May 22, 2015 / by emptywheel

 

Working Thread Burr’s 11 Bullet Points

Update May 31: I’m doing a second read of the bill and will put new things I find here in correct page order. I’ve corrected any previous errors I made with strike through. 

Richard Burr finally released the bill he pulled out of his ass. This will be a working thread.

(4) The bill defines Dialing, Routing, Addressing, and Signaling information as not-content, which would make it permissible to collect things like URLs.

(6) Look, they expanded their bulk carve-out to cloud providers.

(ii) an electronic communication service provider, when not used as part of a specific term as described in subparagraph (A), unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.

(7) SPECIFIC SELECTION TERM.—The term ‘specific selection term’—

(A) means a term or set of terms that identifies or describes a person, account, address, or personal device, or another specific term, that is used by the Government to limit the scope of tangible things sought to the greatest extent reasonably practicable, consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information; and

(B) does not include a term that solely identifies—

(i) a broad domestic geographic region, including the United States, a State, county, city, zip code, or area code, when not used as part of a specific term as described in subparagraph (A); or

(ii) an electronic communication service provider, when not used as part of a specific term as described in subparagraph (A), unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.

I’ve long noted that this language — which would prevent you from using a phone or email provider’s corporate name as your sole discriminator — did not include non-communications providers (like Western Union or Chase). But they’ve now excluded remote computing services (cloud providers) from that. Meaning they can do bulk on non-comm corporations AND cloud storage corporations.

I take that back: Burr’s bill uses the Section 702 definition of ECSP, which includes Remote Computing Services. This means Burr’s bill adds this more explicitly to those who might receive a CDR request:

any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored;

In addition, Burr’s bill does not require CDR SSTs be a specific individual or account. That means it could target a “person” (organizations like AQ can be considered a person), or an address (which could be an organization or Internet cafe’s IP address).

(29) The bill treats data from Section 215 as if it were EO 12333. As a threshold level, this is weaker minimization than under the existing program (then so was USA F-ReDux). But right now nothing under EO 12333 ever gets disclosed to defendants. So this creates a black hole, meaning this stuff will never be forcibly reviewed for constitutionality.

USE OF INFORMATION.—Information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title concerning any United States person may be used and disclosed by Federal officers and employees in accordance with the guidelines approved by the Attorney General under Executive Order 12333 (or a successor order). No otherwise privileged information acquired from tangible things received by the Federal Bureau of Investigation in accordance with the provisions of this title shall lose its privileged character. No information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title may be used or disclosed by Federal officers or employees except for lawful purposes.

Here’s what the query language looks like (the “System” is defined before–we’ll just call it PRISM-Plus here).

(C) AUTHORIZED QUERIES.—Any order referred to in paragraph (1) or a directive under section 505 may permit access to the System—

(i) to perform a query using a specific selection term for which a recorded determination has been made that the specific selection term is relevant to an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism, clandestine intelligence activities, or activities in preparation therefor;

(ii) to return information as authorized under paragraph (2); or

(iii) as may be necessary for technical assurance, data management or compliance purposes, or for the purpose of narrowing the results of queries, in which case no information produced pursuant to the order may be accessed, used, or disclosed for any other purpose, unless the information is responsive to a query authorized under paragraph (2).

(2) SCOPE OF PERMISSIBLE QUERY RETURN INFORMATION.—For any query performed pursuant to paragraph (1)(C)(i), the query only may return information concerning—

(A) a first set of call detail records using the specific selection term that satisfies the standard required under paragraph (1)(C)(i); or

(B) a second set of call detail records using session-identifying information or a telephone calling card number identified by the specific selection term used to produce call detail records under subparagraph (A).

First, note that language “permit access to the system.”  By whom?

This lets the government chain against foreigners for any FI purpose or against Americans for CT  or CI purposes (the latter of which includes cyber). This is a huge expansion off status quo.

The tech paragraph is nutty: it gives access to raw data but data obtained there can’t be used unless it’d be subject to a query. Which it wasn’t.

The querying language is the same from USA F-ReDux, which I argued required providers to do non-call chaining. I think that’s been the intent all along.

(33) Unlike USA F-ReDux, this bill doesn’t even pretend it’s only about phone companies. And this will double retention time periods for Verizon, and probably worse than that for Apple.

An electronic communication service provider shall notify the Attorney General if that service provider intends to retain its call detail records for a period less than 36 months.

When the provider refuses to keep data the FBI Director (Jim Comey, who has been whinging about iMessage for months in the guise of whinging about encryption) can get FISC to require the provider to keep data for 3 years for only FI purpose.

‘(3) ORDERS.—Upon an application made pursuant to paragraph (2), if the judge finds that the failure to retain such call detail records for a period of at least 36 months is resulting in, or is reasonably likely to result in, the loss of foreign intelligence information relevant to an investigation conducted under this title, the judge may enter an ex parte order requiring the retention of such records for a period of at least 36 months.

(36) The interim procedure expands the application, I think.

(44) There are 3 restatements of the function:

  • Tangible things
  • CDR function
  • Transition function

Only the latter has minimization procedures, but in a bizarre cut and paste fail, it requires FBI to come up with new procedures that already exist (but didn’t change the date to 2015).

(f) MINIMIZATION PROCEDURES.—Not later than 180 days after the date of the enactment of the USA PATRIOT Improvement and Reauthorization Act of 2005, the Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this section. Such minimization procedures shall include a procedure for using a reasonable articulable suspicion standard to make emergency queries of the tangible things acquired in response to an order under this section.

(45) This incents the government to go hogwild with bulk collection.

‘(h) CLARIFICATION.—Notwithstanding any other provision of law, the Government is authorized to obtain orders in accordance with this section for the purpose of obtaining tangible things produced in bulk, in the same manner as previously authorized by the court established by section 103(a) in orders issued by that court under this title prior to June 1, 2015. The Government is further authorized to continue to retain and use tangible things produced under such orders issued by that court prior to June 1, 2015, subject to any procedures prescribed by that court

(54) This has the same emergency provision as USA F-ReDux, which is an invitation for abuse and parallel construction. It’s telling that they still want this given how everything else has been permitted.

(54) They introduce the phrase “good faith” into the immunity section, but only for those being forced to retain their records.

‘(a) IN GENERAL.—No cause of action shall lie in any court against a person who—

(1) produces tangible things or provides information, facilities, or technical assistance pursuant to an order issued or an emergency directive required under this title;

(2) in good faith, retains call detail records under an order pursuant to this title; or

(3) otherwise provides technical assistance to the Government under this section or to implement this title.

(55) Burr’s bill compensates providers for all 215 compliance whereas USA F-ReDux only does for CDR function.

(57) By my read the government won’t even test its querying at providers.

(57) On June 1, 2016, they assess the cost of moving to providers. But they won’t have started that yet.

(60) Wow. Burr also eliminates all sunset for business records provision (see Section 102 here)

(a) ACCESS TO BUSINESS RECORDS AND ROVING SURVEILLANCE.—Subsection (b) of section 102 of the USA PATRIOT Improvement and Reauthorization Act of 2005 (Public Law 109–177; 50 U.S.C. 1805 note, 50 U.S.C. 1861 note, and 50 U.S.C. 1862 note) is repealed.

(66) Huh. Burr goes well beyond what USAF does in making terrorism a bigger crime, extending the prison sentences in two additional provisions.

But this is fairly shocking.

(a) ACTS OF TERRORISM TRANSCENDING NATIONAL BOUNDARIES.—Section 2332b(g)(5)(B)(i) of title 18, United States Code, is amended by inserting ‘‘924(c)(relating to use, carrying, or possession of firearms),’’ after ‘‘844(i) (relating to arson and bombing of property used in interstate commerce),’’.

This would permit DOJ to charge people busted for another felony (which isn’t that much) who brandish their guns in such a way to intimidate the government terrorists. It would make it very easy to call any dissident with a gun a terrorist, or call any looters who happen to be armed terrorists.

(67) This language moves the Internet production back to NSLs

REQUIRED CERTIFICATION.—The Director of the Federal Bureau of Investigation, or the designee of the Director in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director, may request the name, address, length of service, local and long distance toll billing records, and electronic communications transactional records of a person or entity if the Director (or the designee) certifies in writing to the wire or electronic communication service provider to which the request is made that such information is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the first amendment to the Constitution of the United States.

(68) When a bill creates its own special Espionage Act, you know they intend to break the law.

(a) PROHIBITION ON UNAUTHORIZED DISCLOSURE.—An officer, employee, contractor, or consultant of the United States, or an officer, employee, contractor, or consultant of a recipient of an order issued pursuant to title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) who—

(1) knowingly comes into possession of classified information or documents or materials containing classified information of the United States that—

(A) was submitted in connection with an application to the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a));

(B) was submitted in connection with an order approved by such court; or

(C) was acquired pursuant to an order or directive of such court; and

(2)(A) knowingly and willfully communicates, transmits, or otherwise makes available to an unauthorized person, such classified information or documents or materials; or

(B) knowingly removes such classified information or documents or materials without authority and with the intent to retain such classified information or documents or materials at an unauthorized location, shall be punished according to subsection (b).

(b) TERM OF IMPRISONMENT.—A person who violates this section shall be fined under title 18, United States Code, or—

(1) for a violation of paragraph (2)(A) of subsection (a), imprisoned for not more than 10 years; or

(2) for a violation of paragraph (2)(B) of such subsection, imprisoned for not more than 1 year, or both.

(70) The bill changes the amicus in interesting ways.

(B) COVERED MATTER.—The term ‘covered matter’ means a matter before a court established under subsection (a) or (b)—

(i) that, in the opinion of such a court, presents a legal or technical issue regarding which the court’s deliberations would benefit from participation by an amicus curiae; and

(ii) that pertains to—

(I) an application for an order under this title, title III, IV, or V of this Act, or section 703 or 704 of this Act;

(II) a review of a certification or procedures under section 702 of this Act; or

(III) a notice of non-compliance with any such order, certification, or procedures.

[snip]

(5) DUTIES.—An amicus curiae appointed under paragraph (1) to assist with the consideration of a covered matter shall carry out the duties assigned by the appointing court.

[snip]

(6) NOTIFICATION.—A court established under subsection (a) or (b) shall notify the Attorney General of each exercise of the authority to appoint an amicus curiae under paragraph (1).

First of all, this does not include all significant matters. One that would benefit might be broader, but might be more narrow.

It doesn’t include traditional FISA, nor does it include anything but certification process for 702, the latter of which suggests they have been having problems with the latter. Correction: This language is an amendment to traditional FISA so it DOES include that in its reference to “under this title.” I also think the separate language for 702 arises from the different certification process. But it seems like this language is designed to exclude something…

But non-compliance can trigger this (perhaps meaning providers can no longer have their own lawyers?)

I’m particularly intrigued that non-compliance is in here. Does that mean providers can no longer have their own lawyers? Note, too, that FISC can ask their one lawyer to represent their own views–basically no more than the staffers they already have.

Also note, the court need only appoint one lawyer here.

Which probably means this is worse than status quo.

One thing about the amicus which is very important is this is John Bates’ wish list. He was appointed by John Roberts.

Also, USAF required notice when FISC didn’t use the amicus. This only requires notice when they do.

(73) Note, I’ve always believed the fast-track to FISCR is a bad thing, because it provides a way to get appellate rubber stamp on an issue to bypass (say) the 2nd Circuit fixing something. This retains that, which leads me to believe I was right.

(74) This waters down the provider reporting permissions significantly. Fine, that’s something they can sue about!

(78) I’m not sure but I think this introduces more of a delay on new kinds of production (like under PRISM Plus??).

 

Originally Posted @ https://www.emptywheel.net/2015/05/22/working-thread-burrs-11-bullet-points/