The Loss of PRTT Minimization Review in USA F-ReDux

As I noted earlier, the House Judiciary Committee just released a new version of USA Freedom Act, which I’ve dubbed USA F-ReDux. I’ll have a lot more to say about it, but I want to make two minor point about things that got taken out of Leahy’s bill from last year.

Section 215 Minimization

215 tracker

First, last year’s bill had minimization procedures tied to bulky Section 215 collection effectively requiring the government to destroy the data that had not been determined to be two hops from a target within a period of time.

(C) for orders in which the specific selection term does not specifically identify an individual, account, or personal device, procedures that prohibit the dissemination, and require the destruction within a reasonable time period (which time period shall be specified in the order), of any tangible thing or information therein that has not been determined to relate to a person who is—

(i) a subject of an authorized investigation;

(ii) a foreign power or a suspected agent of a foreign power;

(iii) reasonably likely to have information about the activities of—

(I) a subject of an authorized 21 investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation;

(iv) in contact with or known to—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation,

Those minimization procedures resemble what we’ve seen from the minimization procedures FISC imposed on the phone dragnet, which probably means they also resemble what FISC was imposing in other cases. In the previous year (2013), FISC had imposed minimization procedures on almost 80% of all orders.

In other words, the clause basically required the government to do what the FISC was probably already forcing it to do in the majority of orders (which, in any case, permitted the government to keep, indefinitely, the records associated with people two hops out of someone whom the government had a traffic stop suspicion had ties to terror or spying).

Last year, however, the FISC modified fewer than 3% of orders, and at least one of those was probably a phone dragnet one. Perhaps the change means the government finally started complying with the requirement laid out in 2006 that it adopt minimization procedures (the impending Section 215 IG Report likely created an incentive to do that, as following the law on minimization was one of the recommendations Glenn Fine had made in 2008, so Michael Horowitz surely followed up on that recommendation; plus, the generally law-abiding James Baker assumed FBI’s General Counsel role in this period). Perhaps it means the government stopped making bulky collections (though that is unlikely). But for some reason, the number of orders on which the FISC imposed minimization procedures and a report back fell off a cliff.

And now the requirement that the government adopt minimization procedures for bulky collection is gone from the bill.

I might be alarmed by that, but this year’s bill does add a Rule of Construction clarifying that the FISA Court can impose additional minimization procedures on top of what the bill requires the government to adopt for Section 215. So it may be that if the FBI returns to its recidivist ways on minimization procedures, we’ll see the number of modified orders spike again.

PRTT “Privacy Procedures”

I’m more concerned about what happened on the Pen Register side.

Last year, the PRTT section added new “privacy” (not “minimization”) procedures.

IN GENERAL.—The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard nonpublicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect national security, include privacy protections that apply to the collection, retention, and use of information concerning United States persons.

Compare how squishy those privacy procedures are to the required Section 215 minimization procedures FBI blew off for years.

A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 1801 (e)(1) of this title, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance; and

Rather than requiring the procedures minimize the retention and dissemination, the bill required only that privacy protections be applied. And there was no requirement limiting dissemination of non-foreign intelligence data.

But at least there were privacy procedures, right? Baby steps?

Last year’s bill had, and this year’s bill retains, a Rule of Construction (like that added to Section 215) that notes nothing limits FISC’s power to impose additional minimization procedures.

(2) RULE OF CONSTRUCTION.—Nothing in this subsection limits the authority of the court established under section 103(a) or of the Attorney General to impose additional privacy or minimization procedures with regard to the installation or use of a pen register or trap and trace device.

Which is all well and good, but FISC’s authority to do so with PRTT has no statutory basis, unlike Section 215. And during both the 2004 initial application for the Internet dragnet and John Bates’ 2010 reauthorization of it, the government made some fairly aggressive claims about FISC’s impotence to do anything but rubber stamp applications. So this Rule of Construction may not have the same weight as that in Section 215.

Which is why I worry that this section was removed from the bill.

(3) COMPLIANCE ASSESSMENT.—At or before the end of the period of time for which the installation and use of a pen register or trap and trace device is approved under an order or an extension under this section, the judge may assess compliance with the privacy procedures required by this subsection by reviewing the circumstances under which information concerning United States persons was collected, retained, or disseminated.

As the documents on the phone dragnet violations showed, unless FISC has and exercises the authority to ensure compliance with minimization procedures, the government will cheat (or, more charitably, not find systematic years-long violations staring them in the face). FISC seemed to recognize this when it imposed compliance reports on its minimization of Section 215 orders in recent years. But it won’t have statutory authority to review assessment with these already-squishy “privacy procedures.”

And consider some background. Patrick Leahy has been trying to add minimization procedures to PRTT for a long long time. As I laid out here, the Obama Administration worked with Jeff Sessions (of all people) to kill that effort in 2009 literally days from the time when DOJ finally confessed to the FISA Court that NSA had never, ever, not once in 5 years, and not even after having been caught once, complied with the Court’s limits on categories of metadata it could collect under the Internet dragnet.

In other words, the Obama Administration has a sordid history of gutting PRTT minimization at the precise moment when the need for it is most evident.

Now, we shouldn’t have to worry about an Internet dragnet under PRTT anymore. But there are 3 reasons why I’m worried that the IC prioritized eliminating this provision:

  • NSA’s retention of content under PCTDD
  • The invisibility of any location-based dragnet under USA F-ReDux
  • The spike in numbers of PRTT orders last year

NSA’s collection of content under PCTDD

One thing I showed (though it is somewhat apparent in FBI’s Domestic Investigations and Operations Guide) from EPIC’s FOIA of PRTT related documents is that FBI doesn’t treat pen registers under FISA the same way they treat pen registers under Title III. The latter, they set the device collecting the data to exclude Post Cut Through Dialed Digits — the digits a caller or, it seems, an emailer enters after being connected to the number she calls, which might include PIN numbers, credit card numbers, or extension numbers — from collection. But for FISA pen registers, FBI sets the device to collect all those digits, which they then deal with through minimization procedures. Back in 2006 and then again in 2009 (weeks before Leahy tried to impose minimization procedures on PRTT), the FISC had some discussions with the government about whether their minimization of these digits was really fulfilling the Fourth Amendment prohibition on collecting content. The DIOG still reflects 7 uses of PCTDD data, broken into two groups (perhaps phone and Internet applications?).

Given that the FISC has seen the need to intervene on this issue in the past, and given that the collection of this PCTDD is legally dubious, it seems it would be useful for FISC to be able to check whether FBI is complying with the procedures that let it skirt the law.

The invisibility of any location-based dragnet under USA F-ReDux

As I noted last year, USA F-ReDux’ transparency provisions won’t count how many people are sucked up in any location tracking. Which (past experience has proven) is a good indication that they are doing location tracking. And PRTT is what the government uses on the criminal side to get location data — on those occasions when it actually gets legal process.

In other words, if the FBI had a systematic Stingray or tower dump program that focused on particular targets but sucked up the location data of thousands of other people, that huge number of Americans affected won’t ever be public. This is especially concerning given the possibility that the IC would use location proximity as a way to establish imagined ties between a suspect and potentially innocent people, because it would mean all those people incidentally sucked in would be investigated as a result.

Which seems like another good reason to explicitly permit FISC to make sure the government complies with whatever “privacy procedures” the government adopts.

The spike in numbers of PRTT orders last year

As I noted, while IConTheRecord’s Transparency Report shows fairly flat numbers for total PRTT orders year-on-year, it shows a very significant jump in targets affected in from last year’s numbers, 319,

Screen Shot 2015-04-30 at 12.22.35 PM

To this year’s, 516.

Screen Shot 2015-04-30 at 12.20.49 PM

Given what we now know: that each target might represent a very bulky collection (or even targeted group), a 61% jump in targets is potentially (though not necessarily) alarming. Worse, if any of this is location collection, it might reflect tens or hundreds of thousands of incidentally collected Americans affected that would not be reflected in this report. Finally, the IC has a history (until 2006, for both location and subscriber record) of yoking PRTT orders to 215 orders, and in a hearing last year, James Cole suggested that they might yoke orders in the future (specifically to get location data). So a big spike in the number of affected persons might reflect some kind of novel new application.

That’s all just guesswork, reading almost meaningless numbers to suggest last year’s numbers reflect a greater potential for funny business on the PRTT side than on Section 215.

Still, there’s the history, of how the Obama administration worked to kill a minimization effort that would have directly addressed — or even just given FISC the tools to address — illegal collection. Given that we have reason to have more confidence in the minimization on the other side, I’m far more concerned that this provision came out than that the minimization procedures did.