June 12, 2017 / by emptywheel

 

Privacy Community Lets Dan Coats Off Easy in Letter Accusing Him of Reneging on His Promise

This post may make me some enemies in DC.

But the privacy community appears to be missing some critical points in this letter accusing Dan Coats of reneging on his promise to provide an estimate of how many Americans have been sucked up in Section 702 surveillance. The letter rehearses what it claims is the history of NSA counting or not counting how many Americans get collected under Section 702, going back to 2011.

This debate began in 2011 when Senator Wyden first asked Director Clapper to provide an estimate.2 In 2012, the Inspector General of the Intelligence Community claimed that such an estimate would not be possible because the process of establishing the estimate would violate the privacy of U.S. persons, and require too many resources.3

Yet in the same letter, it claims that NSA managed to do a count of Americans implicated in upstream surveillance in 2011.

First, the NSA previously undertook an effort to provide the Foreign Intelligence Surveillance Court (FISC) with a similar estimate, and “there is no evidence that this undertaking impeded any NSA operations.”5 There, in order to address the FISC’s concerns about the number of wholly domestic communications that were being collected under Section 702, the NSA “conducted a manual review of a random sample consisting of 50,440 Internet transactions taken from the more than 13.25 million Internet transactions acquired through the NSA’s upstream collection during a six month period.”6

It is absolutely true that NSA “undertook an effort” to provide the number of Americans implicated in upstream surveillance. But it was not “a similar estimate.” On the contrary, NSA only obtained an estimate of entirely domestic communications collected as part of multiple communication transactions, MCTs. It did not — not even after Bates asked — come up with an estimate of how many entirely domestic communications NSA collected via upstream collection as single communication transactions, much less an estimate of all the Americans collected.

Here’s how John Bates described it in the opinion cited in footnote 6.

NSA’s manual review focused on examining the MCTs acquired through NSA’s upstream collection in order to assess whether any contained wholly domestic communications. Sept. 7, 2011 Hearing Tr. at 13-14. As a result, once NSA determined that a transaction contained a single, discrete communication, no further analysis of that transaction was done. See August 16 Submission at 3. After the Court expressed concern that this category of transactions might also contain wholly domestic communications, NSA conducted a further review. See Sept. 9 Submission at 4. NSA ultimately did not provide the Court with an estimate of the number of wholly domestic “about” SCTs that may be acquired through its upstream collection. Instead, NSA has concluded that “the probability of encountering wholly domestic communications in transactions that feature only a single, discrete communication should be smaller — and certainly no greater — than potentially encountering wholly domestic communications within MCTs.” Sept. 13 Submission at 2.

The Court understands this to mean that the percentage of wholly domestic communications within the universe of SCTs acquired through NSA’s upstream collection should not exceed the percentage of MCTs within its statistical sample. Since NSA found 10 MCTs with wholly domestic communications within the 5,081 MCTs reviewed, the relevant percentage is .197% (10/5,081). Aug. 16 Submission at 5.

NSA’s manual review found that approximately 90% of the 50,440 transactions in the same were SCTs. Id. at 3. Ninety percent of the approximately 13.25 million total Internet transactions acquired by NSA through its upstream collection during the six-month period, works out to be approximately 11,925,000 transactions. Those 11,925,000 transactions would constitute the universe of SCTs acquired during the six-month period, and .197% of that universe would be approximately 23,000 wholly domestic SCTs. Thus, NSA may be acquiring as many as 46,000 wholly domestic “about” SCTs each year, in addition to the 2,000-10,000 MCTs referenced above.

Now, ODNI might raise this detail and say that the 2011 review was not as intensive as the one the privacy community wants to conduct. They’d be right, not least because the upstream review should be easier to conduct than the PRISM review, even though there should be less upstream collection under the new rules (under 702, anyway — much of it would have just gone to EO 12333 collection).

But the other critical point is that, having done the sampling, NSA wasn’t even willing to give Bates the information he requested t0 explain the scope of illegal collection under Section 702.

NSA’s refusal to count all the entirely domestic communications collected in their own right is particularly important given another point that would be worth mentioning here.

It’s not so much that this debate started when Ron Wyden made his request. Rather, Ron Wyden, with Mark Udall, made a written request for such a count on the very same day, July 14, 2011, that DOJ obtained an extension to conduct the count for John Bates.

In April 2011, Wyden and Mark Udall asked for the number.

In April of 2011, our former colleague, Senator Mark Udall, and I then asked the Director of National Intelligence, James Clapper, for an estimate.

According to Clapper’s response, they sent a written letter with the request on July 14, 2011. The timing of this request is critically important because it means Wyden and Udall made the request during the period when NSA and FISA Judge John Bates were discussing the upstream violations (see this post for a timeline). As part of that long discussion Bates had NSA do analysis of how often it collected US person communications that were completely unrelated to a targeted one (MCTs). Once Bates understood the scope of the problem, he asked how many US person communications it collected that were a positive hit on the target that were the only communication collected (SCTs).

But the timing demands even closer scrutiny. On July 8, John Bates went to DOJ to express “serious concerns” — basically, warning them he might not be able to reauthorize upstream surveillance. On July 14 — the same day Wyden and Udall asked Clapper for this information — DOJ asked Bates for another extension to respond to his questions, promising more information. Clapper blew off Wyden and Udall’s request in what must be record time — on July 26. On August 16, DOJ provided their promised additional information to Bates. That ended up being a count of how many Americans were affected in MCTs.

So this debate started when Wyden, simultaneously with the FISC, asked for numbers on how many Americans were affected. But the NSA proceeded to do a count that was only partially responsive to Bates’ concerns and barely responsive to Wyden’s.

NSA did a count in 2011. But even though they had requests for a number from both other co-equal branches of government, they refused to do a responsive count, even as they were already committing the resources to doing the count.

The claim about resources made in 2011 rings hollow, because the resources were expended but the scope was narrowly drawn.

Which brings me to the last critical point here: the most likely motive for drawing the scope so narrowly even as both other co-equal branches of government were requesting the number.

In July 2010, John Bates wrote another opinion. On its face, it addressed the NSA’s collection of prohibited categories under the PR/TT Internet dragnet. But in reality, that collection was just upstream collection with some filtering to try to get down to the part of the packets that constituted metadata under rules set in 2004. Effectively, then, it was also an opinion about the deliberate collection of domestic content via upstream collection. And in that opinion, he weighed the government’s request to let it keep data it had collected that might contain entirely domestic content. Ultimately, Bates said that if the government knew it had obtained domestic content, it had to delete the data, but if it didn’t know, it could keep it.

When it is not known, and there is no reason to know, that a piece of information was acquired through electronic surveillance that was not authorized by the Court’s prior orders, the information is not subject to the criminal prohibition in Section 1809(a)(2). Of course, government officials may not avoid the strictures of Section 1809(a)(2) by cultivating a state of deliberate ignorance when reasonable inquiry would likely establish that information was indeed obtained through unauthorized electronic surveillance.

[snip]

In light of the government’s assertions of need, and in heavy reliance on the assurances of the responsible officials, the Court is prepared — albeit reluctantly — to grant the government’s request with respect to information that is not subject to Section 18099a)(2)’s prohibition. Hence, the government may access, use, and disseminate such information subject to the restrictions and procedures described above that will apply to future collection.

From that point forward, it was a precedent in the FISC that the government could obtain entirely domestic communications, provided that they didn’t know they were collecting it. But they couldn’t cultivate deliberate ignorance of what they were doing. (They still violated the precedent, but quickly destroyed all the data before they got caught in 2011.)

If the NSA knows they’re intentionally collecting entirely domestic communications, it is illegal. If the NSA doesn’t know they’re intentionally collecting entirely domestic collections, it’s not illegal.

You can see how, even with Bates’ stern warning not to deliberately cultivate ignorance, this provided a huge incentive to deliberately cultivate ignorance.

Of course, Dan Coats performed just that deliberate ignorance the other day, when Wyden made it clear Coats had signed the reauthorization certification for 702 even though the accompanying memo made it clear that the NSA would still be collection entirely domestic communications. Coats claimed they wouldn’t collect Americans’ communications even in spite of the fact that the memo accompanying his certification said it would do just that.

This is a concept the privacy community really needs to learn, quickly. Because Ron Wyden is laying all the ground work to make it clear that this is about deliberate ignorance, of just the sort that Bates said was improper, not actually a concern about resources.

Copyright © 2017 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/2017/06/12/privacy-community-lets-dan-coats-off-easy-in-letter-accusing-him-of-reneging-on-his-promise/