I’ve written about this here and here, but I’m going to make one more effort at explaining why I believe HR 3361 (AKA USA Freedumber Act) will undo the paltry efforts John Bates made to rein in the NSA.

My argument is that with section 202 of HR 3361, the government is creating something new — Attorney General created “privacy procedures” — that serve to dramatically alter the concept of minimization procedures and in doing so undermining the authority of the FISA Court to limit illegal activities.

The government and NSA’s boosters have long argued that minimization procedures — limits on the collection, retention, and dissemination of US person data — play an affirmative role in protecting US person privacy even while the government “collects it all.” Significantly, they point the the FISA Court’s role in reviewing minimization procedures as a key part of oversight of these massive dragnets.

But they’ve always played a funny game with minimization procedures on the legally most problematic part of their dragnet, the Internet dragnet. And a last minute change to HR 3361 seems to codify that funny game.

Unlike the FISA authorization for content in motion, stored communication, and business record collection, the Pen Register/Trap and Trace provision (50 USC 1842) they used to collect Internet metadata collection includes no provision for minimization procedures. The original USA Freedom Act and the compromise bill added minimization procedures and gave FISC judges the authority to review compliance with them. But at the last minute, the intelligence community replaced that provision with “Privacy Procedures” over which only the Attorney General has sole authority.

SEC. 202. PRIVACY PROCEDURES.

(a) IN GENERAL.—Section 402 (50 U.S.C. 1842) is amended by adding at the end the following new sub-section:

‘(h) The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard nonpublicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect national security, include protections for the collection, retention, and use of information concerning United States persons.

Given the history of the PR/TT program, I believe this may (and may be designed to) permit the ongoing acquisition of illegal content.

DOJ argues FISC may only rubber stamp

Before we look at the history of minimization procedures under the FISC-authorized Internet dragnet, understand that even as the government asked the FISC to rubber stamp one of the only parts of the illegal wiretapping program DOJ saw fit to shut down, it also argued that FISC’s authority to do was very limited.

In Colleen Kollar-Kotelly’s July 2004 opinion, she made clear the government believed she could only review the presence of language in the application, not whether it complied with the law, including the “relevance” provision.

In the Government’s view, the Court’s exclusive function regarding this certification would be to verify that it contains the words required by § 1842(c)(2); the basis for a properly worded certification would be of no judicial concern. See Memorandum of Law and Fact at 28-34.

The Court has reviewed the Government’s arguments and authorities and does not find them persuasive.19

19 For example, the Government cites legislative history that “Congress intended to ‘authorize[] FISA judges to issue a pen register or trap and trace upon a certification that the information sought is relevant to'” an FBI investigation. Memorandum of Law and Fact at 30 (quoting S. Rep. No. 105-185, at 27 (1998). However, authorizing the Court to issue an order when a certification is made, and requiring it to do so without resolving doubts about the correctness of the certification are quite different. (26-27)

Six years later, the government was still arguing the FISC could only serve as a rubber stamp. John Bates’ 2010 opinion again had to deal with such a claim.

The Government again argues that the Court should conduct no substantive review of the certification of relevance. See Memorandum of Law at 29. This opinion follows Judge Kollar-Kotelly’s [redacted] Opinion in assuming, without conclusively deciding, that substantive review is warranted. (73 fn 58)

The government’s review that the FISC is no more than a rubber stamp is particularly interesting given the discussion over minimization procedures.

The government invites rubber stamp judges to modify minimization procedures 

Even in spite of DOJ’s view that the FISC should be no more than a rubber stamp on PRTT applications, they nevertheless invited the judges to review and modify minimization procedures submitted in light of the extent of the collection being approved.

In addition to providing specific guidelines for what categories of metadata the government could collect (these categories appear to have come directly from the government’s application), Kollar-Kotelly added three things to the government’s proposed minimization procedures: First Amendment review, data retention limits, and an increased role for NSA’s lawyers.

To ensure that this authority is implemented in a lawful manner, NSA is ordered to comply with the restrictions and procedures set out below at pages 82-87, which the Court has adapted from the Government’s application. 50

50 The principal changes that the Court has made from the procedures described in the application are the inclusion of a “First Amendment proviso” as part of the “reasonable suspicion” standard for an [redacted] to be used as the basis for querying archived meta data, see pages 57-58 above, the adoption of a date after which meta data may not be retained, see 70-71 below, and an enhanced role for the NSA’s Office of General Counsel in the implementation of this authority, see pages 84-85 below. The Court recognizes that, as circumstances change and experience is gained in implementing this authority, the Government may propose other modifications to these procedures. (69-70)

Similarly, Bates modified the minimization procedures submitted by the government by retaining reports — originally imposed by Reggie Walton the previous year — on dissemination of PRTT outside of NSA (though Bates made what had been weekly reports monthly).

The [redacted] Order also directed the government to submit weekly reports listing each instance in which “NSA has shared, in any form, information obtained or derived from the PR/TT metadata with anyone outside of NSA,” including a certification that the requirements for disseminating United States person information (i.e., that a designated official had determined that any such information related to counterterrorism information and was necessary to understand counterterrorism information or to assess its importance had been followed. See [redacted] Order at 17. The government’s proposal does not include such a requirement. In light of NSA’s historical problems complying with the requirements for disseminating PR/TT-derived information, the Court is not prepared to eliminate the reporting requirement altogether. At the same time, the Court does not believe that weekly reports are still necessary to ensure compliance. Accordingly, the Court will order that the 30-day reports described in the preceding paragraph include a statement of the number of instances since the preceding report in which NSA has shared, in any form, information obtained or derived from the PR/TT metadata with anyone outside of NSA. For each such instance in which United States person information has been shared, the report must also include NSA’s attestation that one of the officials authorized to approve such disseminations determined, prior to dissemination, that the information was related to counterterrorism information and necessary to understand the counterterrorism information or to assess its importance.

Given how rampant the compliance problems were between 2004 and 2010, it’s unclear whether NSA ever took the minimization procedures imposed by NSA or the Court seriously, but the government at least said they would abide by the minimization procedures imposed by the Court.

And because the Court had a say in the minimization procedures, there was a First Amendment limit on PRTT collection, data retention limits, OGC involvement, and reporting requirements to track outside dissemination.

There’s no reason to believe such useful additions would have been added under the scheme currently in HR 3361.

The government’s invitation to turn minimization procedures into affirmatively permissive things

We get a much better sense of how the government really regarded this process, however, in the passage where Bates declined to use his ostensible authority to require minimization procedures to permit the government to use improperly collected data.

Here, as Bates makes clear, his authority to impose minimization procedures arises not from the law (because of course it’s not there) but an agreement with the government that he has that authority. And in spite of the government’s request he do so, he declined to use the authority both sides agreed he had, to authorize the government to use data it had collected improperly.

Further, although Section 1842 does not explicitly require the application of minimization procedures to PR/TT-acquired information, the Court also agrees that in light of the sweeping and non-targeted nature of this bulk collection, it has authority to impose limitations on access to and use of the metadata that NSA has accumulated.
The Court is satisfied that it may invoke the same authority to permit NSA to resume querying the PR/TT information that was collected in accordance with the Court’s prior orders.
[snip]
By contrast, the Court is not persuaded that it has authority to grant the government’s request with respect to all information collected outside the scope of its prior orders. (99-100)

Later in the same discussion, Bates describes the basis of his authority not just an agreement, but an invitation from the government.

The government next contends that because the Court has, in its prior orders, regulated access to and use of previously accumulated metadata, it follows that the Court may now authorize NSA to access and use all previously collected information, including information that was acquired outside the scope of prior authorizations, so long as hte information “is within the scope of the [PR/TT] statute and the Constitution.” Memorandum of Law at 73. But the government overstates the precedential significance of the Court’s past practice [imposing minimization procedures]. The fact that the Court has, at the government’s invitation, exercised authority to limit the use of properly-acquired bulk PR/TT data does not support the conclusion that it also has the authority to permit the use of improperly-acquired PR/TT information, especially when such use is criminally prohibited by Section 1809(a)(2). (110; my emphasis)

The government tried about 3 other ways to persuade Bates to be able to continue to use this data. But ultimately Bates said he couldn’t permit them access to anything they knew had been improperly collected.

Perhaps the government was just throwing a bunch of things against the wall to see if they’d stick, but they appear to have argued that Bates could and should use the authority to approve minimization procedures they had graciously granted him to override legal limits on the dissemination of illegally collected information.

That’s a rather breath-taking conception of what the authority to impose minimization procedures entails, as it seems to view this authority to work as a double edged sword, with the ability to both impose limits, but if necessarily to permissively bypass even legal limits.

And this is the authority the government has rewritten to reserve entirely to the Attorney General.

Did the government follow Bates’ rules?

Ultimately, Bates prohibited the government from using any data they knew to have been improperly collected, though he gave them a giant out.

When it is not known, and there is no reason to know, that a piece of information was acquired through electronic surveillance that was not authorized by the Court’s prior orders, the information is not subject to the criminal prohibition in Section 1809(a)(2). Of course, government officials may not avoid the strictures of  Section 1809(a)(2) by cultivating a state of deliberate ignorance when reasonable inquiry would likely establish that information was indeed obtained through unauthorized electronic surveillance. (115)

I have real questions whether they abided by Bates’ order not to use the improperly collected PRTT data, at least for the remaining year of the program (it was shut down at the end of 2011, so no more than 18 months after Bates’ opinion), for two reasons.

First a training program from late 2011 tells analysts to contact their organization’s management or SME regarding using data from prior to November 2009 (see the line spanning 15-16 here).

For a comprehensive listing of all the BR and PR/TT SIGADs as well as information on PR/TT data collected prior to November of 2009, contact your organization’s management or subject matter expert.

From a documentation standpoint (I’m drawing on days when I did oil and gas documentation), such referrals are always a red flag that the organization in question won’t put the instructions in writing for legal reasons. My suspicion is the oral instructions and SME would offer would probably include some kind of instruction not to acknowledge the data included US person data, because if they never acknowledged that, according to Bates’ rules, they’d still be able to use the data.

The other reason I don’t think they complied right away is because in 2011, once they decided not to appeal Bates’ October 3, 2011 order that they couldn’t use some upstream data under 1809(a)(2) either, they decided to shut down and and destroy (or claim to, in the EFF case) both the upstream data and the PRTT data at the same time. While the government portrays the decision to shut down the PRTT program in 2011 to stem from operational and cost reasons (and we have no affirmative reason to believe it had a tie to the upstream decision, though both do rely on very similar if not the same technology), it is remarkable they went from desperately trying to retain access to this data in 2010 to choosing not just to end the collection of the data, but also to destroy all the data they had fought to retain as well.

The only reason to keep the 1809(a)(2)-violative data in 2010 but destroy all of it, from both the upstream and PRTT program, in 2011 is if you’re fighting (or not complying with) Bates’ ruling in the 2010 opinion that 1809(a)(2) makes it illegal for them to use the data until such time as his threats to stop accepting FISA warrants causes them to comply.

Of course, Bates made the decision in 2011 in a program where he had clearly defined authority to approve minimization procedures, unlike his decision in 2010.

Remember, too, that the entire time they’re carrying out this back and forth with FISC, NSA was rolling out SPCMA, an alternative means to contact chain on US person data. I don’t think (though could be wrong) their limits on that chaining are within the guidelines of the PRTT rulings (that is, I think they explicitly include stuff that should be content). They may be getting all of this overseas, in which case they may consider it a back door search on content or something. But I find it interesting that in analogous practice rolled out just as (and possibly because) the PRTT program was being shut down does not meet the same legal standards for minimization.

Privacy procedures versus minimization procedures

Which brings me to why I’m so concerned that one of the IC’s last minute changes was to create something call privacy procedures, approved solely by the Attorney General. We have already seen how the FISC’s involvement affirmatively added important safeguards, including First Amendment protection and reporting requirements, that the government didn’t really want. Why, after all the violations in such programs, would you choose to forgo that?

More importantly, even assuming the government failed to follow minimization procedures set for the PRTT program out of poor management and not just because it was blowing them off because it did not consider them statutorily mandated, consider how they tried to use what they viewed as DOJ-authorized minimization procedures at the time: to dismiss Bates’ reading of the law retroactively. When it served their purpose to rubber stamp a controversial practice, they were happy to accept restrictions (that they ignored over at least 5 years time). But when it came to the actual law prohibiting their actions, they tried to use that authority to impose minimization procedures to trump the law.

And now, having added the phrase, ” to the maximum extent practicable and consistent with the need to protect national security” to the concept, they want to affirmatively reserve that authority exclusively to the Executive Branch, with no review by the court.