October 30, 2013 / by emptywheel


NSA Non-Denial Denial 241,352,052

Here’s the best the NSA could come up with to deny the WaPo’s report about how it steals data from Google and Yahoo overseas.

NSA has multiple authorities that it uses to accomplish its mission, which is centered on defending the nation. The Washington Post’s assertion that we use Executive Order 12333 collection to get around the limitations imposed by the Foreign Intelligence Surveillance Act and FAA 702 is not true.

NSA seems defensive about WaPo’s suggestion they used EO 12333 — if they did — for this collection. But note that David Kris suggests at least one other possibility for this “vacuum cleaner” collection, voluntary production (as well as procedures subordinate to EO 12333), so it’s possible they didn’t use EO 123333. Maybe the first line is meant to suggest at least one of these providers did cough this up voluntarily (which I think past reporting might support).

NSA then engages in the most delectable projection ever, in which it takes this comment from its biggest apologist this side of Michael Hayden, John Schindler, and suggests the WaPo made the assertion.

Intercepting communications overseas has clear advantages for the NSA, with looser restrictions and less oversight. NSA documents about the effort refer directly to “full take,” “bulk access” and “high volume” operations on Yahoo and Google networks. Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.

Outside U.S. territory, statutory restrictions on surveillance seldom apply and the Foreign Intelligence Surveillance Court has no jurisdiction. Senate Intelligence Committee Chairwoman Dianne Feinstein has acknowledged that Congress conducts little oversight of intelligence-gathering under the presidential authority of Executive Order 12333 , which defines the basic powers and responsibilities of the intelligence agencies.

John Schindler, a former NSA chief analyst and frequent defender who teaches at the Naval War College, said it was obvious why the agency would prefer to avoid restrictions where it can.

“Look, NSA has platoons of lawyers and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole,” he said. “It’s fair to say the rules are less restrictive under Executive Order 12333 than they are under FISA.” [my emphasis]

The WaPo didn’t make the assertion, NSA’s most loyal voice on Twitter did.

But let’s at least entertain the possibility they’re using another authority to get around FISA, or using 12333 to get around some other limitation (possibly just FISC limits, perhaps placed on a bulk record order — the old Internet dragnet no longer conducted under FISC — rather than a FISA one).

They do a similar, though craftier thing, here.

The assertion that we collect vast quantities of U.S. persons’ data from this type of collection is also not true.

The WaPo specifically said it did not know how many Americans’ data this collection was picking up.

It is not clear how much data from Americans is collected, and how much of that is retained.

By claiming the WaPo had said they collected vast quantities, NSA could deny that rather than deny they were knowingly collecting USP data. Which I take as confirmation they know they’re collecting USP data.

But who knows how much?!?! Certainly not the NSA — at least per their claims to John Bates and Ron Wyden. They don’t know how many Americans’ data is collected in this way, purportedly. So they can’t make this claim.

Not credibly, anyway.

Now we get to minimization.

NSA applies Attorney General-approved processes to protect the privacy of U.S. persons — minimizing the likelihood of their information in our targeting, collection, processing, exploitation, retention and dissemination.

Keep in mind, if your defense is minimization procedures, you’ve already conceded that 1) you are collecting US person data 2) there are a slew of circumstances in which you are keeping and circulating US person data. What NSA doesn’t say is that even the more stringent FAA minimization procedures were deemed too permissive for intentional upstream collection in the US. Since NSA has all but admitted they do collect US person data, they’ve admitted it’s intentional. Which would seem to mean that the weaker 12333 minimization procedures may not meet Fourth Amendment muster, per the John Bates opinion.

Also one more thing: those words, targeting, collection, processing, retention, and dissemination? I’ve seen all those words. But now we’re talking about “exploiting” data. I find that … troubling.

Which brings us to the familiar refrain, in which collection the NSA admits includes US person collection is redefined as “foreign” which makes all us white people okay with it unless we’re hackers or some other enemies within.

NSA is a foreign intelligence agency. And we’re focused on discovering and developing intelligence about valid foreign intelligence targets only.

Of course, this refrain doesn’t work anymore, given that we know that discovering and developing intelligence about foreign intelligence also involves collecting the phone records of each and every one of us. But I guess it’s stuck in NSA’s boilerplate until it becomes embarrassingly obvious to all that “foreign” no longer necessarily has much to do with “other countries.”

Copyright © 2013 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/2013/10/30/nsa-non-denial-denial-241352052/