May 2, 2016 / by emptywheel

 

2015 I Con the Record Transparency™ Working Thread

ODNI has released the Transparency Report and DOJ has released the FISA Report for 2015. The former is the first that falls under USA Freedom Act expanded reporting requirements, so I’m going to do a very detailed report on it. Here are the ODNI and DOJ equivalent reports from last year and my post on both from last year.

The big news here is a 200% plus increase, either in the reporting or the actual back door searches of US person data collected under Section 702. And remember, this doesn’t include the FBI at all.

Preamble

(2 fn 3) ODNI admits that AOUSC counts each certificate under 702 as an order, whereas ODNI counts all the certificates as one order, so ODNI makes AOUSC redact its more accurate number.

(2) The report confirms something not everyone understood before: the report counts renewals (so an order that gets renewed 4 times a year will be counted 4 times) but not modifications.

(2) ODNI here admits that selector can be a much bigger number than target — I suspect maybe a hundred times bigger (because even for Google one target will have up to 45 selectors).

Within the IC, the term “target” has multiple meanings. With respect to the statistics provided in this report, the term “target” is defined as the individual person, group, entity comprised of multiple individuals, or foreign power that uses the selector, such as a telephone number or email address. If a target were known to use four different selectors, the IC would count one target, not four.

(2) ODNI is using the timing of the implementation of USAF to not report on how the new phone dragnet works.

Title V of FISA. The IC implemented the USA FREEDOM Act’s Title V provisions on November 30, 2015, resulting in one additional month’s worth of data for calendar year 2015. Because statistical information tied to a particular FISA authority for a particular month remains classified, Title V data specifically associated with December 2015 – i.e., the information required under Section 603 (b)(4)(A) and (B) and 603 (b)(5)(A), (B) and (C) – is included only in the classified annex to this report that has been provided to Congress.

Here’s all the reporting that we don’t get this year as a result (though we appear to get the top-line for 4 and 5 — see page 8 below):

(4) the total number of orders issued pursuant to applications made under section 501(b)(2)(B) and a good faith estimate of– [This is traditional 215 orders]

(A) the number of targets of such orders; and

(B) the number of unique identifiers used to communicate information collected pursuant to such orders;

(5) the total number of orders issued pursuant to applications made under section 501(b)(2)(C) and a good faith estimate of– [This is new style phone dragnet orders]

(A) the number of targets of such orders;

(B) the number of unique identifiers used to communicate information collected pursuant to such orders; and

(C) the number of search terms that included information concerning a United States person that were used to query any database of call detail records obtained through the use of such orders;

(3) ODNI used a definition for US person that is not the one used in USAF (in that it includes incorporated and non-incorporated US persons). At one level, this should provide a more realistic number, as it might include additional targets. At another level, it could very easily hide bulky collection, both by not counting (for example) a targeted mosque or US run chat room, or for non-communications signifiers, hide that a US corporation was used as part of a selector term.

(3) As a reminder, the unique identifiers used for 215 and PRTT collection does not include non-communications identifiers (say, bank accounts) or pings (say, stingray collection). It probably also doesn’t include data flow collections.

Targeted FISA

(4/DOJ 1-2) In 2015, the government got 1,585 targeted FISA orders targeting 1,695. That’s based off 1,499 applications, of which 1,497 were for electronic surveillance only.

One of those applications was withdrawn after submission stage (which is tantamount to a denial). In addition, DOJ included a footnote reminding that they don’t include pre-final submissions withdrawn to be withdrawn, which suggests the number of what would normally count as rejections might be significant this year.

Those numbers compare with 1,519 orders affecting 1,562 targets, based off 1,416 applications, of which 1,379 were for electronic surveillance only.

So the total number of orders has gone up 4%, the number of persons affected as gone up 8.5%, and the number of applications has gone up almost 6%.

The really alarming change is in modifications. Last year, there were 19 modifications to proposed orders (1.3% of all applications); this year there were 80 modifications (5.3% of all applications).

Section 702

(5) Last year there were 94,368 targets of 702 surveillance, up from 92,707 last year, which is less than a 2% increase. But remember, for each of these targets, NSA may have a hundred or so selectors.

This is the first year I Con the Record has to report back door searches (though FBI is excluded from this reporting). Last year, there were 4,672 back door searches of US person content. In 2013, there were 198 NSA US person identifiers whitelisted, some of which will get searched more than once; there were 1,900 CIA content back door searches, representing 1,400 unique identifiers (see pages 57-58). While these numbers are not exact, that suggests there was a 223% increase in back door searches of Americans by these two “foreign” intelligence agencies. There were 9,500 NSA US person metadata queries in 2013, and CIA didn’t count them. There were 23,800 metadata searches, with one IC element not being able to provide this information. That probably means CIA was not able to, which means there may have been a 250% increase in NSA back door searches of metadata. [Update: here’s the James Clapper certification indicating that one IC agency couldn’t count this number.]

(6) NSA discretionarily reports that NSA released 4,280 reports based on 702 including US person information, of which the information was unmasked upon release in 1,122 cases and got unmasked on request in 654 cases. (Note, given the number of 702 reports they issue, this is actually impressive, but since they don’t tell us how big that number is, they don’t get the PR value of it.)

PRTT

(7) The number of PRTT orders was down last year, from 135 orders affecting 516 targets in 2014 to 90 orders affecting 456 targets in 2015. 134,987 unique identifiers were used to communicate information in those PRTT orders, but that number doesn’t include:

  • FBI orders that don’t include email addresses or phone numbers (that is, this doesn’t include Stingray use or data flow, among other usages)
  • Data turned over in hard copy or portable media (only those turning over such information electronically gets counted)

Section 215

(8/DOJ 2) Because of the transition period, the 215 numbers may be a mess (see page 2 above).

There were 142 215 applications approved last year, as compared to 170 in 2014.

There were 134 specific targets of 215 orders as compared to 160 last year (in both cases it appears all but 6% of the orders are individualized, and the discrepancy may have had to do with the timing of the year, and this may not include December at all).

There were 56 RAS approved selectors last year, as compared to 161 in 2014. These numbers are probably the same (in which case far fewer selectors are being RAS approved), but it’s possible last year’s numbers don’t include those who, by virtue of having a traditional FISA order, automatically get treated as RAS-approved. I will try to clarify this.

There were 183 US person queried identifiers last year, as compared with 227 in 2014 (this partly reflects the automatic approval of those with FISA orders). But the number for last year definitely doesn’t include phone dragnet queries in December (so compare the 183 to 208, which is what 11 months of last year’s number would be).

The DOJ report notes that,

One application made by the Government after the effective data of the business records provisions of the USA FREEDOM Act did not specifically identify an individual, account, or personal device as the specific selection term.

The footnote explains that there’s a discrepancy between the reporting requirement, which is limited to individual, account, or personal devices, and the definition of specific selection term, which also includes “address” and anything else they can get the FISC to approve. Perhaps this is just about targeting an address, or perhaps this is a bulk or bulky collection (in any case, 215 can be very bulky on its own). That’s a problem with the transparency guidelines.

There’s also one more problem. The 2015 702 reauthorization opinion revealed that in summer of last year, a PRTT used a novel interpretation of specific selection term, which FISC might have otherwise gotten an amicus for. They didn’t because by the time they considered doing so, the emergency PRTT was done. But that may mean that novel interpretation of specific selection term will never get amicus review, because it will no longer be novel.

NSLs

(9/DOJ 3) Keep in mind that the NSL numbers aren’t exactly apples to oranges, because this year adds subscriber numbers. But this is what the comparison looks like. (I will update this once I figure out why the Total NSL numbers don’t add up, which presumably has to do with how they request for subscriber information.)

Screen Shot 2016-05-02 at 4.32.28 PM

The key takeaway here is that while a lot more of the requests affect non-US persons, there were more US persons affected by non-subscriber requests than foreigners (though this sort of makes sense, as they’d be issued for US providers which would disproportionately affect US persons).

Copyright © 2016 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/2016/05/02/2015-i-con-the-record-transparency-working-thread/