In Sworn Declaration about Dragnet, NSA Changes Its Tune about Scope of “This Program”

I’ve been tracking the sudden effort on the part of NSA to minimize how much of the call data in the US it collects (under “this program,” Section 215).

That effort has, unsurprisingly, carried over to its sworn declarations in lawsuits.

Along with the response in the First Unitarian Church of Los Angeles v. NSA suit the government filed last Friday (this is the EFF-backed suit that challenges the phone dragnet on Freedom of Association as well as other grounds), NSA’s Signals Intelligence Director Theresa Shea submitted a new declaration about the scope of the program.

Ostensibly, Shea’s declaration serves to explain the “new” “changes” Obama announced last month, which the FISA Court approved on February 4. As I have noted, in one case the “change” simply formalized NSA”s existing practice and in the other it’s probably not a big change either.

In addition to her explanation of those “changes,” Shea included this language about the scope of the dragnet.

Although there has been speculation that the NSA, under this program, acquires metadata relating to all telephone calls to, from, or within the United States, that is not the case. The Government has acknowledged that the program is broad in scope and involves the collection and aggregation of a large volume of data from multiple telecommunications service providers, but as the FISC observed in a decision last year, it has never captured information on all (or virtually all) calls made and/or received in the U.S. See In re Application of the FBI for an Order Requiring the Production of Tangible Things from [Redacted], Dkt. No. BR13-109 Amended Mem. Op. at 4 n.5 (F.I.S.C. Aug. 29, 2013) (publicly released, unclassified version) (“The production of all call detail records of all persons in the States has never occurred under under this program.“) And while the Government has also acknowledged that one provider was the recipient of a now-expired April 23, 2013, Secondary Order from the FISC (Exhibit B to my earlier declaration), the identities of the carriers participating in the program (either now, or at any time in the past) otherwise remain classified. [my emphasis]

Shea appears to be presenting as partial a picture of the dragnet as she did in her prior declaration, where she used expansive language that — if you looked closely — actually referred to the entire dragnet, not just the Section 215 part of it.

Here, she’s selectively citing the declassified August 29, 2013 version of Claire Eagan’s July 19, 2013 opinion. The latter date is significant, given that the day the government submitted the application tied to that order, NSA General Counsel Raj De made it clear there were 3 providers in the program (see after 18:00 in the third video). These are understood to be AT&T, Sprint, and Verizon.

Shea selectively focuses on language that describes some limits on the dragnet. She could also note that Eagan’s opinion quoted language suggesting the dragnet (at least in 2011) collected “substantially all” of the phone records from the providers in question, but she doesn’t, perhaps because it would present problems for her “virtually all” claim.

Moreover, Shea’s reference to “production of all call detail records” appears to have a different meaning than she suggests it has when read in context. Here’s what the actual language of the opinion says.

Specifically, the government requested Orders from this Court to obtain certain business records of specified telephone service providers. Those telephone company business records consist of a very large volume of each company’s call detail records or telephony metadata, but expressly exclude the contents of any communication; the name, address, or financial information of any subscriber or customer; or any cell site location information (CSLI). Primary Ord. at 3 n.l.5

5 In the event that the government seeks the production of CSLI as part of the bulk production of call detail records in the future, the government would be required to provide notice and briefing to this Court pursuant to FISC Rule 11. The production of all call detail records of all persons in the United States has never occurred under this program. For example, the government [redacted][my emphasis]

In context, the reference discusses not just whether the records of all the calls from all US telecom providers (AT&T, Sprint, and Verizon, which participated in this program on the date Eagan wrote the opinion, but also T-Mobile and Cricket, plus VOIP providers like Microsoft, owner of Skype, which did not) are turned over, but also whether each provider that does participate (AT&T, Sprint, and Verizon) turns over all the records on each call. The passage makes clear they don’t do the latter; AT&T, Sprint, and Verizon don’t turn over financial data, name, or cell location, for example! And since we know that at the time Eagan wrote this opinion, there were just those 3 providers participating, clearly the records of providers that didn’t use the backbone of those 3 providers or, in the case of Skype, would be inaccessible, would be missed. So not all call detail records from the providers that do provide records, nor records covering all the people in the US. But still a “very large volume” from AT&T, Sprint, and Verizon, the providers that happen to be covered by the suit.

And in this declaration, instead of using the number De used last July, Shea instead refers to “multiple telecommunications service providers,” which could be 50, 4, 3, or 2, or anywhere in between. Particularly given her “either now, or at any time in the past” language, this suggests the number of providers participating may have changed since July.

Which brings me to the two other implicit caveats in her statement.

First, she suggests (ignoring the time ODNI revealed Verizon’s name a second time) that the only thing we can be sure of is that Verizon provided all its domestic data for the 3 months following April 23, 2013.

Actually, we can be fairly sure that at least until January 3, Verizon still participated. That’s because the Primary Order approved on that date still includes a paragraph that — thanks to ODNI’s earlier redaction fail — we know was written to ensure that Verizon didn’t start handing over its foreign call records along with its domestic ones.

Screen Shot 2014-02-25 at 9.33.00 AM

Though curiously, the way in which DOJ implemented the Obama-directed changes — the ones that Shea’s declaration supposedly serves to explain — involved providing substitute language affecting a huge section of the Primary Order, without providing a new Primary Order itself. So we don’t know whether ¶1(B) — what I think of as the Verizon paragraph — still exists, or even whether it still existed on February 4, when Reggie Walton approved the change.

Which is particularly interesting given that Shea’s declaration just happened to be submitted on the date, February 21, when a significant change in Verizon’s structure may have affected how NSA gets its data. (That date was set in December by a joint scheduling change.)

One way or another, Shea’s claim that the dragnet doesn’t collect all or even virtually all phone records is very time delimited, certainly allowing the possibility that the scope of the dragnet has changed since the plaintiffs filed this suit on July 16, 3 days before Eagan explicitly excluded cell location data from the dragnet collection, which is the reason NSA’s leak recipients now give for limits on the scope of the program.

The claim is also — as claims about the Section 215 always are — very program delimited. In her statement claiming limits on how much data the NSA collects, Shea makes 2 references to “this program” and quotes Eagan making a third. She’s not saying the NSA doesn’t collect all the phone data in the US (I don’t think they quite do that either, but I think they collect more US phone data than they collect under this program). She’s saying only that it doesn’t collect “virtually all” the phone data in the US “under this program.”

Given her previously expansive declaration (which implicitly included all the other dragnet collection methods), I take this declaration as a rather interesting indicator of the limits to the claims about limits to the dragnet.

7 replies
  1. Frank33 says:

    The assassins and war pimps and terror profiteers of the NSA use their Universal Dragnet for the benefit of the billionaires. They, the NSA, oppress the American people, especially the anti-war citizens, because they need to maintain and protect war profiteering. Give the NSA credit, their criminal activities are very successful in destroying dissent and protecting the phony war on terror.

    But when a secret government has unlimited taxpayer money, and unlimited power to commit crimes, it is easy. Then they can make pre-emptive detention of citizens.

    In November 2007, Towery wrote an email to a number of people he had met at a Domestic Terrorism (DT) conference in Spokane, Washington, that “it would be a good idea to develop a leftist/anarchist mini-group for intel sharing and distro.”

    But he was very concerned that existence of such a group would become public knowledge. “[W]e will need to look at the third party rules and each individuals [sic] agency policy about email,” he wrote, because “[e]ven open source information and files should not be distributed, because it might tip off groups that we are studying their techniques, tactics and procedures.”…

    According to activists, Towery’s data on peaceful protesters, who were standing, singing, and chanting on a street outside the Port of Olympia, Washington, resulted in their preemptive arrest by police.

  2. Mindrayge says:

    Okay. Semantics at play. Strawman building actually. What happened in the August 2013 order was that the government got to build a strawman and tear it apart while the compliant judge affirmed that indeed the strawman was just a pile of straw.

    (“The production of all call detail records of all persons in the States has never occurred under under this program.“)

    That statement is absolutely, 100 percent true. Semantic parsing horseshit, but factually true. Note the use of all persons rather than all calls. Call detail records do not correspond one to one to a specific person but rather to a specific call. In truth, a call detail record only corresponds to the phone number(s) involved and then only to the account holder for that number. Anyone in a household could make a call to any other phone in another household and yet the actual persons involved are not actually known in that call detail record, in and of itself.

    What the statement doesn’t say is whether the government collects at least one call detail record for every call made. That is the distinction and the court allowed the government to frame their strawman to try to say something different.

    A quick side note but hopefully the use of the word States rather than the United States is covered by a definition of States somewhere in the order context or an error of omission. Otherwise, there is another problem with it because then we would have no idea which states, etc. is being discussed.

    Then in the latest one Shea then turned that around to have a different meaning:

    The government has acknowledged that the program is broad in scope and involves the collection and aggregation of a large volume of data from multiple telecommunications service providers, but as the FISC observed in a decision last year, it has never captured information on all (or virtually all) calls made and/or received in the U.S.

    Of course the court didn’t observe anything of the sort. We got the old switcheroo.

    “this program” (Section 215) collects all call detail records on every call made. The orders to the companies absolutely demand all call detail records. Not some. Not most. Not virtually all. But ALL of them. Where are the contempt of court proceedings for failure to comply?

    So what we have here is more obfuscation and subterfuge. A compliant court helping the government along by not even acknowledging that the government in its 1st order this year changed the fact(s) of what the court observed in August 2013.

    Adding “all persons” and conflating the association of call detail records to persons rather than to the calls themselves is the ruse in play. I mean, whoever made the claim that the government was collecting call detail records on all persons? It seems the only one to do so is the US government.

    There is simply no way for virtually every call made in the United States not to have a call detail record that ends up with one of ATT, Verizon, or Sprint. It is just not possible based on the telephony system infrastructure in this country. I say virtually all because we do have situations where telephone communications, both cellular and landlines, are handled by Canadian near the border. In particular cell phones near the border may hit towers in either country without affecting the ability to make a call though there have been problems with roaming charges that aren’t supposed to occur in those situations. There are places along the border where the physical wires to the homes are connected to switches in Canadian towns on the other side particularly in very rural areas. Then there are places like Point Roberts Washington, which at the end of a peninsula just south of Vancouver, British Columbia but not connected to the rest of the US by land that get phone service via Canada. Up until the late 1980s that place actually had a British Columbia Area Code. Though that has changed to a Washington State Area code the phone service is still physically connected to Canada. It is rather simple to have a particular Area Code/Exchange combination route anywhere with the changes made to the phone system under SS7. Likewise, there are Canadian towns that get service via the US because the switches are across the border.

    Because those are isolated examples the only call records missing would be those made within those towns or neighboring towns if they also are serviced via Canada.

    And all of this is on top of the “this program” dodge.

  3. Frank33 says:

    Ray McGovern former CIA analyst has a Youtube interview. He has some comments about the scope of the NSA. The NSA uses their spying powers to make wars. He says that Frank Koza of the NSA told British Intelligence to spy on the UN Security Council, to make sure they supported the attack on Irak.

    McGovern also said US spies pressured Sweden to use “made up charges about rape” against Julian Assange. McGovern suggested that David Kelly British weapons expert was assassinated, “He was probably done in by MI5.”

  4. emptywheel says:

    @Mindrayge: I actually think it’s possible telecoms stopped providing backbone calls. Which would have been discretionary, and when the shit hit the fan last June, they would have had an incentive to stop.

    Also think it’s possible, after the July 19 “no cell location” that someone said “oops, that’s the only business record we have, you gotta get that or get nothing.”

  5. emptywheel says:

    @Mindrayge: I actually think it’s possible telecoms stopped providing backbone calls. Which would have been discretionary, and when the shit hit the fan last June, they would have had an incentive to stop.

    Also think it’s possible, after the July 19 “no cell location” that someone said “oops, that’s the only business record we have, you gotta get that or get nothing.”

  6. Mindrayge says:

    @emptywheel: I don’t buy it. The orders clearly state ALL call detail records. That hasn’t changed. While telling them they can’t collect Cell Location records under 215 orders simply shifted any of that to EO 12333. As Saul Tannenbaum noted way back when we were talking about the whole “we only collect 30% of data because of cell phones nonsense it is a minor change to the Extract/Transform/Load (ETL) process.

    I can’t think of any situation where the only record produced contains cell location data. Cell location information would be associated with Home Location Register and Visitor Location Register processing as well as “predicting” or “directing” the next cell tower you will connect to – if you are driving – to maintain call continuity. VLR/HLR has to cross the backbone while the “next tower” stuff stays within the backhaul portion of the network. Cell loction records are a different type of call detail record. But they are in addition to the main detail record showing the end points of the call, duration, completion status, etc.

    It is not possible for there not to be a record of each and every call made in the country. Because all carriers have to be CALEA compliant, that is, they have to support wire taps and pen registers these records have to exist.

    The entire scope change is nothing of the sort. They played word games and the court was actively complicit in doing so. Someone should find out where that “all persons” horseshit came from because that was a stroke of genius. Assert an allegation of collection of metadata on all persons rather than the actual allegation of collecting metadata on all calls. Then have the NYT, WAPO, LAT, and WSJ play with that pinata. That is what is going on.

Comments are closed.