In this post I pointed out what Clapper’s letter really said. In this one, I described why it is so inexcusable that Clapper emphasized FBI’s exemption from reporting requirements (I will have a follow-up soon about why that earlier post just scratches the surface). And this post lays out some — but not all — the ways Clapper’s letter said he would gut the Advocate provision.
But I think there’s a far better way of understanding Clapper’s letter. He didn’t endorse Leahy’s USAF, S 2685. He endorsed USA Freedumber, HR 3361.
Below the rule I’ve put a summary of changes from USA Freedumber to Leahy USA Freedom, HR 3361 to S 2685. I did it a very long time ago, and there are things I’d emphasize differently now, but it will have to do for now (it may also be helpful to review this summary of how USA Freedumber made USA Freedumb worse). Basically, S 2685 improved on HR 3361 by,
- Tightening the definition of “specific selection term”
- Adding transparency (though, with exemptions for FBI reporting)
- Improving the advocate
- Limiting prospective CDR collection (but not retention and therefore probably dissemination) to counterterrorism
This closely matches what the coalition that signed onto S 2685 laid out as the improvements from HR 3361 to S 2685.
[T]he new version of the bill:
- Strengthens and clarifies the ban on “bulk” collection of records, including by tightening definitions to ensure that the government can’t collect records for everyone in a particular geographic area or using a particular communication service, and by adding new post-collection minimization procedures;
- Allows much more detailed transparency reporting by companies—and requires much more detailed transparency reporting by the government—about the NSA’s surveillance activities; and
- Provides stronger reforms to the secret Foreign Intelligence Surveillance Court’s processes, by creating new Special Advocates whose duty is to advocate to the court in favor of privacy and civil liberties, and by strengthening requirements that the government release redacted copies or summaries of the court’s significant decisions.
Though as I explained here, there is no public evidence the minimization procedures required by the bill are even as stringent as what the FISC currently imposes on most orders, so the minimization procedures of S 2685 might — like the emergency procedures do — actually weaken the status quo.
Here are three of the key passages from Clapper’s letter that I believe would address the intent of the bill as written.
- “Recognizing that the terms [laid out in the definition of specific selection term] enumerated in the statute may not always meet operational needs, the bill permits the use of other terms.”
- “The transparency provisions in this bill … recognize the technical limitations on our ability to report certain types of information.”
- “The appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Office of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address those concerns.”
In other words, the limiting language in Clapper’s letter very clearly maps the changes from HR 3361 to S 2685.
He clearly says he doesn’t have to follow the new limits on specific selection terms. He signals he will use his authority to make classification and privilege determinations to keep information away from the amicus (or retain ex parte procedures via some other means). And by endorsing John Bates’ letter, he revealed his intention to take out requirements that the amicus advocate in favor of privacy and civil liberties. In addition — this is the part of Bates’ letter I missed in my previous analysis — he thereby endorsed Bates’ recommendation to “delet[e] this provision [specifying that the Court must release at least a summary], leaving in place the provision that significant FISA court decision would continue to be released, whenever feasible, in redacted form.”
Plus, as I mentioned, his use of “metadata” rather than “Call Detail Record” suggests he may play with that laudable limit in the bill as well.
I think Clapper’s read on the exemption for FBI is totally a fair reading of the bill; I just happen to think the Senate is doing a great deal of affirmative damage by accepting it. (Again, I hope to explain more why that is the case in the next day or so.)
Voila! Clapper’s “endorsement” of the bill managed to carve out almost all the improvements from HR 3361 to S 2685 (as well as emphasize Congress’ ratification for the FBI exemption, the huge reservation on the one improvement he left untouched). The only other improvement Clapper left in place was the limit on collection of prospective phone record to counterterrorism purposes.
That’s it. If Clapper’s views hold sway, that’s all this bill is: USA Freedumber with the retention of the status quo counterterrorism application for CDR collection.
This gets closer to banning bulk collection than USA Feedumber, but language about IP addresses and distinctions between persons and individuals still concerns me
Much of the transparency is good and welcome, but note this excludes FBI from back door search reporting, which is actually quite alarming.
The FISA Advocate is better, though still doesn’t prevent the government from stymying it (for example through “need to know” language). I’m also not convinced PCLOB will be a good faith entity long term, particularly if we lose the Senate (Certainly Cook and Brand are not civil libertarians; they’re defenders of these programs, which is what we should expect if GOP gets another appointee). Also, I think the FISCR fast-track review could backfire in significant ways, because it could preclude real adversarial review if anyone ever gets standing.
I’m not convinced the NSL language fixes the Doe problems–it would seem to just provide the government another way to gag these things, but I’d have to look closer to be sure.
This doesn’t change that the CDR chaining is on connections, not calls. I think this is a very dangerous provision given that no one I’ve talked to outside of Intel Committees knows what it means (and we should assume it means, at a minimum, location chaining). Assuming this will get delayed beyond recess, it seems like a good point to demand answers on. And if those come back reasonably it might be wise to add interpretations of “connections” to the transparency requirements?
Also, while the limitation on CDR chaining to CT purposes is good, the bill still permits retention for any FI purpose, which we know thanks to PCLOB means they’ll retain everything. I think it very likely that under this program more Americans will be stuck in the corporate store indefinitely than they are under the current program, and by tying retention to FI, I suspect it will weaken minimization protections on dissemination of that data, too.
Note that the bill still permits CDR collection under b2B. What’s to prevent them from continuing to do bulk collection there?
Finally, I continue to believe the Rule of Construction on content is meaningless; given what Zoe Lofgren has gotten James Cole to agree to, we should assume FISC has already authorized content (especially URL searches) collection. So the government already has the authority.
I still don’t see why inventing new privacy protections, rather than codifying minimization procedures approved by the court, makes any sense. And the Rule of Construction not changing FISC’s current authority is meaningless, as it has no legal authority, it has just assumed authority.
Here are further comments organized by page number.
(6) Retains the chaining on “connections.” Thus far I have met no one who knows what this means outside of the intelligence committees, and language addressing it in phone dragnet orders remains redacted. Particularly given that every government witness has only admitted to call chaining, not connection chaining, there seems to be a need to discuss what connection chaining is, particularly given that once the government gets inside a smart phone at a telecom they might be able to use things like calendars and phone books to make such connections. The requirement that the product at each step be a CDR limits this somewhat, but it doesn’t limit it all that much. This will likely result in a might higher hit rate than what is currently supposed to go on in chaining using 215 data.
(7) The bill retains the meaningless destruction requirement from USA Freedumber, tied to FI purpose rather than CT purpose (which is what the current dragnet is supposed to have). Particularly given confirmation from both PCLOB and WaPo in the interim that destruction requirements tied to FI mean nothing gets destroyed, this is a problem. It will mean everything will be retained–and we still don’t know whether this includes pizza joint connections or not.
(16) I’ve heard people express significant concerns about IP addresses, which can be quite broad. So this definition of address may actually include some flux in it. It certainly could include a whole company, depending on what they do with their web service.
(17) Specific selection term: This is generally better than what we had. There are three questions I have. First, why use people in 3Ai (which applies to b2B collection and other authorities like PRTT and NSL) and individual in 3B, which applies to b2C collection? With the additional minimization procedures, they basically admit the primary definition of SST needs additional minimization should raise questions. I know this is meant to serve for the collection of things like TATP precursors (they used 215 to get acetone and hydrogen peroxide in 2009). Doesn’t that mean something is still very broad?
(27) In my opinion the rule of construction on minimization procedures is meaningless. By law, FISA has no authority under pen registers authority to impose minimization procedures; it’s just that they did in order to approve the broad requests made. What is the explanation for providing this authority to the AG? In other words, privacy procedures are not “new,” they’re just done now with the involvement of the FISC. Why change that in law?
Also, FBI has (or did in 2012, after the NSA PRTT program was shut down) a PRTT bulk program. If Senators don’t know what that is, it would seem time to answer those questions in the context of this discussion.
(30) Note, the Special Advocates are now required to be attorneys and weren’t under USA Freedumber. There may be a good reason for this, but it would seem to rule out the kind of technical people who may be just as necessary to this process. With the ability to request a technical advisor that may not be a problem but it is worth noting.
(33) The language on classified information seems to build in a presumption that the executive will determine access. Given how the government has used “need to know” designation to prevent lawyers from accessing information they need, that may be a problem.
(35) The FISCR review actually seems very dangerous as written. First, because the FISC staffers will be the ones staffing the FISCR judges; they don’t have independent staffers. So they will effectively be a continuity of view, not a new one. Moreover, this system will present an adversary-less system of giving decisions appellate sanction in secret. Even in the two known cases, In Re Sealed 2002 and Yahoo, there was some kind of adversary or amicus. It’s not clear this would be as robust (particularly given that the FISC only may, not shall, appoint an amicus). In other words, while the intent here may be laudable, in practice it might fast track appellate sanction for broad expansions of law without 1) real adversarial proceedings or 2) notice to the public. At the very least, this provision should require that Congress get full notification before something gets appealed, otherwise this could all happen in secret before Congress gets their required notice.
(40) Note the FCRA NSL specifically uses customer or account and SST. Why isn’t this available elsewhere?
(75) Why does the back door search on content count “search terms that included information concerning a United States person that were used to query any database of the contents” but the search on metadata counts “queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents”?
(79) The transparency exempts FBI from the most important requirements (covering 702 back door searches and 215 searches of both the traditional fashion and the new CDR program).
(3) FEDERAL BUREAU OF INVESTIGATION.— Subparagraphs (B)(iv), (B)(v), (D)(iii), (E)(iii), and (E)(iv) of paragraph (1) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.
This seems crazy. It is not just a transparency problem, but a management problem, that FBI refuses to count these numbers. Not only would it provide a badly misrepresentative number, but wouldn’t make FBI impose the kind of management oversight they need on precisely the kind of back door searches most likely to land someone in prison.
(80) After having seen the WaPo do a statistical sample, this bill permits DNI to claim they can’t do a sample.That seems overly generous.
(83) The description of someone who is “a party” to an electronic communication may not count those who get collected in chat rooms as lurkers, or similar such things. Does someone using a tracked URL get tracked here, for example?