The Only Independent Reviewer of Targeting and Minimization Refuses to Review It
On May 4, Senate Intelligence Committee members Ron Wyden and Mark Udall asked the Intelligence Community Inspector General to determine whether it was feasible to determine how many US persons have been spied on under the FISA Amendments Act.
The Temporally Perfect Fuck You
On May 22, the Committee marked up the renewal of the Act. During consideration of the bill, the Committee rejected Wyden and Udall’s efforts to require the IGs quantify such numbers based on their pending request to the IGs.
During the Committee’s consideration of this legislation, several Senators expressed a desire to quantify the extent of incidental collection under Section 702. I share this desire. However, the Committee has been repeatedly advised by the ODNI that due to the nature of the collection and the limits of the technology involved, it is not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under Section 702 authority. Senators Ron Wyden and Mark Udall have requested a review by the Inspector General of the NSA and the Inspector General of the Intelligence Community to determine whether it is feasible to estimate this number. The Inspectors General are conducting that review now, thus making an amendment on this subject unnecessary. SSCI report on the bill reminds that the IC IGs are authorized–but not required too–conduct reviews of Section 702.
Note, elsewhere the bill report includes these authorized but not mandatory reviews as part of the “robust oversight” of this spying program.
In addition, the Inspectors General of the Department of Justice and certain elements of the Intelligence Community are authorized to review the implementation of Section 702 and must provide copies of any such reviews to the Attorney General, DNI, and congressional committees of jurisdiction.
Yet in rejecting the motion to actually mandate a review, Dianne Feinstein’s report emphasizes that this authority is optional.
Also while marking up the bill, Wyden and Udall attempted to direct the Committee’s Technical Advisory Group to review what was really going on with the FAA. That motion was ruled out of order (Kent Conrad joined Wyden and Udall on this one vote–otherwise the committee voted against all their efforts for greater oversight).
We also proposed directing the committee’s Technical Advisory Group to study FISA Amendments Act collection and provide recommendations for improvements. We were disappointed that our motion to request that the Technical Advisory Group study this issue was ruled by our colleagues to be out of order.
As a result, the bill was voted out of committee on May 22 without any requirement that the intelligence community report on how many US persons it is spying on with FAA.
On June 15, the IC IGs finally got back to Wyden and Udall. (h/t Wired) Note the dates cited in the response.
On 21 May 2012, I informed you that the NSA Inspector General, George Ellard, would be taking the lead on the requested feasibility assessment, as his office could provide an expedited response to this important inquiry.
The NSA IG provided a classified response on 6 June 2012. I defer to his conclusion that obtaining such an estimate was beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission. He further stated that his office and NSA leadership agreed that an IG review of the sort suggested would itself violate the privacy of U.S. persons.
As I stated in my confirmation hearing and as we have specifically discussed, I firmly believe that oversight of intelligence collection is a proper function of an Inspector General. I will continue to work with you and the Committee to identify ways that we can enhance our ability to conduct effective oversight. [my emphasis]
So IC IG Charles McCullough waited 17 days to even tell Wyden what he was going to do with the request, at which point–the eve of the bill markup–he told Wyden that Ellard would prospectively conduct the inquiry. So when the Committee decided not to mandate an IG review based on the “pending” review, it had not started yet. The NSA IG provided Wyden with a classified response the day before the bill report was released, making it impossible to get any hint of the results of the review into the report. And now this letter basically says that the IG purportedly able to answer these questions neither has the resources to do so nor the legal authority to do so (presumably under the Privacy Act).
In short, this entire assessment was a very polite “fuck you” to Ron Wyden, all timed to undercut efforts to pressure for more oversight.
The Efforts to Ensure Only an IG Could Conduct This Review
As blatant as this “fuck you” is, it’s important to recall everything that went before. For the last 11 years, after all, the government has done everything possible to avoid real protections on US person data.
As Thomas Drake’s failed prosecution made clear, the NSA deliberately pursued technical choices in 2001 that would not give US persons privacy. And I suspect, though can’t prove, that NSA’s IG chose not to investigate these privacy issues in 2004.
The FISA Court, which had tried to use minimization to prevent illegal wiretapping from tainting formal FISA warrants by using minimization, got shot down in 2002. The FISC was trying to inquire about minimization in 2005, too, which presumably led to the exposure of the program by the NYT. Yet FISC review of whether the government complied with minimization requirements is one of the things that Mike McConnell considered a deal breaker in the negotiations over the Protect America Act in 2007.
During debate over the FISA Amendments Act, Senator Sheldon Whitehouse had tried to give FISC some review of whether the government complied with the minimization requirements approved by the Court. But he failed. The current law only allows FISC to review whether the targeting and minimization procedures comply with the letter of the law; they can’t review whether the government fulfills their certifications.
(2) Review
The Court shall review the following:
(A) Certification
A certification submitted in accordance with subsection (g) to determine whether the certification contains all the required elements.
(B) Targeting procedures
The targeting procedures adopted in accordance with subsection (d) to assess whether the procedures are reasonably designed to—
(i) ensure that an acquisition authorized under subsection (a) is limited to targeting persons reasonably believed to be located outside the United States; and
(ii) prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States.
(C) Minimization procedures
The minimization procedures adopted in accordance with subsection (e) to assess whether such procedures meet the definition of minimization procedures under section 1801 (h) of this title or section 1821 (4) of this title, as appropriate.
(3) Orders
(A) Approval
If the Court finds that a certification submitted in accordance with subsection (g) contains all the required elements and that the targeting and minimization procedures adopted in accordance with subsections (d) and (e) are consistent with the requirements of those subsections and with the fourth amendment to the Constitution of the United States, the Court shall enter an order approving the certification and the use, or continued use in the case of an acquisition authorized pursuant to a determination under subsection (c)(2), of the procedures for the acquisition.
Which leaves, as the bill report makes clear even in its boasting, the optional IG review and Director of National Intelligence and Attorney General self-reporting as the primary forms of oversight. We have reason to believe the FISC has objected to some practices in recent years–both because Wyden has unsuccessfully pushed for these opinions to be released and because Whitehouse said at a recent SJC hearing that the FISC has suggested impending sunsets are the only time the government fixes its programs.
And remember, the Senate Intelligence Committee went to some length–then in Jay Rockefeller’s hands–to make sure DOJ’s IG, Glenn Fine, didn’t get anywhere near the NSA wiretapping (or at least the report on the illegal program). The folks overseeing this spying program want a captive IG to conduct reviews. And why not? You can dial up a timely “fuck you” on command.
And note these issues–whether the government uses this program to intentionally spy on US persons–is one topic on which the government chose to remain silent in a recent filing in Amnesty v. Clapper.
All of which is a long-winded way of saying that the government has spent the last 10 years making sure that 1) US person data was not protected and 2) there would be no way–short of trusting the sworn statements of the DNI and AG–of ensuring that it was protected.
And now NSA’s IG, in a blatant “fuck you” to the only one trying to exercise oversight. reveals that it “can’t” review whether US person privacy is protected as mandated by law, because doing so would violate their privacy.
Again, it’s fairly clear what is going on here. We should, at this point, assume the DNI and AG are violating their sworn statements–how could they even make these sworn statements if what they’re attesting to is impossible to know!?!?
But we’ll never get to hold them accountable for that. Partly because all but two of the Senators mandated with oversight of this program refuse to hold them accountable. And because doing so would–the NSA IG claims–violate our privacy.
With regard to it being a violation of my privacy to know whether my privacy is being violated, Joseph Heller would be proud.
Sounds more like Lewis Carroll to me.
Thanks for this work.
It helps when normalizing previously aberrant, corrupt or criminal behavior to permit it to proceed without review or comment for several years, while at the same time ostracizing, firing, prosecuting, discrediting and otherwise making shrill those who oppose it. All.Without.Debate. Or “authorization” other than fiat from the top.
It is something Mr. Obama is especially good at, much better than Mr. Cheney. If he played baseball, Mr. Obama would always bat no. 4.
It sounds like an inelegant variation of the old, “I can tell you, but I would have to kill you first,” defense. It seems that the position that we would have to violate your privacy to answer your question about privacy is just the sort of thing designed to make a dog chase its tail.
It is also more entertaining than the likely real answer which is: 100% of the population is impacted by the screening. “we read and listen to it all, but we ‘target’ only the stuff that is bad. So you don’t have anything to worry about unless you’re ‘bad.'”
Well I think Wyden and Udall (and all of us) got the answer.
The answer is that the number is HUGE.
But boy oh boy are they weasels or what?
I hope Wyden and Udall don’t give up.
Maybe they could start selling the snooping service to get more revenue, ha. Blackwater/Xe/Academie (where the heck did they get that last name?) can start a corporate espionage subsidiary and use the giant Hoover data base for their clients to spy on their competition.
Just imagine all of the things that Hoover data base could be used for if you could keep it all secret.
And hell, I hope they have better security on that Hoover data base than they do on the other Defense and State Dept. info.
I don’t want to change the subject but has anyone seen this?
http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html?wpisrc=al_national
Did it ever occur to any of our government’s geniuses that now the Iranians and others don’t even need to develop their own code to retaliate – we’ve given them ours that they can manipulate at will. What group of idiots came up with this idea? The Israelis carry out one operation and get caught bringing down the whole scheme? With friends like that who needs enemies. When are we going to cut those people loose?
@Skilly: Agreed, I believe the answer is “everyone” has had their privacy invaded by these agencies. 100%. Everyone who has used any communications device, and every instance of communication, which is thousands of violations per person per year (2-3 per person per day, at least!).
OT, but since our NSA is involved, tangentially related – the WaPo’s Ellen Nakashima, Greg Miller and Julie Tate report:
(My Bold)
Directly on topic, this from Lauren Fox of U.S. News & World Report:
One conclusion that I think all should take away from EW’s posts on this topic is that the collection of US persons electronic communications must be truly massive if the Inspector General of the largest, most expensive agency in the US Intelligence community says this:
@MadDog: For folks who want to understand why I draw the conclusion that the collection of US persons electronic communications must be truly massive, this is why I come to that conclusion:
If the collection of US persons electronic communications by the NSA was but a handful, a minor piddling amount, an insignificant percentage of a percent, then I would respectfully assert that the NSA would come out and say so. At the very least in a classified briefing to Senator Wyden and his colleagues on the Senate Select Committee on Intelligence.
But the NSA hasn’t, and apparently refuses to do so. This says to me that the NSA knows full well that their electronic communications collection activities acquire a great deal of US person electronic communications.
Coupled with the fact that the NSA’s own IG admits that an effort by the NSA to provide even an estimate of the amount “would likely impede the NSA’s mission” pretty much nails it for me.
Massive. Truly massive!
@MadDog:
‘“He keeps getting the same answer, and he keeps not believing it,” Litt says.’
I wonder why?
If this can’t be stopped with a Democrat in office then it’s not going to be stopped. One more reason to be disappointed in Obama. I just finished reading a book named ‘Rubicon’ about the transformation of the Roman Republic to an empire. It’s one of many I’ve read as I like ancient history but this one was easy to read and laid it all out in a way that was easily understandable to the layman. It’s eerie how we are following the pattern. One can only conclude that democracy (or republicanism) and empire are incompatible. Nothing I’ve seen out of Obama could lead me to conclude anything different.
@MadDog: And all because some mystical being wanted to play real estate agent while getting someone else to pay for it. When will enough be enough and we can rid ourselves of this sickness in our midst?
@GulfCoastPirate: As far as I can see, we’ve yet to hit the bottom. After jumping or getting pushed (by Repugs) off the cliff of adherence to our Constitution, we’re still in free-fall.
What happens if, instead of thinking that the IG is a participator in a conspiracy to stonewall the senators, you try taking him at his word and figuring out what it means about what techniques and data and intelligence processes are operative? He doesn’t have the capacity to estimate how many people have had their communications reviewed by section 702 authority and trying to find out would in itself violate their privacy.
It would mean that whatever the techniques were for gathering data didn’t allow one to determine what the people were whose data was being gathered, and to find out would then cause their privacy to be violated. One possibility is data being gathered and analyzed without processing it into identifiable information, e.g. patterns being searched on encrypted or compressed data or data that hasn’t been composed from packets.
More OT – Scott Shane and Charlie Savage of the NYT explain how the Obama Administration believes its record in prosecuting leaks was a bug; not a feature:
And I must insist on credit where credit is due in this paragraph:
My Bold, and my first-use credit for revitalizing the term “blabbermouth”. Heh!
@MadDog: As long as the Isrealis are running our foreign policy we’re probably nowhere near bottom since everything to which we on this web site reject is related to the Middle East. How far we free fall is directly related to how long we want to continue to play real estate agent for a mystical being who some think decided who gets what land in that area a long time ago.
It wasn’t only the Repugs. The dems are just as bad if not worse. Obama could have stopped all this crap and he didn’t. Let’s not kid ourselves as to where the blame lies. The Jews in this country have mostly voted Democratic and they’re getting what they want at the expense of the privacy rights of the rest of the country. It is what it is and few are saying anything.
@ondelette:
‘He doesn’t have the capacity to estimate how many people have had their communications reviewed by section 702 authority and trying to find out would in itself violate their privacy.’
You’re kidding right? Please tell me you are kidding.
@GulfCoastPirate
What I was proposing was, instead of being an arrogant about it and pretending you know everything there is to know about surveillance and electronic data streams, perhaps it’s worth taking the statements at face value for at least the time it takes to figure out whether or not they could be true. An Inspector General is not necessarily on the side of the obfuscators at the NSA.
Next, I was proposing a couple of possible ways he could be telling the truth. That people have been working on gathering data from compressed and encrypted streams without decompressing or decrypting them since at least 1994 is a fact. You can take it to the bank. I used to work on that problem. I know others that did. I know of at least one standards body, probably two (MPEG, ITU) that tried to organize some international standards around that particular activity before the year 1998.
And if the NSA were doing such a thing, the Inspector General’s team might not know how many people the NSA were surveilling because they might be looking at a muxed stream for the emergence of patterns, and might have to decrypt or decompress the streams to answer the question. That would invade privacy in a way that not decrypting or decompressing would not. Consequently, that would be one possible way in which the statement would be true at face value, no joke.
I’m not saying it is what they meant or what was going on, I’m just offering a known counterexample to your interpretation. Before you fall on the floor laughing, and before the blog owner gets too enamored of her “fuck you” point of view of the thing, it would make sense to at least try to find out what’s going on, first. I know of at least one transform (Burroughs-Wheeler) which can pick stuff like style out of compressed data, so it can probably pick it out of encrypted data too. Certain of the stuff they’re looking for is written in rather stilted literary style. Not saying that is anywhere near the algorithm they are using or why the IG said what he said.
All I’m saying is that you could be laughing a very empty laugh and the blog owner could be tossing around the fuck you’s and be dead ass wrong.
@ondelette:
And the NSA would still be stonewalling on the answer. (If they don’t know, then they’re doing it wrong.)
@ondelette:
‘And if the NSA were doing such a thing, the Inspector General’s team might not know how many people the NSA were surveilling because they might be looking at a muxed stream for the emergence of patterns, and might have to decrypt or decompress the streams to answer the question. That would invade privacy in a way that not decrypting or decompressing would not. Consequently, that would be one possible way in which the statement would be true at face value, no joke.’
Do they have warrants to look at these streams of data? Obviously, if they are analyzing all streams of data they are surveilling everyone. Which is exactly what the ‘fuck you owner of the blog’ has said all along.
I don’t know about you and I can’t speak for the ‘fuck you owner of the blog’ but I don’t think they have the right to look at any stream of data that I or anyone else creates unless I’m suspected of a crime and they have a ‘fuck you’ warrant.
Just one person’s opinion.
@P J Evans: Sure. No question about it. Just the IG isn’t kidding, that’s all.
@GulfCoastPirate: No, they don’t have warrants to look at the streams of data. My guess is they do have permission to look at the streams from somebody. But the algorithm I gave as an example also doesn’t yield details, just puts up a red flag for suspicious information, and I would bet they would argue they don’t need warrants for it. When the streams turn up something they deem suspicious, they switch algorithms, and then they use something more intrusive. I was just giving a possible reason for why the IG felt he couldn’t comply with what he was asked to do.
@GulfCoastPirate:
Warrant,warrant?? (We don’t need no stinkin’ warrant!)
Ever notice the word warrant contains war AND rant?
Speaking of which,doesn’t ANY war require a declaration by Congress,firstly?
now we know who was behind the assassination of iran scientists and how they got the info they needed to learn the scientists habits.
http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html?hpid=z1
in letting israel push us into focusing on a trivial nuclear arms issue, we have created a class of weapons that will be copied and that could become as deadly over time as a nuclear weapon.
@ondelette: Let’s review:
1. They don’t have warrants but they have ‘permission’. Should we know who gave that permission?
2. Do you personally believe that all data from everyone should be looked at with any algorithm?
3. If they deem something ‘suspicious’ they look at it again and they again do it without warrants but they would argue they don’t need warrants. Is this acceptable to you?
@Gitcheegumee: That is so, so, so 18th century.
@GulfCoastPirate:
Ah yes, I remember it well….
Veddy interesting to review the Wiki timelines for events preceding both the American AND French Revolutions.
Plus ca change…
@GulfCoastPirate:
Let’s review: I’m telling you what they do, and what they probably do and don’t need warrants for, not telling you what I personally think they should and shouldn’t do. Personally, I think the great wonderful civil liberties lawyers should have heeded the call to protect peoples’ civil rights in cyberspace a long, long time ago, and then we would have a lot more clout complaining about what they do and don’t do. But we don’t. Can they convince a court that they should be allowed to look at a stream without decoding it for suspicious looking features in the stream? It’s a bit like having a geiger counter at a port of entry or a sniffing dog near customs at an airport. So probably the court says it’s okay. Can they go into the stream and look if they find something with their sniffer? Again, probably the court will say okay. Do they need minimization and targeting and a warrant much beyond that? Probably. Do they always get it? What do you think? Do I think that’s okay? Nope. All I was pointing out when this started was that it’s perfectly reasonable that the IG wouldn’t be able to figure out how many people had been surveilled. It was just one possible reason for it, too. There are lots of others, I’m sure.
Suppose surveillance is a search. How does the search engine work? Google’s actually starts with a crawler. Does the crawler count? It’s a machine that translates data and no human is looking at anything, it’s arguably a very, very complicated data processor, no different in some ways than a router or something else that processes data. If the crawler counts, then Google looks at everybody’s stuff, if it doesn’t then Google only looks at the stuff that people search for.
Choose your beast. There’s a ton of unanswered questions after 20 years of legal eagle neglect for peoples civil liberties IMHO. But civil liberties lawyers go absolutely batshit if you tell them that. In all honesty, they’ve been the worlds greatest libertarians in favor of the internet tech companies. Sometimes that’s been really great. But for the growing intelligence community and the strangling of privacy by people like Mark Zuckerberg, John Poindexter, and company, it’s been a disaster. The news media brings us stories of cute American teenagers bullied to death by social media. They don’t want to bring down their cash cow so they don’t dare tell us about third world teenagers flirting with human traffickers on the same social media. Besides, they don’t really care.
@ondelette:
‘But we don’t. Can they convince a court that they should be allowed to look at a stream without decoding it for suspicious looking features in the stream? It’s a bit like having a geiger counter at a port of entry or a sniffing dog near customs at an airport. So probably the court says it’s okay. Can they go into the stream and look if they find something with their sniffer? Again, probably the court will say okay. Do they need minimization and targeting and a warrant much beyond that? Probably. Do they always get it? What do you think? Do I think that’s okay? Nope. All I was pointing out when this started was that it’s perfectly reasonable that the IG wouldn’t be able to figure out how many people had been surveilled. It was just one possible reason for it, too. There are lots of others, I’m sure. ‘
The IG already knows the answer to the question. We’re all being surveilled every minute of every day. It’s not as if any of us spend all of our time at airports or at ports.
I agree with your other remarks on Facebook (which I’ve never joined), Google, etc.