I Con the Record Transparency Bingo Part One: Consider the Full Surveillance Playing Hand

Several weeks ago, the government released its yearly transparency reports:

  • FISA Court’s report: This provides a very useful description of approvals viewed from the FISA Court’s perspective. While it is the least deceptive report, FISC has only released one full year (2016) and one partial year (2015) report before, so it can’t be used to study trends or history.
  • DOJ report: This is the mostly useless report, told from the government’s standpoint, reflecting how many final applications get approved. While it isn’t very useful for nuance, it is the only measure we can use to compare last year with the full history of FISA.
  • DNI report: This is the report started in the wake of the Snowden leaks and codified in the USA Freedom Act and last year’s FISA Amendments Act. Parts of this report are very useful, parts are horribly misleading (made worse by new reporting requirements pass in the FAA reauthorization). But it requires more kinds of data than the other two reports.

I’ve been meaning to write more on the transparency reports released some weeks ago (see this post debunking the claim that we can say the FISA Court has rejected more applications than in the past). But given some misunderstandings in this post, I thought it better to lay out some general principles about how to understand what the transparency reports show us.

Consider the full surveillance playing hand

FISA is just one way that the government can collect data used for national security investigations, and because it involves a secret court, it attracts more attention than the many other ways. Worse, it often attracts the focus in isolation from other surveillance methods, meaning even experts fail to consider how authorities work together to provide different parts of the government all the kinds of data they might want. Additionally, an exclusive focus on FISA may blind people to how new restrictions or permissions in one authority may lead to changes in how the government uses another authority.

National security surveillance currently includes at least the following:

  • FISA, including individualized orders, 702, and metadata collection
  • NSLs, providing some kind of metadata with little (albeit increasing) court oversight
  • Criminal investigative methods, collecting content, metadata, and business records; in 2016 this came to include Rule 41 hacking
  • Other means to collect business records, such as private sector contractors or mandated bank reporting
  • The Cybersecurity Information Sharing Act, permitting the private sector to share cyber data “voluntarily” with the government
  • EO 12333: spying conducted overseas under Article II authority; in 2017, the Obama Administration permitted the sharing of raw data within the intelligence community (which includes FBI)

Two examples of how FISA interacts with other authorities may help to demonstrate the importance of considering all these authorities together.

The Internet dragnet moves to PRISM and SPCMA

For virtually the entirety of the time the government collected Internet metadata as metadata domestically, it was breaking the law (because the concepts of metadata and content don’t apply neatly to packet based collection). From 2009 to 2011, the government tried to fake their way through this (in part by playing games with the distinction between collection and access). By the end of 2011, however, that game became legally untenable. Plus, the restrictions the FISA Court imposed on dissemination rules and purpose (NSA was only permitted to collect this data for counterterrorism purposes) made the program less useful. As a result, the government moved the function of chaining on Internet metadata to two different areas: metadata collected under PRISM (which because it was collected as content avoided the legal problems with Internet metadata collection) and metadata collected under EO 12333 and made accessible to analysts under Special Procedures approved in 2008 and extended throughout NSA in early 2011.

Some location collections moves to criminal context

As I’ve laid out, the FISC actually takes notice of rulings in the criminal context — even at the magistrate level — and adjusts FISC rulings accordingly. They’ve done this with both Post Cut Through Dialed Digits and location data. When the FISC adopted a highest common denominator for location collection, it meant that, in jurisdictions where FBI could still obtain location data with a d order, they might do that for national security purposes rather than obtain a PRTT under FISA (to say nothing of the additional paperwork). More recently, we’ve gotten hints that FBI had ways to access cell phones in a national security realm that were unavailable in a criminal realm.

This probably goes on all the time, as FBI Agents make trade offs of secrecy, notice to defendants, paperwork and oversight, and specific collection techniques to pursue national security investigations. We don’t get great numbers for FBI collection in any case, but what we do get will be significantly affected by these granular decisions made in secret.

Understand why surveillance law changes

Additionally, it’s important to understand why surveillance laws get passed.

CISA, for example, came about (among many other reasons) because Congress wouldn’t permit the government to conduct upstream collection using Section 702 for all cybersecurity purposes. Engaging in “voluntary” sharing with backbone providers gave the government data from all kinds of hostile actors (not just nation states), with fewer restrictions on sharing, no court oversight, and no disclosure requirements.

Similarly, to this day, many privacy activists and journalists misunderstand why the government was willing (nay, happy!) to adopt USA Freedom Act. It’s not that the government didn’t collect mobile data. On the contrary, the government had been obtaining cell data from AT&T since 2011, and that was probably a resumption of earlier collection incorporating FISA changed rules on location collection. Nor was it about calling card data; that had been explicitly permitted under the old program. Rather, USAF gave the government the ability to require assistance, just as it can under Section 702. While that was instrumental in getting access to Verizon cell data (which had avoided complying because it did not retain business records in the form that complied with FISA collection rules), that also gave the ability to get certain kinds of data under the “session identifier” definition of call records in the law.

Here’s a post on all the other goodies the government got with USA Freedom Act.

One more important detail virtually unmentioned in coverage of this authority: the 215 dragnet (both the old one and the USAF one) intersect with a far vaster dragnet of metadata collected under 12333. The “bulk” is achieved — and has been since 2009! — using EO 12333 data, data which doesn’t have the same restrictions on things like location data that FISA data does. Section 215 is about getting records (and correlations) that aren’t available overseas, effectively filling in the holes in data collected overseas.

All that is necessary background to understanding numbers that track just FISA (and NSL authorities). FISA is just one part of the always evolving national security collection the government does. And as permissive as a lot of people think FISA is, in many ways it is the most closely regulated part of national security collection.

7 replies
  1. SpaceLifeForm says:

    I’m sure Senator Wyden understands what is going on, no problem.


    But *not* every call or text.  I believe it is compartmented under various ‘programs’.

    If there is a *hot* investigation happening, they can locate cell phone immediately via ops like Securus.  No Stingray needed.  Though a Stingray could potentially screw up an intel op because IC may be depending on a set of towers to do the geolocation, but the target cell phone has connected to a Stingray which is mobile itself, and therefore not having a fixed tower location, can confuse the normal cell tower geo-location software.  Even an IC op using Stingray can cause problems for a different IC op that is not using Stingray type technology.  Worse for both ops if both using Stingray on same target and they both are near the target cell phone.

    But, there is no reason to believe Securus is *wide open*, even though investigators have verified their own location.

    From the justsecurity link:

    However, the number of records the NSA collected more than tripled from 151,230,968 records in 2016 to 534,396,285 in 2017.

    [This points to extensive filtering, the haystacks are too large.  A half Billion in one year is *nothing*, not even 2 million per day]

    The report states that “the government does not have the technical ability to isolate the number of unique identifiers within records received from the providers,” but does not explain why the government lacks this capability.

    [This points to compartmentization and programs.  Even DNI, NSA can not see it all]

    [The filtering, compartmentization, and programs prevent people in government from finding out if they are targets]

    [I believe this all fits in with things that have happened, esp.  wrt to say, HPSCI]







  2. SpaceLifeForm says:

    The end-around Congressional and FISC oversight

    You can find link to the Wyden letter to Ajit Pai, and a link to a website to find your cell phone location.

    All designed so that Securus can have a throw-away shell to bail out of Dodge later.


    Kevin Bankston, director of New America’s Open Technology Institute, explained in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn’t restrict disclosure to other companies, who then may disclose that same data to the government.

    He called that loophole “one of the biggest gaps in US privacy law.”

  3. SpaceLifeForm says:

    Background on how Securus was exposed, and the Missouri Boothill sheriff tied in.

    Judge denies dismissal motion; embattled sheriff remains out of office for now
    The Attorney General’s Office [Mo State, not Federal.  My edit] filed criminal charges of assault, robbery and forgery against Hutcheson in April.
    Hutcheson’s lawyer, Thomas Rynard, argued the sheriff should not be barred from office when the criminal case is pending.

    [2017-07-06] [at this point FBI involved]
    Sheriff bound over on forgery charges; case shines spotlight on notary issue

    Embattled Mississippi County Sheriff Cory Hutcheson told an FBI agent he was unaware he could not notarize his own signature on a law-enforcement document, according to court testimony.

    In addition to the felony counts, Hutcheson also faces seven misdemeanor counts of tampering with computer data and a misdemeanor count of notary misconduct.
    [Stll all MO State level charges at this point]
    Kamp’s ruling only dealt with the felony counts because the judge did not have to issue a decision for the prosecution to proceed with the misdemeanor counts, said Hutcheson’s lawyer, Scott Rosenblum.
    [Note the lawyer change.  Cory Hucheson in big trouble so he or someone got well-known lawyer from St. Louis]


    [2018-03-21]  [the Hammer drops]
    Feds indict Mississippi County Sheriff Cory Hutcheson

    Embattled Mississippi County Sheriff Cory Hutcheson has been indicted on 11 federal charges of identity theft while awaiting trial on related state charges.

    The indictment charges Hutcheson with “illegally possessing and transferring the means of identification of others, in this case mobile telephone numbers, without lawful authority, and in connection with the commission of the state felony crime of forgery,” according to the news release.
    “This office will prosecute people who violate federal law regardless of their positions,” U.S. Attorney Jeff Jensen said


  4. SpaceLifeForm says:

    Apparently, not compartmented at all.

    Locationsmart now down, because the website was such crap that one did not even need to provide a fake/forged document to access, if you knew the secret backdoor.  There is no security by obscurity.

    What this means is that non-LE people could have been told how to get info *without* providing *any* credentials.

    Wyden comments also.




    • SpaceLifeForm says:

      Senator Wyden:

      This leak, coming only days after the lax security at Securus was exposed, demonstrates how little companies throughout the wireless ecosystem value Americans’ security. It represents a clear and present danger, not just to privacy but to the financial and personal security of every American family. Because they value profits above the privacy and safety of the Americans whose locations they traffic in, the wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone.”

      “The threats to Americans’ security are grave – a hacker could have used this site to know when you were in your house so they would know when to rob it. A predator could have tracked your child’s cell phone to know when they were alone. The dangers from LocationSmart and other companies are limitless. If the FCC refuses to act after this revelation then future crimes against Americans will be the commissioners’ heads.”

  5. SpaceLifeForm says:

    The spying goes way back. 3 decades now.

    Including on US Attorneys. See DOJ, RBOCs.

    Securus, nee T-Netix, nee Tele-Matic.
    Tele-Matic formed 1986. Worked as subcontractor to AT&T.

Comments are closed.