EO 12333

1 2 3 19

Less than 10% of Germany’s SIGINT Spying Targets Terrorist

Sorry I’ve been AWOL. I’ve been on a trip to DC.

Among the things I did was attend a presentation from Konstantin von Notz, one of the Bundestag members who is investigating Germany’s SIGINT spying in the wake of the Snowden leaks.

He made a comment that was really telling. They asked the BND (their NSA) to reveal how many of the selectors being targeted are terrorist targets. It’s less than 10% of the selectors.

I’m not (too) surprised by the number. But it’s a telling detail. For all the fear-mongering about how the government needs dragnets to combat terrorism, the bulk of what the Germans, at least, are doing is spying to serve the self-interest of their country.

For Second Year in a Row, HPSCI Tries to Gut PCLOB

As I reported, during the passage of Intelligence Authorization last year (which ultimately got put through on the Omnibus bill, making it impossible for people to vote against), Congress implemented Intelligence Community wishes by undercutting PCLOB authority in two ways: prohibiting PCLOB from reviewing covert activities, and stripping an oversight role for PCLOB that had been passed in all versions of CISA.

In the 2017 Intelligence Authorization HPSCI passed on April 29, it continued more of the same. It does so in two ways:

Requires it to get its appropriations approved by Congress

Section 303 changes the authorizing language for PCLOB to state that it can only spend money on things if Congress specifically authorized it.

SEC. 303. AUTHORIZATION OF APPROPRIATIONS FOR PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD.

(a) REQUIREMENT FOR AUTHORIZATIONS.—Sub-section (m) of section 1061 of the Intelligence Reform and Terrorism Prevention Act of 2004 (42 U.S.C. 2000ee(m)) is amended to read as follows:

(m) FUNDING.—

(1) SPECIFIC AUTHORIZATION REQUIRED.— Appropriated funds available to the Board may be obligated or expended to carry out activities under this section only if such funds were specifically authorized by Congress for use for such activities for such fiscal year.

(2) DEFINITION.—In this subsection, the term ‘specifically authorized by Congress’ has the meaning given that term in section 504(e) of the National Security Act of 1947 (50 U.S.C. 3094(e)).’

(b) AUTHORIZATION OF APPROPRIATIONS.—There is authorized to be appropriated to the Privacy and Civil Liberties Oversight Board for fiscal year 2017 the sum of $10,081,000 to carry out the activities of the Board under section 1061 of the Intelligence Reform and Terrorism Prevention Act of 2004 (42 U.S.C. 2000ee(m)).

At one level, this looks like nothing more than bureaucratic dick-waving, a reminder to PCLOB that Congress can cut off funding if it does things like deign to comment on covert spying activities.

But — particularly given the way the Intelligence Communities stripped PCLOB’s involvement in CISA oversight at the last minute — I wonder whether this will restrict what PCLOB can do under presidential orders. Congress set up PCLOB such that its mandate covers only counterterrorism programs. But with EO 13636 (the EO that set up the information sharing system that, with significant changes, became CISA) and PPD 28, President Obama gave PCLOB a cybersecurity role beyond that defined in statute. So I wonder whether this is a way to further PCLOB remove from cybersecurity oversight than those last minute changes already did.

The authorization still granted PCLOB its requested funding (and that request did lay out those cybersecurity activities), so this may just be, for the moment, a shot across the bow.

Requires the Committee to warn the Intelligence Committees and Intelligence Agency heads before they conduct any oversight

The bill also adds new reporting requires on PCLOB, beyond the biennial reports that go to a number of congressional committees. In short, the new language requires PCLOB to warn the Intelligence Committees and the heads of an intelligence agency before they start doing any oversight.

SEC. 307. INFORMATION ON ACTIVITIES OF PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD

Section 1061(d) of the Intelligence Reform and Terrorism Prevention Act of 2004 (42 U.S.C. 2000ee(d)) is further amended by adding at the end the following new paragraph:

(5) INFORMATION.—

(A) ACTIVITIES.—In addition to the reports submitted to Congress under subsection (e)(1)(B), the Board shall ensure that each official and congressional committee specified in subparagraph (B) is kept fully and currently informed of the activities of the Board, including any significant anticipated activities.

(B) OFFICIALS AND CONGRESSIONAL COMMITTEES SPECIFIED.—The officials and congressional committees specified in this subparagraph are the following:

(i) The Director of National Intelligence.

(ii) The head of any element of the intelligence community (as defined in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4)) the activities of which are, or are anticipated to be, the subject of the review or advice of the Board.

(iii) The Permanent Select Committee on Intelligence of the House of Representatives and the Select Committee on Intelligence of the Senate.

Of particular note: if PCLOB warned the spooks, and the spooks prohibited PCLOB oversight (again), it’s not clear how the other committees of jurisdiction — which include the Judiciary, Homeland Security and House Oversight Committee, in addition to the Intelligence Committees — would get notice.

These changes are being made based on an Intelligence Committee claim that they give PCLOB — one of the very few entities that has proven to effectively oversee the Intelligence Community — more “oversight.” But it’s hard to understand how they’ll do anything more than ensure that the Intelligence Committees return to the status quo position where they’re the only entities permitted to (not) oversee the IC.

In other words, HPSCI — of all entities !!! — claims that that committee, which has serially failed at overseeing just about anything, must give the overseers greater oversight.

While It Is Reauthorizing FISA Amendments Act, Congress Should Reform Section 704

On Tuesday, the Senate Judiciary Committee had a public hearing on FISA Amendments Act reauthorization, which will take place in the next year. The hearing was treated as solely the reauthorization of Section 702 of FAA. But in fact, all of Title VII needs to be reauthorized. Which is why I think Congress should reform Section 704 — or at the very least, as a whole lot more question about how it (and by association EO 12333) is used against Americans.

As a reminder, here are the parts of Title VII authorizing collection (there are also some transparency provisions):

  • 702: Permits the government to target non-US persons located overseas based on only a FISA review of broad certifications; includes PRISM and upstream
  • 703: Requires NSA to obtain an individualized order when targeting electronic communications of US persons overseas; this is basically for collection on US persons overseas with the assistance of providers in the US
  • 704: Requires NSA to obtain an individualized order when targeting US persons overseas using means for which they’d have a reasonable expectation of privacy in the US; this is basically for spying on US persons overseas collecting overseas
  • 705a: Permits the government to apply for joint applications, effectively permitting them to do both 703 and 704 authorized spying
  • 705b: Permits the Attorney General to approve spying for US persons targeted under traditional FISA when they are located overseas

My interest in Section 704 stems from a fact that no one appears to know: NSA doesn’t use Section 703 of FAA. At all.

There’s a still-unreleased Snowden document that states that explicitly (something to the effect of, “to date [which date was probably 2012], the NSA has not used this authority”). But even some public documents make this clear. For example, the Q1 2012 Intelligence Oversight Board report, which broke out reporting for all FISA authorities used (the hidden authority is probably Title IV), lists only 704 and 705b, not 703 or 705a. More starkly, a 2010 NSA IG Report (PDF 10) discussing FISA authorities only names traditional FISA, Section 704, and Section 705b, which may mean 705a is not used either.

Screen Shot 2016-05-13 at 3.38.08 AM

I’ve been asking what this means since I first figured this out (so for two years) and not a single person has been able to explain it to me. To be fair, most simply don’t believe me that Section 703 is not used and so just blow off my question.

I think this means one (or a combination) of several things:

  • No surveillance of Americans overseas takes place with the assistance of US providers (which would trigger 703)
  • The government has some interpretation — perhaps a corollary to their claim that Americans have no expectation of privacy for any international communications — that claims they can use a lower standard for people overseas
  • The government uses traditional FISA even on people located overseas

I used to think it was this last one: that the government just went through the trouble of getting a traditional order every time it targeted a US person, meaning they’d also give the person full FISA notice if that person were prosecuted. Except I think using a traditional order to target an American overseas is actually a violation (!) that gets reported to IOB.

If it’s not that, then you would think it’d have to be the wacky interpretation, the middle option. After all, Americans are at least as likely to use Gmail as foreigners are, so to get the Gmail of Americans overseas, the NSA would presumably ask Google for assistance, and therefore trigger 703, unless there were a wacky legal interpretation to bypass that. There are things that make it clear NSA has a great deal of redundancy in its collection, even with PRISM collection, which makes it clear they do double dip, obtaining even Gmail overseas and domestically (which is why they’d have GCHQ hack Google’s overseas fiber). It’s possible, though, that the NSA conducts so much bulk collection overseas it is actually easier (or legally more permissive) to just collect US person content from bulk collections obtained overseas, thereby bypassing any domestic provider and onerous legal notice. I suppose it’s also possible that NSA now uses 703 (my proof they don’t dates to 2012 or earlier), having had to resort to playing by the rules as more providers lock up their data better in the wake of the Snowden revelations. (Note, Mieke Eoyang has an interesting FAA suggestion that would require exclusivity when NSA accesses content from US providers, thereby preventing them from stealing Google data overseas.)

My first point, then, in raising 704 is to say Congress and advocates should use this opportunity to figure out which of these options it is. Why is it that members of Congress still brag about having got NSA to accede to 703 when 703 is not used? What does it mean that they’re not using it?

But here’s my other concern. If the first option is the answer — that is, if overseas collection is so thorough that NSA can collect on someone, if there are reasons to, without using any provider, it means there’s a shit-ton of American content — both of people located in the US and overseas — accessible in NSA’s collections. We knew that. But it’d say even US provider content is available in great volume (which would be doable for any of them not using encryption in motion).

My other concern is that Americans overseas may actually have more protections than Americans in the US.

FISA is pretty strict about location: the 700s only apply to people overseas, except for 705b, which is supposed to be tied to someone mostly in the US but heading to China on a business trip. Screwing that up is a violation that gets reported to the IOB.

Add to that the fact that (as I understand it) NSA can access already-collected US person content collected under EO 12333 with the approval of the Attorney General.

If I’m right about all this (a big if, given how little anyone knows about this), then it would say accessing the bulk collected communications of an American overseas would require a 704 order, whereas accessing the bulk collected communications of an American who was herself located in the US, but whose communications were located overseas, would only require AG approval. That can’t be right, can it? Perhaps 704 gives the government some added authorities, such as the ability to target someone using XKeyscore. But we know NSA has collected “vast troves” of US person data overseas, and we know that Assistant Attorney General John Carlin doesn’t think his department should oversee that collection at all! Carlin stated clearly in February 2014 that even “vast troves” of US person data collected “incidentally” (which, under bulk collection, would mean all of it transiting overseas) get no FISA protection.

So in addition to politely requesting that Congress figures out how it is that NSA doesn’t use Section 703, at all, I’d also like to politely suggest that 704 protections or the equivalent be extended to Americans who are located in the US but whose communications have gone to Europe without them.

There has been a lot of discussion about how the NSA accesses the content of US persons who are themselves located in the US but whose communications get collected “overseas.” That has been treated as an EO 12333 issue (and as such, something that would take pulling teeth to get the Executive to agree to change). But there’s a mirror image of that problem, I think, in the Section 704 question. So perhaps shoring up Section 704 is the way to deal with both?

James Clapper’s Latest Effort To Fearmonger about Snowden’s Damage

In addition to getting him to admit the US can’t fix the Middle East but we have to stay because our “leadership” is needed there, in this column David Ignatius asked James Clapper, again, about how much damage Edward Snowden has caused.

Clapper said the United States still can’t be certain how much harm was done to intelligence collection by the revelations of disaffected National Security Agency contractor Edward Snowden. “We’ve been very conservative in the damage assessment. Overall, there’s a lot,” Clapper said, noting that the Snowden disclosures made terrorist groups “very security-conscious” and speeded the move to unbreakable encryption of data. And he said the Snowden revelations may not have ended: “The assumption is that there are a lot more documents out there in escrow [to be revealed] at a time of his choosing.”

Let’s unpack this.

Clapper provides two pieces of evidence for damage:

  1. Snowden disclosures have made terrorist groups “very security-conscious”
  2. Snowden disclosures have “speeded the move” [by whom, it’s not entirely clear] to unbreakable encryption

That’s a bit funny, because what we saw from the terrorist cell that ravaged Paris and Belgium was — as The Grugq describes it — “drug dealer tradecraft writ large.” Stuff that they could have learned from watching the Wire a decade ago, with a good deal of sloppiness added in. With almost no hints of the use of encryption.

If the most dangerous terrorists today are using operational security that they could have learned years before Snowden, then his damage is not all that great.

Unless Clapper means, when he discusses the use of unbreakable encryption, us? Terrorists were already using encryption, but journalists and lawyers and US-based activists might not have been (activists in more dangerous places might have been using encryption that the State Department made available).

Neither of those developments should be that horrible. Which may be why Clapper says, “We’ve been very conservative in the damage assessment” even while insisting there’s a lot. Because this is not all that impressive, unless as Chief Spook you think you should have access to the communications of journalists and lawyers and activists.

I’m most interested, however, in this escrow idea.

“The assumption is that there are a lot more documents out there in escrow [to be revealed] at a time of his choosing.”

Snowden and Glenn Greenwald and Laura Poitras and Bart Gellman have said about a zillion times that Snowden handed everything off before he went to Russia. And everyone who knows anything about Russia would assume if he brought documents there, Putin has had them for almost 3 years.

Sure, there are surely documents that reporters have that, reviewed in the future by other people, may result in new disclosures. But the suggestion that Snowden himself is asking the journalists to hold back some of the documents “in escrow” is rather curious. Why would Snowden withhold documents until such time that the technology behind disclosures would be out of date.

I mean, it’s useful as a basis to claim that Snowden will continue to damage the IC when there’s actually not that much evidence he already has. But it doesn’t make much sense to me.

Ah well. In the article Clapper says he’ll be around for 265 days, which means around February 9 of next year, someone else will take up fearmongering about Edward Snowden.

DOJ Confirms One or More Agencies Acted Consistent with John Yoo’s Crummy Opinion

There’s a whiff of panic in DOJ’s response to ACLU’s latest brief in the common commercial services OLC memo, which was submitted last Thursday. They really don’t want to release this memo.

As you recall, this is a memo Ron Wyden has been hinting about forever, stating that it interprets the law other than most people understand it to be. After I wrote about it a bunch of times and pointed out it was apparently closely related to cybersecurity, ACLU finally showed some interest and FOIAed, then sued, for it. In March, DOJ made some silly (but typical) claims about it, including that ACLU had already tried but failed to get the memo as part of their suit for Stellar Wind documents (which got combined with EPIC’s suit for electronic surveillance documents). In response, Ron Wyden wrote a letter to Attorney General Loretta Lynch, noting a lie DOJ made in DOJ’s filings in the case, followed by an amicus brief asking the judge in the case to read the secret appendix to the letter he wrote to Lynch. In it, Wyden complained that DOJ wouldn’t let him read his secret declaration submitted in the case (making it clear they’re being kept secret for strategic reasons more than sources and methods), but asking that the court read his own appendix without saying what was in it.

Which brings us to last week’s response.

DOJ is relying on an opinion the 2nd circuit released last year in ACLU’s Awlaki drone memo case that found that if a significant delay passed between the time an opinion was issued and executive branch officials spoke publicly about it — as passed between the time someone wrote a memo for President Bush’s “close legal advisor” in 2002 about drone killings (potentially of American citizens) and the time Executive branch officials stopped hiding the fact they were planning on drone-killing an American citizen in 2010, then the government can still hide the memo.(I guess we’re not allowed to learn that Kamal Derwish was intentionally, not incidentally, drone-killed in 2002?)

This is, in my understanding, narrower protection for documents withheld under the b5 deliberative privilege exemption than exists in the DC Circuit, especially given that the 2nd circuit forced the government to turn over the Awlaki memos because they had been acknowledged.

In other words, they’re trying to use that 2nd circuit opinion to avoid releasing this memo.

To do that they’re making two key arguments that, in their effort to keep the memo secret, end up revealing a fair amount they’re trying to keep secret. First, they’re arguing (as they did earlier) that the ACLU has already had a shot at getting this memo (in an earlier lawsuit for memos relating to Stellar Wind) and lost.

There’s just one problem with that. As I noted earlier, the ACLU’s suit got joined with EPIC’s, but they asked for different things. ACLU asked for Stellar Wind documents, whereas EPIC asked more broadly for electronic surveillance ones. So when the ACLU argued for it, they were assuming it was Stellar Wind, not something that now appears to (also) relate to cybersecurity.

Indeed, the government suggests the ACLU shouldn’t assume this is a “Terrorist Surveillance Program” document.

7 Plaintiffs conclude that the OLC memorandum at issue here must relate to the Terrorist Surveillance Program and the reauthorization of that program because the attorney who authored the memorandum also authored memoranda on the Terrorist Surveillance Program. Pls.’ Opp. at 10. The fact that two OLC memoranda share an author of course establishes nothing about the documents’ contents, nature, purpose, or effect.

Suggesting (though not stating) the memo is not about TSP is not the same as saying it is not about Stellar Wind or the larger dragnets Bush had going on. But it should mean ACLU gets another shot at it, since they were looking only for SW documents the last time.

Which is interesting given the way DOJ argues, much more extensively, that this memo does not amount to working law. It starts by suggesting Wyden’s filing arguing a “key assertion” in the government’s briefs is wrong.

3 Senator Wyden asks the Court to review a classified attachment to a letter he sent Attorney General Loretta Lynch in support of his claim that a “key assertion” in the Government’s motion papers is “inaccurate.” Amicus Br. at 4. The Government will make the classified attachment available for the Court’s review ex parte and in camera. For the reasons explained in this memorandum, however, the Senator’s claim of inaccuracy is based not on any inaccurate or incomplete facts, but rather on a fundamental misunderstanding of the “working law” doctrine.

In doing so, it reveals (what we already expected but which Wyden, but apparently not DOJ, was discreet enough not to say publicly) that the government did whatever this John Yoo memo said government could do.

But, it argues (relying on both the DC and 2nd circuit opinions on this) that just because the government did the same thing a memo said would be legal (such as, say, drone-killing a US person with no due process), it doesn’t mean they relied on the memo’s advice when they took that action.

The mere fact that an agency “relies” on an OLC legal advice memorandum, by acting in a manner that is consistent with the advice, Pls.’ Opp. at 11, does not make it “working law.” OLC memoranda fundamentally lack the essential ingredient of “working law”: they do not establish agency policy. See New York Times, 806 F.3d at 687; Brennan Center, 697 F.3d at 203; EFF, 739 F.3d at 10. It is the agency, and not OLC (or any other legal adviser), that has the authority to establish agency policy. If OLC advises that a contemplated policy action is lawful, and the agency considers the opinion and elects to take the action, that does not mean that the advice becomes the policy of that agency. It remains legal advice. 5

5 Nor could the fact that any agency elects to engage in conduct consistent with what an OLC opinion has advised is lawful possibly constitute adoption of that legal advice, because taking such action does not show the requisite express adoption of both the reasoning and conclusion of OLC’s legal advice. See Brennan Center, 697 F.3d at 206; Wood, 432 F.3d at 84; La Raza, 411 F.3d at 358.

Effectively, DOJ is saying that John Yoo wrote another stupid memo just weeks before he left, the government took the action described in the stupid memo, but from that the courts should not assume that the government took Yoo’s advice, this time.

One reason they’re suggesting this isn’t TSP (which is not the same as saying it’s not Stellar Wind) is because it would mean the government did not (in 2005, when Bush admitted to a subset of things called TSP) confirm this action in the same way Obama officials danced around hailing that they had killed Anwar al-Awlaki, which led to us getting copies of the memos used to justify killing him.

In short, the government followed Yoo’s advice, just without admitting they were following his shitty logic again.

Domestic Collection and Stellar Wind

I’m in the middle of comparing John Yoo’s May 17, 2002 letter to Colleen Kollar-Kotelly (which is largely the November 2, 2001 justification he wrote for Stellar Wind) with Jack Goldsmith’s May 6, 2004 memo on Stellar Wind, which reined in some aspects of Stellar Wind. And I realized something about the authorization process.

On page 17 of his memo, Goldsmith describes the previous opinions issued by OLC. The discussion is largely redacted, but it does describe say the October 4, 2001 memo “evaluated the legality of a hypothetical electronic surveillance program,” whereas the November 2, 2001 memo “examined the authorities granted by the President in the November 2, 2001 Authorization of STELLAR WIND and concluded that they were lawful.”

Already, that’s an interesting assertion given that the Yoo letter doesn’t do that entirely. First, at least in the letter to Kollar-Kotelly, Yoo also treated the program as hypothetical.

Electronic surveillance techniques would be part of this effort. The President would order warrantless surveillance in order to gather intelligence that would be used to prevent and deter future attacks on the United States. Given that the September 11 attacks were launched and carried out from within the United States itself, an effective surveillance program might include individuals and communications within the continental United States. This would be novel in two respects. Without access to any non-public sources, it is our understanding that generally the National Security Agency (NSA) only conducts electronic surveillance outside the United States that do not involve United States persons. Usually, surveillance of communications by United States persons within the unites states is conducted by the FBI pursuant to a warrant obtained under the Foreign Intelligence Surveillance Act (“FISA”). Second, interception could include electronic messages carried through the internet, which again could include communications within the United States involving United States persons. Currently, it is our understanding that neither the NSA nor law enforcement conducts broad monitoring of electronic communications in this matter within the United States, without specific authorization under FISA.

[snip]

Thus, for example, all communications between United States persons, whether in the United States or not, and individuals in [redacted–likely Afghanistan] might be intercepted. The President might direct the NSA to intercept communications between suspected terrorists, even if one of the parties is a United States person and the communication takes place between the United States and abroad. The non-content portion of electronic mail communications also might be intercepted, even if one of parties is within the United States, or one or both of the parties are non-citizen U.S. persons (i.e., a permanent resident alien). Such operations would expand the NSA’s functions beyond the monitoring only of international communications of non-U.S. persons. [my emphasis]

Importantly, these hypothetical descriptions come from the section of Yoo’s letter before it appears to begin tracking his earlier memo closely. So it’s unclear whether this description of Stellar Wind matches the one in the November 2 memo. It’s certainly possible that Yoo gave an incomplete version of what he had in the earlier memo or even pulled in (hypothetical) language from the October 4 memo. It’s possible, too, that language on domestic content collection reflected a retroactive review Yoo did of the first authorization. (An extended discussion of how Yoo’s early memos track the Authorizations — including discussion of another hypothetical memo Yoo wrote on September 17 — starts at PDF 361.)

Of particular interest, this hypothetical description includes the possibility of intercepting entirely domestic Internet communications (see emphasized language). We know — from the unredacted NSA Stellar Wind IG Report and even from the redacted Joint IG Report — that was something included in the first presidential Authorization, but not the subsequent ones.

The wording of the first authorization could have been interpreted to allow domestic content collection where both communicants were located in the U.S. or were U.S. persons. General Hayden recalled that when the Counsel to the Vice President pointed this out, General Hayden told him that NSA would not collect domestic communications because 1) NSA was a foreign intelligence agency, 2) NSA infrastructure did not support domestic collection, and 3) his personal standard was so high that there would be no problem getting a FISC order for domestic collection.

We also know NSA did collect some domestic collection — on about 3,000 selectors, possibly triggered to non-US persons within the US — at least until Stellar Wind got transitioned to FISA in 2009.

This is a minor, but potentially important one. Yoo was writing hypothetical authorizations for stuff the NSA later pretended not to be authorized to do, but was doing. Those earlier hypothetical authorizations didn’t go away. And therefore, no matter what the authorizations said, there’d still be that authorization sitting there.

SS7 and NSA’s Redundant Spying

SS7 countermeasuresOn Sunday, 60 Minutes brought attention to an issue first exposed by researchers some years back: the ease with which people can use the SS7 system that facilitates global mobile phone interoperability to spy on you.

Sharyn Alfonsi: If you just have somebody’s phone number, what could you do?

Karsten Nohl: Track their whereabouts, know where they go for work, which other people they meet when– You can spy on whom they call and what they say over the phone. And you can read their texts.

60 Minutes was smart in that they got Congressman Ted Lieu to agree to be targeted.

Congressman Lieu didn’t have to do anything to get attacked.

All Karsten Nohl’s team in Berlin needed to get into the congressman’s phone was the number. Remember SS7 –that little-known global phone network we told you about earlier?

Karsten Nohl: I’ve been tracking the congressman.

[snip]Sharyn Alfonsi: Are you able to track his movements even if he moves the location services and turns that off?

Karsten Nohl: Yes. The mobile network independent from the little GPS chip in your phone, knows where you are. So any choices that a congressman could’ve made, choosing a phone, choosing a pin number, installing or not installing certain apps, have no influence over what we are showing because this is targeting the mobile network. That of course, is not controlled by any one customer.

[snip]

Sharyn Alfonsi: What is your reaction to knowing that they were listening to all of your calls?

Rep. Ted Lieu: I have two. First, it’s really creepy. And second, it makes me angry.

Sharyn Alfonsi: Makes you angry, why?

Rep. Ted Lieu: They could hear any call of pretty much anyone who has a smartphone. It could be stock trades you want someone to execute. It could be calls with a bank.

Karsten Nohl’s team automatically logged the number of every phone that called Congressman Lieu — which means there’s a lot more damage that could be done than just intercepting that one phone call.

So now Lieu is furious — and pushing House Oversight Committee to conduct an investigation into SS7’s vulnerabilities.

Of course, it’s probably best to think of SS7’s vulnerabilities not as a “flaw,” as 60 Minutes describes it, but a feature. The countries that collectively aren’t demanding change are also using this vulnerability to spy on their subjects and adversaries.

But the fact that Lieu — who really is one of the smartest Members of Congress on surveillance issues — is only now copping onto the vulnerabilities with SS7 suggests how stunted our debate over dragnet surveillance was and is. For two years, we debated how to shut down the Section 215 dragnet, which collected a set of phone records that was significantly redundant with what we collected “overseas” — though in fact the telecoms’ production of such records was mixed together until 2009, suggesting for years Section 215 probably served primarily as legal cover, not the actual authorization for the collection method used. We had very credulous journalists talking about what a big gap in cell phone records NSA faced, in part because FISC frowned on letting NSA collect location data domestically. Yet all the while (as some smarter commenters here have said), NSA was surely exploiting SS7 to collect all the cell phone records it needed, including the location data. Members of Congress like Lieu — on neither the House Intelligence (which presumably has been briefed) or the House Judiciary Committees — would probably not get briefed on the degree to which our intelligence community thrives on using SS7’s vulnerabilities.

What I find perhaps most interesting about this new flurry of attention on SS7 is that the researchers behind it were hired by some “international telecoms” to find ways to improve security sometime in advance of December 2014 (when they first presented their work). The original CCC presentation on this vulnerability (see after 40:00) included a general discussion of what cell phone providers could do to increase the security of their users (see above). 60 Minutes noted that some US providers were doing more than others.

The NSA presumably could and did use entirely SS7 collection for cell phones — especially US based ones — until such time as domestic providers started making them less accessible (and once they were unaccessible overseas, then subject to legal process, though even some of the countermeasures would still leave a US user exposed to other US providers). That needs to be understood (should have been, before the passage of USA Freedom) to really understand the degree to which Congress has any influence over the NSA.

DOJ Places David Barron’s Anwar Awlaki Memos on the “Not Selected for Publication”

Sometime between March 27 and April 15 of last year, the Office of Legal Counsel posted the two memos David Barron wrote authorizing the execution of Anwar al-Awlaki (February 19, 2010; July 16, 2010) on its list of memos “Not selected for publication” in its reading room. The website explains that these are memos that have been posted through discretionary release, but “may not reflect the Office’s current views.”

Consistent with the President’s FOIA memorandum dated January 21, 2009, and the Attorney General’s FOIA guidelines dated March 19, 2009, OLC sometimes releases requested records as a matter of discretion, even if they fall within the scope of a FOIA exemption or have not been the subject of a FOIA request.  To make such documents generally available when they are the subject of repeated requests or may be of public or historical interest, the Office may post them in this electronic reading room.  Documents posted in this electronic reading room are being disclosed through discretionary release, but they have not been selected for official publication and thus they are not included among the Office’s formal published opinions.  Although these records may be of public or historical interest, the views expressed in some of these records may not reflect the Office’s current views.

Of course, a number of the memos (most but not all of which are tied to the war on terror) weren’t released at DOJ’s discretion. Rather, some of these memos (including the two Awlaki ones) were released after DOJ tried to suppress them, only to have a Federal judge force their release.

I’ve got a call in to see if OLC has some easy explanation. But I’m wondering if it means DOJ may have thought better of now Circuit Court judge David Barron’s advice that you can kill an American citizen with no real due process.

Particularly given the timing, I’m wondering whether any change in DOJ’s views about these memos would affect American citizens overseas, such as Liban Haji Mohamed, a Somali American who was put on the Most Wanted List last year, then detained (never to publicly have shown up in an American court) on March 2, 2015. Unlike Anwar al-Awlaki, Mohamed (who is the brother of Gulet Mohamed, who has had a whole different set of problems with the government) has actually been indicted.

ACLU’s Jameel Jaffer points to a potentially more cynical (and therefore likely) explanation though. As he noted last year, at about the same time DOJ was deeming the Barron memos discretionary releases, it submitted a filing in their lawsuit against ACLU, insisting that having been ordered by a court to release the memo doesn’t count as official disclosure. In a footnote of the April 2 filing, DOJ claimed,

We further note that the Court’s release of the OLC-DOD Memorandum and its order compelling disclosure by the government of additional information would not themselves constitute an independent official disclosure or waiver by the government that would strip protection from otherwise exempt information and material.

That is, during precisely the time period when it was deeming this memo discretionary on its website, it was making that argument to the courts.

So I assume they believe they still have the right to execute American citizens at their discretion. And keep their rationale for doing so secret.

The Obama Administration Almost Doubled Down on Yoo’s Illegality

Over at JustSecurity the other day, ACLU’s Patrick Toomey argued that the Administration’s current interpretation of FISA — especially its embrace of upstream surveillance — means the Obama Administration has gone beyond John Yoo’s thinking on surveillance as exhibited in his May 17, 2002 letter to FISC judge Colleen Kollar-Kotelly.

Perhaps most remarkably, however, the Obama Justice Department has pressed legal theories even more expansive and extreme than Yoo himself was willing to embrace. Yoo rounded out his Stellar Wind memo with an effort to reassure Judge Kollar-Kotelly that the government’s legal interpretation had limits, saying: “Just to be clear in conclusion. We are not claiming that the government has an unrestricted right to examine the contents of all international letters and other forms of communication.” But that is essentially the power the NSA claims today when it conducts Upstream surveillance of Americans’ Internet communications. The NSA has installed surveillance equipment at numerous chokepoints on the Internet backbone, and it is using that equipment to search the contents of communications entering or leaving the country in bulk. As the ACLU recently explained in Wikimedia v. NSA, this surveillance is the digital analogue of having a government agent open every letter that comes through a mail processing center to read its contents before determining which letters to keep. In other words, today the Obama administration is defending surveillance that was a bridge too far for even John Yoo.

I’m not sure I’m convinced. After all, the Administration claims it is not examining the contents of all international letters, but rather only looking at those where selected identifiers show up in data packets. Yeah, I know it’s a bullshit argument, but they pretend that’s not searching the contents, really. Moreover we have substantial reason to believe they were doing (some) of this anyway.

But there is a curious relationship between a claim Yoo made in his letter and the Obama Administration’s views on FISA.

In the letter, Yoo writes,

FISA purports to be the exclusive means for conducting electronic surveillance for foreign intelligence, … FISA establishes criminal and civil sanctions for anyone who engages in electronic surveillance, under color of law, except as authorized by statute, warrant, or court order. 50 U.S.C. § 1809-10. It might be thought, therefore, that a warrantless surveillance program, even if undertaken to protect the national security, would violate FISA’s criminal and civil liability provisions.

Such a reading of FISA would be an unconstitutional infringement on the President’s Article II authorities. FISA can regulate foreign intelligence surveillance only to the extent permitted by the Constitution’s enumeration of congressional authority and the separation of powers.

[snip]

[A]s we explained to Congress during the passage of the Patriot Act, the ultimate test of whether the government may engage in foreign surveillance is whether the government’s conduct is consistent with the Fourth Amendment, not whether it meets FISA.

This is especially the case where, as here, the executive branch possess [sic] the inherent constitutional power to conduct warrantless searches for national security purposes.

Effectively, Yoo is saying that even if they blow off FISA, they will be immune from the penalties under 50 USC §1809-10 so long as what they were doing fulfilled the Fourth Amendment, including an expansive reading of special needs that Yoo lays out in his memo. (Note, this was explained in the DOJ Stellar Wind IG Report — starting at PDF 47 — but this letter makes it more clear.)

As a reminder, on two occasions, John Bates disagreed with that interpretation, first in 2010 when he ruled NSA couldn’t continue to access the five years of data it overcollected under the PRTT Internet dragnet, and then again in 2011 when he said the government couldn’t disseminate the illegally collected upstream data (and Vaughn Walker disagreed in a series of rulings in the Al Haramain case in 2010, though the 9th Circuit partially overturned that in 2012). We know, thanks to Snowden, that the government considered appealing the order. And in his summary of the resolution of this issue, Bates made it clear that the government’s first response was to say that limits on illegally collected data don’t apply.

However, issues remained with respect to the past upstream collection residing in NSA’s databases. Because NSA’s upstream collection almost certainly included at least some acquisitions constituting “electronic surveillance” within the meaning of 50 U.S.C. § 1801 (f), any overcollection resulting from the government’s misrepresentation of the scope of that collection implicates 50 U.S.C. § 1809(a)(2). Section 1809(a)(2) makes it a crime to “disclose[] or use[] information obtained under color of law by electronic surveillance, knowing or having reason to know that the information was obtained through electronic surveillance not authorized” by statute. The Court therefore directed the government to make a written submission addressing the applicability of Section 1809(a), which the government did on November 22, 2011. See [redacted — probably a reference to Bates’ July 2010 opinion], Oct. 13, 2011 Briefing Order, and Government’s Response to the Court’s Briefing Order of Oct. 13, 2011 (arguing that Section 1809(a)(2) does not apply).

Ultimately, though, the government not only (said it) destroyed the illegal upstream data, but claims to have destroyed all its PRTT data in a big rush (so big a rush it didn’t have time to let NSA’s IG certify the intake collection of data).

And it replaced that PRTT program by searching data under SPCMA it claimed to have collected legally … somewhere.

I don’t pretend to understand precisely went on in those few weeks in 2011, though it’s clear that Obama’s Administration at least considered standing by the spirit of Yoo’s claim, even though the opinion itself had been withdrawn.

But I do know that at least through 2009, the government treated all its PRTT and Section 215 data as EO 12333 data, and in fact the providers appear not to have distinguished it either (more on this in upcoming days, hopefully). That is, it was collecting data with FISC sanction that it treated as data it collected outside of FISC sanction (that is, under EO 12333), and it was ignoring the rules FISC imposed.

Which leads me to wonder whether the government still doesn’t believe it remains immune from penalties laid out in FISA.

John Yoo’s Two Justifications for Stellar Wind

Because I’m a hopeless geek, I want to compare the what we can discern of the November 2, 2001 memo John Yoo wrote to authorized Stellar Wind with the letter he showed FISA Presiding Judge Colleen Kollar-Kotelly on May 17, 2002. The former is almost entirely redacted. But as I’ll show, the two appear to be substantially the same except for small variations within paragraphs (which possibly may reflect no more than citations). The biggest difference is that Yoo’s memo appears to have two pages of content not present in the letter to Kollar-Kotelly.

What follows is a comparison of every unredacted passage in the Yoo memo, every one of which appear in exactly the same form in the letter he wrote to Kollar-Kotelly.

The first unredacted line in Yoo’s memo — distinguishing between “electronic surveillance” covered by FISA and “warrantless searches” the President can authorize — appears in this paragraph in the letter.

FISA Safe Harbor

The line appears on page 7 of Yoo’s memo, but page 5 of his letter (which also includes some foofy introductory language for Kollar-Kotelly). That says there’s already 2 pages of information in Yoo’s memo that doesn’t appear in the letter. Yoo’s description of the surveillance program in the letter to Kollar-Kotelly is actually fairly short (and written entirely in the conditional voice), so there may be more of that in the actual memo. Also, anything that didn’t involve electronic surveillance — such as the collection of financial data — would not necessarily be relevant to FISC. But as I argue below, it’s also possible Yoo made claims about executive power in those two paragraphs that he rewrote as a two-page addition to for Kollar-Kotelly’s benefit.

The next unredacted passage in the memo consists of the first sentences of these two paragraphs.

Screen Shot 2016-04-05 at 5.34.32 PM

They appear on page 9 of Yoo’s memo and page 7 of the letter, and it appears that the space in between the two is consistent — suggesting that the interim content remains the same.

The next unredacted passage appears on page 12 of Yoo’s memo, page 10 of the letter.

FISA Restrict

While the general pagination still seems to be roughly tracking (again, suggesting the interim content is at least similar), the spacing of this paragraph is clearly different (note how the sentence begins in a different place in the column), suggesting Yoo may have made an even stronger defense of inherent authority in his memo, or perhaps that OLC has precedents for such a claim that Yoo thought inappropriate to share with the FISC. It’s possible this and later paragraph spacing differences arise from classification marks at the beginning of each paragraph, except the passages from the beginning of paragraphs seem to match up more closely than those from the middle of them.

Screen Shot 2016-04-05 at 7.30.51 PM

The next unredacted passage, on page 17 of Yoo’s memo and 15 of the letter, extend the claim that Congress can’t limit the President’s use of pen registers used to defend the nation. That’s followed closely by Yoo’s shift to arguing that intelligence gathering “in direct support” of military operations does not trigger the Fourth Amendment.

Intel Military Ops

Continue reading

1 2 3 19