It Is False that Downstream 702 Collection Consists Only of To and From Communications

I was swamped this week when Hoover Institute had this conference on Section 702 of FISA. But I heard so much about this panel, with Jim Baker, Susan Hennessey, Alex Abdo, and Julian Sanchez, I had to watch.

The panel generally and Hennessey especially gave far too much credence to the claim that NSA self-reported the upstream search violations revealed in the April 26 Rosemary Collyer opinion. You cannot claim NSA self-reported a problem they sat on for nine months before initially explaining, and pointedly didn’t mention in the initial reauthorization application, and that’s just one example of egregiously belated reporting described in the opinion. I’ll have far more to say about that — and NSA oversight generally — in the upcoming days.

I’m also frankly shocked that no one on the panel mentioned the approval to share EO 12333 data that was authorized between the time NSA belatedly declared these problems and the time it said it would discontinue an abusive problem. Here’s what the timing looked like:

  • January 2016: Several formal discoveries of the problems in upstream searches
  • September 26, 2016: Initial application (that didn’t disclose the problems) first submitted
  • October 24, 2016: The government first discloses the upstream search problems
  • January 3, 2017: Loretta Lynch signs procedures authorizing the sharing of raw EO 12333 data
  • March 30, 2017: The government submits their fix to upstream problems
  • April 26, 2017: Rosemary Collyer opinion authorizing the reframed upstream collection

The timing is critical because in between the time the government very belatedly revealed the problems with upstream and the time it decided to halt a narrowly defined “about” collection, it got approval to share raw EO 12333 data between agencies. The searches that NSA won’t be able to do under Section 702 are all, by definition, possible (though probably not as easy) to do under EO 12333. So the government can still obtain the very things they’ve told the FISC they won’t collect [under 702], and they can share them more easily with the FBI and CIA (which can do back door searches on them). In other words, even as the FISC was saying that the backdoor searches of upstream collection violated the Fourth Amendment, the government was self-authorizing a way to do the very same searches via means that don’t have any FISC oversight (and for which the existing oversight regime is flimsy).

But one thing that was most striking for me came when Hennessey stated “there are two forms of collection, upstream and downstream. Within downstream there’s only to and from collection.”

This is the kind of claim that seems to be correct. Indeed, much of Rosemary Collyer’s shitty opinion is premised on such an assumption. In all unclassified FISC discussions, back door searches of PRISM content are considered acceptable because (the assumption is) the searches would return only the side of the US person conversing with a foreign intelligence target. The idea is that the US person would be interesting and potentially valid foreign intelligence because they had knowingly communicated with a target.

But it is actually incorrect.

That’s because PRISM (which has been renamed “downstream” for some reason, which distracts from what kind of providers these actually are) is significantly about the collection of stored data. And the data it collects is not just electronic surveillance (that is, data in motion). As the WaPo described years ago, the NSA will collect other things that are in someone’s users account.

No government oversight body, including the Justice Department, the Foreign Intelligence Surveillance Court, intelligence committees in Congress or the president’s Privacy and Civil Liberties Oversight Board, has delved into a comparably large sample of what the NSA actually collects — not only from its targets but also from people who may cross a target’s path.

Among the latter are medical records sent from one family member to another, résumés from job hunters and academic transcripts of schoolchildren. In one photo, a young girl in religious dress beams at a camera outside a mosque.

Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risque poses in shorts and bikini tops.

I raise this not to gotcha Hennessey for making a mistake at all; as I said, on its face the statement seems to be, but is not, correct. Rather, I wanted to point to an assumption virtually everyone has been making about PRISM collection and its suitability for back door searches that may not be valid. If you think about the hack-and-leak dumps in recent years, for example, often the most damaging, as well as the most ridiculous infringements on privacy, involve email attachments, such as the list of most Democratic members of Congress’ email many passwords for which were easily obtainable online, or phone conversations about routine housekeeping or illness. And that’s just attachments; most of the PRISM providers are actually cloud storage providers, in addition to being electronic communication providers, and from the very first requests to Yahoo there was mission creep of all the types of things the government might demand.

And while NSA and FBI aren’t supposed to keep stuff that doesn’t count as foreign intelligence or criminal information, it’s clear (from the WaPo report) that NSA, at least, does.

So as we talk about how inappropriate the upstream back door searches were and are because they can search on stuff that’s not foreign intelligence information, we should remember that the very same thing is likely true of back door searches of  the fruits of searches on a person’s cloud storage account.


9 replies
  1. greengiant says:

    Drake and Binney say the NSA hoovers up every keystroke, web search, web page, email, text, voice mail, cell phone ping, what have you. Now the ISPs officially can sell every web page that they and thousands of tracker cookies are all already selling. Try searching for pressure cookers as has been mentioned here before. A question I have is what the NSA has that they do not share now?
    “Your” cloud storage account? You are in a whole lot of different cloud storage accounts besides the ones you download or send stuff to.

  2. SpaceLifeForm says:

    Upstrean, downstream, sidestream, it does not matter what words are used. If it is going over a network, it is being collected. I seriously doubt that PRISM providers are sending data to NSA via sneakernet. Tunnels more likely.

    FISC is a joke, it is a kangaroo court inside a security circus. Waste of time and money. FISC has no real enforcement authority, it is for show. FISC will never know the reality of the actual collections.

    May as well eliminate FISC. There would be no impact.

    And while at that, get rid of CAFC too; Another kangaroo court.

  3. SpaceLifeForm says:

    Supreme Court agrees to decide major privacy case on cellphone data

    The U.S. Supreme Court on Monday agreed to hear a major case on privacy rights in the digital age that will determine whether police officers need warrants to access past cellphone location information kept by wireless carriers.

  4. harpie says:

    emptywheel Retweeted Jack Goldsmith‏@jacklgoldsmith  9m9 minutes ago

    14/ Every hour they face the qu whether doing the normal thing in protecting presidential prerogatives is, with this POTUS, appropriate.

    …for example…[?]:
    John Pomfret @JEPomfret 3hr 

    David Rank, no.2 @USEmbassyBJ, has resigned, sources say. He couldn’t back Trump on climate. Rank had 27yr career including @USEmbassyKabul / Rank called a town hall meeting @USEmbassyBJ to say he could not deliver a demarche to the PRC govt over US withdrawal from @ParisAgreement 

  5. SpaceLifeForm says:

    Interesting. Suspect Comey knows, lets call it ‘stuff’ for now, that he prefers best left unsaid for a few more days.

    Former FBI director James Comey is formally refusing to answer questions submitted to him by a bipartisan group of senators, suggesting he no longer must do so as a private citizen.

    Comey sent an email from his private account last week rebuffing the seven questions that had been submitted to him by Senate Judiciary Committee Chairman Charles Grassley and the committee’s ranking Democrat Dianne Feinstein after Comey’s final testimony as FBI director to the panel last month. Comey was fired by President Donald Trump shortly after his appearance.

    • SpaceLifeForm says:

      FBI likely very busy next 72 hours in DC area.

      On May 9, immediately after the firing of FBI Director James Comey, Deputy Press Secretary Sarah Huckabee Sanders told CBS that the administration fired Comey, at least in part, because “rank-and-file” FBI employees had lost confidence in the Director—a claim that Acting FBI Director Andrew McCabe later disputed when he testified before the Senate Intelligence Committee a few days later.

Comments are closed.