6 Years Later, Are the Internet Companies Trying to Expose Telecoms Stealing Their Data, Again?

Update: And now this, too, has been halted because of the shutdown (h/t Mike Scarcella). This motion suggests the government asked the Internet companies for a stay on Friday. This one suggests the Internet companies asked the government for access to the classified information in the government filing, but the government told them they can’t consider that during the shut-down. 

As Time lays out, unlike several of the other NSA-related transparency lawsuits, the fight between the government and some Internet companies (Google, Yahoo, Facebook, Microsoft, and LinkedIn, with Dropbox as amicus) continues even under government shut-down. The government’s brief and declaration opposing the Internet bid for more transparency is now available on the FISA Court docket.

Those documents — along with an evolving understanding of how EO 12333 collection works with FISA collection — raise new questions about the reasons behind the government’s opposition.

When the Internet companies originally demanded the government permit them to provide somewhat detailed numbers on how much information they provide the government, I thought some companies — Google and Yahoo, I imagined — aimed to show they were much less helpful to the government than others, like Microsoft. But, Microsoft joined in, and it has become instead a showdown with Internet companies together challenging the government.

Meanwhile, the phone companies are asking for no such transparency, though one Verizon Exec explicitly accused the Internet companies of grandstanding.

In a media briefing in Tokyo, Stratton, the former chief operating officer of Verizon Wireless, said the company is “compelled” to abide by the law in each country that it operates in, and accused companies such as Microsoft, Google, and Yahoo of playing up to their customers’ indignation at the information contained in the continuing Snowden leak saga.

Stratton said that he appreciated that “consumer-centric IT firms” such as Yahoo, Google, Microsoft needed to “grandstand a bit, and wave their arms and protest loudly so as not to offend the sensibility of their customers.”

“This is a more important issue than that which is generated in a press release. This is a matter of national security.”

Stratton said the larger issue that failed to be addressed in the actions of the companies is of keeping security and liberty in balance.

“There is another question that needs to be kept in the balance, which is a question of civil liberty and the rights of the individual citizen in the context of that broader set of protections that the government seeks to create in its society.”

With that in mind, consider these fascinating details from the government filings.

  • The FBI — not the NSA — is named as the classification authority and submits the declaration (from Acting Executive Assistant Director Andrew McCabe) defending the government’s secrecy claims
  • The government seems concerned about breaking out metadata numbers from content (or non-content from non-content and content, as Microsoft describes it), even while suggesting this is about providing our “adversaries” hints about how to avoid surveillance
  • The government suggests some of what the Internet companies might disclose doesn’t fall under FISC’s jurisdiction

All of these details lead me to suspect (and this is a wildarsed guess) that what the government is really trying to hide here is how they use upstream metadata collection under 12333 to develop relatively pinpointed requests for content from Internet companies. If the Internet companies disclosed that, it would not only make their response seem much more circumscribed than what we’ve learned about PRISM, but more importantly, it would reveal how the upstream, unsupervised collection of metadata off telecom switches serves to target this collection.

The FBI as declarant

Begin with the fact that the FBI — and not NSA or ODNI — is the declarant here. I can think of two possible reasons for this.

One, that much of the collection from Internet companies is done via NSL or another statute for which the FBI, not the NSA, would submit the request. There are a number of references to NSLs in the filings that might support this reading. [Correction: FBI is not required to submit NSLs in all cases, but they are in 18 USC 2709, which applies here.]

It’s also possible, though, that the Internet companies only turn over information if it involves US persons, and that the government gets all other content under EO 12333. As with NSLs, the FBI submits applications specifically for US person data, not the NSA. But if that’s the case, then this might point to massive parallel construction, hiding that much of the US person data they collect comes without FISC supervision.

And remember — the FBI seems to have had the authority to search incidentally collected (presumably, via whatever means) US person data before the NSA asked for such authority in 2011.

There may be other possibilities, but whatever it is, it seems that the FBI would only be the classification authority appropriate to respond here if they are the primary interlocutor with the Internet companies — at least within the context of collection achieved under the FISA Court’s authority.

Breaking out metadata from content numbers and revealing “timing”

While the government makes an argument that revealing provider specific information would help “adversaries” to avoid surveillance, two other issues seem to be of more acute concern.

First, it suggests Google and Microsoft’s request to break out requests by FISA provision — and especially Microsoft’s request to “disclose separate categories for ‘non-content’ requests and ‘content and non-content requests” — brought negotiations to a head (see 2-3). This suggests we would see a pretty surprising imbalance there — perhaps (if my theory that the FBI goes to Internet companies only for US person data is correct) primarily specific orders (though that would seem to contradict the PRISM slide that suggested it operated under Section 702). It also suggests that the Internet companies may be providing either primarily content or primarily metadata, not both (as we might expect under PRISM).

The government is also concerned about revealing “the timing of when the Government acquires certain surveillance capabilities.” (see brief 19; the brief references McCabe’s discussion of timing, but the discussion is entirely redacted). That’s interesting because these are to a large extent (though not exclusively) storage companies. It may suggest the government is only asking for data stored in the Internet companies’ servers, not data that is in transit.

The FISC may not have jurisdiction over all this

Then there are hints that the FISC may not have jurisdiction over all the collection involving the Internet companies. That shows up in several ways.

First, in one spot (page 17) the government refers to the subject of its brief as “FISA proceedings and foreign intelligence collection.” In other documents, we’ve seen the government distinguish FISC-governed collection from collection conducted under other authorities — at least EO 12333. Naming both may suggest that part of the jurisdictional issue is that the collection takes place under EO 12333.

There’s another interesting reference to the FISC’s jurisdiction, where the government says it wants to reveal information on the programs “overseen by this Court.”

Although the Government has attempted to release as much information as possible about the intelligence collection activities overseen by this Court, the public debate about surveillance does not give the companies the First Amendment right to disclose information that the Government has determined must remain classified.

I’m increasingly convinced that the government is trying to do a limited hangout with the Edward Snowden leaks, revealing only the stuff authorized by FISC, while refusing to talk about the collection authorized under other statutes (this likely also serves to hide the role of GCHQ). If this passage suggests — as I think it might — that the Government is only attempting to release that information overseen by the FISC, then it suggests that part of what the Internet companies would reveal does not fall under FISC.

Then there are the two additional threats the government uses — in addition to gags tied to FISA orders — to ensure the Internet personnel not reveal this information: nondisclosure agreements and the Espionage Act.

I’m not certain whether the government is arguing whether these two issues — even if formulated in conjunction with FISA Orders — are simply outside the mandate of the FISC, or if it is saying that it uses these threats to gag people engaged in intelligence collection not covered by FISA order gags.

The review and construction of nondisclosure agreements and other prohibitions on disclosure unrelated to FISA or the Courts rules and orders fall far outside the powers that “necessarily result to [this Court] from the nature of [the] institution,” and therefore fall outside the Court’s inherent jurisdiction.

Whichever it is (it could be both), the government seems intent on staving off FISC-mandated transparency by insisting that such transparency on these issues is outside the jurisdiction of the Court.

There there’s this odd detail. Note that McCabe’s declaration is not sworn under oath, but is sworn under penalty of perjury under 18 USC 1746 (see the redaction at the very beginning of the declaration) . Is that another way of saying the FISA Court doesn’t have jurisdiction over this matter? [Update: One possibility is that this is shut-down related–that DOJ’s notaries who validate sworn documents aren’t considered essential.]

The PRISM companies and the poisoned upstream fruit

One more thing to remember. Though we don’t know why, the government had to pay the PRISM companies — that is, the same ones suing for more transparency — lots of money to comply with a series of new orders after John Bates imposed new restrictions on the use of upstream data. I’ve suggested that might be because existing orders were based on poisoned fruit, the illegally collected US person data collected at telecom switches.

That, too, may explain why PRISM company disclosure of the orders they receive would reveal unwanted details about the methods the government uses: there seems to be some relation between this upstream collection and the requests the Internet companies that is particularly sensitive.

As I have repeatedly recalled, back in 2007, these very same Internet companies tried to prevent the telecoms from getting retroactive immunity for their actions under Bush’s illegal wiretap program. That may have been because the telecoms were turning over the Internet companies’ data to the government.

They appear to be doing so again. And this push for transparency seems to be an effort to expose that fact.

Update: Microsoft’s Amended Motion — the one asking to break out orders by statute — raises the initial reports on PRISM, reports on XKeyscore, and on the aftermath of the 2011 upstream problems (which I noted above). It doesn’t talk about any story specifically tying Microsoft to Section 215. However, it lists these statutes among those it’d like to break out.

1These authorities could include electronic surveillance orders, see 50 U.S.C. §§ 1801-1812; phyasical search orders, see 50 U.S.C. §§ 1821-1829; pen register and trap and trace orders, see 50 U.S.C. §§ 1841-1846; business records orders, see 50 U.S.C. §§ 1861-1862; and orders and directives targeting certain persons outside the United States, see 50 U.S.C. §§ 1881-1881g. [my emphasis]

If I’m not mistaken, the motion doesn’t reference this article, which described how the government accessed Skype and Outlook, which you’d think would be one of the ones MSFT would most want to refute, if it could. But I’ve also been insisting that they must get Skype info for the phone dragnet, otherwise they couldn’t very well claim to have the whole “phone” haystack.

But the mention of Section 215 suggests they may be included in that order.

Also, we keep seeing physical search orders included in a communication arena. I wonder if that’s a storage issue.

Update: One more note about the MSFT Amended Motion. It lists where the people involved got their TS security clearances. MSFT’s General Counsels is tied to DOD; the lawyers on the brief all are tied to FBI.

One final detail on MSFT. Though the government brief doesn’t say this, MSFT is also looking to release the number of accounts affected by various orders, not just the number of targets (which is what the government wants to release). That’s a huge difference.

13 replies
  1. scribe says:

    A couple things.

    First, to be a little obvious. You note:

    While the government makes an argument that revealing provider specific information would help “adversaries” to avoid surveillance, two other issues seem to be of more acute concern.

    Whomever the “adversaries” might be, it’s been obvious to anyone with a pulse that “avoid[ing] surveillance” is best accomplished by staying off-line. Since at least 1998.

    Just saying.

    Second, you question this:

    There there’s this odd detail. Note that McCabe’s declaration is not sworn under oath, but is sworn under penalty of perjury under 18 USC 1746 (see the redaction at the very beginning of the declaration) . Is that another way of saying the FISA Court doesn’t have jurisdiction over this matter?

    It’s been a bit since I’ve had to parse this out – in the usual case, the form is a distinction without a difference b/c people are presenting stuff to the Court as-good-as-under-oath – but off the top of my head I suspect using 18 USC 1746 is a way of taking the prosecutorial authority out of the court’s inherent authority to go after liars and dissemblers and placing it into DoJ’s. Compare, e.g., Scott Bloch. One would have to look at the DoJ’s manual of style and usage (whatever its name might be) to find out the distinction between when to use affidavits, declarations and 1746. I’m sure there’s such a book somewhere that will tell exactly when to use which form and why.

    And before someone starts whining about how all these DFH bloggers are always imputing the worst of motives and behaviors to the fine, upstanding employees of the government, remember: the last dozen years have brought forth such a cavalcade of lies, deception and dissembling (remember the time how DoJ argued in some FOIA-related cases they had the right and even duty to lie to the Court and to do it with immunity and impunity?) that the best which can be said is that the honest folks who do work there both are on the short end of the career stick and are kept on more as a beard for the liars than anything else. The liars keep getting the sexy cases and, doubtless, the bonuses and promotions.

  2. emptywheel says:

    Two more things I like abt this filing.

    1) In footnote 6 the same Executive that wails constantly about needing to correct erroneous reporting says the Internet companies don’t need to correct erroneous reporting.
    2) Near the end, the same Executive that has asked the FISC to serve as a quasi secret Appellate court insists the FISC mandate is very narrow.

  3. orionATL says:

    what is apparent by now, based merely on analysis here at emptywherl, is that the u.s. government’s electronic spying programs are simply not controllable by any executive/president, court, or congress. they are too intertwined, too technically and legally complex, and too susceptible to serious hidden abuse to oversee with any confidence of competent ovetsight being performed.

    furthermore, any oversight that promises restrictions on nsa/fbi/doj spying activity is met with deceit and evasion.

    the fbi/nsa/doj are like a troop of monkeys feeding in a jungle. if a limb of one tree becomes unrewarding for whatever reason, the monkeys simply jump to branches on anotber tree and continue their feast.

    the only realistic solution to reassert outside civilian control over this hydra is to rescind all the enabling laws, statutes, and regulations. then start again with a focus on what is the minimum truly needed for national security and how those limited programs can be persistently and thoroughly overseen individuals not involved with any part of the spying programs.

  4. Nigel says:

    Stratton said that he appreciated that “consumer-centric IT firms” such as Yahoo, Google, Microsoft needed to “grandstand a bit, and wave their arms and protest loudly so as not to offend the sensibility of their customers.”

    As opposed to companies run by horses’ asses like Stratton who despise their customers to an extent unusual even in large businesses ?


    I wish that you would make some strong comments and really get it widely distributed about the real problem with this spying. There is not place for it to end than with total control by the worst elements of government. No matter what the stated intentions are. Secondly, it seems to me thatall of this data collection is of minimal value relative to “terrorist”. I think that there is too much data for it to be useful until after the fact. However, for manipulating markets, controlling politics and keeping the population in a feudal state it is an outstanding tool. Imagine what Hoover could have done with this. This is so much worse than anyone could have imagined.

  6. C says:

    While I generally think you are correct I suspect that the relationship is more synergistic. This is my own wildarsed guess.

    Think about the upstream data. Assuming that the NSA is tapping fiber directly or accessing a splitter of the type described at AT&T then what they are recieving is a raw traffic feed. The resulting data would be noisy, contain partial packets, and would be terrabytes per day. While the NSA has the horsepower to scan that stream for some things using the upstream queries, they cannot get everything.

    What they can get are packets to and from some site (e.g. Skype servers or Google+) that contain keywords or link to “persons of interest” (a genuinely awful legal fiction designed to circumvent established law). What they probably lack is key historical data (they cannot save that much data forever even in Utah, and account data.

    Thus with the raw stream they can conduct widespread surveillance looking for “suspicious activity” and pull out or even profile targeted individuals quite extensively but may not be able to narrow it down to a particular person or to check historical contacts or to actively tag the content to an individual as opposed to a group.

    In that sense the “you should use both” line in the original slides makes more sense. Each type of information is different and with only one they risk having large gaps in their ability to snort or refine the traffic. In general it makes sense then to say that they rely on the IPs for metadata and don’t want that to be known but I suspect they also fear losing that metadata or having it subjected to more rigorous oversight because it would disrupt their workflow.

  7. William A. Hamilton says:

    President Reagan issued EO 12333 on December 4, 1981 governing the roles and responsibilities of NSA and the other agencies of the U.S. intelligence community.

    NSA began its Follow the Money bank surveillance project in 1981 as documented by key former Reagan National Security Council staff in the 1989 PBS television documentary entitled “Follow the Money.” The U.S. Department of Justice misappropriated the PROMIS legal case management software from INSLAW and covertly disseminated it to NSA in 1981 for installation on banking sector computers in support of the new Reagan mission. The Reagan NSC staff called the shots on the Follow the Money Project just as it did on Iran/Contra scandal activities. NSA’s PROMIS-based Follow the Money signal intelligence information included intelligence information about the bank transfers of both foreign persons and Americans.

    In 1982, President Reagan approved a covert intelligence project whereby Israel would serve as an agent or instrumentality of the United States, i.e., of NSA, for selling hundreds of millions of dollars worth of licenses to stolen copies of PROMIS to foreign governments as part of a scheme to steal intelligence secrets from their law enforcement and intelligence agencies. As with other aspects of Iran/Contra, the private sector individuals who facilitated this work participated in the financial gain from the effort. Many of these facts were documented by the British journalist and author, Gordan Thomas, in his 1999 book entitled “Gideon’s Spies: The Secret History of the Mossad,” and were based on admissions made to Gordon Thomas by Rafi Eitan, the senior Israeli intelligence official in charge of the PROMIS partnership between Israel and the Reagan Administration.

    Also during the first term of the Reagan Administration, the Reagan NSC worked with the Federal Emergency Management Agency (FEMA) and the Continuity of Government (COG) Program on contingency plans for a national catastrophe and martial law, including, reportedly, the creation of a PROMIS-based domestic spying database system known as Main Core. The Main Core database system allegedly primarily contained financial intelligence information on Americans. Did that information include the signal intelligence information on Americans produced by NSA’s Follow the Money bank surveillance project.

    NSA is still operating its Follow the Money Program according to documents leaked by Edward Snowden and NSA is also inexplicably sharing raw signal intelligence information with Israel’s signal intelligence agency.

    NSA is still relying on EU 12333 as the authority for some of its most sensitive signal intelligence work, as documented by Emptywheel recently.

    President Reagan issued EO 12333 just several years after Congress created the FISA Court as its main reform for correcting excesses of NSA and other intelligence community agencies exposed by the Church Committee. Could it be that EO 12333 enabled the Reagan Administration, and its successor administrations, to circumvent much of the intended reforms?

  8. emptywheel says:

    @C: You may be right. I’m just working on how that’d be clear from aggregate disclosures by statute.

  9. Bob Swern says:

    Beating around “the Bush and the Obama”…yes, it’s self-evident what’s going on here, IMHO; and, this is across-the-board, with the telcos and the Internet-related co’s.

    There are, essentially, three types of collection/info-sifting activities occurring:

    1.) Mostly outlawed “stuff” that’s being circumvented post-2004-2011…(I state, “mostly,” thinking about the “NYPD’s” monitoring of racial/ethnic communities–i.e.: Muslim communities in NJ, for instance. But, obviously, there are many others; 1.3 million pen register, track and trace and wiretap requests of cellphones in 2011, per the ACLU FOIA “dragnet,” and on and on)…still occurring, as you read this…

    2.) Upstream data, from a variety of Internet-related and telco-related entities…

    3.) Data gleaned/accessed from outside our national boundaries, essentially circumventing U.S. laws (“perfectly legal,” of course, via GCHQ, CSEC, the other “two” of the “five eyes,” etc.; there’s a reason why we have somewhere in the neighborhood of at least 1,500-2,000 NSA “contractors” at Menwith Hill, Bude and Yorkshire, etc., etc.; and, there’s a reason why they ALL have direct access to the NSA’s PRISM platform; then there’s ISRAEL, and the whole “NAURUS thing”).

    NOTE: The term “FIBER OPTIC,” which is invoked with regard to what type of transmissions are monitored by our government, INCLUDES landline phone data, since copper-transmitted data is mostly converted to fiber optic data once it reaches most local switching centers, nowadays. i.e.: it’s not just “cellphones.”

    With well over a dozen, highly-credible sources telling us (over the past 12 years) that there’s 24/7/365 access to EVERYTHING, that really does mean “EVERYTHING,” IMHO, one way or the other.


    So, Marcy, thanks, as always, for — essentially — telling everyone to stop beating around “the BUSH”…and “the OBAMA.”

  10. bevin says:

    “There is no place for it to end than with total control by the worst elements of government. No matter what the stated intentions are.

    “Secondly, it seems to me that all of this data collection is of minimal value relative to “terrorist”. I think that there is too much data for it to be useful until after the fact. However, for manipulating markets, controlling politics and keeping the population in a feudal state it is an outstanding tool.

    “Imagine what Hoover could have done with this. This is so much worse than anyone could have imagined.”

    That is putting it mildly. The market implications are incalculable. Given the obvious temptations it is hard not to conclude that, already, billions of dollars must have been skimmed off the markets by the ultimate in insider traders.
    And who would be able, or at liberty to tell?

  11. C says:

    @emptywheel: Hmm, just a guess but… that might depend upon how the disclosures are framed. If, for example, the ISPs disclose types say by month and the telcos do likewise then you would expect to see heavy pulls from the telcos followed in the next reporting period by smaller but predictable requests by the telcos. I.e. in june there is a spike in bulk upstream requests from AT&T or others. In July there is a spike in NSLs sent to Google. This wouldn’t reveal who was being searched but it would present a pattern of use consistent with parallel construction or mass spying.

    But it is also likely that the fight is not about timing, annual disclosures would likely hide this pattern, but about the camel. By nature the NSA opposes any disclosures about themselves, all Intel agencies do but the NSA is particularly egregious (see below). If Microsoft and the others are allowed to report on bulk counts and the sky doesn’t fall why not AT&T or the others? At a certain point I think they are afraid that people would learn about how much they use orders like E) 1333 which scares them even more because there can be no illusion that that was done with public consent.

    (from above) According to James Bamford NSA security once made a habit of cutting highway monitoring cables on the roads near their headquarters just to prevent anyone from knowing how many people worked there. They literally went out with a knife and just sabotaged the equipment and let it be blamed on “vandals.”

  12. William A. Hamilton says:

    @C: I support of your hypothesis that NSA tries to conceal what it has done under the authority of Executive Orders such as Executive Order 12333 because they necessarily lack any pretense of informed public consent, I invite your attention to the final paragraph in Der Spiegel’s September 15, 2013 article about NSA’s Follow the Money bank surveillance project. The final paragraph notes that GCHQ, the U.K. signal intelligence agency (which operates in an even less accountable environment than NSA), was uneasy about NSA’s Follow the Money Project because of the depth of its invasion of the privacy of citizens.

    President Reagan gave NSA its first bank surveillance SIGINT mission, known then as now as Follow the Money, in 1981, the same year Reagan issued EO 12333 setting forth, in secret of course, the roles and responsibilities of NSA and the other agencies of the U.S. intelligence community. The Reagan Department of Justice illicitly and covertly copied the PROMIS legal case management software and disseminated it to NSA for its new Follow the Money Project and NSA began installing PROMIS on computers in the banking sector in 1981.

    In all probability, the bank surveillance version of PROMIS would have enabled NSA to intercept bank transfers of both Americans and others residing in the United States, as well as of foreigners.

    NSA’s collection of such intelligence information on Americans without any public knowledge or debate and possibly under the authority of the highly classified Executive Order 12333, might explain why even the British GCHQ, which does not normally appear squeamish about its real-time electronic surveillance work, was worried about the propriety of what NSA was doing.

Comments are closed.