October 3, 2014 / by emptywheel

 

The Continuing Myth about USA Freedom Transparency

Summary: This is a response to an Elizabeth Goitein claim that USA Freedom would provide detailed reporting on FISA programs. That’s false. As I show below, the only three kinds of collection for which reasonably real numbers will be reported are Individual FISA orders, NSLs (though FBI refuses to count those accurately), and the new CDR provision (though it will be presented as foreign collection even though it will be domestic). On everything else, the reporting will be excepted away beyond usefulness. Further, both PRTT and traditional 215 will likely get reported only as “fewer than 500,” a significant regression from current reporting.

In a piece at Just Security, Brennan Center’s Elizabeth Goitein bemoans what she claims is a distraction, in the form of ISIS, from passing the USA Freedom Act.

Then came ISIS. Following the group’s capture of territory in Iraq, its beheading of two American journalists, and its calls for followers to launch attacks in the US, some American lawmakers claimed it would be irresponsible to ratchet back surveillance authorities in the face of a new terrorist threat. 

I’m skeptical that USAF was going to pass anyway, and equally skeptical the Republicans are really responding to ISIS and not improving GOP Senate chances.

But I’m more interested in Goitein’s portrayal of the bill.

To her credit, she limits her most aggressive claims that the bill would end bulk collection to the phone dragnet, though she claims continuation of the financial dragnets would be a misreading of the bill.

The bill also would prohibit bulk collection of other types of transactional data, although the wording of these bans is susceptible to distorted readings, as some have observed.

That’s something on which we can fairly disagree. In my opinion, this language does nothing to limit the financial dragnet.

(i) means a term that specifically identifies a person, account, address, or personal device, or another specific identifier, that is used by the Government to narrowly limit the scope of tangible things sought to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things; 

As I’ve noted, permitting “person” as a selector permits the use of “Western Union.” And the language “to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things” closely resembles claims we’ve seen in released applications and orders. I would be fairly shocked if the applications for the Western Union dragnet didn’t say — as NSA said of the phone dragnet — that FBI required all foreign money transfers to be able to track such transfers. If so, then FISC has already bought off on the government’s claim that the existing financial dragnets are as narrowly limited as “reasonably practicable, consistent with the purpose for seeking the tangible things.” If so — and given public FISC releases, this is actually not a distorted reading in the least — then this bill will not affect the existing dragnets in the least. 

Still, I commend Goitein for exercising far more caution than other USAF supporters have in the past about the extent of the bill.

But Goitein’s claims about the transparency required under the bill are simply wrong.

The USA Freedom Act also would require more detailed statistical reporting by the government on the number of people affected by specific surveillance authorities – including, for most FISA programs, a separate tally of U.S. persons affected. These numbers give meaning to abstract legal interpretations. It’s clear that the FISC endorsed a broad interpretation of the term “relevance,” but only the numbers can tell us exactly how broad.

This bill will be less than useless in helping us understand how broadly the government is collecting; it will be counter-productive.

Here’s what, to the best of my understanding, we’ll actually get:

Individual orders (Titles I, III, 703, 704): We’ll get a “good faith” estimate of how many individuals are targeted. The government won’t reveal the split of this targeting. That will likely hide that much of its “targeting” consists of obtaining already collected data. The government won’t reveal that it does not use 703. At all.

702: We’ll get the number “1” for total orders, and something like 90,000 for targets. We’ll get a grossly misrepresentative number for number of people located in the US collected under PRISM, because the government will not be required to count IPs in the US as someone in the US. We’ll also get a certificate saying it cannot estimate whether more than 56,000 US persons are collected in upstream every year (because if the government did so it would then be illegal). We’ll get numbers like NSA 100 and CIA 1000 for back door searches, but we will get nothing on FBI back door searches, which can be done with no suspicion of wrong-doing. This leaves out 56,000 or more Americans affected via upstream, probably 100s of 1000s under an IP dodge, and probably 10s of 1000s affected in back door searches, and that’s assuming the DNI doesn’t use a Certificate to refuse to report all people affected by PRISM. Update: See this post for something else that may be hidden — non-communication cloud data.

Title IV (PRTT): We’ll start with a number like 140; as currently counted, this would show as something like 300 targets, 70 of whom are named US persons who got their phone or email records collected. But this may not count US persons who have their email records collected, because the government won’t have to treat a US IP as a US person. It also won’t count the people sucked up in Stingray use, as that is not counted as a communication collected. That’ll ensure the number is fewer than 500, meaning that’s the only number we’ll get, which is far worse than the reporting we currently get. Moreover, if as I suspect any bulkier PRTT program collects location, it will show only something like 4 al Qaeda related targets (because location data is not a communication). And the government can issue a claim that it can’t count those in the US (because if it did so it’d be illegal). One way or another, this will leave out hundreds of thousands, and perhaps millions, of affected Americans.

Traditional 215: Under current counting we’d get a number like 210 orders, targeting 800 targets. Here’s how it’ll break out in this reporting:

Exotic Internet requests (currently the majority of 215 orders): These are in the US, but they won’t be counted as such because they’re FBI orders and FBI is exempted from counting that. I suspect they’re also exempted even more generally from total persons affected counts as subscriber session time (see below regarding the definition of communications collected), though that’s a guess. Update: see this post for more on this language.

Less exotic Internet orders: These won’t have to be reported as US persons either, because the government doesn’t have to treat US IPs as US location.

Known non-financial dragnets: Under current counting this would probably count as roughly 24 orders (assuming 6 programs with 90 day renewals), with 4 targets — the al Qaeda groups included — each. Under USAF reporting, none of the individuals affected by the known bulk non-communications dragnets — which we know to include financial records and purchase records and which may include travel records — will get reported because the bill doesn’t require non-communications 215 orders to be individualized.

Having exempted almost every known kind of 215 order from individualized reporting, it’ll bring the total number affected well under 500, meaning that’s all we’ll get for persons affected, a far worse report than we currently get. This will definitely leave out millions of affected Americans, and will present the false impression that most 215 orders affect foreigners. 

New-Fangled 215: For CIA and NSA — which are unlikely to use this provision — the government will have to report the targets, plus the people within 2 degrees sucked in with those targets. For FBI, which is likely to collect this data now that it doesn’t require ingesting all the phone records in the US and because FBI has far more liberal sharing rules, it’ll probably report 300 targets, and a total of 3 million people affected. But those won’t be identified as Americans because the FBI is exempted from that. Moreover, since this will bring the number under 500, that’s all we’ll get for targets (though not persons affected). This will probably hide hundreds of thousands of Americans affected.

Update, 10/5: See this post for one other thing USAF may hide: cloud-related metadata that might be used for connection chaining.

NSLs: This bill provides slightly more breakout on US/non-US NSL reporting, though that has largely been available via IG report (plus, FBI refuses to count it accurately), except for subscriber data.

To sum up, what USAF effectively does is require reporting on the number of people affected by surveillance programs, and for most requires a break-out of the number of US persons affected. But then it uses the following exemptions to hide by far the bulk of the US persons affected — and in most cases, the number of persons affected — by surveillance:

  • 603(b)(2): Only a phone number registered in the US provides a reasonable basis that a person is located in the US. Thus all bulky Internet collection in the US can and will be hidden as foreign collection.
  • 603(e)(2): For several target and affected numbers, DNI will report numbers under 500 as fewer than 500. This will result in significantly less granular reporting than we currently have for some authorities, especially PRTT and 215.
  • 603(e)(3): If records are held by FBI or queries are conducted for them, 702 back door searches, communications-related traditional 215 orders, and newfangled 215 results don’t have to report on US persons affected. FBI will effectively be even more of a black hole where reporting goes to die than it already is.
  • 603(e)(4): DNI can certify that it can’t report on the 702 and PRTT Americans caught in the dragnet. Unless they use the IP dodge, they’ll almost certainly do this because if they admit this is US person collection, it’ll become illegal.
  • 603(g)(3): The definition of “individual whose communications were collected,” on which non back door 702, PRTT, and both traditional and newfangled 215 individualized reporting is based, would (according to my reading–lawyers should definitely check this) exclude:
    • Any location data (tracking devices are excluded)
    • Any financial, purchase, or other non-communication record (they are non-communication)
    • Any subscriber to an electronic computer service who is not a party to a communication who has had only her call records or session times collected [(B)(ii) excludes subparagraph (C) of 2703(c)(2)]

That is, after requiring reporting for most FISA reports, it then exempts virtually all of it from reporting.

Psyche!

This is not serious transparency reporting. Rather, it’s a hoax, at best reporting knowingly false information, but usually producing nothing but propaganda that gives a grossly misleading description of what collection occurs.

Updated 10/4 with summary and some clarifications.

Originally Posted @ https://www.emptywheel.net/2014/10/03/the-continuing-myth-about-usa-freedom-transparency/