Since September 20, 2012, FBI Has Been Permitted to Share FISA-Derived Hacking Information with Internet Service Providers

As I noted, yesterday Reuters reported that in 2015, Yahoo had been asked to scan its incoming email for certain strings. Since that time, Yahoo has issued a non-denial denial saying the story is “misleading” (but not wrong) because the “mail scanning described in the article does not exist on our systems.”

As I suggested yesterday, I think this most likely pertains to a cybersecurity scan of some sort, in part because FISC precedents would seem to prohibit most other uses of this. I’ve addressed a lot of issues pertaining to the use of Section 702 for cybersecurity purposes here; note that FISC might approve something more exotic under a traditional warrant, especially if Yahoo were asked to scan for some closely related signatures.

If you haven’t already, you should read my piece on why I think CISA provided the government with capabilities it couldn’t get from a 702 cyber certificate, which may explain why the emphasis on present tense from Yahoo is of particular interest. I think it quite likely tech companies conduct scans using signatures from the government now, voluntarily, under CISA. It’s in their best interest to ID if their users get hacked, after all.

But in the meantime, I wanted to point out this language in the 2015 FBI minimization procedures which, according to this Thomas Hogan opinion (see footnote 19), has been in FBI minimization procedures in some form since September 20, 2012, during a period when FBI badly wanted a 702 cyber certificate.

The FBI may disseminate FISA-acquired information that … is evidence of a crime and that it reasonably believes may assist in the mitigation or prevention of computer intrusions or attacks to private entities or individuals that have been or are at risk of being victimized by such intrusions or attacks, or to private entities or individuals (such as Internet security companies and Internet Service Providers) capable of providing assistance in mitigating or preventing such intrusions or attacks. Wherever reasonably practicable, such dissemination should not include United States person identifying information unless the FBI reasonably believes it is necessary to enable the recipient to assist in the mitigation or prevention of computer intrusions or attacks. [my emphasis]

This is not surprising language: it simply permits the FBI (but not, according to my read of the minimization procedures, NSA) to share cyber signatures discovered using FISA with private sector companies, either to help them protect themselves or because private entities (specifically including ISPs) might provide assistance in mitigating attacks.

To be sure, the language falls far short of permitting FBI to demand that PRISM providers like Yahoo use the signatures to scan their own networks.

But it’s worth noting that Thomas Hogan approved a version of this language (extending permitted sharing even to physical infrastructure and kiddie porn) in 2014. He remained presiding FISA judge in 2015, and as such would probably have reviewed any exotic or new programmatic requests. So it would not be surprising if Hogan were to approve a traditional FISA order permitting FBI (just as one possible example) to ask for evidence on a foreign-used cyber signature. Sharing a signature with Yahoo — which was already permitted under minimization procedures — and asking for any results of a scan using it would not be a big stretch.

There’s one more detail worth remembering: way back the last time Yahoo challenged a PRISM order in 2007, there was significant mission creep in the demands the government made of Yahoo. In August 2007, when Yahoo was initially discussing compliance (but before it got its first orders in November 2007), the requests were fairly predictable: by my guess, just email content. But by the time Yahoo started discussing actual compliance in early 2008, the requests had expanded, apparently to include all of Yahoo’s services (communication services, information services, storage services), probably even including information internal to Yahoo on its users. Ultimately, already in 2008, Yahoo was being asked to provide nine different things on users. Given Yahoo’s unique visibility into the details of this mission creep, their lawyers may have reason to believe that a request for packet sniffing or something similar would not be far beyond what FISCR approved way back in 2008.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

7 replies
  1. jerryy says:

    Wildly off topic:

    Jim, stay safe down there, …, this might be a good time to oh, say take in an Auburn game. :)

    Back on topic, does running the scanners on the front facing Cisco routers count as ‘not on our systems’?

    • Jim White says:

      Thanks, jerryy.

      Right now, we’re probably looking at no worse than we got from Hermine last month. In fact, some friends from the Cocoa area might evacuate to our farm and bring their horses. But we will be keeping a close eye on things. Time for a trip to the feed store and to check the supply of gas for our backup generator. Already did the grocery run.

  2. SpaceLifeForm says:

    “… does not exist on our systems”
    Of course not.  It is someone else’s system that just happens to be co-located in their data centre.  Similar setup to Room 641A.
    But, in this case it is more specific than just splitting all packets off to be collected by a buffer box, to possibly be reviewed later.
    I believe they are looking for an email event to occur (or more importantly to NOT occur).
    The leak may have happened on purpose to see if the email event does NOT occur.

  3. Hieronymus Howard says:

    An added space or two between sentences does wonders for legibility—just like widened line spacing. Kudos for that.

    But check out that string above, “Similar setup to Room 641A.” Note how the line starts out with a space. This is because two soft spaces cannot format correctly at the end of a line. The second soft space will always position itself on the next line. There has to be a hard space & then a soft space to make it do right.

    This stuff was figured out years ago. *sigh.* Hard spaces are underrated in many ways & it’s a mistake to pretend that they don’t exist.

    I’ll not be posting about your HTML output choices any more. Not my problem. Besides, people come to this site to read what Marcy has to say—not about formatting glitches.

    Only other thing I noticed was, one can swipe downward & select text. But the text does not display as having been selected. If you want to do it that way, carry on. I’m all in with ya, whateva.


    • Hieronymus Howard says:

      The two spaces between sentences are gone?  Shucks, I’m always behind the curve here.

        • Hieronymus Howard says:

          Lost in spaces, part deux

          Pasting as ASCII text test:

          Are there two spaces here below?  Yes or no.

          Are there three spaces in a row?   Yeah no.

          If four, we want to know.    5     Y/N
