EO 12333


A Brief History of the PATRIOT Reauthorization Debate

I wanted to provide some background of how we got to this week’s PATRIOT Reauthorization debate to explain what I believe the surveillance boosters are really aiming for. Rather than a response to Edward Snowden, I think it is more useful to consider “reform” as an Intelligence Community effort to recreate functionalities they had and then lost in 2009.

2009 violations require NSA to start treating PATRIOT data like PATRIOT data and shut down automated functions

That history starts in 2009, when NSA was still operating under the system they had established under Stellar Wind while pretending to abide by FISC rules.

At the beginning of 2009, the NSA had probably close to full coverage of phone records in the US, and coverage on the most important Internet circuits as well. Contrary to the explicit orders of the FISC, NSA was treating all this data as EO 12333 data, not PATRIOT data.

On the Internet side, it was acquiring data that it considered Dialing, Routing, Addressing, and Signaling information but which also constituted content (and which violated the category limits Colleen Kollar-Kotelly had first imposed).

On the phone side, NSA was not only treating PATRIOT data according to NSA’s more general minimization procedures as opposed to those dictated by the FISC. But in violation of those minimization procedures, NSA was submitting phone dragnet data to all the automated procedures it submitted EO 12333 data to, which included automated searches and automatic chaining on other identifiers believed to belong to the same user (the latter of which NSA calls “correlations”). Either these procedures consisted of — or the data was also treated to — pattern analysis, chaining users on patterns rather than calls made. Of key importance, one point of having all the data in the country was to be able to run this pattern analysis. Until 2008 (and really until 2009) they were sharing the results of this data in real time.

Having both types of data allowed the NSA to chain across both telephony and Internet data (obtained under a range of authorities) in the same query, which would give them a pretty comprehensive picture of all the communications a target was engaging in, regardless of medium.

I believe this bucolic state is where the surveillance hawks want us to return to. Indeed, to a large extent that’s what Richard Burr’s bill does (with a lot of obstructive measures to make sure this process never gets exposed again).

But when DOJ disclosed the phone violations to FISC in early 2009, they shut down all those automatic processes. And Judge Reggie Walton took over 6 months before he’d even let NSA have full ability to query the data.

Then, probably in October 2009, DOJ finally confessed to FISC that every single record NSA had collected under the Internet dragnet for five years violated Kollar-Kotelly’s category rules. Walton probably shut down the dragnet on October 30, 2009, and it remained shut down until around July 2010.

At this point, not only didn’t NSA have domestic coverage that included Internet and phone, but the phone dragnet was a lot less useful than all the other phone data NSA collected because NSA couldn’t use its nifty automatic tools on it.

Attempts to restore the pre-2009 state

We know that NSA convinced John Bates to not only turn the Internet dragnet back on around July 2010 (though it took a while before they actually turned it on), but to expand collection to some or all circuits in the US. He permitted that by interpreting anything that might be Dialing, Routing, Addressing, and Signaling (DRAS) to be metadata, regardless of whether it also was content, and by pointing back to the phone dragnet to justify the extension of the Internet dragnet. Bates’ fix was short-lived, however, because by 2011, NSA shut down that dragnet. I wildarseguess that may partly be because DOJ knew it was still collecting content, and when Bates told NSA if it knew it was collecting content with upstream collection, it would be illegal (NSA destroyed the Internet dragnet data at the same time it decided to start destroying its illegal upstream data). I also think there may have been a problem with Bates’ redefinition of DRAS, because Richard Burr explicitly adopted Bates’ definition in his bill, which would have given Bates’ 2010 opinion congressional sanction. As far as we know, NSA has been coping without the domestic Internet dragnet by collecting on US person Internet data overseas, as well as off PRISM targets.

Remember, any residual problems the Internet dragnet had may have affected NSA’s ability to collect any IP-based calls or at least messaging.

Meanwhile, NSA was trying to replace the automated functions it had up until 2009, and on November 8, 2012, the NSA finally authorized a way to do that. But over the next year plus, NSA never managed to turn it on.

The phone records gap

Meanwhile, the phone dragnet was collecting less and less of the data out there. My current theory is that the gap arose because of two things involving Verizon. First, in 2009, part or all of Verizon dropped its contract with the FBI to provide enhanced call records first set up in 2002. This meant it no longer had all its data collected in a way that was useful to FBI that it could use to provide CDRs (though Verizon had already changed the way it complied with phone records in 2007, which had, by itself, created some technical issues). In addition, I suspect that as Verizon moved to 4G technology it didn’t keep the same kind of records for 4G calls that transited its backbone (which is where the records come from, not from customer bills). The problems with the Internet dragnet may have exacerbated this (and in any case, the phone dragnet orders only ask for telephony metadata, not IP metadata).

Once you lose cell calls transiting Verizon’s backbone, you’ve got a big hole in the system.

At the same time, more and more people (and, disproportionately, terrorist targets) were relying more and more on IP-based communications — Skype, especially, but also texting and other VOIP calls. And while AT&T gets some of what crosses its backbone (and had and still has a contract for that enhanced call record service with the FBI, which means it will be accessible), a lot of that would not be available as telephony. Again, any limits on Internet collection may also impact IP based calls and messaging.

Edward Snowden provides a convenient excuse

Which brings you to where the dragnets were in 2013, when Edward Snowden alerted us to their presence. The domestic PATRIOT-authorized Internet dragnet had been shut down (and with it, potentially, Internet-based calls and messaging). The phone dragnet still operated, but there were significant gaps in what the telecoms would or could turn over (though I suspect NSA still has full coverage of data that transits AT&T’s backbone). And that data couldn’t be subjected to all the nifty kinds of analysis NSA liked to subject call data to. Plus, complying with the FISC-imposed minimization procedures meant NSA could only share query results in limited situations and even then with some bureaucratic limits. Finally, it could only be used for counterterrorism programs, and such data analysis had become a critical part of all of NSA’s analysis, even including US collection.

And this is where I suspect all those stories about NSA already considering, in 2009 and in 2013, shutting down the dragnet. As both Ken Dilanian stories on this make clear, DOJ believed they could not achieve the same search results without a new law passed by Congress. Bob Litt has said the same publicly. Which makes it clear these are not plain old phone records.

So while Edward Snowden was a huge pain in the ass for the IC, he also provided the impetus to make a decision on the phone dragnet. Obama made a big show of listening to his Presidential Review Group and PCLOB, both of which said to get rid of it (the latter of which said it was not authorized by Section 215). But — as I noted at the time — moving to providers would fix some of their problems.

In their ideal world, here’s what we know the IC would like:

  • Full coverage on both telephony and IP-based calls and messaging and — ideally — other kinds of Internet communications
  • Ability to share promiscuously
  • Ability to use all NSA’s analytical tools on raw data (the data mandates are about requiring some kind of analytical work from providers)
  • Permission to use the “call” function for all intelligence purposes
  • Ability to federate queries with data collected under other authorities

And the IC wants this while retaining Section 215’s use of bulky collections that can be cross-referenced with other data, especially the other Internet collection it conducts using Section 215, which makes up a majority of Section 215 orders.

Those 5 categories are how I’ve been analyzing the various solutions (which is one of about 10 reasons I’m so certain that Mitch McConnell would never want straight reauthorization, because there’s nothing that straight reauthorization would have ratified that would have fixed the existing problems with the dragnet), while keeping in mind that as currently constructed, the Internet 215 collection is far more important to the IC than the phone dragnet.

How the bills stack up

USA F-ReDux, as currently incarnated, would vastly expand data sharing, because data would come in through FBI (as PRISM data does) and FBI metadata rules are very permissive. And it would give collection on telephony and IP-based calls (probably not from all entities, but probably from Apple, Google, and Microsoft). It would not permit use for all intelligence purposes. And it is unclear how many of NSA’s analytical tools they’d be able to use (I believe they’d have access to the “correlations” function directly, because providers would have access internally to customers’ other accounts, but with the House report, other kinds of analysis should be prohibited, though who knows what AT&T and Microsoft would do with immunity). The House report clearly envisions federated queries, but they would be awkward to integrate with the outsourced collection.

Burr’s bill, on the other hand, would expand provider based querying to all intelligence uses. But even before querying might — maybe — probably wouldn’t — move to providers in 2 years, Burr’s bill would have immediately permitted NSA to obtain all the things they’d need to return to the 2009 bucolic era where US collected data had the same treatment as EO 12333 collected data. And Burr’s bill would probably permit federated queries with all other NSA data. This is why, I think, he adopted EO 12333 minimization procedures, which are far more restrictive than what will happen when data comes in via FBI, because since it will continue to come in in bulk, it needs to have an NSA minimization procedure. Burr’s bill would also sneak the Section 215 Internet collection back into NSL production, making that data more promiscuously available as well.

In other words, this is why so many hawks in the House are happy to have USA F-ReDux: because it is vastly better than the status quo. But it’s also why so many hawks in the Senate are unsatisfied with it: because it doesn’t let the IC do the other things — some of the analytical work and easy federated queries — that they’d like, across all intelligence functions. (Ironically, that means even while they’re squawking about ISIS, the capabilities they’d really like under Burr’s bill involve entirely other kinds of targets.)

A lot of the debate about a phone dragnet fix has focused on other aspects of the bill — on transparency and reporting and so on. And while I think those things do matter (the IC clearly wants to minimize those extras, and had gutted many of them even in last year’s bill), what really matters are those 5 functionalities.

 

Mitch McConnell Suggests He Wants a Bulk Document Collection System

On May 7, the very same day the Second Circuit ruled that Congress has to say specifically what a surveillance bill means for the bill to mean that thing, Richard Burr engaged in a staged colloquy on the Senate floor where he claimed that the Section 215 bulk collection program collects IP addresses. After Andrew Blake alerted me to that and I wrote it up, Burr stuffed the claim into the memory hole and claimed, dubiously, to have made a misstatement in a planned colloquy.

Then, after Mitch McConnell created a crisis by missing the first Section 215 reauthorization deadlines, Burr submitted a bill that would immediately permit the bulk collection of IP addresses, plus a whole lot more, falsely telling reporters this was a “compromise” bill that would ensure a smooth transition between the current (phone) dragnet and its replacement system.

Which strongly suggests Burr’s initial “misstatement” was simply an attempt to create a legislative record approving a vast expansion of the current dragnet that, when he got caught, led Burr to submit a bill that actually would implement that in fact.

This has convinced me we’re going to need to watch these authoritarians like hawks, to prevent them from creating the appearance of authorizing vast surveillance systems without general knowledge that’s what’s happening.

So I reviewed the speech Mitch made on Friday (this appears after 4:30 to 15:00; unlike Burr’s speech, the congressional record does reflect what Mitch actually said; h/t Steve Aftergood for Congressional Record transcript). And amid misleading claims about what the “compromise” bill Burr was working on, Mitch suggested something remarkable: among the data he’s demanding be retained are documents, not just call data.

I’ve placed the key part of Mitch’s comments below the rule, with my interspersed comments. As I show, one thing Mitch does is accuse providers of an unwillingness to provide data when in fact what he means is far more extensive cooperation. But I’m particularly interested in what he says about data retention:

The problem, of course, is that the providers have made it abundantly clear that they will not commit to retaining the data for any period of time as contemplated by the House-passed bill unless they are legally required to do so. There is no such requirement in the bill. For example, one provider said the following: “[We are] not prepared to commit to voluntarily retain documents for any particular period of time pursuant to the proposed USA FREEDOM Act if not otherwise required by law.”

Now, one credulous journalist told me the other day that telecoms were refusing to speak to the Administration at all, which he presumably parroted from sources like Mitch. That’s funny, because not only did the telecom key to making the program work — Verizon — provide testimony to Congress (which is worth reviewing, because Verizon Associate General Counsel — and former FBI lawyer — Michael Woods pointed to precisely what the dragnet would encompass under Burr’s bill, including VOIP, peer-to-peer, and IP collection), but Senator Feinstein has repeatedly made clear the telecoms have agreed with the President to keep data for two years.

Furthermore, McConnell’s quotation of this line from a (surely highly classified) letter cannot be relied on. Verizon at first refused to retain data before it made its data handshake with the President. So when did this provider send this letter, and does their stance remain the same? Mitch doesn’t say, and given how many other misleading comments he made in his speech, it’s unwise to trust him on this point.

Most curiously, though, look at what they’re refusing to keep. Not phone data! But documents.

Both USA F-ReDux and Burr’s bill only protect messaging contents, not other kinds of content (and Burr’s excludes anything that might be Dialing, Routing, Addressing and Signaling data from his definition of content, which is the definition John Bates adopted in 2010 to be able to permit NSA to resume collecting Internet metadata in bulk). Both include remote computing services (cloud services) among the providers envisioned to be included not just under the bill, but under the “Call Detail Record” provision.

Perhaps there’s some other connotation for this use of the word “documents.” Remember, I think the major target of data retention mandates is Apple, because Jim Comey wants iMessage data that would only be available from their cloud.

But documents? What the hell kind of “Call Detail Records” is Mitch planning on here?

One more thing is remarkable about this. Mitch is suggesting it will take longer for providers to comply with this system than it took them to comply with Protect America Act. Yahoo, for example, challenged its orders and immediately refused to comply on November 8, 2007. Yet, even in spite of challenging that order and appealing, Yahoo started complying with it on May 5, 2008, that same 180-day time frame envisioned here. And virtually all of the major providers already have some kind of compliance mechanism in place, either through PRISM (Apple, Google, and Microsoft) or upstream 702 compliance (AT&T and Verizon).

Mitch McConnell and Richard Burr’s Authoritarian Power Grab Fails

Last night, Mitch McConnell dealt himself a humiliating defeat. As I correctly predicted a month before events played out, McConnell tried to create a panic that would permit him and Richard Burr to demand changes — including iMessage retention, among other things — to USA F-ReDux. That is, in fact, what Mitch attempted to do, as is evident from the authoritarian power grab Burr released around 8:30 last night (that is, technically after the Administration had already missed the FISA Court deadline to renew the dragnet).

Contrary to a lot of absolutely horrible reporting on Burr’s bill, it does not actually resemble USA F-ReDux.

As I laid out here, it would start by gutting ECPA, such that the FBI could resume using NSLs to do the bulky Internet collection that moved to Section 215 production in 2009.

It also vastly expanded the application of the call record function (which it very explicitly applied to electronic communications providers, meaning it would include all Internet production, though that is probably what USA F-ReDux does implicitly), such that it could be used against Americans for any counterterrorism or counterintelligence (which includes leaks and cybersecurity) function, and for foreigners (which would chain onto Americans) for any foreign intelligence purpose. The chaining function includes the same vague language from USA F-ReDux which, in the absence of the limiting language in the House Judiciary Committee bill report, probably lets the government chain on session identifying information (like location and cookies, but possibly even things like address books) to do pattern analysis on providers’ data. Plus, the bill might even permit the government to do this chaining in provider data, because it doesn’t define a key “permit access” term.

Burr’s bill applies EO 12333 minimization procedures (and notice), not the stronger Section 215 ones Congress mandated in 2006; while USA F-ReDux data will already be shared far more widely than it is now, this would ensure that no defendant ever gets to challenge this collection. It imposes a 3-year data retention mandate (which would be a significant new burden on both Verizon and Apple). It appears to flip the amicus provision on its head, such that if Verizon or Apple challenged retention or any other part of the program, the FISC could provide a lawyer for the tech companies and tell that lawyer to fight for retention. And in the pièce de résistance, the bill creates its very own Espionage Act imposing 10 year prison terms for anyone who reveals precisely what’s happening in this expanded querying function at providers.

It is, in short, the forced-deputization of the nation’s communications providers to conduct EO 12333 spying on Americans within America.

Had Mitch had his way, after both USA F-ReDux and his 2-month straight reauthorization failed to get cloture, he would have asked for a week extension, during which the House would have been forced to come back to work and accept — under threat of “going dark” — some of the things demanded in Burr’s bill.

It didn’t work out.

Sure, both USA F-ReDux (57-42) and the short-term reauthorization (45-54) failed cloture votes.

But as it was, USA F-ReDux had far more support than the short-term reauthorization. Both McConnell and Rand Paul voted against both, for very different reasons. The difference in the vote results, however, was that Joe Donnelly (D), Jeff Flake (R), Ron Johnson (R), James Lankford (R), Bill Nelson (D), Tim Scott (R), and Dan Sullivan (R) voted yes to both. McConnell’s preferred option didn’t even get a majority of the vote, because he lost a chunk of his members.

Then McConnell played the hand he believed would give himself and Burr leverage. The plan — as I stated — was to get a very short term reauthorization passed and in that period force through changes with the House (never mind that permitting that to happen might have cost Boehner his Speakership, that’s what McConnell and Burr had in mind).

First, McConnell asked for unanimous consent to pass an extension to June 8. (h/t joanneleon for making the clip) But Paul, reminding that this country’s founders opposed General Warrants and demanding 2 majority vote amendments, objected. McConnell then asked for a June 5 extension, to which Ron Wyden objected. McConnell asked for an extension to June 3. Martin Heinrich objected. McConnell asked for an extension to June 2. Paul objected.

McConnell’s bid failed. And he ultimately scheduled the Senate to return on Sunday afternoon, May 31.

By far the most likely outcome at this point is that enough Senators — likely candidates are Mark Kirk, Angus King, John McCain, Joni Ernst, or Susan Collins — flip their vote on USA F-ReDux, which will then be rushed to President Obama just hours before Section 215 (and with it, Lone Wolf and Roving Wiretaps) expires on June 1. But even that (because of when McConnell scheduled it) probably requires Paul to agree to an immediate vote.

But if not, it won’t be the immediate end of the world.

On this issue, too, the reporting has been horrible, even to almost universal misrepresentation of what Jim Comey said about the importance of expiring provisions — I’ve laid out what he really said and what it means here. Comey cares first and foremost about the other Section 215 uses, almost surely the bulky Internet collection that moved there in 2009. But those orders, because they’re tied to existing investigations (of presumably more focused subject than the standing counterterrorism investigation to justify the phone dragnet), will be grand-fathered at least until whatever expiration date they have hits, if not longer. So FBI will be anxious to restore that authority (or move it back to NSLs as Burr’s bill would do), especially since unlike the phone dragnet, there aren’t other ways to get the data. But there’s some time left to do that.

Comey also said the Roving Wiretap is critical. I’m guessing that’s because they use it to target things like Tor relays. But if that’s the primary secretly redefined function, they likely have learned enough about the Tor relays they’re parked on to get individual warrants. And here, too, the FBI likely won’t have to detask until expiration days on these FISA orders come due.

As for the phone dragnet and the Lone Wolf? Those are less urgent, according to Comey.

Now, that might help the Republicans who want to jam through some of Burr’s demands, since most moderate reformers assume the phone dragnet is the most important function that expires. Except that McConnell and others have spent so long pretending that this is about a phone dragnet that in truth doesn’t really work, that skittish Republicans are likely to want to appear to do all they can to keep the phone dragnet afloat.

As I said, the most likely outcome is that a number of people flip their vote and help pass USA F-ReDux.

But as with last night’s “debate,” no one really knows for sure.

GOP Brought in Guy Who Authorized Dragnet to Talk Dragnets

I’m far more alarmed by this tidbit in the latest report on the fight over USA F-ReDux than many who are commenting on it.

McConnell’s presser came following Senate lunches, during which former Attorney General Michael Mukasey, who served under George W. Bush, briefed Republicans on the importance of the surveillance authorities. While defending the NSA’s phone-records dragnet, Mukasey did say a recent federal appeals court deeming the program illegal could complicate McConnell’s efforts to renew the Patriot Act without changes, given the legal uncertainty that could result, according to two senators present.

“He did recommend some acknowledgment of the decision so that it is addressed in the legislation,” Sen. John Hoeven, a North Dakota Republican, said.

The Republicans sat down to talk about dragnet surveillance and they brought in Michael Mukasey, who not only presided over the expansion of Stellar Wind in the form of FISA Amendments Act, but authorized SPCMA after some previous DOJ officials appear to have refused to.

SPCMA, you’ll recall, is the authority to contact chain on US-person metadata collected under EO 12333 that current FBI General Counsel James Baker refused to authorize in an earlier position at DOJ in 2006 but which Mukasey signed in early 2008 (and DOJ then promptly hid from FISC as it was considering whether the contact chaining that provided particularly under PRISM was constitutionally sound). The actual authorization for it languished for several months, half-signed, before Mukasey signed it in the early part of his tenure as Attorney General.

There is reason to believe SPCMA — that is, Internet data collected overseas, in addition to telephone metadata — is where a lot of the Internet chaining currently occurs, with almost none of the controls (or subject limitations) that existed under the PATRIOT-Authorized Internet dragnet. There is also reason to believe that USA F-ReDux envisions the government federating queries of metadata collected under its new Call Detail Record function with SPCMA data. Finally, I suspect that the Second Circuit decision on Section 215 may have repercussions for SPCMA as well.

In other words, I find it fairly alarming that GOP brought in Michael Mukasey and his advice was to make a nod to the Second Circuit even while talking about why the authorities — plural — were important.

Which is to say I don’t think his acknowledgment that Courts are Courts is very comforting, given that he appears to recommend sustaining existing “surveillance authorities” in current bulk form.

USA F-ReDux Is Non-Exclusive, but the Second Circuit Might Be

I’m still trying to figure out WTF Mitch McConnell is doing with his Senate machinations over USA F-ReDux. Currently, he has both his short-term reauthorization and USA F-ReDux prepped for a vote, which probably means he’ll bring USA F-ReDux up for cloture or a vote, show that it doesn’t have enough support, and then use that to scaremonger the short-term reauthorization through as a way to wring more concessions out of the House.

Still, given what a dead-ender he is on a bill, USA F-ReDux, that gives the Intelligence Community so many goodies, I can’t help but wonder if there’s another explanation for his intransigence. I can think of one other possibility.

The House Judiciary Committee made it clear USA F-ReDux would be the exclusive means to obtain prospective Call Detail Records under Section 215:

This new mechanism is the only circumstance in which Congress contemplates the prospective, ongoing use of Section 501 of FISA in this manner.

But it made it equally clear it is not the exclusive means to obtain Call Detail Records. That’s because the report envisions conducting federated queries including “metadata [the government] already lawfully possess.”

The government may require the production of up to two ‘‘hops’’—i.e., the call detail records associated with the initial seed telephone number and call detail records (CDRs) associated with the CDRs identified in an initial ‘‘hop.’’ Subparagraph (F)(iii) provides that the government can obtain the first set of CDRs using the specific selection term approved by the FISC. In addition, the government can use the FISC-approved specific selection term to identify CDRs from metadata it already lawfully possesses. Together, the CDRs produced by the phone companies and those identified independently by the government constitute the first ‘‘hop.’’

I suggested here that that other “lawfully possessed metadata” probably consisted of data collected under EO 12333 (and permissible for chaining on US persons under SPCMA) and PRISM metadata.

But maybe that’s not all it includes. Maybe, the government has devised a way by which AT&T (or some other backbone provider) will still provide phone records in bulk on a daily basis? Maybe — as Richard Burr claimed before he later unclaimed — the government secretly maintains an IP dragnet under some other authority?

If that was the plan (though keep in mind, USA F-ReDux passed the House after the Second Circuit decision), then the Second Circuit may have ruined that effort. The ruling should limit all collection under a “relevant to” standard, not just that conducted under Section 215. And, as Faiza Patel argued, the decision should also affect collection where the government has dodged Fourth Amendment issues by focusing on “searches” rather than “seizures.”

[A]s Jennifer Daskal explained last Friday, “collection matters.” The Second Circuit rejected the government’s contention that there was no cognizable injury until plaintiffs’ phone records were actually analyzed and reviewed. It ruled that collection is properly analyzed as “seizure,” which if unlawful constitutes a separate injury from the “search” that takes place when records are analyzed either by a human being or a computer.

As the Supreme Court has recognized, in Fourth Amendment cases the analysis of standing is intertwined with the merits question of whether there has been an invasion of a protected privacy interest. Thus, the Second Circuit’s position on collection could have serious implications for other government programs beyond the standing question.

I’ve already suggested the decision might create problems for the virgin birth DOJ secretly gave to EO 12333 data used in SPCMA.

But who knows what else it applies to?

After all, USA F-ReDux was written so as to allow other dragnets (which is what EO 12333 is, after all). But the Second Circuit may pose problems for such dragnets that USA F-ReDux did not.

Going back to Richard Burr’s odd colloquy — which his office’s excuses simply cannot rationally explain — I think it (very remotely) possible the government is dragnetting IP addresses (perhaps for cybersecurity rather than counterterrorism purposes), but worries it has lost authority to do so with the Second Circuit decision. If so, it might be using this fight over counterterrorism data collection to lay congressional support for broader dragnet collection, to be able to sustain whatever other dragnets it has in place.

Michael Hayden’s Masturbatory Claims of Dragnet Efficacy

In a bid to extend a dragnet that has proven useless in the function the Intelligence Community claims it serves, Mitch McConnell is claiming there are secret reasons we need to keep the dragnet.

It’s possible this is just a tactic, to gain leverage to make USA F-ReDux even worse.

It’s possible that McConnell just wants to retain the dragnet to identify people to coerce into becoming informants, the use the FBI has claimed for the dragnet that never got included in its more public assessments of value.

It’s possible McConnell wants to retain a dragnet — and finally expand it to include most Internet metadata — because he can (and all of our Five Eyes allies have done so in the wake of Snowden’s leaks).

But I want to submit another possibility, based on the Stellar Wind IG Report.

In its assessment of the Stellar Wind dragnet — the same section that notes that 1.2% of all tips made a “significant” contribution to finding terrorists (and that measure included deporting suspected terrorists and identifying potential informants, not just identifying actual terrorists) and Internet dragnet tips had made no contribution — the report explained Michael Hayden’s justification.

Hayden also observed that the enemy may not have been as embedded in the United States as much as feared but said that he believes Stellar Wind helped determine this.

[snip]

Other witnesses, such as General Hayden, said that the value of the program may lie in its ability to help the Intelligence Community determine that the terrorist threat embedded within the country is not as great as once feared. (PDF 647, 664)

Now, remember, to justify operating this program in defiance of the law (and to justify getting FISC to rubber stamp it in 2004 in defiance of common sense), John Brennan and his colleagues would routinely write a “scary memo” to establish that the threat of a terrorist attack on the US was so big that the government needed the program. Probably, they used Khalid Sheikh Mohammed’s claim that he had gotten a Briton to recruit non-existent black Muslims in Montana to start forest fires for the 3 months of 2003 that CIA believed that ruse. We know in 2004, the CIA drummed up fear of an election year plot — seeded by a fabricator and sustained through CIA’s use of torture — to sustain the initial Internet dragnet order.

The point is, for the entire life of the dragnet, the government justified it by talking about scary terrorists embedded in the US.

And then, when challenged in 2009 to explain the value of the dragnet, Hayden explained that it was useful because it proved those claims of scary terrorists embedded in the US turned out to be overblown.

The best Hayden can offer — after years of overseeing a dragnet — is that it proved the IC’s overblown claims in the first place were overblown.

Behind all this dragnettery, then, lies a great deal of masturbatory fear-mongering.

Joel Brenner Reveals David Addington’s Sources and Methods

Several people (including Dan Froomkin) have pointed to the speech former NSA Inspector General Joel Brenner gave at NSA today for the confirmation of what was pretty clear from the joint IG Report on Stellar Wind — that David Addington ran the program out of OVP.

The seed of the problem was planted shortly after 9/11, when the White House determined to undertake certain collection outside the FISA regime under a highly classified, but now mostly declassified, program called STELLAR WIND. That program was not SAP’ed, because the creation of a new special access program requires Congressional notification, but it was run directly by the Office of the Vice President and put under the direct personal control of the Vice President’s counsel, David Addington.

But there’s another detail I find more interesting (aside from Brenner’s note that parts of the program remain classified, which people often forget).

Stellar Wind was not SAP’ed, says Joel Brenner (who was, at least according to the IG Report, not read in himself until far later than he makes out in his speech).

Because if it were SAP’ed — if it were made a Special Access Program — then Congress would have had to be notified.

I’m interested in that for two reasons.

First (and most prosaically), the Executive was messing around with the classification of Stellar Wind at least until January 2009, when they appear to have been making last minute adjustments to gain advantage in the al-Haramain suit.

More interestingly, because the Executive claims Congress was notified (even in that IG Report, though interestingly enough, some accountings of Congressional briefings got redacted in the underlying reports). Joel Brenner is here suggesting that they weren’t, really. Which is consistent with the fact that the briefing Congress got on March 10, 2004 was different in substance than what they had gotten before then.

Finally, because there are questions about when and who made the torture program a SAP. It appears not to have happened until early 2003 (and some of CIA’s own briefing records suggest that’s when the first torture briefings were, notwithstanding the September 2002 briefings for the Gang of Four).

Brenner’s suggestion makes it likely (as if it weren’t already) that that decision, too, was driven by Addington.

Did the Second Circuit Decision ALSO Blow Up SPCMA?

In a post on last week’s Second Circuit opinion finding NSA’s Section 215 phone dragnet unlawful, Faiza Patel observed that the government may have problems with the court’s ruling that a seizure of metadata can constitute an injury. She points to DOD directive 5240.1-R as a rule that may be impacted.

Second, as Jennifer Daskal explained last Friday, “collection matters.” The Second Circuit rejected the government’s contention that there was no cognizable injury until plaintiffs’ phone records were actually analyzed and reviewed. It ruled that collection is properly analyzed as “seizure,” which if unlawful constitutes a separate injury from the “search” that takes place when records are analyzed either by a human being or a computer.

As the Supreme Court has recognized, in Fourth Amendment cases the analysis of standing is intertwined with the merits question of whether there has been an invasion of a protected privacy interest. Thus, the Second Circuit’s position on collection could have serious implications for other government programs beyond the standing question.

[snip]

Another set of programs for which “collection matters” are those conducted under Executive Order 12,333. Department of Defense directive 5240.1-R, which sets out procedures for intelligence activities that affect U.S. persons, states:

Information shall be considered as “collected” only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties … Data acquired by electronic means is “collected” only when it has been processed into intelligible form. (Emphasis added.)

Although the directive does not explain what constitutes an “intelligible form” of electronic data, another regulation (USSID 18) states that information becomes “intelligible” and is therefore “collected” when a NSA analyst “intentional[ly] task[s] or select[s]” a communication of interest for “inclusion in a report or retention as a file record.” This is a critical distinction because protections for US persons under Executive Order 12,333, Presidential Policy Directive 28, and subsidiary regulations are triggered when information is “collected” per the government’s definition.

All the caveats about not being a lawyer, I think there’s a subset of practices under 5240.1-R that may be particularly acutely affected: SPCMA, the authority that the NSA uses to contact (and, presumably, connection) chain on US person metadata collected overseas.

As I pointed out here, OIPR (during a period when it was headed by current FBI General Counsel James Baker) originally informally advised that NSA had to stop chaining when it hit a US person. But then, a rather suspiciously short period after Baker left in 2007, Steven Bradbury and Ken Wainstein came up with a theory whereby such data did not count as an acquisition — because it had already been collected — and therefore could be chained through.

The fourth definition of electronic surveillance involves “the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication …. ” 50 U.S.C. § 1802(f)(2). “Wire communication” is, in turn, defined as “any communication while it is being carried by a wire, cable, or other like connection furnished or operated by any person engaged as a common carrier …. ” Id. § 1801 (1). The data that the NSA wishes to analyze already resides in its databases. The proposed analysis thus does not involve the acquisition of a communication “while it is being carried” by a connection furnished or operated by a common carrier. (S//SI)

[snip]

The current DOD procedures and their Classified Annex may be read to restrict NSA’s ability to conduct the desired communications metadata analysis, at least with respect to metadata associated with United States persons. In particular, this analysis may fall within the procedures’ definitions of, and thus restrictions on, the “interception” and “selection” of communications.

Accordingly, the Supplemental Procedures that would govern NSA’s analysis of communications metadata expressly state that the DOD Procedures and the Classified Annex do not apply to the analysis of communications metadata. Specifically, the Supplemental Procedures would clarify that “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communications, nor do they qualify as ‘us[ing] a selection term,’ including using a selection term ‘intended to intercept a communication on the basis of … [some] aspect of the content of the communication.” Once approved, the Supplemental Procedures will clarify that the communications metadata analysis the NSA wishes to conduct is not restricted by the DOD procedures and their Classified Annex. (S//SI)

As I’ve previously explained, it works out to a kind of virgin birth, all to avoid the actual seizure moment that would implicate EO 12333.

That virgin birth theory led to this paragraph in supplemental procedures that amend 5240.1-R to treat metadata analysis (it doesn’t say it here, but it means, of US persons) as something other than an interception.

(S//SI) For purposes of Procedure 5 of DoD Regulation 5240.1-R and the Classified Annex thereto contact chaining and other metadata analysis don’t qualify as the “interception” or “selection” of communications, nor do they qualify as “us[ing] a selection term,” including using a selection term “intended to intercept a communication on the basis of … [some] aspect of the content of the communication.”

I’m not sure, but Gerard Lynch’s opinion may pose real problems for this virgin birth theory. And oh, by the way, a lot of this data leads to data ending up in FBI’s hands which would be overseen by … James Baker, who may have had a problem with this argument in the past, even without the Second Circuit decision.

All of which is one way of saying that, in addition to creating some pressure on Congress to pass USA F-ReDux, this bill may have (though I await actual lawyers to consider this question) created far, far larger problems for SPCMA, which is understood to have been one of the places where the old domestic Internet dragnet went to (which might explain why Richard Burr was talking about Internet dragnets on the floor of the Senate the other day).

If so, the government has a far bigger headache than just the one created for the domestic phone metadata program.

In 2003, OLC Doubled Down on Unlimited (de)Classification Authority for the President

One of the tactics those in DOJ attempted to use in 2004 to put some controls on Stellar Wind, it appears from the DOJ IG Report, was to point to legal requirements to inform Congress (for example, to inform Congress that the Attorney General had decided not to enforce particular laws), which might have led to enough people in Congress learning of the program to impose some limits on it. For example, Robert Mueller apparently tried to get the Executive to brief the Judiciary Committees, in addition to the Gang of Four, about the program.

On March 16, 2004 Gonzales wrote a letter to Jim Comey in response to DOJ’s efforts to force the Administration to follow the law. Previous reporting revealed that Gonzales told Comey he misunderstood the White House’s interest in DOJ’s opinion.

Your memorandum appears to have been based on a misunderstanding of the President’s expectations regarding the conduct of the Department of Justice. While the President was, and remains, interested in any thoughts the Department of Justice may have on alternative ways to achieve effectively the goals of the activities authorized by the Presidential Authorization of March 11, 2004, the President has addressed definitively for the Executive Branch in the Presidential Authorization the interpretation of the law.

This appears to have led directly to Comey drafting his resignation letter.

But what previous reporting didn’t make clear was that Gonzales also claimed the Administration had unfettered authority to decide whether or not to share classified information (and that, implicitly, it could blow off statutory Congressional reporting requirements).

Gonzales’s letter also addressed Comey’s comments about congressional notification. Citing Department of the Navy v. Egan, 484 U.S. 518 (1988) and a 2003 OLC opinion, Gonzales’s letter stated that the President has the constitutional authority to define and control access to the nation’s secrets, “including authority to determine the extent to which disclosure may be made outside the Executive Branch.” (TS//STLW//SI/OC/NF) [PDF 504]

I’m interested in this as much for the timing of the memo — 2003 — as for the indication that the Executive asserted unlimited authority over classification as a way to flout reporting mandates (both with regards to Stellar Wind and, the implication is, generally as well).

The most likely time frame for this decision would be around March 25, 2003, when President Bush was also rewriting the Executive Order on classification (this EO is most famous because it gave the Vice President new authorities over classifying information). If that’s right, it would confirm that Bush’s intent with the EO (and the underlying OLC memo) was to expand the ability to invoke classification for whatever reasons.

And if that OLC opinion was written around the time of the March 2003 EO, it would mean it was on the books (and, surely, known by David Addington) when he counseled Scooter Libby in July 2003 he could leak whatever it was Dick Cheney told him to leak to Judy Miller, up to and including Valerie Plame’s identity.

But I’m also interested that this footnote was classified under STLW, the Stellar Wind marking. That may not be definitive, especially given the innocuous reference to the OLC memo. But it’s possible that means the 2003 opinion — the decision to share or not share classified information according to the whim of the President — was tied to Stellar Wind. That would be interesting given that George Tenet and John Yoo were declaring Iraq and their claimed conspirators in the US were terrorists permissible for surveillance around the same time.

Finally, I assume this OLC memo, whatever it says, is still on the books. And given how it was interpreted in the past — that OLC could simply ignore reporting mandates — and that the government continued to flout reporting mandates until at least 2010, even those tied specifically to surveillance, I assume that the Executive still believes it can use a claimed unlimited authority over classification to trump legally mandated reporting requirements.

That’s worth keeping in mind as we debate a bill, USA F-ReDux, celebrated, in part, for its reporting requirements.

How the NSA Connection Chains without Calls

For a very long time, I’ve been trying to figure out what the government means when it says it “connection chains” data call detail records under its Section 215 dragnet (and, possibly, once it passes, under USA F-ReDux).

The phone dragnet first started moving towards “connection chaining” in 2013, when Dianne Feinstein included the concept in her Fake FISA Fix.

Scope of permissible query return information:

For any query performed pursuant to paragraph (1)(D)(i), the query only may return information concerning communications—

(A) to or from the selector used to perform the query;
(B) to or from a selector in communication with the selector used to perform the query; or
(C) to or from any selector reasonably linked to the selector used to perform the query, in accordance with the court approved minimization procedures required under subsection (g). [my emphasis]

The February phone dragnet order that approved Obama’s modified approach also approved (though it may have approved earlier) chaining on “connections” in addition to “contacts” made.

The first “hop” from a seed returns results including all identifiers (and their associated metadata) with a contact and/or connection with the seed. The second “hop” returns results that include all identifiers (and their associated metadata) with a contact and/or connection with an identifier revealed by the first “hop.”

And all versions of USA Freedom Act, once the Intelligence Community got their whack at them, chained on “connections” as well as calls.

(iii) provide that the Government may require the prompt production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;

The latest version of USA F-ReDux takes a different approach, with two hops, neither of which requires that Call Detail Records — defined as a set of 5 things that may but are not required to be included, just one of which involves calls made — reflect calls made. And the second hop invokes “session identifying information” that is divorced from the definition of CDRs that excludes (for example) location data.

(iii) provide that the Government may require the prompt production of a first set of call detail records using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii);

(iv) provide that the Government may require the prompt production of a second set of call detail records using session-identifying information or a telephone calling card number identified by the specific selection term used to produce call detail records under clause (iii)

Absent more limiting language, I read this as permitting the government to require (immunized and compensated) providers to find CDRs using session identifier information that the government itself is not permitted to receive to find a set of “CDRs” of interest (again, without requiring that the CDRs have to reflect calls made, because that’s not a required aspect of the definition).

I’ve been having a hard time explaining what that might involve.

But today’s Intercept story shows what chaining NSA does that does not involve calls made.

As the slide, above (from this deck), makes clear, with data collected from Pakistan, they start with selectors of people who have not left Af-Pak, and then match phone use not involving calls made. It does this by training the computer on what is normal and what is unique to identifiers previously IDed as couriers. It proves its data works, of course, by showing that Ahmed Muwafak Zaidan is the top match, even though Zaidan isn’t a terrorist at all! But it shows that the government will use location data to “chain” on people connected primarily by location habits.

The other deck describes the Automated Bulk Cloud Analytics, SKYNET. The slide to the left describes tracking things, all but one of which involves “session identifying information” that doesn’t involve any actual calls made (though this scheme also has access to phrases made, which any domestic program could not).

  • Travel patterns, including repeated visits to particular locations (obtained using location data)
  • Patterns of call usage (incoming only, “excessive” SIM or handset swapping or power-downs probably indicating counter-surveillance)
  • Co-travelers (obtained using location data — and we know AT&T does this under Hemisphere)
  • Similar travel patterns (again, obtained using location data)
  • Common contacts

Only common contacts involve calls made (though that could even come from address books, which we know NSA collects).

And the outcome of this process is a set of identifiers — some tasked, the others not yet tasked — all of which (as either IMSIs or Handsets) would qualify as CDRs under USA F-ReDux.

None of this proves this is what the government wants to do with the hop process under USA F-ReDux.

But it does show that the NSA has a whole approach to analysis that has nothing to do with contact chaining, chaining on calls made, but instead chains on connections. The key input to that process is location data, which the government can’t obtain as a CDR under USA F-ReDux, but which telecoms need to provide service and therefore would have available to conduct analysis (and again, AT&T does some of this analysis now under Hemisphere).

These slides don’t prove that’s what the government intends under USA F-ReDux. But it does show it’s the kind of thing the NSA does, regularly, with its metadata analysis.
