With Upcoming David Medine Departure, Will PCLOB Slip Back into Meaninglessness?

/3 Comments/in /by

The Chair of the Privacy and Civil Liberties Oversight Board, David Medine, has announced he will resign effective  July 1 to work with a development organization “advising on data privacy and consumer protection for lower-income financial consumers.”

The move comes not long after Congress has, in several ways, affirmatively weakened or unexpectedly stopped short of expanding PCLOB’s mandate, by ensuring it could not review any covert programs, and by eliminating a PCLOB oversight role under OmniCISA.

In Medine’s statement, he promised the board would continue to work on their examination of CT activities relating to EO 12333.

I look forward to continuing to work on PCLOB’s current projects until my departure. I am pleased to know that, even after my departure, the Board Members and our dedicated staff remain committed to carrying forward the Board’s critical work, including its ongoing examination of counterterrorism activities under Executive Order 12333.

The EO 12333 approach (and the two CIA programs to examine) was formally approved July 1, a year to the day before Medine’s departure. It was initially scheduled to be done by the end of last year. But in their most recent semi-annual report (released at the end of December), PCLOB noted they were just starting on their public report.

In July, the Board voted to approve two in-depth examinations of CIA activities conducted under E.O. 12333. Board staff has subsequently attended briefings and demonstrations, as well as obtained relevant documents, related to the examinations. The Board also received a series of briefings from the NSA on its E.O. 12333 activities. Board staff held follow-up sessions with NSA personnel on the topics covered and on the agency’s E.O. 12333 implementing procedures. Just after the conclusion of the Reporting Period, the Board voted to approve one in-depth examination of an NSA activity conducted under E.O. 12333. Board staff are currently engaging with NSA staff to gather additional information and documents in support of this examination. Board staff also began work developing the Board’s public report on E.O. 12333, described above.

So while Medine promises PCLOB will continue to work on the EO 12333 stuff, I do worry that it will stall after his departure. I’m concerned, as well, about the makeup of the board. Board member Jim Dempsey’s term officially ended on January 29, though President Obama nominated him for another term on March 17, which means he will serve out 2016 (I believe as a temporary appointment until the end of the congressional term, but am trying to confirm; Update: this stems from PCLOB’s statute, but the appointment would extend through the end of the Congressional term), and longer if and when the Senate confirms him. But Medine’s departure will leave 2 members (counting Dempsey) who have been firmly committed to conducting this review, Rachel Brand, who has been lukewarm but positive, and Elisabeth Collins Cook who was originally opposed. That is, unless Medine is replaced in timely fashion (and given that this is a multiple year appointment, Republicans would have incentive to stall to get a GOP Chair), the board may be split on its commitment to investigating these issues.

There are a few other things happening on the EO 12333 front. Most urgently, the Intelligence Community is as we speak implementing new procedures for the sharing of EO 12333 with law enforcement agencies. PCLOB was involved in a review of those procedures, and had successfully pressed for more controls on the FBI’s back door access to 702 data (which is one reason I find the timing of Medine’s departure of particular concern). Two years after PCLOB first outed Treasury as having no EO 12333 implementing guidelines, they still have none.

That is, particularly after Congress’ successful attempts at undercutting PCLOB’s power, Medine’s departure has me seriously worried about whether the Intelligence Committee is willing to undergo any scrutiny of its EO 12333 activities.

DOJ Claims the Cybersecurity Related OLC Memo Is Also A Stellar Wind Memo

/1 Comment/in , , /by

I’ve written a bunch of times about an OLC memo Ron Wyden keeps pointing to, suggesting it should be declassified so we all can know what outrageous claims DOJ made about common commercial service agreements. Here’s my most complete summary from Caroline Krass’ confirmation process:

Ron Wyden raised a problematic OLC opinion he has mentioned in unclassified settings at least twice in the last year (he also wrote a letter to Eric Holder about it in summer 2012): once in a letter to John Brennan, where he described it as “an opinion that interprets common commercial service agreements [that] has direct relevance to ongoing congressional debates regarding cybersecurity legislation.” And then again in Questions for the Record in September.

Having been ignored by Eric Holder for at least a year and a half (probably closer to 3 years) on this front and apparently concerned about the memo as we continue to discuss legislation that pertains to cybersecurity, he used Krass’ confirmation hearing to get more details on why DOJ won’t withdraw the memo and what it would take to be withdrawn.

Wyden: The other matter I want to ask you about dealt with this matter of the OLC opinion, and we talked about this in the office as well. This is a particularly opinion in the Office of Legal Counsel I’ve been concerned about — I think the reasoning is inconsistent with the public’s understanding of the law and as I indicated I believe it needs to be withdrawn. As we talked about, you were familiar with it. And my first question — as I indicated I would ask — as a senior government attorney, would you rely on the legal reasoning contained in this opinion?

Krass: Senator, at your request I did review that opinion from 2003, and based on the age of the opinion and the fact that it addressed at the time what it described as an issue of first impression, as well as the evolving technology that that opinion was discussing, as well as the evolution of case law, I would not rely on that opinion if I were–

Wyden: I appreciate that, and again your candor is helpful, because we talked about this. So that’s encouraging. But I want to make sure nobody else ever relies on that particular opinion and I’m concerned that a different attorney could take a different view and argue that the opinion is still legally valid because it’s not been withdrawn. Now, we have tried to get Attorney General Holder to withdraw it, and I’m trying to figure out — he has not answered our letters — who at the Justice Department has the authority to withdraw the opinion. Do you currently have the authority to withdraw the opinion?

Krass: No I do not currently have that authority.

Wyden: Okay. Who does, at the Justice Department?

Krass: Well, for an OLC opinion to be withdrawn, on OLC’s own initiative or on the initiative of the Attorney General would be extremely unusual. That happens only in extraordinary circumstances. Normally what happens is if there is an opinion which has been given to a particular agency for example, if that agency would like OLC to reconsider the opinion or if another component of the executive branch who has been affected by the advice would like OLC to reconsider the opinion they will  come to OLC and say, look, this is why we think you were wrong and why we believe the opinion should be corrected. And they will be doing that when they have a practical need for the opinion because of particular operational activities that they would like to conduct. I have been thinking about your question because I understand your serious concerns about this opinion, and one approach that seems possible to me is that you could ask for an assurance from the relevant elements of the Intelligence Community that they would not rely on the opinion. I can give you my assurance that if I were confirmed I would not rely on the opinion at the CIA.

Wyden: I appreciate that and you were very straightforward in saying that. What concerns me is unless the opinion is withdrawn, at some point somebody else might be tempted to reach the opposite conclusion. So, again, I appreciate the way you’ve handled a sensitive matter and I’m going to continue to prosecute the case for getting this opinion withdrawn.

The big piece of news here — from Krass, not Wyden — is that the opinion dates to 2003, which dates it to the transition period bridging Jay Bybee/John Yoo and Jack Goldsmith’s tenure at OLC, and also the period when the Bush Administration was running its illegal wiretap program under a series of dodgy OLC opinions. She also notes that it was a memo on first impression — something there was purportedly no law or prior opinion on — on new technology.

Back in November, ACLU sued to get that memo. The government recently moved for summary judgment based on the claim that a judge in DC rejected another ACLU effort to FOIA the document, which is a referral to ACLU’s 2006 FOIA lawsuit for documents underlying what was then called the “Terrorist Surveillance Program” and which we now know as Stellar Wind. Here’s the key passage of that argument.

The judgment in EPIC precludes the ACLU’s claim here. First, EPIC was an adjudication on the merits that involved the district court’s reviewing in camera the same document that is at issue in this litigation, and granting summary judgment to the government after finding that the government had properly asserted Exemptions One, Three, and Five – the same exemptions asserted here – to withhold the document. See Colborn Decl. ¶ 13; EPIC, 2014 WL 1279280, at *1. Second, the ACLU was a plaintiff in EPIC. Id. Finally, the claims asserted in this action were, or could have been, asserted in EPIC. The FOIA claim at issue in EPIC arose from a series of requests that effectively sought all OLC memoranda concerning surveillance by Executive Branch agencies directed at communications to or from U.S. citizens.2at See id.  Even if the ACLU did not know that this specific memorandum was included among the documents reviewed in camera by the EPIC court, the ACLU had a full and fair opportunity to make any and all arguments in seeking disclosure of that document. Indeed, in EPIC, the government’s assertion of exemptions received the highest level of scrutiny available to a plaintiff in FOIA litigation—the district court issued its decision after reviewing the document in camera and determining that the government’s assertions of Exemptions One, Three, and Five were proper. Colborn Decl. ¶ 13. The ACLU’s claim in this lawsuit is therefore barred by claim preclusion.

2 One of the FOIA requests at issue in EPIC sought “[a]ll memoranda, legal opinions, directives or instructions from [DOJ departments] issued between September 11, 2001, and December 21, 2005, regarding the government’s legal authority for surveillance activity, wiretapping, eavesdropping, and other signals intelligence operations directed communications to or from U.S. citizens.” Elec. Privacy Information Ctr. v. Dep’t of Justice, 511 F. Supp. 2d 56, 63 (D.D.C. 2007).

Wyden just sent a letter to Loretta Lynch disputing some claim made in DOJ’s memorandum of law.

I encourage you to direct DOJ officials to comply with the pending FOIA request.

Additionally, I am greatly concerned that the DOJ’s March 7, 2016 memorandum of law contains a key assertion which is inaccurate. This assertion appears to be central to the DOJ’s legal arguments, and I would urge you to take action to ensure that this error is corrected.

I am enclosing a classified attachment which discusses this inaccurate assertion in more detail.

Here are some thoughts about what the key inaccurate assertion might be:

ACLU never had a chance to argue for this document as a cybersecurity document

Even the section I’ve included here pulls a bit of a fast one. It points to EPIC’s FOIA request (these requests got consolidated), which asked for OLC memos in generalized fashion, as proof that the plaintiffs in the earlier suit had had a chance to argue for this document.

But ACLU did not. They asked for “legal reviews of [TSP] and its legal rationale.” In other words, back in 2006 and back in 2014, ACLU was focused on Stellar Wind, not on cybersecurity spying (which Wyden has strongly suggested this memo implicates). So they should be able to make a bid for this OLC memo as something affecting domestic spying for a cybersecurity purpose.

DOJ claimed only Wyden had commented publicly about the document, not Caroline Krass

DOJ makes a preemptive effort to discount the possibility that Ron Wyden’s repeated efforts to draw attention to this document might constitute new facts for the ACLU to point to to claim they should get the document.

Nor is there any evidence the memorandum has been expressly adopted as agency policy or publicly disclosed. Colborn Decl. ¶¶ 23-24. Although the ACLU’s complaint points to statements about the document by Senator Wyden, he is not an Executive Branch official, and his statements cannot effect any adoption or waiver

[snip]

The ACLU may argue that statements made by Senator Ron Wyden regarding the document, including in letters to the Attorney General, constitute new facts or changed circumstances. See Compl. ¶ 2 (“In letters sent to then–Attorney General Eric Holder, Senator Wyden suggested that the executive branch has relied on the Opinion in the past and cautioned that the OLC’s secret interpretation could be relied on in the future as a basis for policy.”). But such statements do not constitute new facts or changed circumstances material to the ACLU’s FOIA claim because they do not evince any change of the Executive Branch’s position vis-à-vis the document or otherwise affect its status under FOIA. See Drake, 291 F.3d at 66; Am. Civil Liberties Union, 321 F. Supp. 2d at 34. As the Senator is not an Executive Branch official, his statements about the document do not reflect the policy or position of any Executive Branch agency. See Brennan Center v. DOJ, 697 F.3d 184, 195, 206 (2d Cir. 2012); Nat’l Council of La Raza v. DOJ, 411 F.3d 350, 356-59 (2d Cir. 2005); infra at 11-12. Senator Wyden’s statements are simply not relevant to whether the document has been properly withheld under Exemptions One, Three, and Five, and do not undermine the applicability of any of those exemptions. Additionally, the Senator has made similar statements regarding the document at issue in letters sent during at least the last four years. Compl. ¶ 2. Thus, the Senator’s statements regarding the document are not new facts since they were available to Plaintiffs well before the district court ruled in EPIC.

That’s all well and good. But the entire discussion ignores that then Acting OLC head and current CIA General Counsel Caroline Krass commented more extensively on the memo than anyone ever has on December 17, 2013 (see my transcript above). This is a still-active memo, but the then acting OLC head said this about the memo in particular.

I have been thinking about your question because I understand your serious concerns about this opinion, and one approach that seems possible to me is that you could ask for an assurance from the relevant elements of the Intelligence Community that they would not rely on the opinion. I can give you my assurance that if I were confirmed I would not rely on the opinion at the CIA.

That seems to be new information from the Executive branch (albeit before the March 31, 2014, final judgment in that other suit).

I’d say this detail is the most likely possibility for DOJ’s inaccuracy, except that Krass’ comments are in the public domain, and have been been written about by other outlets. It wouldn’t seem that Wyden would need to identify this detail in secret.

(I think it’s possible some of the newly declassified language in Stellar Wind materials may be relevant to, but I will have to return to that.)

The document may be a different document

DOJ’s memo and the Paul Colborn declaration describe this as a March 30, 2003 memo written by John Yoo.

The withheld document is a 19-page OLC legal advice memorandum to the General Counsel of an executive branch agency, drafted at the request of the General Counsel, dated March 30, 2003 and signed by OLC Deputy Assistant Attorney General John Yoo. The memorandum was written in response to confidential communications from an executive branch client soliciting legal advice from OLC attorneys. As with all such OLC legal advice memoranda, the document contains confidential client communications made for the purpose of seeking legal advice and predecisional legal advice from OLC attorneys transmitted to an executive branch client as part of government deliberative processes. In light of the fact that the document’s general subject matter is publicly known, the identity of the recipient agency is itself confidential client information protected by the attorney-client privilege.

But their claim that ACLU has already been denied this document under FOIA is based on the claim that this document is the same document as one identified in a Steven Bradbury declaration submitted in the Stellar Wind suit. Here’s how he described the document.

DAG 42 is a 19-page memorandum, dated May 30, 2003, from a Deputy Assistant Attorney General in OLC to the General Counsel of another Executive Branch agency. This document is withheld under FOIA Exemptions One, Three, and Five.

This may be an error (if so, Bradbury is probably correct, as March 30, 2003 was a Sunday), but a document dated March 30, 2003 cannot be the same document as one dated May 30, 2003. If it’s not a simple error in dates, it may suggest that the document the DC court reviewed was a later revision, perhaps one making less outrageous claims. Moreover, as I’ll show in my post on newly learned Stellar Wind information, the change in date (as well as the confirmation that Yoo wrote the memo) make the circumstances surrounding this memo far more interesting.

Update: In Ron Wyden’s amicus in this case, he made it clear the correct date is May 30, 2003.

The document may not have been properly classified

As noted, this is a March 2003 OLC memo written by John Yoo. That’s important not just because Yoo was freelancing on certain memos at the time. But more importantly, because a memo he completed just 16 days earlier violated all guidelines on classification. Here’s what former ISOO head Bill Leonard had to say about John Yoo’s March 14, 2003 torture memo.

The March 14, 2003, memorandum on interrogation of enemy combatants was written by DoJ’s Office of Legal Counsel (OLC) to the General Counsel of the DoD. By virtue of the memorandum’s classification markings, the American people were initially denied access to it. Only after the document was declassified were my fellow citizens and I able to review it for the first time. Upon doing so, I was profoundly disappointed because this memorandum represents one of the worst abuses of the classification process that I had seen during my career, including the past five years when I had the authority to access more classified information than almost any other person in the Executive branch. The memorandum is purely a legal analysis – it is not operational in nature. Its author was quoted as describing it as “near boilerplate.”! To learn that such a document was classified had the same effect on me as waking up one morning and learning that after all these years, there is a “secret” Article to the Constitution that the American people do not even know about.

[snip]

In this instance, the OLC memo did not contain the identity of the official who designated this information as classified in the first instance, even though this is a fundamental requirement of the President’s classification system. In addition, the memo contained neither declassification instructions nor a concise reason for classification, likewise basic requirements. Equally disturbing, the official who designated this memo as classified did not fulfill the clear requirement to indicate which portions are classified and which portions are unclassified, leading the reader to question whether this official truly believes a discussion of patently unclassified issues such as the President’s Commander-in-Chief authorities or a discussion of the applicability to enemy combatants of the Fifth or Eighth Amendment would cause identifiable harm to our national security. Furthermore, it is exceedingly irregular that this memorandum was declassified by DoD even though it was written, and presumably classified, by DoJ.

Given that Yoo broke all the rules of classification on March 14, it seems appropriate to question whether he broke all rules of classification on March 30, 16 days later, especially given some squirrelly language in the current declarations about the memo.

Here’s what Colborn has to say about the classification of this memo (which I find to be curious language), after having made a far more extensive withholding argument on a deliberative process basis.

OLC does not have original classification authority, but when it receives or makes use of classified information provided to it by its clients, OLC is required to mark and treat that information as derivatively classified to the same extent as its clients have identified such information as classified. Accordingly, all classified information in OLC’s possession or incorporated into its products has been classified by another agency or component with original classifying authority.

The document at issue in this case is marked as classified because it contains information OLC received from another agency that was marked as classified. OLC has also been informed by the relevant agency that information contained in the document is protected from disclosure under FOIA by statute.

As far as the memo of law, it relegates the discussion of the classified nature of this memo to a classified declaration by someone whose identity remains secret.

As explained in the classified declaration submitted for the Court’s ex parte, in camera review,1 this information is also classified and protected from disclosure by statute.

Remember, this memo is about some secret interpretation of common commercial service agreements.  Wyden believes it should be “declassified and released to the public, so that anyone who is a party to one of these agreements can consider whether their agreement should be revised or modified.”

If this is something that affects average citizens relationships with service providers, it seems remarkable that it can, at the same time, be that secret (and remain in force). While Wyden certainly seems to treat the memo as classified, I’d really love to see whether it was, indeed, properly classified, or whether Yoo was just making stuff up again during a period when he is known to have secretly made stuff up.

In any case, given DOJ’s continued efforts to either withdraw or disclose this memo, I’d safe it’s safe to assume they’re still using it.

On the Coming Showdown over Promiscuous Sharing of EO 12333 Data

/2 Comments/in , /by

A number of outlets are reporting that Ted Lieu and Blake Farenthold have written a letter to NSA Director Mike Rogers urging him not to implement the new data sharing effort reported by Charlie Savage back in February. While I’m happy they wrote the letter, they use a dubious strategy in it: they suggest their authority to intervene comes from Congress having “granted” NSA authority to conduct warrantless collection of data.

Congress granted the NSA extraordinary authority to conduct warrantless collection of communications and other data.2

2 See Foreign Intelligence Surveillance Act and the Patriot Act.

As an initial matter, they’ve sent this letter to a guy who’s not in the chain of approval for the change. Defense Secretary Ash Carter and Attorney General Loretta Lynch will have to sign off on the procedures developed by Director of National Intelligence James Clapper; they might consult with Rogers (if he isn’t the one driving the change), but he’s out of the loop in terms of implementing the decision.

Furthermore, the Congressionally granted authority to conduct warrantless surveillance under FISA has nothing to do with the authority under which NSA collects this data, EO 12333. In his story, Savage makes clear that the change relies on the [what he called “little-noticed,” which is how he often describes stuff reported here years earlier] changes Bush implemented in the wake of passage of FISA Amendments Act. As I noted in 2014,

Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.

The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,

In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.

In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.

Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.

In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.

What Bush did just as he finished moving most of Stellar Wind over to FISA authorities, was to make it permissible to share EO 12333 data with other intelligence agencies under the same kind of DNI/AG/DOD approval process already in place for surveillance. They’ve already been using this change (though as I note, in some ways the new version of EO 12333 made FAA sharing even more permissive than EO 12333 sharing). And Savage’s article describes that they’ve intended to roll out this further expansion since Obama’s first term.

Obama administration has been quietly developing a framework for how to carry it out since taking office in 2009.

[snip]

Intelligence officials began working in 2009 on how the technical system and rules would work, Mr. Litt said, eventually consulting the Defense and Justice Departments. This month, the administration briefed the Privacy and Civil Liberties Oversight Board, an independent five-member watchdog panel, seeking input. Before they go into effect, they must be approved by James R. Clapper, the intelligence director; Loretta E. Lynch, the attorney general; and Ashton B. Carter, the defense secretary.

“We would like it to be completed sooner rather than later,” Mr. Litt said. “Our expectation is months rather than weeks or years.”

All of which is to say that if Lieu and Farenthold want to stop this, they’re going to have to buckle down and prepare for a fight over separation of powers, because Congress has had limited success (the most notable successes being imposition of FAA 703-705 and Section 309 of last year’s intelligence authorization) in imposing limits on EO 12333 collection. Indeed, Section 309 is the weak protection Dianne Feinstein and Mark Udall were able to get for activities they thought should be covered under FAA.

Two more points. First, I suspect such expanded sharing is already going on between NSA and DEA. I’ve heard RUMINT that DEA has actually been getting far more data since shutting down their own dragnets in 2013. The sharing of “international” narcotics trade data has been baked into EO 12333 from the very start. So it would be unsurprising to have DEA replicate its dragnet using SPCMA. There’s no sign, yet, that DEA has been included under FAA certifications (and there’s not, as far as we know, an FAA narcotics certificate). But EO 12333 sharing with DEA would be easier to implement on the sly than FAA sharing. And once you’ve shared with DEA, you might as well share with everyone else.

Finally, this imminent change is why I was so insistent that SPCMA should have been in the Brennan Center’s report on privacy implications of EO 12333 collection. What the government was doing, explicitly, in 2007 when they rolled that out was making the US person participants in internationally collected data visible. We’ve seen inklings of how NSA coaches analysts to target foreigners to get at that US person content. The implications of basing targeting off of SPCMA enabled analysis under PRISM (which we know they do because DOJ turned over the SPCMA document, but not the backup, to FISC during the Yahoo challenge), currently, are that US person data can get selected because US persons are involved and then handed over to FBI with no limits on its access. Doing so under EO 12333 will only expand the amount of data available — and because of the structure of the Internet, a great deal of it is available.

Probably, the best way to combat this change is to vastly expand the language of FAA 703-705 to over US person data collected incidentally overseas during next year’s FAA reauthorization. But it will take language like that, because simply pointing to FISA will not change the Executive’s ability to change EO 12333 — even secretly! — at will.

The Blind Spots Brennan Center’s EO 12333 Report

/1 Comment/in /by

The Brennan Center released a report on EO 12333 Thursday that aims to spark a debate about the privacy impacts of (just) NSA’s surveillance overseas, in part by describing the privacy impacts of EO 12333.

In contrast, there has been relatively little public or congressional debate within the United States about the NSA’s overseas surveillance operations, which are governed primarily by Executive Order (EO) 12333—a presidential directive issued by Ronald Reagan in 1981 and revised by subsequent administrations. These activities, which involve the collection of communications content and metadata alike, constitute the majority of the NSA’s surveillance operations, yet they have largely escaped public scrutiny.

There are several reasons why EO 12333 and the programs that operate under its aegis have gone largely unnoticed. One is the misconception that overseas surveillance presents little privacy risk to Americans. Another is the scant information in the public domain about how EO 12333 actually operates. Finally, the few regulations that are public create a confusing and sometimes internally inconsistent thicket of guidelines.

Unfortunately the report misses some of the biggest threats EO 12333 surveillance poses to Americans’ privacy. Indeed, the report reads more like a hodgepodge of some risks, rather than a report on the ways in which the NSA and other agencies can spy on Americans overseas. When attempting to define the political battlefield in which future fights for reform will happen, we can’t afford to miss any ground.

Historical and technical discussion

Brennan’s excellent report on the FISA Court (like this report, written by Liza Goitein and Faiza Patel, though Amos Toh also worked on this recent report) started with a history of how we got to where we are now, with the FISA Court approving entire surveillance programs in secret. This report would have profited from doing the same. It would have contextualized EO 12333, as the third of a series of EOs issued in the wake of the Keith decision and the Church Committee, which arose out of a separation of powers debate between the Executive and Congress. It could have described the few details we know of the largely unknown process by which EO 12333’s protections for Americans started breaking down. It would have described how, with Stellar Wind, the Executive blew off FISA and secretly rewrote EO 12333 without notice to spy on Americans (in part by turning an existing DEA dragnet, which was at least partly authorized by domestic statute, inward). It would have described how, in the wake of the hospital confrontation, the Executive moved most of those activities under FISA, only to start moving them back (most notably with Internet metadata) as FISA again proved too restrictive, even as technology made bypassing FISA easier.

The discussion also would benefit from more discussion of the telecommunications infrastructure of the world, how packets get routed across it, and how tech companies (and the NSA!) operate servers in multiple places around the globe. As an example, the report discusses XKeyscore as a “database” even while linking to an article that describes it as a “a fully distributed processing and query system that runs on machines around the world.” I get using “database” as shorthand for repositories — I’ve done it myself, particularly for the federated queries that chained metadata from both Section 215, PRTT, and 12333 collection in unified queries (and in so doing alerted analysts when the same queries could be run entirely under EO 12333 and so be covered by more flexible rules). But understanding how that collect-and-query process exploits the flows of data across the Internet is key to understanding how even Americans talking to Americans can be exposed — but also to giving the NSA’s protections for US persons a fair shake (one of NSA’s most common Intelligence Oversight Board violations, from what we can see of the often redacted reports, seem to be about query construction, which shows NSA polices that part of the process closely). The privacy threat to Americans from EO 12333 authorized SIGINT stems from a “Collect it all” mentality and the structure of the Internet–  not from any discreet programs that employ a different approach for one particular country or unencrypted data source.

Treatment of SPCMA

I’m most baffled by the report’s silence on Special Procedures for Communications Metadata Analysis, SPCMA, especially given the report’s extended (and worthwhile) discussion of the word games DOD plays with “collection” and other terms, as in this passage based on language in place up until the moment DOJ started implementing SPCMA in 2007.

The Intelligence Law Handbook indicates that for intelligence agencies housed under the DoD, the act of “collection” is “more than ‘gathering’ — it could be described as ‘gathering, plus…’”91 But what additional action is required to complete “collection” depends on which agency you ask and which document you rely on. This makes it difficult to determine which rules, if any, apply when an intelligence agency gathers information. Our analysis shows that there are at least three definitions of “collection”:

1) the process by which information obtained is rendered “intelligible” to human understanding;

2) the process by which analysts filter out information they want from the information obtained; and

3) the gathering or obtaining of information (i.e., the ordinary meaning of the word “collection”).

Since EO 12333 procedures are triggered only upon “collection,” this ambiguity potentially allows the NSA to avoid restrictions simply by categorizing certain information as not having been “collected.”

After all, SPCMA involved precisely those same kinds of word games, creating a virgin birth for data collected overseas.

For purposes of Procedure 5 of DoD Regulation 5240.1-R and the Classified Annex thereto, contact chaining and other metadata analysis don’t qualify as the “interception” or “selection” of communications, nor do they qualify as “us[ing] a selection term,” including using a selection term “intended to intercept a communication on the basis of … [some] aspect of the content of the communication.”

And those procedures were adopted explicitly in the service of being able to include US person data in EO 12333 analysis.

The Supplemental Procedures, attached at Tab A, would clarify that the National Security Agency (NSA) may analyze communications metadata associated with United States persons and persons believed to be in the United States.

In 2007, the government made an affirmative effort to be able to integrate foreign collected US person metadata into NSA’s analysis. It did so at a time when it was also working toward greater information-sharing between agencies (under ICREACH) and at a time when first getting the FISA Court to sanction the use of contact chaining — integrating SPCMA, though without revealing the rationale behind SPCMA!!! — as a basis for conducting domestic collection under Protect America Act. Starting in 2009 and significantly by 2011, the NSA replaced a huge domestic dragnet (one limited to counterterrorism purposes and with strict sharing rules), in part, with SPCMA (which has neither the counterterrorism limit nor the strict dissemination rules).

Screen Shot 2016-03-21 at 11.03.11 AM

In other words, amid all the examples the Brennan Report gives for how Americans might be surveilled by NSA under EO 12333 (which underplay the exposure both for international calls placed from the US and entirely domestic Internet communication), it doesn’t mention the one that had analysis including US person metadata as the explicit purpose.

Or to put it more simply, in 2007, at a time when the structure of international communication was such that it was possible to spy on entirely domestic communications overseas, the government either adopted or (my suspicion) resumed analyzing US person metadata collected overseas. That seems worth mentioning in a report on how Americans can be exposed under EO 12333. (I asked Patel why SPCMA was not included in the report but have gotten no response.) In terms of the political fight, that’s the difference between a politician trying to fight for more US person protections being called “speculative” and that same politician being able to point to actual evidence EO 12333 collection has implicated Americans’ privacy.

Other agencies

Finally, any discussion of the surveillance exposure of Americans under EO 12333 should, in my opinion, scope more broadly to include other agencies. I would include CIA (not least because PCLOB identified two CIA programs that appear to affect US persons) and Treasury (which tracks a great deal of international financial flows, even of Americans with ties to sanctioned countries; the report as a whole is unduly focused just on communications data).

But I would start with a discussion of (or at least questions we need answered about) DEA. After all, international drug investigations have always been included in EO 12333’s US person collection permissions.

Elements of the Intelligence Community are authorized to collect, retain, or disseminate information concerning United States persons only in accordance with procedures established by the head of the Intelligence Community element concerned or by the head of a department containing such element and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order, after consultation with the Director. Those procedures shall permit collection, retention, and dissemination of the following types of information:

(c) Information obtained in the course of a lawful foreign intelligence, counterintelligence, international drug or international terrorism investigation;

DEA engages in a great deal of information collection on its own right (and shares with with FBI, though the FBI went to some length to hide details of such sharing from DOJ’s Inspector General). We know many of the technologies first used on our foreign adversaries sometimes get introduced for use with Americans via DEA, most notably with that massive metadata dragnet. And DEA doesn’t have the same strict definition as a foreign intelligence organization as NSA, making the potential impact of overseas collection more direct for Americans. Plus, as the Brennan Report notes, DEA (along with Treasury) has never been in compliance with EO 12333’s requirement for enacting procedures.

I get that when non-experts think of surveillance they think of NSA. But that’s a problem, not just because NSA currently more closely hews to the rules such as they are given than DEA, CIA, and FBI are believed to do, but also because NSA has never posed the biggest threat to Americans as agencies that have the ability to prosecute Americans like FBI and DEA. If you’re going to write a report framing the debate, shouldn’t it frame it in a way that ties directly to the impact of it, even if we know far less about those areas that may have more direct impact?

This report feels like one written in the belief that you best understand surveillance by talking about law largely in isolation from technology and bureaucracy. That’s always problematic — indeed, the report suffers from some of the same blind spots that the debate about USA Freedom Act did, based as it was in knowledge about the Section 215 statute but little knowledge of its statutorily mandated minimization procedures. It’s especially problematic when writing about programs that operate in the space not limited by any law, where executive power is at its zenith.

Absent further successful effort to expand Congress’ authority over surveillance (the report describes Section 309 of last year’s Intelligence Authorization but doesn’t focus on Sections 703 through 705 of FISA Amendments Act, an earlier attempt to carve out protections for Americans under EO 12333), technology, not the law, sets the biggest limits on what the Executive can do under EO 12333.

It is time to focus more attention on EO 12333 and I’m grateful the Brennan Report has focused attention on EO 12333. But that focus should include all the ways, including the most central ones, it affects Americans.

The Government Spoliationing for a Fight with EFF

/2 Comments/in , /by

On November 6, 2007, Judge Vaughn Walker issued a preservation order in EFF’s challenge to what we now know to be Stellar Wind, the Shubert case (which would be applied to the Jewel case after that). Nevertheless, in spite of that order, in 2009 the NSA started destroying evidence that it had collected data outside of the categories Judge Colleen Kollar-Kotelly authorized way back in 2004.

Also in 2009, NSA shifted records showing 3,000 people — which highly likely included CAIR’s staff and clients — had been dragnetted without the First Amendment review mandated by Section 215 (CAIR wasn’t a plaintiff on EFF’s earlier suits but they are on EFF’s phone dragnet suit, First Unitarian United). When they did, the government even appeared to consider the existing protection order in the EFF case; I have FOIAed their deliberations on that issue, but thus far have been stonewalled.

Finally, in 2011, NSA destroyed — on very little notice and without letting their own IG confirm the destruction of data that came in through NSA’s intake process — all of its Internet dragnet data.

In other words, on three known occasions, the NSA destroyed data covered by the protection order in Northern California, one of them even after admitting a protection order might cover the data in question. In two of those cases, we know the data either exceeded FISA’s orders or violated the law.

In fact, it wasn’t until 2014, when the government started asking Judge Reggie Walton for permission to destroy the phone dragnet data and EFF complained mightily, that NSA started complying with the earlier protection order. Later that same year, it finally asked FISC to keep the Protect America Act and FISA Amendments Act data also included under that order in its minimization procedures.

These posts provide more background on this issue: postpost, post, post.

In other words, on three different occasions (even ignoring the content collection), NSA destroyed data covered by the protection order. spoiling the evidence related to EFF’s lawsuits.

Which is why I find this claim — in the January 8 filing I’ve been waiting to read, but which was just posted on March 4 (that is, 5 days after the NSA would have otherwise had to destroy everything on February 29 under USA Freedom Act).

The Government remains concerned that in these cases, absent relief from district courts or explicit agreement from the plaintiffs, the destruction of the BR Metadata, even pursuant to FISC Order, could lead the plaintiffs to accuse the Government of spoliation. In Jewel, the plaintiffs have already moved for spoliation sanctions, including an adverse inference against the Government on the standing issue, based on the destruction of aged-off BR Metadata undertaken in accordance with FISC Orders. See Jewel Pls.’ Brief Re: the Government’s Non-compliance with the Court’s Evidence Preservation Orders, ECF No. 233.

Gosh, after destroying data on at least three different occasions (again, ignoring at least two years of content they destroyed), the government is worried that if it destroyed more it might get in trouble? Please!

Elsewhere, the strategy in this filing seems to be to expand the possible universe they’d have to set aside under the three cases (plus Klayman) for which there is a protection order as to make it virtually impossible to set it aside so as to destroy the rest. In addition, having let the time when they could have set aside such data easily pass because they were still permitted to access the data (say, back in 2014, when they got caught violating their protection order), they now claim that the closure of the dragnet makes such a search virtually impossible now.

It’s a nifty gimmick. They can’t find a way to destroy the data because they already destroyed even legally suspect data. And we learn about it only now, after the data would otherwise be destroyed, but now can’t be because they didn’t find some better resolution 2 years ago.

There’s More to the SPCMA Document

/2 Comments/in /by

Long time readers likely know I’ve been obsessed with the decision, which as far as we currently know started in 2007 after Alberto Gonzales and (since returned as FBI General Counsel) James Baker left DOJ, to let DOD chain through US person identifiers on metadata collected under EO 12333, what gets described as Special Procedures Governing Communications Metadata Analysis, or SPCMA. Here’s a post that describes it at more length.

We first learned about SPCMA in June 2013, when the Guardian published a 16-page document pertaining to the approval process that had been leaked by Edward Snowden. That document consisted of:

  • A ten page memo dated November 20, 2007, from Assistant Attorney General for National Security Ken Wainstein and Acting OLC Head Steve Bradbury, analyzing the legality of SPCMA and recommending approval of the change.
  • Appendix A, consisting of a cover sheet and a two-page approval memo signed by Robert Gates on October 19, 2007 and Michael Mukasey on January 3, 2008. As I noted in this post, the signature line had to be altered after the fact to indicate Mukasey was signing it, suggesting that then Acting Attorney General Peter Keisler had refused.
  • Appendix B, a September 28, 2006 memo written to Office of Intelligence and Policy head James Baker (this was the predecessor to the NSD at DOJ) by NSA’s General Counsel Vito Potenza requesting he approve what became SPCMA (Baker did not approve it).

Though it is not included in what Snowden leaked, the memo describes a third Appendix, Appendix C:

On July 20, 2004, the General Counsel of CIA wrote to the General Counsel of NSA and to the Counsel for Intelligence Policy asking that CIA receive from NSA United States communications metadata that NSA does not currently provide to CIA. The letter from CIA is attached at Tab C.

The government has not released an official version of the packet such as it got leaked by Snowden. However, it did release Appendix A, the approval memo, in Fall 2014 as part of the declassification of the Yahoo challenge to the Protect America Act. As I laid out in this post, the government not only got this document approved after the passage of PAA and while Yahoo was challenging orders received under it, but DOJ tried to hide it from FISC Judge Reggie Walton. They only handed it over — though without the context of the approval memo that made it clear it was about contact chaining including Americans — after he had scolded DOJ several times about not handing over all the documentation related to PAA.

DOJ did not submit the procedures to FISC in a February 20, 2008 collection of documents they submitted after being ordered to by Judge Walton after he caught them hiding other materials; they did not submit them until March 14, 2008.

So to sum up: We have 16 pages (the memo and two of three appendices) thanks to Edward Snowden, and we have an official copy of just the 2-page approval memo, released on the context of the Yahoo declassification.

I lay all this out because this entry, in the National Security Division Vaughn Index provided to ACLU last month, is undoubtedly this same memo.

Screen Shot 2016-03-06 at 3.36.12 PM

The date is the same, the description is almost the same. The only difference is that the withheld document has 20 pages, as compared to the 16 pages that Snowden gave us.

From that I conclude that the 2004 CIA memo is four pages long (three, plus a cover sheet). Note the date: squarely during the period when spooks were trying to put discontinued parts of Stellar Wind under some kind of legal authority.

Here’s how the NSA declared Exemptions 1 and 3 over this document.

56. NSD fully withheld Document 4 on its Vaughn index in part because the release of any portion of that document would disclose classified information about functions or activities of NSA. The document is a 20-page document dated 20 November 2007 and is described as NSD Legal Memo on Amending DoD Procedures and Accompanying Documentation.” This document. including its full title, was withheld in full under Exemption 1 and Exemption 3. I have reviewed the information withheld and determined that the information is currently and properly classified at the SECRET level in accordance with EO 13526 because the release of this information could reasonably be expected to cause serious damage to the national security. The information withheld pertains to intelligence activities, intelligence sources or methods, or cryptology. or the vulnerabilities or capabilities of systems or projects relating to the national security and therefore meets the criteria for classification set for in Sections 1.4(c) and 1.4(g) of EO 13526. The harm to national security of releasing any portion of this document and the reasons that no portion of this document can be released without disclosing classified information cannot be fully described on the public record. As a result my ex parte. in camera classified declaration more fully explains why this document was withheld in full.

57. The information withheld in N 0 Document 4 also relates to a “function of the National Security Agency” 50 U.S.C. § 3605. Indeed. this information relates to one of NSA’s primary functions, its SIGINT mission. Any disclosure of the withheld information would reveal NSA ·s capabilities and the tradecraft used to carry out this vital mission. Further. revealing these details would disclose “information with respect to lNSA ‘s] activities” in furtherance of its SIGINT mission. 50 U .. C. § 3605. Therefore. the information withheld is also protected from release by statute and is exempt from release based on FOIA Exemption 3. 5 U.S.C. § 552(b)(3).

The government asserted secrecy over the title of an already (and officially) released document in a recent EFF challenge, so this would not be the first time the government claimed the title of an already released document was secret to prevent nasty civil liberties groups from confirming that a FOIAed document was the same as a previously known one.

In NSD’s declaration, Bradley Weigmann indicated that “the vast majority” of the document pertained to attorney-client privilege.

NSD Document 17, the vast majority of a certain memorandum in NSD Document 4, and an email message in NSD Document 31 are protected by the attorney-client privilege. These documents discuss legal issues pertaining to an NSA program, set forth legal advice prepared by NSD lawyers for other attorneys to assist those other attorneys in representing the Government, and were sought by a decision-maker for the Government to obtain legal advice on questions of law and indeed reflect such advice. As such, NSD Document 17, the vast majority of a certain memorandum in NSD Document 4, and an email message in NSD Document 31 are protected from disclosure under the attorney-client privilege.

More interestingly, by referring to “an NSA program” it seemed to tie this document with this 2003 OIPR memo.

Screen Shot 2016-03-06 at 3.54.01 PM

And this November 12, 2013 email (written during a period in the aftermath of the Snowden releases as the government was trying to decide how to respond to various FOIAs as well as Yahoo’s request to unseal its challenge, not to mention after ACLU submitted this FOIA, which was actually submitted before the first Snowden leaks).

Screen Shot 2016-03-06 at 3.55.25 PM

Note, NSD won’t tell us what date in 2003 someone at OIPR (already headed by James Baker, one of the few people briefed on Stellar Wind) wrote about “an NSA program” that appears to be tied the chaining on US person metadata.

I have long believed one of the known but still as yet undescribed modifications to Stellar Wind (there is still at least one, though I believe there are two) enacted after the hospital confrontation in 2004 has to have been either at CIA or DOD, because it doesn’t appear in the unredacted NSA IG Report Snowden gave us. Here, we see CIA unsuccessfully asking for US person metadata at the time everyone was re-establishing Stellar Wind under more legal cover. Assuming NSA document 4 is this memo, the only thing the government is withholding that we haven’t seen yet is the CIA memo. I have a lot more suspicions about this program, too, that I still need to write up.

But I suspect they’re hiding these documents from us — and just as importantly, from the FISA Court — to prevent us from putting the various details of how US person metadata has been used over time. Or rather, to prevent us from laying out how the point of these foreign-targeted surveillance programs is to spy on Americans.

ACLU has already told the government they’re challenging the withholding of these documents.

Alberto Gonzales Rejected DHS’ EO 12333 Procedures in 2006

/2 Comments/in /by

I’m lost down a rabbit hole of declarations relating to ACLU’s FOIA on EO 12333 documents (through which John Yoo’s Stellar Wind justification for Colleen Kollar-Kotelly was released). Arthur Sepeta, DHS’ declarant, had to explain the withholding of just one document, something that shows up on DOJ National Security Division’s Vaughn Index.

Sepeta’s explanation reveals that in 2006, DHS Secretary Michael Chertoff submitted some guidelines on the collection, retention, and dissemination of US person person information to comply with EO 12333. But Attorney General Alberto Gonzales rejected those guidelines. And, as Sepeta makes clear, DHS still doesn’t have any guidelines.

In this case, NSD 2 is a draft of the DHS Procedures Governing Activities of the Office oflntelligence and Analysis that Affect United States Persons. Section 2.3 of Executive Order No. 12,333 requires the head of an Intelligence Community element or the head of a Department containing an Intelligence Community element to issue “procedures” concerning the collection, retention, and dissemination of information concerning United States persons, after the Attorney General approves the procedures. On April 3, 2006, as required by section 2.3 of Executive Order No. 12,333, the Secretary of Homeland Security, as the head of a Department containing an Intelligence Community element, submitted draft Procedures Governing Activities of the Office of Intelligence and Analysis that Affect United States Persons for approval by the Attorney General. The Attorney General subsequently declined to approve the draft procedures submitted by the Secretary of Homeland Security and inter-agency negotiations over the content of these procedures remain ongoing to this day.

As I noted a year ago, in 2008, DHS adopted interim procedures, but they still haven’t finalized any.

Mind you, given the people involved, it’s unclear whether Gonzales’ rejection of DHS’ initial attempt is a good sign or bad sign.

Still, you’d think after 10 years, they would have adopted something?

That Time When John Yoo Deemed EO 12333 Optional (Working Thread)

/2 Comments/in /by

I Con the Record has just released the May 17, 2002 letter John Yoo wrote to Colleen Kollar-Kotelly justifying Stellar Wind. This either lays out for the first time or repeats Yoo’s claim — which I first reported in 2007, based on a Sheldon Whitehouse Senate address, here — that the President doesn’t have to follow EO 12333.

This will be a working thread.

(2) Note Yoo says the attacks caused 5,000 deaths, well beyond the time when authorities knew it to be closer to 3,000.

(2) Yoo mentioned the anthrax attack. Did NSA use Stellar Wind to investigate it?

(2) Yoo uses a more moderate justification here — military being deployed to protect buildings — than Goldsmith did in his 2004 memo, where he talked about specific military flights.

(2) Check EO on creating Homeland Security office on domestic program.

(2) As soon as Yoo starts talking about Stellar Wind, he adopts the conditional tense: “Electronic surveillance techniques would be part of this effort.” This of course follows on Yoo admitting Congress modified FISA (though he doesn’t name the statute).

(2) Note in this really squirrelly hypothetical section, Yoo says the surveillance could include email “within” the US, which would be entirely domestic.

(2-3) Note throughout Yoo describes Bush as “Chief Executive.”

(3) Yoo points to absence of a charter as basis for doing whatever NSA wants.

(3) “Congress, however, has not imposed any express statutory restrictions on the NSA’s ability to intercept communications that involve United States citizens or that occur domestically.” (based on the absence of such language in NSA)

(4) I believe the second redaction is designed to enable the wiretapping of people claimed to be tied to the anthrax attack.

(5) Here’s the passage that said EO 12333 is optional.

Screen Shot 2016-02-29 at 3.00.26 PM

(4-5) I find Yoo’s language the more troubling given what precedes it — the rationale.

Screen Shot 2016-02-29 at 4.06.14 PM

I’ll come back to this, but note how “domestic” gets defined here. Much of this is still on the books and explains why Muslims get treated differently.

(5, 6) Note Yoo’s explanation for doing this off the books.

  1. Need for secrecy
  2. Inability to get FISC to approve bulk content collection or domestic metadata collection
  3. No knowledge of identity of target

That’s not speed, which later became the excuse

(5) “FISA only provides a safe harbor for electronic surveillance, and cannot restrict the President’s ability to engage in warrantless searches that protect the national security.”

(5) Note Yoo refers to the metadata dragnet as “general collection,” which sounds an awful lot like a general warrant.

(7) The redactions on 7 are especially interesting given likelihood they conflict with either what K-K, Bates, or Howard subsequently approved.

(8) The timing of this is remarkable. This letter was written on the same date that Ashcroft changed the rules on the wall, which Lamberth unsuccessfully tried to impose some limits on. Then, on July 22, OLC further expanded the GJ sharing address in FN 8.

(8) Note, again, how Yoo is rewriting Keith and Katz.

(10) again, Yoo seems to be laying the groundwork for back door searches, which makes me wonder whether that’s why this got released?

(12) I don’t believe this border exception appears in Goldsmith. Which suggests there’s something with the way this was applied that is particularly problematic.

(13) This must be the language in question. Goldsmith used another means to justify cross-border collection, while admitting it outright.

(14) This language also disappears from later justifications, suggesting it is part of the problem.

Screen Shot 2016-03-02 at 9.58.37 AM

The discussion continues onto the next page. It is of particular interest that K-K got this letter, given that her category distinctions probably addressed these distinctions.

(15) Bingo. This might be a very simple explanation for why they had to go to FISC.

Screen Shot 2016-03-02 at 10.03.34 AM

(17) This passage about picking the Defense Secretary rather than AG is pretty much what I noted in my post on the underyling 4A argument, but it has ramifications for the post-2004 program. Also note how closely it piggybacks with the changes to AG guidelines and the

Screen Shot 2016-03-02 at 4.27.17 PM

This language explains why they weren’t looking in Stellar Wind for Brady material, and also explains how they do parallel construction (which plays out in the IG Report).

(19) This section lays out the need for the scary memos, without revealing to K-K they exist.

Screen Shot 2016-03-02 at 4.34.13 PM

(21) The big redacted section–the biggest redaction in the letter–suggests they’re still hiding the capture and pull up method of this, and therefore the sheer bulk of all this. That’s all the more interesting given that the wall was coming down at that moment. The other redactions in this section, too, seem to track the indexing function. Again, it’s interesting K-K had read (or reviewed) this before the PRTT discussion.

 

 

 

 

What Claims Did the Intelligence Community Make about the Paris Attack to Get the White House to Change on Encryption?

/5 Comments/in , , /by

I’m going to do a series of posts laying out the timeline behind the Administration’s changed approach to encryption. In this, I’d like to make a point about when the National Security Council adopted a “decision memo” more aggressively seeking to bypass encryption. Bloomberg reported on the memo last week, in the wake of the FBI’s demand that Apple help it brute force Syed Rezwan Farook’s work phone.

But note the date: The meeting at which the memo was adopted was convened “around Thanksgiving.”

Silicon Valley celebrated last fall when the White House revealed it would not seek legislation forcing technology makers to install “backdoors” in their software — secret listening posts where investigators could pierce the veil of secrecy on users’ encrypted data, from text messages to video chats. But while the companies may have thought that was the final word, in fact the government was working on a Plan B.

In a secret meeting convened by the White House around Thanksgiving, senior national security officials ordered agencies across the U.S. government to find ways to counter encryption software and gain access to the most heavily protected user data on the most secure consumer devices, including Apple Inc.’s iPhone, the marquee product of one of America’s most valuable companies, according to two people familiar with the decision.

The approach was formalized in a confidential National Security Council “decision memo,” tasking government agencies with developing encryption workarounds, estimating additional budgets and identifying laws that may need to be changed to counter what FBI Director James Comey calls the “going dark” problem: investigators being unable to access the contents of encrypted data stored on mobile devices or traveling across the Internet. Details of the memo reveal that, in private, the government was honing a sharper edge to its relationship with Silicon Valley alongside more public signs of rapprochement. [my emphasis]

That is, the meeting was convened in the wake of the November 13 ISIS attack on Paris.

We know that last August, Bob Litt had recommended keeping options open until such time as a terrorist attack presented the opportunity to revisit the issue and demand that companies back door encryption.

Privately, law enforcement officials have acknowledged that prospects for congressional action this year are remote. Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

There is value, he said, in “keeping our options open for such a situation.”

Litt was commenting on a draft paper prepared by National Security Council staff members in July, which also was obtained by The Post, that analyzed several options. They included explicitly rejecting a legislative mandate, deferring legislation and remaining undecided while discussions continue.

It appears that is precisely what happened — that the intelligence community, in the wake of a big attack on Paris, went to the White House and convinced them to change their approach.

So I want to know what claims the intelligence community made about the use of encryption in the attack that convinced the White House to change approach. Because there is nothing in the public record that indicates encryption was important at all.

It is true that a lot of ISIS associates were using Telegram; shortly after the attack Telegram shut down a bunch of channels they were using. But reportedly Telegram’s encryption would be easy for the NSA to break. The difficulty with Telegram — which the IC should consider seriously before they make Apple back door its products — is that its offshore location probably made it harder for our counterterrorism analysts to get the metadata.

It is also true that an ISIS recruit whom French authorities had interrogated during the summer (and who warned them very specifically about attacks on sporting events and concerts) had been given an encryption key on a thumb drive.

But it’s also true the phone recovered after the attack — which the attackers used to communicate during the attack — was not encrypted. It’s true, too, that French and Belgian authorities knew just about every known participant in the attack, especially the ringleader. From reports, it sounds like operational security — the use of a series of burner phones — was more critical to his ability to move unnoticed through Europe. There are also reports that the authorities had a difficult time translating the dialect of (probably) Berber the attackers used.

From what we know, though, encryption is not the reason authorities failed to prevent the French attack. And a lot of other tools that are designed to identify potential attacks — like the metadata dragnet — failed.

I hate to be cynical (though comments like Litt’s — plus the way the IC used a bogus terrorist threat in 2004 to get the torture and Internet dragnet programs reauthorized — invite such cynicism). But it sure looks like the IC failed to prevent the November attack, and immediately used their own (human, unavoidable) failure to demand a new approach to encryption.

Update: In testimony before the House Judiciary Committee today, Microsoft General Counsel Brad Smith repeated a claim MSFT witnesses have made before: they provided Parisian law enforcement email from the Paris attackers within 45 minutes. That implies, of course, that the data was accessible under PRISM and not encrypted.

Imagine if Apple Were a Powerless Muslim?

/1 Comment/in , /by

In a piece on the Apple case, Amy Davidson tried to imagine the unintended consequences of broadening the application of the All Writs Act in this case.

If a case involving a non-digital phone network could be applied to smartphones, what technologies might an Apple precedent be applied to, three or four decades from now? (The N.S.A. used, or rather promiscuously misused, another pen-register case from the same era to justify its bulk data collection.) It no longer becomes fanciful to wonder about what the F.B.I. might, for example, ask coders adept in whatever genetic-editing language emerges from the recent developments in CRISPR technology to do. But some of the alarming potential applications are low-tech, too. What if the government was trying to get information not out of a phone but out of a community? Could it require someone with distinct cultural or linguistic knowledge not only to give it information but to use that expertise to devise ways for it to infiltrate that community? Could an imam, for example, be asked not only to tell what he knows but to manufacture an informant?

This is the situation that Apple is in, and that all sorts of other companies and individuals could be in eventually. There are problems enough with the insistence on a back door for devices that will be sold not only in America but in countries with governments that feel less constrained by privacy concerns than ours does. And there are reasons to be cynical about technology companies that abuse private information in their own way, or that jump in to protect not a principle but their brands. But the legal precedent that may be set here matters. By using All Writs, the government is attempting to circumvent the constitutionally serious character of the many questions about encryption and privacy. It is demanding, in effect, that the courts build a back door to the back-door debate.

She raises fair points.

Except when I read them, I thought instead of the demands FBI has already made.

FBI demanded that Lavabit turn over a key protecting all of its users to try to get to Edward Snowden, which led Ladar Levison to shut down the business, well before it got to the point where Ted Olson (who’s now helping Apple make its case, and presumably will all the way to the Supreme Court) would help him argue a legal case.

More directly on point to Davidson’s scenarios, there are numerous reports of FBI creating some artificial means of coercion — often having to do with immigration — that effectively force speech of a certain kind. That’s not far off Davidson’s example of an Imam being forced to inform (which, especially given the use of Section 215 to collect data to identify informants, might involve coercion of a different kind).

Obviously, Apple is huge and rich and powerful so it has the ability to fight such coercion (or just leave the country).

But the comparison is especially apt, I think, because it speaks to why the FBI might be willing to make such breath-taking demands from Apple. It’s used to demanding coercion, whether from smaller ISPs or Imams or Muslim immigrants. And because those people have no power to fight back, FBI has grown used to such ability to coerce cooperation.

image_print