Dianne Feinstein is the latest member of Congress to offer a non-compromise compromise to replace the compromise USA F-ReDux, this time with a bill that would:
- Impose a 2-year data mandate in some cases (which would affect Apple and Verizon most immediately)
- Extend the current dragnet order — which is already 89 days old — for an entire year
- Require certification that the providers could provider phone data before moving over to the replacement system before that year runs out
- Retain Richard Burr’s Section 215-specific Espionage Act imposing 10 year penalties on anyone who tells us what the intelligence community is really doing with the call records program
- Retain Richard Burr’s counter-productive amicus provision
- Revamps USA F-ReDux’s transparency provisions in ways that are less dishonest but just as useless
- For key authorities, allow any member of Congress (under certain limits) to learn how the government is using them
This will be a working thread.
Update: Just to clarify, I believe Feinstein’s bill is almost certainly supposed to be the “face-saving” version of USA F-ReDux referred to in this article.
Feinstein accomplishes this:
Some leaders of the House Intelligence Committee, along with supporters in the Senate, hope they can assuage the concerns of Senate Republicans by adding a certification process to ensure that telephone companies had developed the technology they needed to store the reams of data that were now gathered by the government. If the technology could not be certified, a longer transition period would kick in.
In Section 108, with the certification process.
Feinstein adds an odd data mandate — not listed in this story but a key complaint from Mitch and others — in Section 101 (page 4).
And Feinstein responds to this request,
Republicans have also expressed a desire to protect the phone companies against harassment from privacy activists over their participation in a new surveillance program.
By adopting the Section 215 dedicated Espionage Act at Section 501.
(3) DiFi’s bill explicitly permits the government to get call detail records in the old way.
(4) DiFi’s bill tweaks USA F-ReDux’s call chaining language for use with “individuals” who are not agents of foreign powers engaged in international terrorism. Those would be US persons.
(5) The data mandate is really fascinating. It only requires a company to retain data after getting a request but is vague about how much data must be retained (which is likely “all”).
(3) may include a request for an order that requires each recipient of the order under this section to retain the call detail records for up to 24 months from the date the call detail record was initially generated—
(A) if the request includes a certification made by the Director of the Federal Bureau of Investigation that the Government has reason to believe that the recipient of the order being applied for is not retaining call detail records for a period of up to 24 months and that the absence of call detail records for that period of time is resulting in, or is reasonably likely toresult in, the loss of foreign intelligence information relevant to an authorized investigation; and
(B) if the order provides that call detailrecords retained solely for purposes of complying with an order under this section may only be produced pursuant to an order under this section.
It’s an odd construct (though it does try to keep the records out of the hands of divorce lawyers, which I guess is good). Obviously, the government will have the records they actually ask for at any given time. So what it suggests is this will be a mandate on some or entire universe of the providers existing records so they can do pattern analysis.
(7) The scheme for call detail records is the same as in USA F-ReDux, but absent the HJC report language saying it can’t involve analysis I assume it does.
(12) DiFi retains the minimization procedures from USA F-ReDux.
(14) The bill adds immunity for records retention.
(17) The “limitation” language is different, and adds “indiscriminate.” Again, this still uses the IC definition of bulk, though, which is meaningless, even modified by “indiscriminate.” SST is the same, including the narrower limit for CDR function.
(19) DiFi eliminates IG reports, I guess because they show how sloppily these things are run and how generally useless they are.
(19) Here’s how DiFi deals w/Burr’s transition canard.
IN GENERAL.—The amendments made by sections 101 through 107 shall take effect on the date that is 180 days after the date of the enactment of this Act unless the President certifies to the appropriate committees of Congress that the transition from the existing procedures for the productionof business records under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.), as in effect prior to the effective date for the amendments made by section 101 through 107,to the new procedures, as amended by sections 101through 107, is not sufficiently operational to allow the timely retrieval of foreign intelligence information from recipients of an order under section 501 of such Act.
(2) EXTENSION FOR CERTIFICATION.—If the President makes a certification described in paragraph (1), the amendment made by sections 101 through 107 shall take effect on the date, that may be up to 1 year after the date of the enactment of this Act, that the President determines that the transition referred to in such paragraph is sufficiently operational to allow the timely retrieval of foreign intelligence information from recipients of an order under section 501 of such Act.
(3) LIMITATION ON TRANSITION PERIOD.—If the President makes a certification under paragraph(1) and does not determine an effective date under paragraph (2), the amendments made by sections 101 through 107 shall take effect on the date that is 1 year after the date of the enactment of this Act.
(b) NO EFFECT ON PRIOR AUTHORITY.—Nothing in this Act, or any amendment made by this Act, shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) as in effect on May 31, 2015, during the period ending on such effective date.
(c) TRANSITION.—(1) ORDERS IN EFFECT ON MA
Y 31, 2015.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, any order issued or made under title V of the Foreign Intelligence Surveillance Act of 1978 and in effect on May 31, 2015, shall continue in effect until the date of the expiration of such order.
(2) CONTINUED APPLICABILITY.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, the order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26, 2015, in Docket No. BR 15–24, may be extended by order of that court until the effective date established in subsection (a).
(3) USE OF INFORMATION.—
(A) IN GENERAL.—Information acquired from the call detail records pursuant to an order issued under section 501 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861) prior to the effective date in subsection (a) may continue to be used after the effective date of this Act, subject to the limitation in subparagraph (B).
(B) DESTRUCTION OF INFORMATION.—
Any record produced under any order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26 2015, in Docket No. BR 15–24 , or any predecessor order for such an order shall be destroyed no later than 5 years after the date such record was initially collected. Until that time, such a record may be used in accordance with the purpose prescribed and the procedures established in such order.
(23) DiFi’s bill takes out this language, which was in USA F-ReDux, in the PRTT section, but it does retain privacy procedures.
(C) For purposes of subparagraph (A), the term ‘address’ means a physical address or electronic address, such as an electronic mail address or temporarily assigned network address (including an Internet protocol address).
(24) Difi includes bulk controls on NSLs, but not the gag fix.
(26) The 215 reporting takes out the reporting on bulk collection to Congress that was in USA F-ReDux. Sharing of this is extended to everyone in Congress whom the HPSCI chair likes.
(33) DiFi gets rid of two-track reporting on all non-215 and consolidates it. The reporting is somewhat different (for example, Congress will no longer know when something has been used in a trial). DiFi pretends to extend this reporting to everyone in Congress, but since it’s subject to Congressional rules that will only happen in the senate.
(40) DiFi does include significant matter of law reporting to the appropriate committees (which exists).
(45) DiFi continues Burr’s Espionage Act.
(47) The amicus curiae is the John Bates Richard Burr version, which I think might be counterproductive.
(55) DiFi requires agencies that have not established minimization procedures required under the original EO 12333. See this post for more background.