReDux supporters and the press are also pretending that Bob Litt didn’t write this bill. He did.

Back Door Searching the Data Coming into FBI’s Front Door 

USA F-ReDux’s transparency provisions show that FBI will be able to do back door searches of data obtained through the connection chaining function. This also means that the data will come in through FBI, not NSA, which means it will be shared far, far more broadly than happens under the phone dragnet now, probably all the way down to localities.

The Loss of PRTT Minimization Review in USA F-ReDux 

There are two aspects of USA F-ReDux that add to my concerns about the use of the Pen Register provision for location data. One is that the IC eliminated authority for the FISA Court to review compliance of any minimization (or “privacy”) procedures under the provision.

FBI’s Pen Registers without Any Call Records 

The other reason to infer that the FBI is increasingly using PRTT to collect location data is that it only reports PRTT collection that involves phone and email records.

Congress Finally Gets Around to (Secretly) Tracking Section 215 Dragnets 

One improvement in the reporting requirements under USA F-ReDux is that the IC will have to tell Congress how many dragnets it is conducting under Section 215 and whether the FISC has imposed additional minimization procedures on those dragnets, suggesting they’re very privacy intrusive. This is tacit admission they weren’t being told about all the dragnets! What reporting requirement will Congress finally pass in another 9 years, after the IC has been abusing the program?

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Unlike the Existing Phone Dragnet, USA F-ReDux Does Not Include “Telephony” in Its Definition of Call Detail Record

As part of a larger effort to get some people who understand the intersection of telephony and Internet technologies well to review the chaining process that would be introduced under USA F-ReDux, I want to compare the definitions of Call Detail Record used under the current dragnet orders and that which would be adopted under USA F-ReDux (both of which I’ve put below).

Obviously, the definitions are very closely related. Both prohibit the collection of the name, address, or financial information of a subscriber or customer (which makes this definition far narrower than an administrative subpoena for phone records). Both prohibit the collection of “contents” (though using a definition tied to a communication sent, which may not include stored content). Both prohibit the collection of non-trunk identifier location data, though the USA F-ReDux definition explicitly adds GPS data to the definition.

And both include certain things in their definitions of “session identifying information,” including originating and terminating telephone number, IMSI and IMEI numbers, calling card numbers, and time and duration of a call. Though the existing definition uses the conjunction “and” in its orders that ultimately go to providers, but notes the definition “includes but is not limited to” this session-identifying information. USA F-ReDux uses a non-exclusive “or” for its description of what session-identifying information is, suggesting only one of those things must be included in a CDR. At least as I read it, then, the existing phone dragnet definition of “session identifying information” is expansive, ordering providers to turn over at least this much, though possibly more (cough, AT&T), just so long as that “more” doesn’t include anything from the 3 kinds of prohibited information. Whereas the USA F-ReDux definition provides a list of things, one of which must be included, to be considered a CDR that can be returned to the government at the end of the process. As I read it, a CDR might consist of nothing more than an IMEI or an IMSI number.

But by far the most interesting difference between these two definitions is that the existing phone dragnet orders requires this be telephony session-identifying information (and also seems to require some communications routing information). Not only doesn’t USA F-ReDux require the session-identifying information to relate to telephony sessions, the word “telephony” doesn’t appear in USA F-ReDux at all.

Thus, while the bill requires that reports back to the government include something that is considered a telephony identifier — a phone number or one of two numbers identifying a device — it doesn’t actually say that the sessions in question must be telephony sessions.

That’s important, because people increasingly make their calls using Internet technology, whether via things that feel like phone calls (VOIP), via video conversations, or via messaging (most notably iMessage) that — if sent across wifi — would not hit a telecom network as telephony. Nothing I see in this bill excludes those “calls” from this definition of CDR.

USA F-ReDux Definition of Call Detail Record

(3) CALL DETAIL RECORD.—The term ‘call detail record’—

(A) means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location or global positioning system information.

Existing Section 215 Definition of Call Detail Records

From the February 26, 2015 order, footnote 1.

For the purposes of this Order, “telephony metadata” includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identifier (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. Furthermore, this Order does not authorize the production of cell site location information (CSLI).

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Sony, the White House, and 10 Downing Street: What’s the Quid Pro Quo?

BrokenHollywoodLots of ugly things crawled out of Sony Pictures Entertainment’s emails leaked by hackers this past autumn.

The leak of emails and intellectual property, including then-unreleased film The Interview, was labeled “a serious national security matter” by the White House. In January this year, President Obama issued an executive order increasing sanctions against North Korea, the purported origin of the hack on SPE’s network and computers.

Sony Pictures Entertainment (SPE) is a wholly-owned subsidiary of Sony Corporation, a Japanese multinational conglomerate. In offering retaliation on behalf of SPE, the White House placed SPE on par with critical U.S. infrastructure, though no one will be physically injured or die should SPE be hacked again, and the market won’t collapse if SPE loses money on all its movies this year.

If SPE, a foreign-owned, information security-challenged entertainment firm, is now entitled to military protection against cyberattack, what is it the White House and the U.S. will receive or has received in exchange?

What’s the exchange in this quid pro quo?

Which brings us to the matter of STARZ’ cable series, Outlander, and UK Prime Minister David Cameron‘s government.

In 2013, STARZ network ordered the 16-episode adaptation of bestselling historical fiction novel, Outlander by author Diana Gabaldon, from production companies Tall Ship Productions, Story Mining & Supply Co., and Left Bank Productions, in association with Sony Pictures Television.

While STARZ was the U.S. distributor, offering the series on its own cable network, SPE’s TV arm appears to have handled overseas distribution to broadcast, cable, and video streaming services.

Outlander’s cross-genre narrative is set mainly in 1740s Scotland; the story is sympathetic to a Scottish protagonist and his time-traveling English wife who are caught between the British and Jacobites in the ramp up to the 1746 Battle at Culloden. The Scottish people and countryside are treated favorably in the series’ production.

The program debuted on STARZ in the U.S. on August 9 last year — a little less than six weeks before Scotland’s independence referendum (“IndyRef”). Outlander began airing in Canada and Australia in August also, and in October in Ireland after the IndyRef vote.

Distribution deals in other countries including Germany, Hungary, Japan, and the Netherlands led to wider release overseas last year.

But Outlander never received a distribution deal in 2014 in the UK, in spite of its many Scottish and British fans’ clamor and the source book’s status as a renewed bestseller in advance of the show’s U.S. debut. To date the series has only released on Amazon Prime Instant Video in the UK, for paid video-on-demand streaming — not on broadcast or cable.

At least one email leaked by hackers revealed that SPE personnel had a meeting or meetings with Cameron’s government. In an internal email from Keith E. Weaver, executive vice president, SPE executives were told,

“Your meeting with Prime Minister Cameron on Monday will likely focus on our overall investment in the U.K. – with special emphasis on the jobs created by Tommy Cooper [the ITV show], the importance of Outlander (i.e., particularly vis-a-vis the political issues in the U.K. as Scotland contemplates detachment this Fall), and the growth of our channels business…”

The implication is that SPE would suppress any effort to distribute Outlander to the benefit of Cameron’s anti-independence position, in exchange for “growth of our channels business…”

What exactly does this mean?

And is the pursuit of growth confined to SPE, or did “channels business” mean something else? Were Sony executives also looking for opportunities for Sony Corporation, which includes Sony Computer Entertainment, Sony Music Entertainment, Sony Mobile Communications (once known as Sony Ericsson), and Sony Financial?

Did SPE executives and the Prime Minister agree not to seek broadcast or cable distribution Outlander in the UK before this month’s election? Continue reading

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Congress Finally Gets Around to (Secretly) Tracking Section 215 Dragnets

There’s one transparency related aspect of USA F-ReDux that appears to be a necessary improvement over Leahy’s version.

Congress is mandating the Intelligence Community report (to the Judiciary and Intelligence Committees, but not to the public) on how many dragnets it is conducting under Section 215.

(b) REPORTING ON CERTAIN TYPES OF PRODUCTION.—Section 502(c)(1) (50 U.S.C. 1862(c)(1)) is amended—


(3) by adding at the end the following new subparagraphs:

(C) the total number of applications made for orders approving requests for the production of tangible things under section 501 in which the specific selection term does not specifically identify an individual, account, or personal device;

(D) the total number of orders described in subparagraph (C) either granted, modified, or denied; and

(E) with respect to orders described in subparagraph (D) that have been granted or modified, whether the court established under section 103 has directed additional, particularized minimization procedures beyond those adopted pursuant to section 501(g).

This basically requires the IC to tell the oversight committees how many of the applications made to the FISC court are bulky (they use “application” to discuss bulk programs to reflect the fact that one primary order may results in 3 secondary orders, as it does with the phone dragnets, or perhaps — who knows — may orders?). It also requires the IC to tell Congress if the FISC modifies any of these orders, a good indication the court finds them overly broad.

I guess this is tacit admission from Congress the dragnets are not ending under this bill? And that the oversight committees are finally getting around to informing themselves, on a yearly basis, about how many dragnets there are, even if they won’t know what the dragnets collect?

Shouldn’t they have this information before they write a bill? (In truth, they likely got this information from the IG Report on Section 215, which the IC is still pretending to be declassifying to stall the public being able to read it, which may be why it’s only showing up now).

The really pathetic thing is there is an identifiable metric that Congress will almost certainly realize they need, even if it is 9 years too late (as it is in this case), that they don’t have included in this bill. They need to be tracking how often the government is using the emergency provision, and how often the government doesn’t submit or the FISC doesn’t approve (or modifies it) after collection. Because that’s the part of this bill the IC will abuse going forward.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

FBI’s Pen Registers without Any Call Records

There’s one more aspect of the transparency procedures in USA F-ReDux I find notable (in addition to the IC’s sudden unwillingness to share the scope of Section 702 and the fact that FBI will get all the returns from CDR searches, as opposed to a tiny subset as happens now).

As under the Leahy version of USA Freedom Act, the bill only requires the government to count communications collected pursuant to the Pen Register statute.

(3) the total number of orders issued pursuant to title IV and a good faith estimate of—

(A) the number of targets of such orders; and

(B) the number of unique identifiers used to communicate information collected pursuant to such orders;

Location tracking does not count as a communication (and there may be other loopholes in the new, undefined language). So to the extent they’re using PRTTs primarily to conduct location tracking, that won’t show up.

Remarkably (and in good news, maybe, but who knows?), the FBI exemption they give to everything interesting only applies to non telephone and email identifiers.

(B) ELECTRONIC MAIL ADDRESS AND TELEPHONE NUMBERS.—Paragraph (3)(B) of subsection (b) shall not apply to orders resulting in the acquisition of information by the Federal Bureau of Investigation that does not include electronic mail addresses or telephone numbers.

(Bob Litt, didn’t your Yale professors ever tell you not to use a double negative if you wanted to avoid confusing people?)

Again, perhaps this means the FBI is exclusively using PRTT for location data (but even there, to claim they weren’t collecting it, they’d have to claim a device identifier was different than a phone number, which it is, but jeebus are they that cynical?). But we know they’ve got their PCTDD production, which ought to be based off a traditional pen register which ought to collect emails and telephone numbers.

To be honest, I’m confused. I can’t imagine how any of the FBI exemptions do anything but hide some of the most interesting collection, which may be the case if they’re only using PRTT for location. But still, it doesn’t seem to make sense…

One more point of interest. The bill adds to reporting to the oversight committees a requirement that the government list all of the agencies that have been using PRTT.

(4) each department or agency on behalf of which the Attorney General or a designated attorney for the Government has made an application for an order authorizing or approving the installation and use of a pen register or trap and trace device under this title; and

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Back Door Searching the Data Coming into FBI’s Front Door

As I noted, the big takeaway of the changes to USA F-ReDux’s transparency provisions is that, after having given us a topline number for Section 702 collection, the IC has decided it can no longer do so. I provided some reasons why that might be here.

But there are several other interesting aspects of the transparency procedures worthy of note.

As with the Leahy bill, the transparency procedures simply don’t count the non-communications production under traditional Section 215. Though the means by which it counts exclusively communication has changed to “unique identifiers used to communicate information collected pursuant to such orders,” which the bill doesn’t define.

For the CDR function, it includes that (which should show some kind of return, though given that they’re not chaining exclusively on calls made any more, may exclude some of the production because it represents a “connection” chain rather than a “contact” chain). But then it adds a paragraph to track back door searches.

(C) the number of search terms that included information concerning a United States person that were used to query any database of call detail records obtained through the use of such orders;

This reveals the unsurprising detail that once they’ve collected all these records – under which, in the current scheme, they can be subject to all of NSA’s analytical toys – they do back door searches on them. It’s not clear what would be counted here or not (is a device identifier “concerning” a US person?). But this also would seem to exclude analysis done immediately upon intake, which we’ve seen that they do.

And, in case you haven’t already guessed, the FBI is exempted from counting the searches they do of the database, which likely means for them the data will be stuck into the database that gets searched with every assessment. That likely is new. I would bet a good deal that this data will come into the government via the FBI, rather than the NSA (because the FBI can legally share more widely, and because there’s no great technical burden to process the data as there currently is with the phone dragnet). In other words, whereas now the NSA must certify every dissemination to the FBI that is derivative of the phone dragnet, under this scheme, the FBI will be able to get everything in raw form.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Bob Litt: That Bill I Wrote Looks Great on First Read

Supporters of USA F-ReDux are hailing Bob Litt’s comments approving of the bill.

“On first read, the new version of the USA Freedom Act looks like it accomplishes the president’s goals and will preserve important intelligence capabilities,” Robert Litt, the general counsel at the Office of the Director of National Intelligence, said on Friday.

“The administration has worked very closely with members of Congress, their staff — both parties in both houses — to come up with this bill,” he added.

But as even his comments make clear, to say nothing of the comments made during markup yesterday, he didn’t just “on first read it” Tuesday after it was released.

He largely wrote it.

In fact, when the Judiciary Committee tried to add things to the bill yesterday to make it comply with the Constitution, they claimed to be impotent to do so because that would blow up the bill. And so they bowed to IC demands.

No wonder Litt is fond of it.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

How to Break the Law Under USA F-ReDux: The Emergency Provision that Would Blow Up the Bill

Broadcast live streaming video on Ustream

As remarkable as was the House Judiciary Committee’s impotence to protect the Fourth Amendment in yesterday’s markup of USA F-ReDux, of equal importance was Raul Labrador’s effort to more narrowly tailor the emergency provision in the bill, which permits the Attorney General to authorize emergency production under Section 215 prior to getting FISA Court approval.


(1) Notwithstanding any other provision of this section, the Attorney General may require the emergency production of tangible things if the Attorney General—

(A) reasonably determines that an emergency situation requires the production of tangible things before an order authorizing such production can with due diligence be obtained;

(B) reasonably determines that the factual basis for the issuance of an order under this section to approve such production of tangible things exists;

Labrador (at 2:07) suggested that his amendment was very minor, just requiring the emergency provision be used only when there was an actual emergency.

I don’t see what it should blow up the bill, I don’t see why it would blow up the bill, all it’s doing is attempting to clarify the meaning of a term in the bill, which is an emergency situation, as one that involves the potential or imminent death or bodily harm to any person.

Yet, as Labrador noted, without the restriction would permit the AG to get records whenever she wanted.

As Zoe Lofgren noted, the lack of specificity in the bill is an invitation for abuse.

Labrador’s proposed change was even more minor given that we know NSA, at least, has redefined “threat of bodily harm” to “threat to property” in the case of corporate persons.

Jim Sensenbrenner, who argued that this emergency provision goes beyond what is required for emergency electronic surveillance or emergency physical surveillance under FISA, countered that tweaking the emergency provision would blow up the bill.

He and I may have a difference of opinion on what blows up this bill. You know, let me say this all was considered during the negotiations that were going on, I think there is an appropriate compromise to keep the dogs at bay, that is continued in the emergency appropriations of this bill and I am afraid that the amendment from the gentleman from Idaho would be who let the dogs out.

This is alarming.

I get that there’s a need for an emergency provision under Section 215 if it will cover things like Internet production, because the authorization process is too long for active investigations (which wouldn’t, mind you, meet the terms of Labrador’s amendment). But the emergency provision of USA F-ReDux will be one of the chief ways the IC will break the law under this bill (even going beyond what I believe to be a general violation of Riley‘s prohibition on searching smart phones without a warrant under the CDR provision).

That’s because of the way the bill significantly degrades the status quo on what happens if the FISC judges that this was an inappropriate use of Section 215. Currently, the FISC can make the government destroy the records. Under the bill, the government would be prevented from actually using the records in any official proceeding, but given that the AG polices that, and given that FBI basically has a department whose role is to parallel construct records like this, what this bill becomes is a means by which the FBI can get records they know to be illegal. Then, after the FISC rules the collection illegal (or, after FBI decides to “stop” collection before the 7 day deadline and thereby avoids telling the FISC what they’ve done), they can still keep those records so long as they parallel construct them. I’m not even sure collection ended before application would ever get reported to Congress.

And remember, there’s reason to believe that in the one year that the government has had an emergency provision for Section 215, it violated the prohibition on targeting someone for First Amendment protected activities.

If, as Sensenbrenner claims, closing some of the gaping loopholes on this provision would blow up the bill, it is an all but explicit admission that the Intelligence Community plans to use the immunity of this bill to be able to conduct illegal collection against people who are only “related” to an ongoing investigation.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

John Ratcliffe, US Attorney until July 2008, Says He Did Back Door Searches

Screen Shot 2015-05-01 at 12.07.31 PMAs I noted, Republican Congressman John Ratcliffe made an interesting admission during yesterday’s debate over USA F-ReDux in the House Judiciary Committee.

He said he had benefitted from back door searches — the discussion was specifically about FISA Amendments Act — when he was a prosecutor. That’s particularly interesting given the timing of his tenure Chief of Anti-Terrorism and National Security and then US Attorney for the Eastern District of Texas, which is shown to the right (and includes the suburbs of both Dallas and Houston).

Ratcliffe was the District’s top counterterrorism guy from 2004 until 2007, and US Attorney from 2007 until July 2008.

FISA Amendments Act passed in July 2008.

If Ratcliffe did back door searches, he did them off collection other than FAA.

Now, as I have suggested, there are signs they rolled out back door searches at least as early as they rearranged Protect America Act (at first, without telling Reggie Walton, who was presiding over a challenge to the law) such that collection would come in through FBI. Even still, those January 2008 changes would be rather late in the timing of Ratcliffe’s role as a prosecutor.

John Bates made it clear such an approval — for FISA authorized production anyway — happened in 2008.

Of course, there’s the other possibility that Ratcliffe did, and knew he was doing, back door searches off of Stellar Wind production.

In any case, Ratcliffe’s admission does raise some interesting timing questions about back door searches.

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

USA F-ReDux’s “Transparency” Provisions and Phone-PRISM

I’m going to make an unpopular argument.

Most observers of USA F-ReDux point to weakened transparency provisions as one of the biggest drawbacks of the latest version of the bill. They’re not wrong: transparency procedures are worse, remarkably so.

But given that I already thought they were not only inadequate but dangerously misleading,* I’m actually grateful to have had the Intelligence Community do another version of transparency provisions, which shows what they’re most intent on hiding and/or hints at what they will really be doing behind the carefully scripted words they’re getting Congress to rubber-stamp.

For comparison, I’ve put the bulk of the required transparency provisions for USA F-ReDux and Leahy’s USA Freedom below the rules below.

Hiding how 702 numbers will explode

The most remarkable of the changes in the transparency provision is that they basically took out this language requiring a top level count of Section 702 targets and persons whose communications were affected — this language.

(i) the number of targets of such orders;

(ii) the number of individuals whose communications were collected pursuant to such orders; [sub 500 range]

(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection; [sub 500 range]

This leaves — in addition to the “number of 702 orders” requirement — just this reporting requirement for back door content and metadata searches which (like the Leahy bill) exempts the gross majority of the back door searches, because they are done by the FBI.

(A) the number of search terms concerning a known United States person used to retrieve the unminimized contents of electronic communications or wire communications obtained through acquisitions authorized under such section, excluding the number of search terms used to prevent the return of information concerning a United States person; and [FBI Exemption]

(B) the number of queries concerning a known United States person of unminimized noncontents information relating to electronic communications or wire communications obtained through acquisitions authorized under such section, excluding the number of queries containing information used to prevent the return of information concerning a United States person; [FBI Exemption]

This is all the more remarkable given that ODNI has given us the topline number (though not the number of people sucked in) in each of its last two transparency reports.

Screen Shot 2015-05-01 at 9.28.43 AM


Screen Shot 2015-05-01 at 9.30.36 AM


In other words, ODNI was happy to tell us that the number of FISA 702 targets went up by 4% between 2013 and 2014, but not how much those numbers of targets will go up in 2015, when they presumably begin to roll out the new call chaining provision.

I suspect — and these are well educated but nevertheless wildarseguesses — there are several reasons.

The number of unique identifiers collected under 702 is astronomical

First, the reporting provisions as a whole move from tracking “individuals whose communications were collected” to “unique identifiers used to communicate information.” They probably did that because they don’t really have a handle on which of the identifiers all represent the same natural person (and some aren’t natural persons), and don’t plan on ever getting a handle on that number. Under last year’s bill, ONDI could certify to Congress that he couldn’t count that number (and then as an interim measure I understand they were going to let them do that, but require a deadline on when they would be able to count it). Now, they’ve eliminated such certification for all but 702 metadata back door searches (that certification will apply exclusively to CIA, since FBI is exempted). In other words, part of this is just an admission that ODNI does not know and does not planning on knowing how many of the identifiers they target actually fit together to individual targets.

But since they’re breaking things out into identifiers now, I suspect they’re unwilling to give that number because for each of the 93,000 targets they’re currently collecting on, they’re probably collecting on at least 10 unique identifiers and probably usually far, far more.

Just as an example (this is an inapt case because Hassanshahi, as a US person, could not be a PRISM target, but it does show the bare minimum of what a PRISM target would get), the two reports Google provided in response to administrative subpoenas for information on Shantia Hassanshahi, the guy caught using the DEA phone dragnet (these were subpoenas almost certainly used to parallel construct data obtained from the DEA phone dragnet and PRISM targeted at the Iranian, “Sheikhi,” they found him through), included:

  • a primary gmail account
  • two secondary gmail accounts
  • a second name tied to one of those gmail accounts
  • a backup email (Yahoo) address
  • a backup phone (unknown provider) account
  • Google phone number
  • Google SMS number
  • a primary login IP
  • 4 other IP logins they were tracking
  • 3 credit card accounts
  • Respectively 40, 5, and 11 Google services tied to the primary and two secondary Google accounts, much of which would be treated as separate, correlated identifiers

So just for this person who might be targeted under the new phone dragnet (though they’d have to play the same game of treating Iran as a terrorist organization that they currently do, but I assume they will), you’d have upwards of 15 unique identifiers obtained just from Google. And that doesn’t include a single cookie, which I’ve seen other subpoenas to Google return.

In other words, one likely reason the IC has decided, now that they’re going to report in terms of unique identifiers, they can’t report the number of identifiers targeted under PRISM is because it would make it clear that those 93,000 targets represent, very conservatively, over a million identifiers — and once you add in cookies, maybe a billion identifiers — targeted. And reporting that would make it clear what kind of identifier soup the IC is swimming in.

Hiding new PRISM providers

There is another reason I think they’ve grown reluctant to show much transparency under 702. Implementing the USA F-ReDux system — in which each provider sets up facilities they can use to chain on non-call detail record session identifying information — means more providers (smaller phone companies, and some new Internet providers, for example) will have what amount to PRISM-lite portals that can also be used for PRISM production. If you build it they will come!

In addition, Verizon and Sprint may be providing more PRISM smart phone materials in addition to upstream collection (AT&T likely already provides a lot of this because that’s how they roll).

So I suspect that, whereas now there’s a gap between the cumulative numbers providers report in their own transparency reports and what we see from ODNI, that number will grow notably, which would lead to questions about where the additional 702 production was coming from. (Until Amazon starts producing transparency reports, though, I’ll just assume they’re providing it all).

Hiding the smart-phone-PRISM

Finally, I think that once USA F-ReDux rolls out, the government (read, FBI, where this data will first be sucked in) will have difficulty distinguishing between the 702 and 215 production from a number of providers — probably AT&T, Verizon, Apple, Google, and Microsoft, but that’s just a guess.

Going back to the case of Hassanshahi, for example (and assuming, as I do, that the government has been parallel constructing the fact that they also targeted the Iranian Sheikhi identifier under PRISM, which would have immediately led them to his GMail account, as they very very easily could), the Tehran phone to Google call between Sheikhi and Hassanshahi would likely come in via at least 3 sources: Sheihki PRISM collection, Google USA F-ReDux returns on the Sheikhi number, and AT&T backbone USA F-ReDux returns on the Sheikhi number. And all that’s before you’ve taken a single hop into Hassanshahi’s accounts.

In other words, what you’re actually getting with USA F-ReDux is a way to get to the metadata of US persons identified via incidental collection under PRISM (again, this should just before for targets of a somewhat loosey goosey definition of terrorism targets). It’s basically a way to get a metadata “hop” off of all the Americans already “incidentally” collected under PRISM (note, permission to do this for targets identified under a probable cause warrant is already written into every phone dragnet order; this just extends that, with FISC review, to PRISM targets). And for the big providers that have anything that might be considered “call” service, the portals from which that will derive will likely be very very closely related.

Continue reading

Tweet about this on TwitterShare on RedditShare on FacebookGoogle+Email to someone

Emptywheel Twitterverse

bmaz @csoghoian @benwizner @washingtonian Congrats Chris; well deserved.
bmaz @PGEddington Yet another lose-lose gambit by Reid, just like the Loretta Lynch/Human trafficking linage was lose-lose.
bmaz @starshollowgzt @ChrisInParis What could go wrong??
bmaz @ElissaBeth @normative @michaellatulip Does DEA follow rule of law?? Haha, good one. What a naive question. DEA makes NSA look like pikers
bmaz RT @william_pitts: I was just told of a fight I would pay waaaaay more than $100 to watch. @RondaRousey vs Mayweather. #TAKEMYMONEYNOW
bmaz RT @kgosztola: Looks like FBI played role in radicalization of one of men involved in #TexasAttack http://t.co/dxV20XIpQM http://t.co/NOQWW
bmaz @rickhasen Cuomo, but not rue Preet has the cojones to really pull the trigger on that.
bmaz RT @radleybalko: "Sentiment" doesn't kill. Bullets do. And shooting deaths of cops are down 48%, on pace for an all-time low. https://t.co/
bmaz RT @KagroX: 37 pins on my accidental shootings at Walmart board https://t.co/sqU2ym3zxY JUST Walmart.
bmaz @HanniFakhoury I wonder what they will find?!?!
emptywheel @bradheath Or maybe it's just a sign they're getting better at writing themselves immunity.
emptywheel @bradheath I'd believe the urgency more if the IC weren't writing a still more ridiculous exigent circumstances clause into USAF.
May 2015
« Apr