August 18, 2014 / by emptywheel


USA Freedom Must Explicitly Require NSA and CIA to Comply with Law’s Minimization Procedures

I know I’ve had a lot of mostly unenthusiastic things to say about even Pat Leahy’s version of the USA Freedom Act.

  • It explicitly exempts FBI from counting back door searches
  • It may not do anything to existing non-electronic communication bulk programs, because it probably permits the use of corporate persons as Specific Selection Terms
  • The “connection chaining” may permit expanded access to smart phone data
  • It retains USA Freedumber’s “foreign intelligence” retention language

Having read about half of last week’s Internet Dragnet document dump so far, I’m increasingly worried about two details I’ve already raised.

I suspect, unless the law explicitly imposes minimization procedures on NSA (and CIA, which reportedly operates the bulky Western Union dragnet), they will evade the bill’s most stringent minimization procedures.

As I noted in November and PCLOB noted in January, the business records provision was explicitly written for FBI, not other intelligence agencies. As a result, the language in it requiring minimization procedures did not — and still would not under Leahy Freedom (to say nothing of USA Freedumber) — require minimization procedures from Agencies beyond FBI. For example, unless I’m misreading how the law would be implemented, this is what would still be in place with regards to minimization procedures.

Applications have to lay out minimization procedures. But the law only requires they apply to FBI.

(D) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.

The judge reviews the minimization procedures in the application to make sure they comply with (g), and then includes an order they be followed in his order approving the application.

(1) Upon an application made pursuant to this section, if the judge finds that the application meets the requirements of subsections (a) and (b) and that the minimization procedures submitted in accordance with subsection (b)(2)(D) meet the definition of minimization procedures under subsection (g), the judge shall enter an ex parte order as requested, or as modified, approving the release of tangible things. Such order shall direct that minimization procedures adopted pursuant to subsection (g) be followed.

And as I’ve already noted, the entire section (g) devoted to minimization explicitly applies to just FBI.

The Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this subchapter.

What’s particularly crazy about this is that the clause was changed to take out deadlines imposed in the 2006 renewal. In other words, they changed this clause, but left in the limits for most minimization procedures to just FBI.

There are two new kinds of minimization that the bill’s supporters are (in my mind, foolishly) very excited about. First, there’s new language in (g) that applies to any non-targeted collection (otherwise known as bulky collection).

(C) for orders in which the specific selection term does not specifically identify an individual, account, or personal device, procedures that prohibit the dissemination, and require the destruction within a reasonable time period (which time period shall be specified in the order), of any tangible thing or information therein that has not been determined to relate to a person who is—

(i) a subject of an authorized investigation;

(ii) a foreign power or a suspected agent of a foreign power;

(iii) reasonably likely to have information about the activities of—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation; or

(iv) in contact with or known to—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation, unless the tangible thing or information therein indicates a threat of death or serious bodily harm to any person

I lay out here why this language probably doesn’t change the status quo, and could conceivably be more permissive than the minimization procedures FISC currently imposes on large numbers (probably a majority) of its orders. And again–that’s under the “FBI” section, so presumably would not explicitly apply to CIA’s reported Western Union bulk program.

Finally, there’s the one section — as part of the b(2)(C) Call Detail Record provision — that doesn’t explicitly apply only to FBI. It requires the Agency in question to adopt minimization procedures, but unlike all the minimization procedures for the traditional collection, the law dose not require the FISC to approve the minimization procedures!

(I) adopt minimization procedures that require the prompt destruction of all call detail records produced under the order that the Government determines are not foreign
3 intelligence information; and

(II) destroy all call detail records produced under the order as prescribed by such procedures.

I’ve noted that, given PCLOB’s and WaPo’s review of NSA’s implementation of its minimization procedures under Section 702 (which impose an identical destruction requirement), this language is meaningless. We know NSA (and also FBI and CIA) would just call everything Foreign Intelligence and keep it!

Worse still, what this language would do, I’m increasingly sure, is explicitly change the dissemination rules for Section 215 data. Currently, Section 215 queries can only be shared if an NSA official certifies the data has a counterterrorism purpose and is necessary to understand the intelligence. By permitting the retention of language that has a foreign intelligence purpose, this language would permit foreign intelligence dissemination.

None of this is surprising. What this language does — rather than imposing some new protection — is to weaken current protections to USSID 18 standards, NSA’s default minimization procedures for all their data.

And the reason I’m increasingly certain all this is designed to sustain and at least as pertains NSA weaken the status quo is because of what we’ve now seen in the End-to-End Reports for both the Internet and phone  dragnets. In them, after 5 and 3 years of collection (respectively) the government said to the Court: “Gee willikers! Sure you’ve told us 21 or 12 times not to share this data outside of a counterterorrism focus. But golly, we didn’t notice that and we’ve just been using our default USSID standard which is also in the orders! And sorry, by the way, that means that CIA, FBI, and NCTC have been able to log right into query results directly!”

I’m also willing to bet a quarter there is or at least was an opinion somewhere judging that NSA didn’t have to pay attention to the minimization procedures imposed by the FISC because obviously they’re only intended for the FBI. Takers?

Which, by passing Leahy’s bill, Congress would ratify explicitly.

This was — as the Internet dragnet documents make clear — the plan from 2002. NSA conducts this analysis and CIA and FBI tap right into it. Which is presumably what — after a period of 5 years of heightened protection — we would return to under Leahy’s Freedom.

One more detail that suggests this is the plan.

As I’ve noted elsewhere, Leahy’s bill adds meaningless language to try to reassure that by assigning “privacy procedures” under the PRTT authority to the Attorney General, it wouldn’t take such authority out of FISC hands. But there is a consistent thread here: with both PRTT and emergency procedures, the AG assumes the authority the FISC currently has. And with Section 215 collection, everything reverts to what the Agencies in question were doing until they got caught in 2009.

I’d say that’s pretty good indication it’s all part of the plan.

Copyright © 2014 emptywheel. All rights reserved.
Originally Posted @