I’ve had some discussions of late about whether the flawed transparency provisions in the USA Freedom Act are a net good. Until I read them closely, I believed they couldn’t hurt. Now I believe they do.
That’s because the transparency provisions are designed to withhold data on all the collection programs to which privacy activists would like to make further changes — or would, if we knew about them. And while bill supporters note we don’t receive the information that would be withheld under the bill now, I believe the selective way the transparency provisions work will make it harder to oppose these programs.
To explain what I mean, let me first separate programs into three categories:
USAF withholds information on two of the most abusive practices: FBI’s back door searches, including on people against whom it has no concrete evidence of wrong-doing, and illegal domestic wiretapping under the upstream program. USAF hides FBI’s back door searches under the FBI exemptions. It hides illegal domestic wiretapping by permitting the DNI to get a certificate saying he can’t count people in the US collected under upstream collection, and also (probably) by treating only US-based phone numbers as proof of US location.
I agree that passing USAF won’t set back mobilization on these two. We’ve got documented acknowledgment of both, so it will be easy to insist on the continued existence of the practice, even while transparency reports come out showing no FBI back door searches (as compared to 100 NSA ones and 1,300 CIA ones), and a certificate asserting the NSA can’t count illegal domestic wiretapping.
So while the Intelligence Community’s refusal to count these things helps them by not making it easier to organize against them, keeping the scope of these programs hidden won’t make it any harder (I believe the secrecy on these programs serves more nefarious discovery purposes).
Known but not confirmed programs
I do, however, fear the transparency provisions will make it harder to organize to fix two other programs: Non-communications Section 215 programs and FBI’s apparent PRTT program, and will invite abuse in a third, the Internet Section 215 orders.
USAF not only permits the use of corporate persons as selectors for non-communications Section 215 programs, but it also requires no individualized reporting. So bulk collection of international Western Union transfers would be unaffected by this bill; Section 215 has also been confirmed for use collecting purchase records of TATP precursors — large volumes of acetone and hydrogen peroxide — and probably is also used to track fertilizer and pressure cooker purchases. Travel records are another likely use. Thus, even ignoring the likelihood the government will roll out new collection programs in the future, these programs will all likely remain unchanged.
But, in spite of the probability these programs collect the records of hundreds of thousands or millions of Americans, they will each show up in reporting as something like 4 orders affecting 4 or so targets. Worse, NGOs and Senate bill supporters have been telling the public for months, wrongly, that the bill would end bulk collection. So even if they later wanted to insist that such collection still went on, who would believe them, after they boasted that the bill would end precisely this kind of bulk collection? So by permitting this ongoing collection and excluding it from transparency reporting, USAF would make these — and (just as importantly) any new non-communications bulk Section 215 programs — invisible, and that invisibility would be reinforced by the public comments of people who overstated the bill’s effects.
FBI’s PRTT program (or rather bulk PRTT programs generally) is similarly something that bill supporters have claimed would be eliminated by the program. As a reminder, we know the existence of this — at least as recently as February 2012 — from Snowden’s leaks. A classification guide from that month made it clear that the actual numbers relating to the “FBI Pen Register Trap Trace program” were among the most sensitive FISA secrets.
But that’s about it. We don’t know anything more about this program (or whether, as is possible, it got shut down for some reason). That said, unless it exactly replicates the defunct NSA PRTT program (collecting on most switches in the US), there’s no reason to believe USAF would shut it down. My guess — backed both by the structure of the transparency procedures and by other details (we’ve recently learned, for example, that FBI uses criminal PRTTs for location data, including stingrays) — is that it is a program to collect location data on some subset of targets. And if that’s the case, I believe it would be entirely hidden under USAF, because — as with traditional Section 215s — PRTT reporting only requires individualized reports for communications, using a definition of communications that would exclude phones pinging providers.
If this program is closer to the old NSA PRTT program — collecting Internet metadata — it will show up as a huge number, but one affecting only foreigners, because the US persons affected can be hidden in two ways: both because only phone numbers are used to track US location under this bill, and because DNI can certify that he can’t count the US persons collected under this.
Whichever it is, it thwarts key legal battles civil libertarians are increasingly winning. And does so without any hint of doing so.
In any case, both of these are known programs that bill supporters claim will not exist after passage of the bill. Yet they do and, according to a close reading of the bill, will exist. Which sort of makes it impossible to oppose them.
I would add that the Internet Section 215 orders — which make up a majority of current Section 215 orders — pose a unique problem. We learned in a recent NSL IG report that starting in 2009, some Internet companies refused certain production under NSLs, and since then the government has used 215 orders to get the data. Given that the companies successfully refused that production as NSLs, they are likely exotic collections — possibly up to and including content — protected by FISC-imposed minimization procedures (which may get weaker with the passage of USAF). My wildarseguess is that they are targets’ URL searches. Since these make up a majority of current 215 orders, there are probably 110 to 180 of these a year.
But I worry that this will move to emergency production once that becomes an option under USAF, not least because the government has been complaining about the long turnaround for these. And if they move to emergency production, then FBI could not only get away with illegal requests (because FBI never has to destroy data, even if it was improperly collected), but could avoid a great deal of oversight. Moreover, by eliminating the long wait, the availability of emergency procedures may make it more tempting to use 215. I don’t so much mind the use of Section 215 orders to collect individualized Internet data (though I do suspect some of this is illegal content); but without tracking on the numbers of emergency orders, I suspect they will turn into an area of significant abuse. Also note, these are FBI programs, and the FBI doesn’t have to individualize US person collection (plus, US IPs won’t be counted), so this collection will inaccurately appear to be foreign focused.
Finally, I have a more vague concern about the unknown programs. The “transparency” guidelines specifically provide for a lot of propaganda — such as permitting DNI to boast about how few human hands touch US person records, while ignoring that automated scans touch all the same US person data on a daily basis as part of an automated alert. We certainly know that’s going to happen, but it does help DNI to obscure what is really going on (and will serve as useful propaganda, especially for court challenges).
Similarly, the “transparency” provisions almost certainly won’t report real numbers on the new CDR function, because that will be exempted by FBI.
For this category of data, I agree we’ll be in the same place we’re in now: not knowing. But because we don’t know what’s there, we won’t be able to point to the lies DNI is telling. That may make it harder for us to see and do something about these programs.
It’s that middle category, however, for which the transparency procedures and the comments about eliminating collection will make anyone even trying to discuss this stuff sound like a crazy person. I know! I have gotten called a crazy person for identifying collection before James Clapper on a number of occasions.
In short, by getting everyone to — falsely — agree that some of this collection doesn’t happen, this bill will make it virtually impossible to discuss those programs in the future, no matter how broad they become.