In Advance of FISA Amendments Act Reauthorization, DOJ Did Not Tell Congress about Cyber Signature Collection

As I noted here, I’m working on a post that puts last week’s report on NSA’s use of upstream Section 702 collection in context.

But first, there’s one more detail that deserves its own post.

By March 23, 2012, NSA had drafted a certificate exclusively for cyber, with the intent of getting the FISC to approve it that year (which probably would have been in October). Yet “the current Certifications already allow[ed] for the tasking of [] cyber signatures such as IP addresses, strings of computer code, and similar non-email or phone number-based selectors.”

And whether or not NSA was already collecting cyber signatures in March 2012, by May, DOJ approved their collection on the Foreign Government certificate.

On May 4, 2012, DOJ sent the Intelligence Committee Chairs a white paper on Section 702 to be shared with the rest of Congress. Here’s the passage that describes how NSA uses upstream collection:

Screen Shot 2015-06-08 at 8.13.37 AM

Given that the only redaction here addresses terrorists and the unredacted remainder describes only the collection of email and phone identifiers, it seems virtually certain that the passage — and therefore the white paper — made no mention of the cyber signature collection the NSA and DOJ were actively preparing to collect, and would collect before the reauthorization of FAA that December.

It’s certainly possible DOJ gave Congress notice that the use of Section 702 had changed significantly by the time Congress voted in December, but there’s no public record of it. In the interim period, the Senate defeated a cybersecurity bill that would even have restricted NSA from obtaining domestically collected cyber data, reflecting real skepticism about spying for cybersecurity purposes in the US.

If, as the record strongly suggests, the government expanded NSA upstream 702 to include cyber signatures without telling Congress before they reauthorized the underlying authority, it would not be the first time: DOJ did not tell even the House Judiciary Committee — much less Congress as a whole — that it was using Section 215 to collect location data until after both the 2010 and 2011 Patriot Act reauthorizations.

Whatever the merit to using 702 upstream collection to hunt hackers — even ignoring the real privacy problems with it — the public record raises real questions about whether the practice was authorized and would have been authorized by Congress. Given that such collection involves an expansion of the intentional collection of domestic data, the apparent absence of Congressional sanction raises real problems about the practice (though, as I’ve suggested, Congress just retroactively authorized the use of whatever illegally-collected 702 data NSA can get FISC to approve the use of).

The NSA’s defenders like to claim Congress always gets notice. But the record shows that, over and over, NSA only asks for for forgiveness after the fact rather than asking for permission before the collection.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

5 replies
  1. scribe says:

    “…communications that contain the targeted e-mail address in the body of a communication between two third parties.”

    In other words, they’re reading the content of emails looking for an e-mail address. If there’s an e-mail address contained in the content, then they flick that one into the pile marked “Keep”. If someone were litigating a case, that statement would be fairly construable as an admission they’re reading the email. After all, how does one sort out the dross to find those communications between two third parties containing a “targeted e-mail address” if you don’t read it?

    So, does that also mean when someone writes in the text of their email “joe blow [oneword] at gmail dot com”, so as to avoid the spambots that hoover email addresses for junk emails, they’re also reading and capturing those emails? Or, more likely, they’re just copying everything and holding it until they can figure out a way to put it into the pile officially marked “Keep”?

    • emptywheel says:

      Yes, it is an admission they’re reading everything but not one that has gotten EFF in their lawsuits anywhere. Don’t know about joeblow, though.

  2. bloopie2 says:

    Off topic, but I couldn’t pass this one up: “President Barack Obama said on Monday his top national security advisers were still working to solidify their plans to train Iraqi defense forces battling ISIS in their own country.” Uhh … say what?

Comments are closed.