FISA

1 2 3 138

On Mitch’s PATRIOT Gambit

Mitch McConnell, as you’ve probably heard, has just introduced a bill to reauthorize the expiring provisions of the PATRIOT Act until 2020.

The move has elicited a bunch of outraged comments — as if anyone should ever expect anything but dickishness from Mitch McConnell. But few interesting analytical comments.

For example, Mitch is doing this under Rule 14, meaning it bypasses normal committee process. But that’s not as unusual, in ultimate effect, as people are making out. After all, last year the House Judiciary Committee was forced to adopt a much more conservative opening bill under threat of having its jurisdiction stripped entirely — something that Bob Goodlatte surely liked because it helped him rein in the reformers on his committee. Particularly given Chuck Grassley’s dawdling, I suspect something similar is at issue, an effort to give him leverage to rein in last year’s USA Freedom Act in order to undercut Mitch’s ploy.

Moreover, I think it would be utterly naive to believe Mitch and Richard Burr when they claim they would prefer straight reauthorization.

That’s because we know the IC can’t do everything they want to do under Section 215 right now. While reports that they only get 30% of calls are misleading (not least because NSA gets plenty of international calls into the US under EO 12333), for legal or technical or some other reason, the NSA isn’t currently getting all the records it needs to have full coverage. But it could get all or almost all if it worked with providers.

In addition — and this may be related — the NSA has never been able to turn its automated processes back on for US collected telephone data since they had to turn them off in 2009. They gave up trying last year, when Obama decided to move data to the providers. I suspect that the combination of mandated assistance, record delivery in optimal form, and immunity will permit NSA to dump this data into its existing automated system.

So while Mitch and Burr may pretend they’d love straight reauthorization, it is far, far more likely they’re using this gambit to demand changes to USAF that permit the IC to claim more authorities while pretending to reluctantly adopt reform.

And chief on that list is likely to be data retention, something reformers have been conspicuously silent about since Dianne Feinstein revealed USAF would have had a data retention handshake, but not a mandate. Data retention is why most SSCI members opposed USAF last year, it’s why Bill Nelson (working off his dated understanding of the program from when he served on SSCI) voted against it, and Bob Litt has renewed his emphasis on data retention.

Moreover, given the debates about encryption of the last year, especially Jim Comey’s concerns that Apple would have an unfair advantage over Verizon if it can shield iMessage data, I suspect that by data retention they also mean “forced retention of non-telephony messaging metadata.” I’m not sure whether they would be able to pull this off, but I wouldn’t be surprised if the IC plans to use “NSA reform” as an opportunity to force Apple to keep iMessage metadata.

So that’s what I expect this is about: I expect Mitch deliberately caused outright panic among those fighting straight reauthorization that even he doesn’t really want to demand more things from this “reform” bill.

 

I Con the Record’s Annual Transparency™

Amid about 100 pressing bills having to do with surveillance, I Con the Record released the yearly FISA letter and pretty Transparency Report. Here’s what I can see in it (here’s last year’s report and letter for comparison).

Probable Cause FISA

Probable cause FISA orders (Title I, III, 703, and 704) have declined from 1,767 to 1,519, but the number of targets affected has gone up, from 1,144 to 1,562. This seems to suggest that at least some of these orders must involve more than one target. There were 1,416 applications total, including 1,379 including electronic surveillance.

Also note, at least until a few years ago, NSA never used 703 in isolation, it only uses 705(b) orders, which are combinations of 703 and 704. I’m not sure how ODNI counts them, then, and whether 705(b) orders are included as 703 counts.

There were a number of modified probable cause orders this year:

FISC made modifications to the proposed orders in 19 applications.1 Thus, the FISC approved collection activity in a total of 1,379 of the applications that included requests for authority to conduct electronic surveillance.

1 In addition to the 19 orders modified with respect to applications made during the reporting period, the FISC modified two orders for applications after first granting authorization. The FISC also modified two orders for application made in a previous reporting period during the current reporting period.

That’s actually interesting: it may reflect something problematic with the way the government was obtaining this data or that it was collecting too much incidentally protected data. Or it may reflect a new approach that required some negotiation with the Court.

Section 702

As it did last year, the government only admits its one order, which hides that it has 3 or more certifications (a counterterrorism one, a counterproliferation one, and a foreign government catchall one).

The total number of targets affected has gone up, from 89,138 to 92,707. And remember, that’s just the targets. Every person who communicates with those targets will also be affected.

PRTT

The total PRTT orders are pretty flat: they went from 131 to 135. But those affected far more targets, from 319 to 516.

I strongly suspect (in part because of the way USAF carved out location reporting in its transparency procedures) that the government is hiding some kind of systematic Stingray use. So it may be that those 516 targets each suck in hundreds of thousands of Americans co-located with them.

215 orders

I didn’t realize this last year, but the government is reporting applications, not orders.There are good reasons to do this and dishonest reasons. In any case the number has remained relative flat, from 178 to 170, as have specific targets 172 to 160, and US persons who were subjects of queries, 248 to 227.

There are two far more interesting numbers.

First in 2013 (before NSA had to submit each selector to the FISA Court, but also a year with a major terrorist attack), there were 423 selectors approved to be queried in the phone dragnet. But in 2104 — when FISC started reviewing everything — just 161 selectors were approved. That may suggest (though we’d need more data we won’t get because of imminent changes of some sort or another) that the NSA queries on fewer selectors when it has to tell FISC what they are.

Even more interesting, whereas FISC modified 141 Section 215 orders in 2013, last year they just modified four applications last year. Here’s what recent numbers look like to convey how big of a change this is:

215 tracker

In the 2010 to 2012 time frame, the government admitted that these modifications were largely the court imposing minimization procedures and requiring the government report back on the implementation of those minimization procedures.

The change may mean that, in response to the Snowden disclosures, the government finally complied with the requirement mandated by Congress in 2006 that it adopt such procedures itself. It might reflect FISC’s confidence that the government was finally managing this properly. Or it might reflect that the government was collecting less incidental data. Or something else. But it is a very large change that merits further explanation.

NSLs

Both the annual number of NSLs issued and the number of requests dropped by 15%, from to 19,212 to 16,348 and 38832 to 33,024 respectively.

The number of US persons affected showed a slightly smaller drop, about 12-13%. In 2013, the government made 14,291 requests affecting 5,334 different US persons. In 2014, the government made 12,452 requests affecting 4,699 US persons.

NSA’s Dragnet Failed to “Correlate” David Headley’s Identity, One of Its Core Functions

In a piece on the GCHQ and NSA failure to identify David Headley’s role in the Mumbai terrorist attack, ProPublica quotes former CIA officer Charles Faddis on the value of bulk surveillance.

“I’m not saying that the capacity to intercept the communications is not valuable,” said Charles (Sam) Faddis, a former C.I.A. counterterror chief. “Clearly that’s valuable.” Nonetheless, he added, it is a mistake to rely heavily on bulk surveillance programs in isolation.

“You’re going to waste a lot of money, you’re going to waste a lot of time,” Faddis said. “At the end, you’re going have very little to show for it.”

The article as a whole demonstrates that in a manner I’m fairly shocked about. The NSA failed to recognize what it had in intelligence collected on Headley’s role in the attack even after the attack because they hadn’t correlated his known birth name with the name he adopted in the US.

Headley represents another potential stream of intelligence that could have made a difference before Mumbai. He is serving 35 years in prison for his role. He was a Pakistani-American son of privilege who became a heroin addict, drug smuggler and DEA informant, then an Islamic terrorist and Pakistani spy, and finally, a prize witness for U.S. prosecutors.

In recounting that odyssey, we previously explored half a dozen missed opportunities by U.S. law enforcement to pursue tips from Headley’s associates about his terrorist activity. New reporting and analysis traces Headley’s trail of suspicious electronic communications as he did reconnaissance missions under the direction of Lashkar and Pakistan’s Inter-Services Intelligence Directorate (ISI).

Headley discussed targets, expressed extremist sentiments and raised other red flags in often brazen emails, texts and phone calls to his handlers, one of whom worked closely on the plot with Shah, the Lashkar communications chief targeted by the British.

U.S. intelligence officials disclosed to me for the first time that, after the attacks, intensified N.S.A. monitoring of Pakistan did scoop up some of Headley’s suspicious emails. But analysts did not realize he was a U.S.-based terrorist involved in the Mumbai attacks who was at work on a new plot against Denmark, officials admitted.

The sheer volume of data and his use of multiple email addresses and his original name, Daood Gilani, posed obstacles, U.S. intelligence officials said. To perfect his cover as an American businessman, Headley had legally changed his name in 2006.

“They detected a guy named ‘Gilani’ writing to bad guys in Pakistan, communicating with terror and ISI nodes,” a senior U.S. intelligence official said. “He wrote also in fluent Urdu, which drew interest. Linking ‘Gilani’ to ‘Headley’ took a long time. The N.S.A. was looking at those emails post-Mumbai. It was not clear to them who he was.”

As I’ve explained, one of the things NSA does with all its data is to “correlate” selectors, so that it maps a picture of all the Internet and telecom (and brick and mortar, where they have HUMINT) activities of a person using the multiple identities that have become common in this day and age. This is a core function of the NSA’s dragnets, and it works automatically on EO 12333 data (and worked automatically on domestically-collected phone and — probably — Internet metadata until 2009).

When you think about it, there are some easy ways of matching online identities (going to a provider, mapping some IP addresses). And even the matching of “burner” IDs can be done with 94% accuracy, at least within AT&T’s system, according to AT&T’s own claims.

The NSA says they didn’t do so here because Headley had changed his name.

Headley, recall, was a DEA informant. Which means, unless these intelligence agencies are far more incompetent than I believe they are, this information was sitting in a government file somewhere: “Daood Gilani, the name of a known Urdu-fluent informant DEA sent off to Pakistan to hang out with baddies  = David Headley.” Unless Headley adopted the new name precisely because he knew it would serve to throw the IC off his trail.

And yet … NSA claims it could not, and did not, correlate those two identities and as a result didn’t even realize Headley was involved in the Mumbai bombing even after the attack.

Notably, they claim they did not do so because of the “sheer volume of data.”

In short, according to the NSA’s now operative story (you should click through to read the flaccid apologies the IC offered up for lying about the value of Sections 215 and 702 in catching Headley), the NSA’s dragnet failed at one of its core functions because it is drowning in data.

 

The Government Changed Its Mind about How Many Databases It Searched in the Hassanshahi Case after It Shut Down the DEA Dragnet

As I noted in this post, the government insists that it did not engage in parallel construction in the case of Shantia Hassanshahi, the Iranian-American busted for sanctions violations using evidence derivative of a search of what the government now claims was a DEA dragnet. “While it would not be improper for a law enforcement agency to take steps to protect the confidentiality of a law enforcement sensitive investigative technique, this case raises no such issue.”

The claim is almost certainly bullshit, true in only the narrowest sense.

Indeed, the changing story the government has offered about how they IDed Hassanshahi based off a single call he had with a phone belonging to a person of interest, “Sheikhi,” in Iran, is instructive not just against the background of the slow reveal of multiple dragnets over the same period. But also for the technological capabilities included in those claims. Basically, the government appears to be claiming they got a VOIP call from a telephony database.

As I lay out below, the story told by the government in various affidavits and declarations (curiously, the version of the first one that appears in the docket is not signed) changed in multiple ways. While there were other changes, the changes I’m most interested in pertain to:

  • Whether Homeland Security Investigator Joshua Akronowitz searched just one database — the DEA toll record database — or multiple databases
  • How Akronowitz identified Google as the provider for Hassanshahi’s phone record
  • When and how Akronowitz became interested in a call to Hassanshahi from another Iranian number
  • How many calls of interest there were

As you can see from the excerpts below, Akronowitz at first claimed to have searched “HSI-accessible law enforcement databases,” plural, and suggested he searched them himself.  In July 2014, in response to a motion to suppress (and after Edward Snowden had disclosed the NSA’s phone dragnet), Akronowitz changed that story and said he sent a research request to a single database, implying someone else did a search of just one database. Akronowitz told the same story in yet another revised affidavit submitted last October. In the declaration submitted in December but unsealed in January, DEA Assistant Special Agent Robert Patterson stuck with the single database story and used the passive voice to hide who did the database query.

While Akronowitz’ story didn’t change regarding how he discovered that Hassanshahi’s phone was a Google number, it did get more detailed in the July 2014 affidavit, which explained that he had first checked with another VOIP provider before being referred to Google.

Perhaps most interestingly, the government’s story changed regarding how many calls of interest there were, and between what numbers. In January 2013, Akronowitz said “a number of telephone calls between ‘Sheikhi’s’ known business telephone number and telephone number 818-971-9512 had occurred within a relatively narrow time frame” (though he doesn’t tell us what that time frame was). He also says that his Google subpoena showed “numerous calls to the same Iranian-based telephone number during a relatively finite period of time.” He neither explained that this number was not Sheikhi’s number — it was a different Iranian number — nor what he means by “a relatively finite period of time.”  His July and October affidavits said his research showed a contact, “on one occasion, that is, on July 4, 2011,” with Sheikhi’s number. The July affidavit maintained the claim that there were multiple calls between Hassanshahi’s number and an Iranian one: “numerous phone calls between Hassanshahi’s ‘818’ number and one Iranian phone number.” But by October, Akronowitz conceded that the Google records showed only “that Hassanshahi’s ‘818’ number made contact with an Iranian phone number (982144406457) only once, on October 5, 2011″ (as well as a “22932293” number that he bizarrely claimed was a call to Iran).  Note, Akronowitz’ currently operative story would mean the government never checked whether there were any calls between Hassanshahi and Sheikhi between August 24 and September 6 (or after October 6), which would be rather remarkable. Patterson’s December affidavit provided no details about the date of the single call discovered using what he identified as DEA’s database, but did specify that the call was made by Hassanshahi’s phone, outbound to Iran. (Patterson didn’t address the later Google production, as that was pursuant to a subpoena.)

To sum up, before Edward Snowden’s leaks alerted us to the scope of NSA’s domestic and international dragnet, Akronowitz claimed he personally had searched multiple databases and found evidence of multiple calls between Hassanshahi’s phone number and Sheikhi’s number, as well as (after getting a month of call records from Google) multiple calls to another Iranian number over unspecified periods of time. After Snowden’s leaks alerted us to the dragnet, after Dianne Feinstein made it clear the NSA can search on Iranian targets in the Section 215 database, which somehow counts as a terrorist purpose, and after Eric Holder decided to shut down just the DEA dragnet, Akronowitz changed his story to claim he had found just one call between Hassanshahi and Shiekhi, and — after a few more months — just one call from another Iranian number to Hassanshahi. Then, two months later, the government claimed that the only database that ever got searched was the DEA one (the one that had already been shut down) which — Patterson told us — was based on records obtained from “United States telecommunications service providers” via a subpoena.

Before I go on, consider that the government currently claims it used just a single phone call of interest — and the absence of any additional calls in a later months’s worth of call records collected that fall — to conduct a warrantless search of a laptop in a state (CA) where such searches require warrants, after having previously claimed there was a potentially more interesting set of call records to base that search on.

Aside from the government’s currently operative claim that it would conduct border searches based on the metadata tied to a single phone call, I find all this interesting for two reasons.

First, the government’s story about how many databases got searched and how many calls got found changed in such a way that the only admission of an unconstitutional search to the judge, in December 2014, involved a database that had allegedly been shut down 15 months earlier.

Maybe they’re telling the truth. Or maybe Akronowitz searched or had searched multiple databases — as he first claimed — and found the multiple calls he originally claimed, but then revised his story to match what could have been found in the DEA database. We don’t know, for example, if the DEA database permits “hops,” but he might have found a more interesting call pattern had he been able to examine hops (for example, it might explain his interest in the other phone number in Iran, which otherwise would reflect no more than an immigrant receiving a call from his home country).

All of this is made more interesting because of my second point: the US side of the call in question was an Internet call, a Google call, not a telephony call. Indeed, at least according to Patterson’s declaration (records of this call weren’t turned over in discovery, as far as I can tell), Hassanshahi placed the call, not Sheikhi.

I have no idea how Google calls get routed, but given that Hassanshahi placed the call, there’s a high likelihood that it didn’t cross a telecom provider’s backbone in this country (and god only knows how DEA or NSA would collect Iranian telephony provider records), which is who Patterson suggests the calls came from (though there’s some room for ambiguity in his use of the term “telecommunications service providers”).

USAT’s story on this dragnet suggests the data all comes from telephone companies.

It allowed agents to link the call records its agents gathered domestically with calling data the DEA and intelligence agencies had acquired outside the USA. (In some cases, officials said the DEA paid employees of foreign telecom firms for copies of call logs and subscriber lists.)

[snip]

Instead of simply asking phone companies for records about calls made by people suspected of drug crimes, the Justice Department began ordering telephone companies to turn over lists of all phone calls from the USA to countries where the government determined drug traffickers operated, current and former officials said.

[snip]

Former officials said the operation included records from AT&T and other telecom companies.

But if this call really was placed from a Google number, it’s not clear it would come up under such production, even under production of calls that pass through telephone companies’ backbones. That may reflect — if the claims in this case are remotely honest — that the DEA dragnet, at least, gathered call records not just from telecom companies, but also from Internet companies (remember, too, that DOJ’s Inspector General has suggested DEA had or has more than one dragnet, so it may also have been collecting Internet toll records).

And that — coupled with the government’s evolving claims about how many databases got checked and how many calls that research reflected — may suggest something else. Given that the redactions on the providers obliged under the Section 215 phone dragnet orders haven’t changed going back to 2009, when it was fairly clear there were just 3 providers (AT&T, Sprint, and Verizon), it may be safe to assume that’s still all NSA collects from. A never-ending series of leaks have pointed out that the 215 phone dragnet increasingly has gaps in coverage. And this Google call would be precisely the kind of call we would expect it to miss (indeed, that’s consistent with what Verizon Associate General Counsel — and former DOJ National Security Division and FBI Counsel — Michael Woods testified to before the SSCI last year, strongly suggesting the 215 dragnet missed VOIP). So while FISC has approved use of the “terrorist” Section 215 database for the terrorist group, “Iran,” (meaning NSA might actually have been able to query on Sheikhi), we should expect that this call would not be in that database. Mind you, we should also expect NSA’s EO 12333 dragnet — which permits contact chaining on US persons under SPCMA — to include VOIP calls, even with Iran. But depending on what databases someone consulted, we would expect gaps in precisely the places where the government’s story has changed since it decided it had searched only the now-defunct DEA database.

Finally, note that if the government was sufficiently interested in Sheikhi, it could easily have targeted him under PRISM (he did have a GMail account), which would have made any metadata tied to any of his Google identities broadly shareable within the government (though DHS Inspectors would likely have to go through another agency, quite possibly the CIA). PRISM production should return any Internet phone calls (though there’s nothing in the public record to indicate Sheikhi had an Internet phone number). Indeed, the way the NSA’s larger dragnets work, a search on Sheikhi would chain on all his correlated identifiers, including any communications via another number or Internet identifier, and so would chain on whatever collection they had from his GMail address and any other Google services he used (and the USAT described the DEA dragnet as using similarly automated techniques).  In other words, when Akronowitz originally said there had been multiple “telephone calls,” he may have instead meant that Sheikhi and Hassanshahi had communicated, via a variety of different identifiers, multiple times as reflected in his search (and given what we know about DEA’s phone dragnet and my suspicion they also had an Internet dragnet, that might have come up just on the DEA dragnets alone).

The point is that each of these dragnets will have slightly different strengths and weaknesses. Given Akronowitz’ original claims, it sounds like he may have consulted dragnets with slightly better coverage than just the DEA phone dragnet — either including a correlated DEA Internet dragnet or a more extensive NSA one — but the government now claims that it only consulted the DEA dragnet and consequently claims it only found one call, a call it should have almost no reason to have an interest in.

Continue reading

Mike Rogers Wanted to Drone Kill an American Citizen for Training with al Qaeda?

There has been some good commentary on NYT’s story on Administration debates over killing Mohanad Mahmoud al-Farekh, the American citizen who was captured and charged in federal court on April 2, after the Administration considered but then decided against drone-killing him. Both David Cole and Brett Max Kaufman ask raise some important points and questions. Of particular note, they ask what the fuck Mike Rogers was doing pushing DOD and CIA to kill a US citizen.

Yet neither of those pieces gets to something I’m puzzling over. Al-Farekh was charged in EDNY (Loretta Lynch’s district), but he was only charged with conspiracy to commit material support for terrorism, a charge that carries a 15 year maximum sentence. Basically, he is accused of conspiring with Ferid Imam who in turn trained Najibullah Zazi and his co-conspirators for their planned 2009 attack on the NY Subway system.

In approximately 2007, Farekh, an individual named Ferid Imam and a third co-conspirator departed Canada for Pakistan with the intention of fighting against American forces.  They did not inform their families of their plan before departing, but called a friend in Canada upon arrival to let him know that he should not expect to hear from them again because they intended to become martyrs.  According to public testimony in previous criminal trials in the Eastern District of New York, in approximately September 2008, Ferid Imam provided weapons and other military-type training at an al-Qaeda training camp in Pakistan to three individuals – Najibullah Zazi, Zarein Ahmedzay and Adis Medunjanin – who intended to return to the United States to conduct a suicide attack on the New York City subway system.  Zazi and Ahmedzay pleaded guilty pursuant to cooperation agreements and have yet to be sentenced; Medunjanin was convicted after trial and sentenced to life imprisonment.  Ferid Imam has also been indicted for his role in the plot.

But the evidence laid out in the complaint is rather thin, basically amounting to the second-hand reports that al-Farekh, like Zazi and his friends, traveled to Pakistan for terrorist training.

Were we really going to kill this dude with a drone because he got terrorist training in Pakistan? That’s it?

Now, it’s quite possible the government is just charging him with the crimes the evidence for which they can introduce in a trial — though note that the government got a FISC warrant to collect on him (though it’s possible this is drone-based collection, and so sensitive enough they wouldn’t want to use it at trial).

Drones spotted him several times in the early months of 2013, and spy agencies used a warrant issued by the Federal Intelligence Surveillance Court to monitor his communications.

It’s equally possible that al-Farekh will be indicted on further charges, a more central role in plotting attacks out of the tribal lands of Pakistan. Similarly, it’s possible that al-Farekh’s High Value Interrogation Group interrogation — reported as well in this WaPo story — provided valuable intelligence on other militants that will have nothing to do with his own trial.

Still, both the earlier WaPo story (written in part by Adam Goldman, who wrote the book on the Zazi case) and the NYT story hint that the claims made about al-Farekh’s activities in 2013 have proven to be overblown. The WaPo doesn’t provide much detail.

Officials said there were questions about how prominent a role Farekh played in al-Qaeda.

The NYT provides more.

But the Justice Department, particularly Attorney General Eric H. Holder Jr., was skeptical of the intelligence dossier on Mr. Farekh, questioning whether he posed an imminent threat to the United States and whether he was as significant a player in Al Qaeda as the Pentagon and the C.I.A. described.

[snip]

Once in Pakistan, Mr. Farekh appears to have worked his way up the ranks of Al Qaeda, his ascent aided by marrying the daughter of a top Qaeda leader.

American officials said he became one of the terrorist network’s planners for operations outside Pakistan, a position that included work on the production and distribution of roadside bombs used against American troops in Afghanistan.

Some published reports have said that Mr. Farekh held the third-highest position in Al Qaeda, but Americans officials said the reports were exaggerated.

His level in the Qaeda hierarchy remains a matter of some dispute. Several American officials said that the criminal complaint against him underplayed his significance inside the terrorist group, but that the complaint — based on the testimony of several cooperating witnesses — was based only on what federal prosecutors believed they could prove during a trial.

This, then — along with the explicit connection with the Awlaki case, based as it was, at least at first, on Umar Farouk Abdulmutallab’s interrogation and all the reasons to doubt it — seems the big takeaway. We almost killed this dude, but now all we can prove is that he trained in Pakistan.

Ironically, Philip Mudd argues for the NYT that we can’t capture these people because we’d have to rely on our intelligence partners.

But many counterterrorism specialists say capturing terrorism suspects often hinges on unreliable allies. “It’s a gamble to rely on a partner service to pick up the target,” said Philip Mudd, a former senior F.B.I. and C.I.A. official.

Of course, these are often the same people we rely on for targeting intelligence, including against both Awlaki and al-Farekh. What does it say that we’d believe targeting information from allies, but not trust them to help us arrest the guys they apparently implicate?

Whatever that says, the story thus far (it could change) is that al-Farekh was almost killed on inadequate evidence because CIA and DOD were champing at the bit. That ought to be the big takeaway.

 

DEA’s Dragnet and David Headley

In a piece on the DEA dragnet the other day, Julian Sanchez made an important point. The existence of the DEA dragnet — and FBI’s use of it in previous terrorist attacks — destroys what little validity was left of the claim that NSA needed the Section 215 dragnet after 9/11 to close a so-called “gap” they had between a safe house phone in Yemen and plotters in the US (though an international EO 12333 database would have already proven that wrong).

First, the program’s defenders often suggest that had we only had some kind of bulk telephone database, the perpetrators of the 9/11 attacks could have been identified via their calls to a known safehouse in Yemen.  Now, of course, we know that there was such a database—and indeed, a database that had already been employed in other counterterror investigations, including the 1995 Oklahoma City bombing. It does not appear to have helped.

But the DEA dragnet is even more damning for another set of claims, and for another terrorist attack such dragnets failed to prevent: former DEA informant David Headley, one of the key planners of the 2008 Mumbai attack.

Headley provided DEA the phone data they would have needed to track him via their dragnet

As ProPublica extensively reported in 2013, Headley first got involved in Lashkar-e-Taiba while he remained on the DEA’s payroll, at a time when he was targeting Pakistani traffickers. Indeed, after 9/11, his DEA handler called him for information on al Qaeda. All this time, Headley was working phone based sources.

Headley returned to New York and resumed work for the DEA in early 2000. That April, he went undercover in an operation against Pakistani traffickers that resulted in the seizure of a kilo of heroin, according to the senior DEA official.

At the same time, Headley immersed himself in the ideology of Lashkar-i-Taiba. He took trips to Pakistan without permission of the U.S. authorities. And in the winter of 2000, he met Hafiz Saeed, the spiritual leader of Lashkar.

Saeed had built his group into a proxy army of the Pakistani security forces, which cultivated militant groups in the struggle against India. Lashkar was an ally of al Qaeda, but it was not illegal in Pakistan or the United States at the time.

[snip]

Headley later testified that he told his DEA handler about his views about the disputed territory of Kashmir, Lashkar’s main battleground. But the senior DEA official insisted that agents did not know about his travel to Pakistan or notice his radicalization.

On Sept. 6, 2001, Headley signed up to work another year as a DEA informant, according to the senior DEA official.

On Sept. 12, Headley’s DEA handler called him.

Agents were canvassing sources for information on the al Qaeda attacks of the day before. Headley angrily said he was an American and would have told the agent if he knew anything, according to the senior DEA official.

Headley began collecting counterterror intelligence, according to his testimony and the senior DEA official. He worked sources in Pakistan by phone, getting numbers for drug traffickers and Islamic extremists, according to his testimony and U.S. officials.

Even at this early stage, the FBI had a warning about Headley, via his then girlfriend who warned a bartender Headley had cheered the 9/11 attack; the bartender passed on the tip. And Headley was providing the DEA — which already had a dragnet in place — phone data on his contacts, including Islamic extremists, in Pakistan.

ProPublica’s sources provide good reason to believe DEA, possibly with the FBI, sent Headley to Pakistan even after that tip, and remained an informant until at least 2005.

So the DEA (or whatever agency had sent him) not only should have been able to track Headley and those he was talking to using their dragnet, but they were using him to get phone contacts they could track (and my understanding is that agreeing to be an informant amounts to consent to have your calls monitored, though see this post on the possible “defeat” of informant identifiers).

Did Headley’s knowledge of DEA’s phone tracking help the Mumbai plotters avoid detection?

Maybe. And/or maybe Headley taught his co-conspirators how to avoid detection.

Of course, Headley could have just protected some of the most interesting phone contacts of his associates (but again, DEA should have tracked who he was talking to if they were using him to collect telephony intelligence).

More importantly, he may have alerted Laskar-e-Taiba to phone-based surveillance.

In a December joint article with the NYT, ProPublica provided details on how one of Headley’s co-conspirators, Zarrar Shah, set up a New Jersey-based VOIP service so it would appear that their calls were originating in New Jersey.

Not long after the British gained access to his communications, Mr. Shah contacted a New Jersey company, posing online as an Indian reseller of telephone services named Kharak Singh, purporting to be based in Mumbai. His Indian persona started haggling over the price of a voice-over-Internet phone service — also known as VoIP — that had been chosen because it would make calls between Pakistan and the terrorists in Mumbai appear as if they were originating in Austria and New Jersey.

“its not first time in my life i am perchasing in this VOIP business,” Mr. Shah wrote in shaky English, to an official with the New Jersey-based company when he thought the asking price was too high, the GCHQ documents show. “i am using these services from 2 years.”

Mr. Shah had begun researching the VoIP systems, online security, and ways to hide his communications as early as mid-September, according to the documents.

[snip]

Eventually Mr. Shah did set up the VoIP service through the New Jersey company, ensuring that many of his calls to the terrorists would bear the area code 201, concealing their actual origin.

We have reason to believe that VOIP is one of the gaps in all domestic-international dragnets that agencies are just now beginning to close. And by proxying through the US, those calls would have been treated as US person calls (though given the clear foreign intelligence purpose, they would have met any retention guidelines, though may have been partly blocked in CIA’s dragnet). While there’s no reason to believe that Headley knew that, he likely knew what kind of phone records his handlers had been most interested in.

But it shouldn’t have mattered. As the article makes clear, GCHQ not only collected the VOIP communications, but Shah’s communications as he set them up.

Did FBI claim it tracked Headley using the NSA dragnet when it had actually used the DEA one?

I’ve been arguing for years that if dragnet champions want to claim they work, they need to explain why they point to Headley as a success story because they prevented his planned attack on a Danish newspaper, when they failed to prevent the even more complex Mumbai attack. Nevertheless, they did claim it — or at least strongly suggest it — as a success, as in FBI Acting Assistant Director Robert Holley’s sworn declaration in Klayman v. Obama.

In October 2009, David Coleman Headley, a Chicago businessman and dual U.S. and Pakistani citizen, was arrested by the FBI as he tried to depart from Chicago O’Hare airport on a trip to Pakistan. At the time of his arrest, Headley and his colleagues, at the behest of al-Qa’ida, were plotting to attack the Danish newspaper that published cartoons depicting the Prophet Mohammed. Headley was later charged with support for terrorism based on his involvement in the planning and reconnaissance for the 2008 hotel attack in Mumbai. Collection against foreign terrorists and telephony metadata analysis were utilized in tandem with FBI law enforcement authorities to establish Headley’s foreign ties and put them in context with his U.S. based planning efforts.

That said, note how Holley doesn’t specifically invoke Section 215 (or, for that matter, Section 702, which the FBI had earlier claimed they used against Headley)?

Now compare that to what the Privacy and Civil Liberties Oversight Board said about the use of Section 215 against Headley.

In October 2009, Chicago resident David Coleman Headley was arrested and charged for his role in plotting to attack the Danish newspaper that published inflammatory cartoons of the Prophet Mohammed. He was later charged with helping orchestrate the 2008 Mumbai hotel attack, in collaboration with the Pakistan-based militant group Lashkar-e-Taiba. He pled guilty and began cooperating with authorities.

Headley, who had previously served as an informant for the Drug Enforcement Agency, was identified by law enforcement as involved in terrorism through means that did not involve Section 215. Further investigation, also not involving Section 215, provided insight into the activities of his overseas associates. In addition, Section 215 records were queried by the NSA, which passed on telephone numbers to the FBI as leads. Those numbers, however, only corroborated data about telephone calls that the FBI obtained independently through other authorities.

Thus, we are aware of no indication that bulk collection of telephone records through Section 215 made any significant contribution to the David Coleman Headley investigation.

First, by invoking Headley’s role as an informant, PCLOB found reason to focus on DEA right before they repeatedly point to other authorities: Headley was IDed by “law enforcement” via means that did not involve 215, his collaborators were identified via means that did not involve 215, and when they finally did query 215, they only “corroborated data about telephone calls that the FBI had obtained independently through other authorities.”

While PCLOB doesn’t say any of these other authorities are DEA’s dragnet, all of them could be (though some of them could also be NSA’s EO 12333 dragnet, or whatever dragnet CIA runs, or GCHQ collection, or Section 702, or — some of them — FBI NSL-based collection, or tips). What does seem even more clear now than when PCLOB released this is that NSA was trying to claim credit for someone else’s dragnet, so much so that even the FBI itself was hedging claims when making sworn declarations.

Of course, whatever dragnet it was that identified Headley’s role in Laskar-e-Taiba, even the DEA’s own dragnet failed to identify him in the planning stage for the larger of the attacks.

If the DEA’s own dragnet can’t find its own informant plotting with people he’s identified in intelligence reports, how successful is any dragnet going to be?

 

Is Stingray Unique or Does All National Security Information Sharing Involve Such Silencing?

In the last few days, there have been two developments on Stingray transparency. First, the Erie County Sheriff’s office complied with a NYCLU FOIA for Stingray documents. So they released documents showing somewhat modest (though still troubling, often unsupported by any legal process) use of their Stingray. Meanwhile, in Maryland, a policy detective testified about some — but not all — details of Baltimore Police Department’s far more extensive use of its unit. (See also AP’s coverage of the hearing.)

Detective Emmanuel Cabreja, a member of the Police Department’s Advanced Technical Team, testified that police own a Hailstorm cell site simulator — the latest version of the stingray — and have used the technology 4,300 times since 2007.

Cabreja said he had used it 600 to 800 times in less than two years as a member of the unit.

[snip]

Cabreja testified Wednesday during a pretrial hearing in the case of Nicholas West, 21, and Myquan Anderson, 17. West and Anderson were charged in October 2013 with armed carjacking, armed robbery, theft and other violations stemming from an attack on a man in Federal Hill.

Cabreja took what he said was a copy of the nondisclosure agreement to court. It was dated July 2011 and bore the signatures of then-Police Commissioner Frederick H. Bealefeld III and then-State’s Attorney Gregg Bernstein.

Defense attorney Joshua Insley asked Cabreja about the agreement.

“Does this document instruct you to withhold evidence from the state’s attorney and Circuit Court, even upon court order to produce?” he asked.

“Yes,” Cabreja said.

Cabreja did not comply with a defense subpoena to produce the device in court. He said he was barred from doing so by the nondisclosure agreement.

In both cases, we finally got a copy of the Non-Disclosure Agreement FBI has been forcing localities to sign on Stingray users. Here’s the Erie one (and here’s MuckRock’s analysis of the slow process of liberating these); the non-disclosures appear to be identical, except for the names of the jurisdiction and signers.

Tech people tracking this development are still mystified by the extreme secrecy that has held sway up until now. People have known about Stingrays for years, so why is the FBI working so hard to hide it and why are localities willing to lose convictions to fulfill the NDAs they’ve signed? (See this Chris Soghoian and Stephanie Pell paper on that take.)

As I have said, I think the FBI may be hiding more than just localities’ own use of Stingrays. It may be hiding its own use of Stingrays that may go well beyond what localities do with them (this MN version was the previously most informative version of the NDA for comparison). Indeed, the newly disclosed language in the NDA on deconfliction reveals that users “will coordinate with the FBI in advance of its use of the wireless collection equipment/technology to ensure de-confliction of respective missions.”

Now, in addition to the NDA, Erie also released a list of its use of its Stingray. Of the 47 uses described, it partnered with the FBI 4 times — though all but one of those included Marshal Service involvement in finding a fugitive, with the remaining one involving drugs. So that says FBI will borrow localities’ Stingrays, though nowhere near as often as USMS (which asked for Erie’s help 17 times). The remainder of the requests all helped local law enforcement, ranging from NY State Police, Park police, Buffalo PD, smaller cities, and even colleges. That is, effectively Erie served as the (or a) local service for other law enforcement agencies.

But there was nothing national security related in any of that usage. And while Buffalo is not the terrorist hotspot Dick Cheney made it out to be when he tried to suspect posse comitatus to start policing Lackawanna, there is a Muslim community that FBI is known to have tracked closely.

So while it’s unclear whether FBI’s requirements on deconfliction refer to its own potential need for a local Stingray or whether they have their own Stingrays they don’t want conflicting with Erie’s, FBI does seem to have envisioned the possibility of one agency’s Stingray use stepping on another agency’s.

Note, too, another thing FBI has been hiding — mention of manuals and equipment — may serve to hide the specifications of the equipment held locality, which is tied closely to capabilities (which I think might actually be an acceptable thing to keep secret, as different versions of different Stingrays have different functionalities).

But I’d like to entertain another possibility: that the NDAs we’re seeing show the outlines underlying much of the vastly expanded information and technology sharing that has happened since 9/11.

Consider: FBI is the fulcrum of all the post-9/11 information sharing from the federal government on down to localities (the same kind of quiltwork of localities as rely on the Erie Stingray). And a great deal of that intelligence will be sensitive — perhaps even more so than the Stingrays themselves. And, similarly, when that data derives from FISA or some other intelligence process, FBI is going to be just as adamant that the localities hide the provenance of it, using all the same parallel construction techniques as demanded by the NDA.

The Memoranda of Understanding for Joint Terrorism Task Forces (Massachusetts State Police; Houston Police Department) — through which a lot of that info-sharing happens — include similar features that are in some ways more restrictive, and in some ways less so. Records are possessed by FBI, ensuring they can’t be shared. JTTF gets investigative exclusivity, so it can conduct its own parallel construction if it deems necessary. Members of JTTFs get security clearances, which would impose even stronger obligations to secrecy as the Stingray NDAs, but members are also required not to disclose sensitive information to others. That is, there, the information sharing happens within a structure that ensures (or at least puts the FBI in charge of) much of the same secrecy that would exist on Stingrays, albeit tied to the institution and stricter NDAs of clearances.

FBI’s Section 702 minimization procedures permits the dissemination of FISA-derived information that is evidence of a crime or related to child exploitation, including kiddie porn, to local authorities. It can also disseminate intelligence on potential attacks or sabotage. But it doesn’t precisely explain how that dissemination would occur, beyond that it would comply with similar dissemination within the Federal government.

I may be missing it, but there must be a great deal of information sharing protocols that have similarities to the Stingray NDAs: that give people without clearance that need “sources and methods” information to do their jobs access, but in such a way that FBI retains all the control over the information.

That is, is it possible that it’s not just the Stingray over which the FBI supersedes justice and democratic transparency to its own prerogatives?

A Guide to the 5+ Known Intelligence Community Telecommunications Metadata Dragnets

I’ve been laying this explanation out since USA Today provided new details on DEA’s International Dragnet, but it’s clear it needs to be done in more systematic fashion, because really smart people continue to mistakenly treat the Section 215 database as the analogue to the DEA dragnet described by USAT, which it’s not. There are at least five known telecommunications dragnets (some of which appear to integrate other kinds of metadata, especially Internet metadata). Here’s a quick guide to what is known about each (click to enlarge, let me know of corrections/additions, I will do running updates to make this more useful):

150410 Dragnets

NSA, International

When people think about the NSA dragnet they mistakenly think exclusively of Section 215. That is probably the result of a deliberate strategy from the government, but it leads to gross misunderstanding on many levels. As Richard Clarke said in Congressional testimony last year, Section “215 produces a small percentage of the overall data that’s collected.”

Like DEA, NSA has a dragnet of international phone calls, including calls into the United States. This is presumably limited only by technical capability, meaning the only thing excluded from this dragnet are calls NSA either doesn’t want or that it can’t get overseas (and note, some domestic cell phone data may be available offshore because of roaming requirements). David Kris has said that what collection of this comes from domestic providers comes under 18 U.S.C. § 2511(2)(f). And this dragnet is not just calls: it is also a whole slew of Internet data (because of the structure of the Internet, this will include a great deal of US person data). And it surely includes a lot of other data points, almost certainly including location data. Analysts can probably access Five Eyes and other intelligence partner data, though this likely includes additional restrictions.

There are, within this dragnet, two sets of procedures for accessing it. There is straight EO 12333, which appears to defeat US person data (so if you’re contact chaining and a known US person is included in the chain, you won’t see it). This collection requires only a foreign intelligence purpose (which counternarcotics is explicitly included in). Standard NSA minimization procedures apply, which — given that this is not supposed to include US person data — are very permissive.

Starting in 2008 (and probably before 2004, at least as part of Stellar Wind), specially-trained analysts are also permitted to include US persons in the contact chaining they do on EO 12333 data, under an authority call “SPCMA” for “special procedures.” They can’t target Americans, but they can analyze and share US person data (and NSA has coached analysts how to target a foreign entity to get to the underlying US data). This would be treated under NSA’s minimization procedures, meaning US person data may get masked unless there’s a need for it. Very importantly, this chaining is not and never was limited to counterterrorism purposes — it only requires a foreign intelligence purpose. Particularly because so much metadata on Americans is available overseas, this means NSA can do a great deal of analysis on Americans without any suspicion of criminal ties.

Both of these authorities appear to link right into other automatic functions, including things like matching identities (such that it would track “emptywheel” across all the places I use that as my uniquename) and linking directly up to content, if it has been collected.

NSA, Domestic

Screen Shot 2014-02-16 at 10.42.09 PM Then there is the Section 215 dragnet, which prior to 2006 was conducted with telecoms voluntarily producing data but got moved to Section 215 thereafter; there is a still-active Jack Goldsmith OLC opinion that says the government does not need any additional statutory authorization for the dragnet (though telecoms aside from AT&T would likely be reluctant to do so now without liability protection and compensation).

Until 2009, the distinctions between NSA’s EO 12333 data and Section 215 were not maintained. Indeed, in early 2008 “for purposes of analytical efficiency,” the Section 215 data got dumped in with the EO 12333 data and it appears the government didn’t even track data source (which FISC made them start doing by tagging each discrete piece of data in 2009), and so couldn’t apply the Section 215 rules as required.  Thus, until 2009, the Section 215 data was subjected to the automatic analysis the EO 12333 still is. That was shut down in 2009, though the government kept trying to find a way to resume such automatic analysis. It never succeeded and finally gave up last year, literally on the day the Administration announced its decision to move the data to the telecoms.

The Section 215 phone dragnet can only be used for counterterrorism purposes and any data that gets disseminated outside of those cleared for BRFISA (as the authority is called inside NSA) must be certified as to that CT purpose. US person identifiers targeted in the dragnet must first be reviewed to ensure they’re not targeted exclusively for First Amendment reasons. Since last year, FISC has pre-approved all identifiers used for chaining except under emergencies. Though note: Most US persons approved for FISA content warrants are automatically approved for Section 215 chaining (I believe this is done to facilitate the analysis of the content being collected).

Two very important and almost universally overlooked points. First, analysts access (or accessed, at least until 2011) BRFISA data from the very same computer interface as they do EO 12333 data (see above, which would have dated prior to the end of 2011). Before a chaining session, they just enter what data repositories they want access to and are approved for, and their analysis will pull from all those repositories. Chaining off data from more than one repository is called a “federated” query. And the contact chaining they got — at least as recently as 2011, anyway — also included data from both EO 12333 collection and Section 215 collection, both mixed in together. Importantly, data with one-end in foreign will be redundant, collected under both EO 12333 and 215. Indeed, a training program from 2011 trained analysts to re-run BRFISA queries that could be replicated under EO 12333 so they could be shared more permissively. That said, a footnote (see footnote 13) in phone dragnet orders that has mostly remained redacted appears to impose the BRFISA handling rules on any data comingled with it, so this may limit (or have imposed new more recent limits) on contact chaining between authorities.

As I noted, NSA shut down the automatic features on BRFISA data in 2009. But once data comes back in a query, it can be subjected to NSA’s “full range of analytical tradecraft,” as every phone dragnet order explains. Thus, while the majority of Americans who don’t come up in a query don’t get subjected to more intrusive analysis, if you’re 3 hops (now 2) from someone of interest, you can be — everything, indefinitely. I would expect that to include trolling all of NSA’s collected data to see if any of your other identifiable data comes up in interesting ways. That’s a ton of innocent people who get sucked into NSA’s maw and will continue to even after/if the phone dragnet moves to the providers.

DEA, International

As I said, the analogue to the program described by the USA Today, dubbed USTO, is not the Section 215 database, but instead the EO 12333 database (indeed, USAT describes that DEA included entirely foreign metadata in their database as well). The data in this program provided by domestic providers came under 21 USC 876 — basically the drug war equivalent of the Section 215 “tangible things” provision. An DEA declaration in the Shantia Hassanshahi case claims it only provides base metadata, but it doesn’t specify whether that includes or excludes location.  As USAT describes (and would have to be the case for Hassanshahi to be busted for sanctions violations using it, not to mention FBI’s success at stalling of DOJ IG’s investigation into it), this database came to be used for other than counternarcotics purposes (note, this should have implications for EO 12333, which I’ll get back to). And, as USAT also described, like the NSA dragnet, the USTO also linked right into automatic analysis (and, I’m willing to bet good money, tracked multiple types of metadata). As USAT describes, DEA did far more queries of this database than of the Section 215 dragnet, but that’s not analogous; the proper comparison would be with NSA’s 12333 dragnet, and I would bet the numbers are at least comparable (if you can even count these automated chaining processes anymore). DEA says this database got shut down in 2013 and claims the data was purged. DEA also likely would like to sell you the Brooklyn Bridge real cheap.

DEA, Domestic

There’s also a domestic drug-specific dragnet, Hemisphere, that was first exposed by a NYT article. This is not actually a DEA database at all. Rather, it is a program under the drug czar that makes enhanced telecom data available for drug purposes, while the records appear to stay with the telecom.

This seems to have been evolving since 2007 (which may mark when telecoms stopped turning over domestic call records for a range of purposes).  At one point, it pulled off multiple providers’ networks, but more recently it has pulled only off AT&T’s networks (which I suspect is increasingly what has happened with the Section 215 phone dragnet).

But the very important feature of Hemisphere — particularly as compared to its analogue, the Section 215 dragnet — is that the telecoms perform the same kind of analysis they would do for their own purposes. This includes using location data and matching burner phones (though this is surely one of the automated functions included in NSA’s EO 12333 dragnet and DEA’s USTO). Thus, by keeping the data at the telecoms, the government appears to be able to do more sophisticated kinds of analysis on domestic data, even if it does so by accessing fewer records.

That is surely the instructive motivation behind Obama’s decision to “let” NSA move data back to the telecoms. It’d like to achieve what it can under Hemisphere, but with data from all telecom providers rather than just AT&T.

CIA

At least as the NSA documents concerning ICREACH tell it, CIA and DEA jointly developed a sharing platform called PROTON that surely overlaps with USTO in significant ways. But PROTON appeared to reside with CIA (and FBI and NSA were late additions to the PROTON sharing). PROTON included CIA specific metadata (that is, not telecommunications metadata but rather metadata tracking their own HUMINT).  But in 2006 (these things all started to change around that time), NSA made a bid to become the premiere partner here with ICREACH, supporting more types of metadata and sharing it with international partners.

So we don’t know what CIA’s own dragnet looks like, just that it has one, one not bound to just telecommunications.

In addition, CIA has a foreign intelligence equivalent of Hemisphere, where it pays AT&T to “voluntarily” hand over data that is at least one-end foreign (and masks the US side unless the record gets referred to FBI).

Finally, CIA can “upload or transfer some or all” of the metadata that it pulls off of raw PRISM data received under 702 into its other databases. While this has to be targeted off a foreign target, that surely includes a lot of US person data, and metadata including Internet based calls, photos, as well as emails. CIA does a lot of metadata queries for other entities (other IC agencies? foreign partners? who knows!), and they don’t count it, so they are clearly doing a lot of it.

FBI

As far as we know, FBI does not have a true “bulk” dragnet, sucking up all the phone or Internet records for the US or foreign switches. But it surely has fairly massive metadata repositories itself.

Until 2006, it did, however, have something almost identical to what we understand Hemisphere to be, all the major telecoms, sitting onsite, ready to do sophisticated analysis of numbers offered up on a post-it note, with legal process to follow (maybe) if anything nifty got turned over. Under this program, AT&T offered some bells and whistles, included “communities of interest” that included at least one hop. That all started to get moved offsite in 2006, when DOJ’s IG pointed out that it didn’t comply with the law, but all the telecoms originally contracted (AT&T and the companies that now comprise Verizon, at least), remained on contract to provide those services albeit offsite for a few years. In 2009, one of the telecoms (which is likely part or all of Verizon) pulled out, meaning it no longer has a contract to provide records in response to NSLs and other process in the form the FBI pays it to.

FBI also would have a database of the records it has collected using NSLs and subpoenas (I’ll go look up the name shortly), going back decades. Plus, FBI, like CIA, can “upload or transfer some or all” of the metadata that it pulls off of raw PRISM data received under 702. So FBI has its own bulky database, but all of the data in it should have come in in relatively intentional if not targeted fashion. What FBI does have should date back much longer than NSA’s Section 215 database (30 years for national security data) and, under the new Section 309 restrictions on EO 12333 data, even NSA’s larger dragnet. On top of that, AT&T still provides 7 bells and whistles that are secret and that go beyond a plain language definition of what they should turn over in response to an NSL under ECPA (which probably parallel what we see going on in Hemisphere). In its Section 215 report, PCLOB was quite clear that FBI almost always got the information that could have come out of the Section 215 dragnet via NSLs and its other authorities, so it seems to be doing quite well obtaining what it needs without collecting all the data everywhere, though there are abundant reasons to worry that the control functions in FBI’s bulky databases are craptastic compared to what NSA must follow.

Yes, Section 215 Might Be Used to Get Dick Pics — or Porn Searches and Dick Uploads

John Oliver did an interview with Edward Snowden that aired on his show last night. After showing Snowden that most random people stopped in Times Square didn’t know or care what Snowden had done (starting at 22:30), Oliver then showed that they would care if this were all about the government collecting dick pics.

So Snowden goes through and describes (after 28:00) what authorities the government might use to collect dick pics, focusing largely on different aspects of Section 702 and EO 12333. But (at 30:00), Snowden says the NSA (Oliver should have been asking about the government, not NSA) couldn’t use Section 215 to get dick pics, though they could use the phone dragnet to find out if you’ve been calling a penis enlargement center.

Not so fast, Ed!

It is, hypothetically, possible that the government (more likely FBI than NSA) could use Section 215 to get dick pics, provided there were some entity that had a collection of dick pics it was interested in. It would only 1) need to find that entity that had these dick pics as records, 2) come up with some reason why they needed the dick pics for either a counterterrorism or counterintelligence purpose, and 3) convince the rubber stamp FISA Court that these dick pics were “relevant to” a counterterrorism or counterintelligence FBI investigation (which we know FISC interprets unbelievably broadly) but that FBI wasn’t seeking the dick pics solely on the basis of the target’s First Amendment protected, um, speech. Hypothetically possible, at least, if unlikely. A dick pic is a tangible thing.

Furthermore, it is almost certain that the FBI (again, not the NSA, but if the FBI does it, it is more likely targeted at an American) is using Section 215 to get URL searches and data flows — along with fairly comprehensive online profiles — on users. So in addition to Snowden’s explanation of using the phone dragnet to see if you’ve called a penis enlargement center, the FBI may be using Section 215 to track a user’s porn watching habits and even if they’ve been uploading their own dick pics to some server. There likely are dick pics in this collection (though the FISC almost certainly requires minimization if the collection, so may limit the FBI’s ability to retain dick pics unless it can claim it needs them for an investigative purpose). (Though note, a recent Shane Harris story reveals NSA needs its own porn room because its analysts spend so much time analyzing what they collect.)

Again, Section 215 is far more than the phone dragnet, it is designed to support fairly creative collection of “tangible things” so long as there is an attenuated national security purpose to do so, and we know it supports a great deal of collection on users’ Internet use.

And while dick pics might be just a hypothetical case, far easier to imagine would be FBI using Section 215 to obtain DNA — perhaps from hospitals, perhaps from hotels where targets had stayed, obviously from cops (though they could get that through info sharing). DNA is, after all, a tangible thing. And we know that the government has a DNA database of Gitmo detainees, so they have been amassing DNA to positively ID both the targets but also family members of targets.

One more note. Several of the ways the NSA has gotten dick pics — via Yahoo video chats, stealing from Google servers overseas — may have become less accessible to the government overseas as companies move to encrypt more of their traffic. I assume they’ll find some new way to get these. But for the moment, the government may be ingesting fewer dick pics than they were in 2013.

Section 215’s Multiple Programs and Where They Might Hide after June 1

In an column explicitly limited to the phone dragnet, Conor Friedersdorf pointed to a post I wrote about Section 215 generally and suggested I thought the phone dragnet was about to get hidden under a new authority.

Marcy Wheeler is suspicious that the Obama Administration is planning to continue the dragnet under different authorities.

But my post was about more that just the phone dragnet. It was about two things: First, the way that, rather than go “cold turkey” after it ended the Internet dragnet in 2011 as the AP had claimed, NSA had instead already started doing the same kind of collection using other authorities that — while they didn’t collect all US traffic — had more permissive rules for the tracking they were doing. That’s an instructive narrative for the phone dragnet amid discussions it might lapse, because it’s quite possible that the Intelligence Community will move to doing far less controlled tracking, albeit on fewer Americans, under a new approach.

In addition, I noted that there are already signs that the IC is doing what Keith Alexander said he could live with a year ago: ending the phone dragnet in exchange for cybersecurity information sharing. I raised that in light of increasing evidence that the majority of Section 215 orders are used for things related to cybersecurity (though possibly obtained by FBI, not NSA). If that’s correct, Alexander’s comment would make sense, because it would reflect that it is working cybersecurity investigations under protections — most notably, FISC-supervised minimization — all involved would rather get rid of.

Those two strands are important, taken together, for the debate about Section 215 expiration, because Section 215 is far more than the dragnet. And the singular focus of everyone — from the press to activists and definitely fostered by NatSec types leaking — on the phone dragnet as Section 215 sunset approaches makes it more likely the government will pull off some kind of shell game, moving the surveillances they care most about (that is, not the phone dragnet) under some new shell while using other authorities to accomplish what they need to sustain some kind of  phone contact and connection chaining.

So in an effort to bring more nuance to the debate about Section 215 sunset, here is my best guess — and it is a guess — about what they’re doing with Section 215 and what other authorities they might be able to use to do the same collection.

Here are the known numbers on how Section 215 orders break out based on annual reports and this timeline.

215 Tracker

The Phone Dragnet

Since its transfer under Section 215 in 2006, the phone dragnet has generally made up 4 or 5 orders a year (Reggie Walton imposed shorter renewal periods in 2009 as he was working through the problems in the program). 2009 is the one known year where many of the modified orders — which generally involve imposed minimization procedures — were phone dragnet orders.

We  know that the government believes that if Section 215 were to sunset, it would still have authority to do the dragnet. Indeed, it not only has a still-active Jack Goldsmith memo from 2004 saying it can do the dragnet without any law, it sort of waved it around just before the USA Freedom  Act debate last year as if to remind those paying attention that they didn’t necessarily think they needed USAF (in spite of comments from people like Bob Litt that they do need a new law to do what they’d like to do).

But that depends on telecoms being willing to turn over the dragnet data voluntarily. While we have every reason to believe AT&T does that, the government’s inability to obligate Verizon to turn over phone records in the form it wants them is probably part of the explanation for claims the current dragnet is not getting all the cell records of Americans.

A number of people — including, in part, Ron Wyden and other SSCI skeptics in a letter written last June — think the government could use FISA’s PRTT authority (which does not sunset) to replace Section 215, and while they certainly could get phone records using it, if they could use PRTT to get what it wants, they probably would have been doing so going back to 2006 (the difference in authority is that PRTT gets actual activity placed, whereas 215 can only get records maintained (and Verizon isn’t maintaining the records the government would like it to, and PRTT could not get 2 hops).

For calls based off a foreign RAS, the government could use PRISM to obtain the data, with the added benefit that using PRISM would include all the smart phone data — things like address books, video messaging, and location — that the government surely increasingly relies on. Using PRISM to collect Internet metadata is one of two ways the government replaced the PRTT Internet dragnet. The government couldn’t get 2 hops and couldn’t chain off of Americans, however.

I also suspect that telecoms’ embrace of supercookies may provide other options to get the smart phone data they’re probably increasingly interested in.

For data collected offshore, the government could use SPCMA, the other authority the government appears to have replaced the PRTT Internet dragnet with. We know that at least one of the location data programs NSA has tested out works with SPCMA, so that would offer the benefit of including location data in the dragnet. If cell phone location data is what has prevented the government from doing what they want to do with the existing phone dragnet, SPCMA’s ability to incorporate location would be a real plus for NSA, to the extent that this data is available (and cell phone likely has more offshore availability than land line).

The government could obtain individualized data using NSLs — and it continues to get not just “community of interest” (that is, at least one hop) from AT&T, but also 7 other things that go beyond ECPA that FBI doesn’t want us to know about. But using NSLs may suffer from a similar problem to the current dragnet, that providers only have to provide as much as ECPA requires. Thus, there, too, other providers are probably unwilling to provide as much data as AT&T.

Telecoms might be willing to provide data the government is currently getting under 215 under CISA and CISA collection won’t be tied in any way to ECPA definitions, though its application is a different topic, cybersecurity (plus leaks and IP theft) rather than terrorism. So one question I have is whether, because of the immunity and extended secrecy provisions of CISA, telecoms would be willing to stretch that?

Other Dragnets

In addition to the phone dragnet, FBI and other IC agencies seem to operate other dragnets under Section 215. It’s probably a decent guess that the 8-13 other 215 orders prior to 2009 were for such things. NYT and WSJ reported on a Western Union dragnet that would probably amount to 4-5 orders a year. Other items discussed involve hotel dragnets and explosives precursor dragnets, the latter of which would have been expanded after the 2009 Najibullah Zazi investigation. In other words, there might be up to 5 dragnets, each representing 4-5 orders a year (assuming they work on the same 90-day renewal cycle), so a total of around 22 of the roughly 175 orders a year that aren’t the phone dragnet (the higher numbers for 2006 are known to be combination orders both obtaining subscription data for PRTT orders and location data with a PRTT order; those uses stopped in part with the passage of PATRIOT reauthorization in 2006 and in part with FISC’s response to magistrate rulings on location data from that year).

Some of these dragnets could be obtained, in more limited fashion, with NSLs (NSLs currently require reporting on how many US persons are targeted, so we will know if they move larger dragnets to NSLs). Alternately, the FBI may be willing to do these under grand jury subpoenas or other orders, given the way they admitted they had done a Macy’s Frago Elite pressure cooker dragnet after the Boston Marathon attack. The three biggest restrictions on this usage would be timeliness (some NSLs might not be quick enough), the need to have a grand jury involved for some subpoenas, and data retention, but those are all probably manageable hurdles.

The Internet content

Finally, there is the Internet content — which we know makes up for a majority of Section 215 orders — that moved to that production from NSLs starting in 2009. It’s probably a conservative bet that over 100 of current dragnet orders are for this kind of content. And we know the modification numbers for 2009 through 2011 — and therefore, probably still — are tied to minimization procedure requirements imposed by the FISC.

A recent court document from a Nicholas Merrill lawsuit suggests this production likely includes URL and data flow requests. And the FBI has recently claimed –for what that’s worth — that they rely on Section 215 for cybersecurity investigations.

Now, for some reason, the government has always declined to revise ECPA to restore their ability to use NSLs to obtain this collection, which I suspect is because they don’t want the public to know how extensive the collection is (which is why they’re still gagging Merrill, 11 years after he got an NSL).

But the data here strongly suggests that going from NSL production to Section 215 production has not only involved more cumbersome application processes, but also added a minimization requirement.

And I guarantee you, FBI or NSA or whoever is doing this must hate that new requirement. Under NSLs, they could just horde data, as we know both love to do, the FBI even more so than the NSA. Under 215s, judges made them minimize it.

As I noted above, this is why I think Keith Alexander was willing to do a CISA for 215 swap. While CISA would require weak sauce Attorney General derived “privacy guidelines,” those would almost certainly be more lenient than what FISC orders, and wouldn’t come with a reporting requirement. Moreover, whereas at least for the phone dragnet, FISC has imposed very strict usage requirements (demanding that a counterterrorism dragnet be used only for counterterrorism purposes), CISA has unbelievably broad application once that data gets collected — not even requiring that terrorist usages be tied to international terrorism, which would seem to be a violation of the Keith Supreme Court precedent).

All of this is to suggest that for cybersecurity, IP theft, and leak investigations, CISA would offer FBI their ideal collection approach. It would certainly make sense that Alexander (or now, Admiral Mike Rogers and Jim Comey) would be willing to swap a phone dragnet they could largely achieve the same paltry results for using other authorities if they in exchange got to access cybersecurity data in a far, far more permissive way. That’d be a no-brainer.

There’s just one limitation on this formula, potentially a big one. CISA does not include any obligation. Providers may share data, but there is nothing in the bill to obligate them to do so. And to the extent that providers no longer provide this data under NSLs, it suggests they may have fought such permissive obligation in the past. It would seem that those same providers would be unwilling to share it willingly.

But my thoughts on CISA’s voluntary nature are for another post.

One final thought. If the government is contemplating some or all of this, then it represents an effort — one we saw in all versions of dragnet reform to greater (RuppRoge) or lesser degrees (USAF) — to bypass FISC. The government and its overseers clearly seem to think FISC-ordered minimization procedures are too restrictive, and so are increasingly (and have been, since 2009) attempting to replace the role played by an utterly dysfunctional secret court with one entirely within the Executive.

This is the reason why Section 215 sunset can’t be treated in a vacuum: because, to the extent that the government could do this in other authorities, it would largely involve bypassing what few restrictions exist on this spying. Sunsetting Section 215 would be great, but only if we could at the same time prevent the government from doing similar work with even fewer controls.

1 2 3 138
Emptywheel Twitterverse
bmaz @william_pitts Also, it was Mike that told me to follow you, so you can blame him....
4hreplyretweetfavorite
bmaz @william_pitts ...was insane. Anyway, hope to meet you at some point. Cheers.
4hreplyretweetfavorite
bmaz @william_pitts No, me either. I couldn't even respond to him during his Arias live coverage because the dung that then came into my timeline
4hreplyretweetfavorite
bmaz @william_pitts I've seen what Kiefer runs into. Brutal.
4hreplyretweetfavorite
bmaz @william_pitts also, frankly, you and I probably don't know each other well enough for me to have snarked at you like I did. That's my bad.
4hreplyretweetfavorite
bmaz @william_pitts Jeebus, there are other prickly cacti out there??
4hreplyretweetfavorite
bmaz @william_pitts Hey, even if there was no mistake, that is cool. I make snarky comments, I ought take them too. But I do like your work fwiw.
4hreplyretweetfavorite
bmaz @william_pitts Err, that should read "your work"
4hreplyretweetfavorite
bmaz @william_pitts I do appreciate your coverage+view. If you are such a tender little mercy, you ought wake up. Let work work stand up, it does
4hreplyretweetfavorite
bmaz @william_pitts It's stupefying that this is your response to somebody who has appreciated your coverage. Don't be a holier than thou jerk.
4hreplyretweetfavorite
bmaz @kjzzphoenix @yvonnewingett Really, y'all are going to fall for Mel McDonald's hand crafted hasty spin? Do you not know Mel? Don't be rooks.
4hreplyretweetfavorite
bmaz It strikes me as beyond stupefying any reporter who deigns to be from a "real" news source yaks about Kanye/Kim West https://t.co/Y5aRVEHHWN
4hreplyretweetfavorite
April 2015
S M T W T F S
« Mar    
 1234
567891011
12131415161718
19202122232425
2627282930