Since it was first proposed, I’ve been warning (not once but twice!) about the FISCR Fast Track, a part of the USA Freedom Act that would permit the government to immediately ask the FISA Court of Review to review a FISC decision. The idea was sold as a way to get a more senior court to review dodgy FISC decisions. But as I noted, it was also an easy way for the government to use the secretive FISC system to get a circuit level decision that might preempt traditional court decisions they didn’t like (I feared they might use FISCR to invalidate the Second Circuit decision finding the phone dragnet to be unlawful, for example).
Sure enough, that’s how it got used in its first incarnation — not just to confirm that the FISC can operate by different rules than criminal courts, but also to put down a judges rebellion.
As I noted back in 2014, the FISC has long permitted the government to collect Post Cut Through Dialed Digits using FISA pen registers, though it requires the government to minimize anything counted as content after collection. PCTDD are the numbers you dial after connecting a phone call — perhaps to get a particular extension, enter a password, or transfer money. The FBI is not supposed to do this at the criminal level, but can do so under FISA provided it doesn’t use the “content” (like the banking numbers) afterwards. FISC reviewed that issue in 2006 and 2009 (after magistrates in the criminal context deemed PCTDD to be content that was impermissible).
At least year’s semiannual FISC judges’ conference, some judges raised concerns about the FISC practice, deciding they needed to get further briefing on the practice. So when approving a standing Pen Register, the FISC told the government it needed further briefing on the issue.
The government didn’t deal with it for three months until just as they were submitting their next application. At that point, there was not enough time to brief the issue at the FISC level, which gave then presiding judge Thomas Hogan the opportunity to approve the PRTT renewal and kick the PCTDD issue to the FISCR, with an amicus.
This minimized the adversarial input, but put the question where it could carry the weight of a circuit court.
Importantly, when Hogan kicked the issue upstairs, he did not specify that this legal issue applies only to phone PRTTs.
At the FISCR, Mark Zwillinger got appointed as an amicus. He saw the same problem as I did. While the treatment of phone PCTDD is bad but, if properly minimized, not horrible, it becomes horrible once you extend it to the Internet.
The FISCR didn’t much care. They found the collection of content using a PRTT, then promising not to use it except to protect national security (and a few other exceptions to the rule that the government has to ask FISC permission to use this stuff) was cool.
Along the way, the FISCR laid out several other precedents that will have really dangerous implications. One is that content to a provider may not be content.
This is probably the issue that made the bulk PRTT dragnet illegal in the first place (and created problems when the government resumed it in 2010). Now, the problem of collecting content in packets is eliminated!
Along with this, the FISCR extended the definition of “incidental” to apply to a higher standard of evidence.
Thus, it becomes permissible to collect using a standard that doesn’t require probable cause something that does, so long as it is “minimized,” which doesn’t always mean it isn’t used.
Finally, FISCR certified the redefinition of “minimization” that FISC has long adopted (and which is crucial in some other programs). Collecting content, but then not using it (except for exceptions that are far too broad), is all good.
In other words, FISCR not only approved the narrow application of using calling card data but not bank data and passwords (except to protect national security). But they also approved a bunch of other things that the government is going to turn around and use to resume certain programs that were long ago found problematic.
I don’t even hate to say this anymore. I told privacy people this (including someone involved in this issue personally). I was told I was being unduly worried. This is, frankly, even worse than I expected (and of course it has been released publicly so the FBI can start chipping away at criminal protections too).
Yet another time my concerns have been not only borne out, but proven to be insufficiently cynical.
Since NSA’s practice of conducting back door searches — searches of already collected data based off the targeting of foreigners — became widely known, the spooks have offered a few assurances about why we don’t have to worry about these back door searches. For example, the US person identifiers have to be pre-approved and the NSA won’t conduct back door searches of upstream data, which sometimes includes entirely domestic communications.
According to the Semiannual Reports on Section 702 released some weeks ago, those assurances are fairly hollow, or at least were during the 2013 to 2014 timeframe.
The March 2014 report, which covers the period from December 1, 2012 through May 31, 2013, revealed that the semiannual review process could not directly monitor back door searches on US person identifiers because that information is not kept in a centralized place.
It should be noted both that NSA’s efforts to review queries are not limited to Section 702 authorities and that, at this time, content queries are not specifically identified as containing United States person identifiers. As such, and as the Government previously represented to Congress, NSD and ODNI cannot at this time directly monitor content queries using United States person identifiers because these records are not kept in a centrally located repository. While the changes described above in NSA’s super audit process have not changed this status, NSA is exploring whether future queries using United States person identifiers could be identified and centralized. In the meantime, and in accordance with NSA’s minimization procedures, NSD and ODNI review NSA’s approval of any United States person identifiers used to query unminimized Section 702- acquired communications.
This appears to indicate that internal overseers could not audit the actual queries completed, but instead only reviewed the identifiers used to query data to make sure they were approved. Which, in turn, means the NSA’s targeting of foreigners and dissemination of reports on them got monitored more closely than NSA’s spying on Americans.
The following report — completed in October 2014 and covering the period June 1, 2013 through November 30, 2013 — reports a predictable consequence of the inability to monitor the actual queries conducted as back door searches: prohibited back door searches on upstream data.
(TS//SI//NF) The joint oversight team, however, is concerned about the increase in incidents involving improper queries using United States person identifiers, including incidents involving NSA’s querying of Section 702-acquired data in upstream data using United States Person identifiers. Specifically, although section 3(b)(5) of NSA’s Section 702 minimization procedures permits the scanning of media using United States person identifiers, this same section prohibits using United States person identifiers to query Internet communications acquired through NSA’s upstream collection techniques. NSA [redacted] incidents of non-compliance with this subsection of its minimization procedures, many of which involved analysts inadvertently searching upstream collection. For example, [redacted], the NSA analyst conducted approved querying with United States persons identifiers ([redacted]), but inadvertently forgot to exclude Section 702-acquired upstream data from his query.
While the actual number is redacted, the number is high enough to refer to to “many” improper searches of upstream content.
That explicit violation of the rules set by Bates in 2011 was part of a larger trend of back door search violations, including analysts not obtaining approval to query Americans’ identifiers.
(TS//SI//NF) In addition, section 3(b)(5) of NSA’s Section 702 minimization procedures requires that queries using United States person identifiers must be first be approved in accordance with NSA internal procedures. In this reporting period, [redacted] NSA was in non-compliance with this requirement, either because a prior authorization was not obtained or the authorization to query had expired. For example, in NSA Incidents [redacted] NSA analysts performed queries using United States person identifiers that had not been approved as query terms. These queries occurred for a variety of reasons, including because analysts continued queries on terms that they suspected (but had not confirmed) were used by United States persons, forgot to exclude Section 702 data from queries [redacted], or did not realize that [redacted] constitute a United States person identifier even if the analyst was seeking information on a non-United States person.
Among other things, the third redaction in this passage appears to suggest that analysts conduct back door searches on data generally, presumably including both EO 12333 and 702 obtained data, but have to affirmatively exclude Section 702 data to stay within the rules laid out in the minimization procedures.
Consider the timing of this: the reporting of “many” back door search and other US person query violations occurred in the first post-Snowden period. While the fact NSA did back door searches was knowable from the 2012 SSCI report on Section 702 renewal, it did not become general knowledge among members of Congress and the general public until Snowden leaked more explicit confirmation of it. And all of a sudden, as soon as people started complaining about back door searches and Congress considered regulating it, NSA’s overseers discovered that NSA wasn’t following an explicit prohibition on searching upstream data. One of several risks of back door searching upstream data is it may amount to searching data collected domestically, or even entirely domestic communications.
And while the details get even more redacted, it appears the problem did not go away in the following period, the December 1, 2013 through May 31, 2014 reviews reported in a June 2015 report. After a very long redaction on targeting, the report recommends NSA require analysts to state whether they believe they’re querying on a US person.
Additionally, but separately, the joint oversight team believes NSA should assess modifications to systems used to query raw Section 702-acquired data to require analysts to identify when they believe they are using a United States person identifier as a query term. Such an improvement, even if it cannot be adopted universally in all NSA systems, could help prevent instances of otherwise approved United States person query terms being used to query upstream Internet transactions, which is prohibited by the NSA minimization procedures.64
The footnote that modifies that discussion is entirely redacted.
The June 2015 report was the most recent one released, so it is unclear whether simply requiring analysts to confirm that they are querying Americans solved the improper back door searches of upstream data. But at least as of the most recently released report, the two most troubling aspects of Section 702 surveillance — the upstream searching on Internet streams and back door unwarranted searches on US person identifiers — were contributing to “many” violations of NSA’s rules.
Since Jim Comey’s showy press conference yesterday, the press has rehashed Jim Comey’s carefully cultivated image as a Boy Scout, with outlet after outlet replaying the story of how he ran up some hospital steps once.
Sadly, even DOJ beat journalists seem unable to point out that that image has been carefully cultivated over years. Comey is a PR master.
But as I have written on several occasions, the story is more complicated. That’s true, first of all, because the 2004 hospital confrontation, in which Comey and a bunch of other DOJ officials threatened to quit and therefore allegedly shut down some illegal wiretap programs, did not end in March 2004. On the contrary, for the main unlawful program we know about — the Internet dragnet — that confrontation ended in July 2004 when, after some serious arm-twisting, DOJ got FISC presiding judge Colleen Kollar-Kotelly to authorize substantially the same Internet dragnet they refused to authorize themselves. The arguments they used to pull that off are fairly breath-taking.
First, they told Kollar-Kotelly she had to reauthorize the dragnet because terrorists wanted to plan an election year plot; as I note below, that claim was largely based on a fabrication.
Then, they argued that the standard for approval of a bulk Pen Register/Trap and Trace order was the same (arguably lower) as any other PRTT order focused on an individual. Kollar-Kotelly, DOJ argued, had no discretion over whether or how to approve this.
DOJ told Kollar-Kotelly she had no authority to do anything but approve their expansive plan to collect Internet data from telecom switches. “[T]he Court ‘shall’ authorize a pen register … if an application brought before it complies with the requirements of the statute.” Even though, by collecting Internet metadata in bulk, the government would take away FISC’s authority to review whether the targets were agents of a foreign power, DOJ argued she had no authority to determine whether this bulk data — which she deemed an “enormous” amount — was “relevant” to the FBI’s investigations into terrorism.
And that meaning — which the government expanded even further in 2006 to claim the phone records of every single American were “relevant” to the FBI’s standing terrorism investigations — “requires no stretching of the ordinary meaning of the terms of the statute at all,” they claimed, in apparent seriousness.
DOJ further argued that’s the way the FISA court — which Congress created in 1978 to provide real judicial review while permitting the executive to keep its foreign spying secret — is supposed to work. Having FISC rubber-stamp the program they themselves had refused to authorize “promotes both of the twin goals of FISA,” DOJ argued, “facilitating the foreign-intelligence collection needed to protect American lives while at the same time providing judicial oversight to safeguard American freedoms.”
Their claim this involved oversight is especially rich given that DOJ and FISC argued then — and continued to argue at least through 2010 when John Bates would reauthorize and expand this dragnet — that the FISC had no authority to impose minimization procedures for bulk collected data, which has historically been the sole way FISC exercises any oversight. Then, during the period of the very first dragnet order, NSA “discovered” it was violating standards Kollar-Kotelly imposed on the collection (effectively, violating the minimization procedures). But in spite of the fact that she then imposed more requirements, including twice quarterly spot checks on the collection, those violations continued unabated until NSA’s Inspector General finally started, on Reggie Walton’s order, an (aborted) real review of the collection in 2009. At that point, OGC all of a sudden “discovered” that their twice-quarterly spot checks had failed to notice that every single record NSA had collected during that 5 year period had violated FISC standards.
In short, the program was never, ever, in legal compliance. That was the solution Comey achieved to the unlawful program he got shut down.
DOJ’s — Jim Comey’s — efforts to undercut FISC not only led to other really problematic FISC decisions based on this precedent (including, but not limited to, the phone dragnet in 2006 and upstream collection in 2007), but also gave illegal collection the patina of legality solely by making someone else authorize a program she couldn’t oversee.
Along with radically changing the nature of FISC in the wake of the hospital confrontation, DOJ — Jim Comey — affirmatively bypassed Congress because they didn’t want to tell America it was spying on them in bulk.
DOJ pointed to language showing Congress intended pen registers to apply to the Internet; they pointed to the absence of language prohibiting a pen register from being used to collect data from more than a single user, as if that’s the same as collecting from masses of people and as if that proved congressional intent to wiretap everyone.
And then they dismissed any potential constitutional conflict involved in such broad rereadings of statutes passed by Congress. “In almost all cases of potential constitutional conflict, if a statute is construed to restrict the executive, the executive has the option of seeking additional clarifying legislation from Congress,” the heroes of the hospital confrontation admitted. The White House had, in fact, consulted Majority Leader Tom DeLay about doing just that, but he warned it would be too difficult to get new legislation. So two months later, DOJ argued Congress’ prerogative as an independent branch of government would just have to give way to secrecy. “In this case, by contrast, the Government cannot pursue that route because seeking legislation would inevitably compromise the secrecy of the collection program the Government wishes to undertake.”
This was a pretty big assault on separation of powers, and not one justified by the efficacy of the program or the needs of the collection.
While I won’t go into it here, this is all about the best known part of the Stellar Wind program that was not so much “shut down” as “dumped into someone else’s legal lap.” There’s another aspect of Stellar Wind — one I don’t yet fully understand — that Comey reauthorized on his own, one that has gotten no reporting. I hope to return to this.
There’s an intimately related effort Comey gets some credit for which in fact led to fairly horrible conclusions: torture. Jack Goldsmith, with Comey’s backing, also withdrew the shoddy John Yoo memo authorizing waterboarding and other torture (Goldsmith also prevented Yoo from retroactively authorizing more techniques).
But on July 2, 2004 — two weeks before Goldsmith left — the intelligence community found another detainee it just had to torture, Janat Gul, based on already questioned claims he wanted to plan an election year attack. They had a Principal’s Committee meeting to discuss what to do. After Jim Comey and John Bellinger left the meeting, the PC agreed to engage in torture again (though not waterboarding). Five days later Goldsmith wrote to ensure the IC knew this meant they had to follow the guidelines laid out under the original Yoo memo. By September, after Gul and some associates had been tortured extensively — each time with Dan Levin writing what I’m sure he imagined to be a soundly reviewed approval for the torture — Levin had approved waterboarding again, along with the techniques Goldsmith had prevented Yoo from retroactively and unilaterally authorizing. OLC repeatedly promised a more fulsome memo laying out the approval offered, ostensibly in reaction to an immediate need, in 2004. Jim Comey initiated that process in fall and December 2004. But in the end, the technique memos completed by Steven Bradbury in May 2005 authorized both waterboarding, as well as all the other conditions (primarily techniques use in combination) Comey seems to have tried to have set to make them impossible to use again. Comey resigned right before these memos were finalized, so it’s possible he made another — failed — attempt to prevent the illegal program by threatening to quit; he did, however, stick around for another three months before he moved onto his sinecures at Lockheed and Bridgewater.
Here’s the tragic thing about this unsuccessful effort to impose order on the torture program: it, like the Iraq War itself, was based on a fabricator.
CIA came to Comey and others, said, “this guy wants to attack the presidential elections so we need a dragnet and torture,” to which DOJ said okay.
The CIA in March 2004 received reporting from a source the torture report calls “Asset Y,” who said a known Al-Qaeda associate in Pakistan, Janat Gul — whom CIA at the time believed was a key facilitator — had set up a meeting between Asset Y and Al-Qaeda’s finance chief, and was helping plan attacks inside the United States timed to coincide with the November 2004 elections. According to the report, CIA officers immediately expressed doubts about the veracity of the information they’d been given by Asset Y. A senior CIA officer called the report “vague” and “worthless in terms of actionable intelligence.” He noted that Al Qaeda had already issued a statement “emphasizing a lack of desire to strike before the U.S. election” and suggested that since Al-Qaeda was aware that “threat reporting causes panic in Washington” and inevitably results in leaks, planting a false claim of an election season attack would be a good way for the network to test whether Asset Y was working for its enemies. Another officer, assigned to the group hunting Osama bin Laden, also expressed doubts.
Nevertheless, the CIA took seriously Asset Y’s claim that Gul was involved in an election plot and moved quickly to gain custody of him after his arrest by Pakistan in June 2004. Even before CIA rendered Gul to its custody, Tenet started lobbying to get torture techniques reapproved for his interrogation.
On June 29, Tenet wrote National Security Adviser Condoleezza Rice seeking approval to once again use some of the techniques whose use he suspended less than four weeks earlier, in the hope of gathering information on the election season plot. “Given the magnitude of the danger posed by the pre-election plot and Gul’s almost certain knowledge of any intelligence about that plot” Tenet wrote, relying on Asset Y’s claims, “I request the fastest possible resolution of the above issues.”
Soon after the reauthorization of the torture and the Internet dragnet, the CIA realized ASSET Y’s story wasn’t true. By September, an officer involved in Janat Gul’s interrogation observed, “we lack credible information that ties him to pre-election threat information or direct operational planning against the United States, at home or abroad.” In October, CIA reassessed ASSET Y, and found him to be deceptive. When pressured, ASSET Y admitted had had made up the story of a meeting set up by Gul. ASSET Y blamed his CIA handler for pressuring him for intelligence, leading him to lie about the meeting.
By 2005, CIA had concluded that ASSET Y was a fabricator, and Janat Gul was a “rather poorly educated village man [who is] quite lazy [who] was looking to make some easy money for little work and he was easily persuaded to move people and run errands for folks on our target list” (though the Agency wasn’t always forthright about the judgment to DOJ).
During Comey’s entire effort — to put order to the dragnet, to put order to the torture — he was in fact being led by the nose by the CIA, once again using the report of a fabricator to authorize actions the US had no business engaging in.
If that were all, I’d consider this a tragic story: poor Jim Comey trying to ensure the US does good, only to be undermined by the dishonest folks at the CIA, using asymmetric information again to ensure their ass gets covered legally.
But here’s the part that, in my opinion, makes being snookered by the CIA unforgivable. Thus far, Comey has refused to read the full Torture Report to learn how badly he got snookered, even though he promised Dianne Feinstein to do so in his confirmation process.
I am specifically intrigued by Comey’s apparent lack of curiosity about the full report because of his actions in 2005.
As these posts lay out (one, two), Comey was involved in the drafting of 2 new OLC memos in May 2005 (though he may have been ignorant about the third). The lies CIA told OLC in 2004 and then told OLC again in 2005 covering the same torture were among the worst, according to Mark Udall. Comey even tried to hold up the memo long enough to do fact gathering that would allow them to tie the Combined memo more closely to the detainee whose treatment the memo was apparently supposed to retroactively reauthorize. But Alberto Gonzales’ Chief of Staff Ted Ullyot told him that would not be possible.
Pat [Philbin] explained to me (as he had to [Steven Bradbury and Ted Ullyot]) that we couldn’t make the change I thought necessary by Friday [April 29]. I told him to go back to them and reiterate that fact and the fact that I would oppose any opinion that was not significantly reshaped (which would involve fact gathering that we could not complete by Friday).
[Ullyot] mentioned at one point that OLC didn’t feel like it would accede to my request to make the opinion focused on one person because they don’t give retrospective advice. I said I understood that, but that the treatment of that person had been the subject of oral advice, which OLC would simply be confirming in writing, something they do quite often.
At the end, he said that he just wanted me to know that it appeared the second opinion would go [Friday] and that he wanted to make sure I knew that and wanted to confirm that I felt I had been heard.
Presuming that memo really was meant to codify the oral authorization DOJ had given CIA (which might pertain to Hassan Ghul or another detainee tortured in 2004), then further details of the detainee’s torture would be available in the full report. Wouldn’t Comey be interested in those details now?
But then, so would details of Janat Gul’s torture, whose torture was retroactively authorized in an OLC memo Comey himself bought off on. Maybe Comey has good reason not to want to know what else is in the report.
Sure, he may be doing so to prevent Jason Leopold from liberating the report via FOIA. But in doing so, he is also refusing to examine his own actions, his own willingness to reauthorize the dragnet and torture he had just shut down in the service of a lie. He is refusing to consider whether the deals he made with the devil in 2004 were unsound.
Even here, I might just consider this a tragic story, of a morally just man bested by bureaucratic forces both more sinister and dishonest than Comey.
Except for Comey’s Manichean view of the world.
His world is separated into the Good Guys who should have access to encryption and the Bad Guys who should not, the loyal people like Hillary who can be “extremely careless in their handling of very sensitive, highly classified information” with no legal consequences and the disloyal people like Thomas Drake who get prosecuted for doing the very same things.
That’s not the world where self-proclaimed Boy Scout Jim Comey assents to the reauthorization of torture and dragnets based on a fabrication with no repercussions or even soul-searching.
I mean, I get it. There is no place for Boy Scouts in the top ranks of our national security state. I get that you’re going to lose bureaucratic fights to really immoral causes and manipulative spooks. I get you’re sometimes going to get the so-called trade-off between liberty and security wrong, especially when you get lied to.
But given that reality, there is no place for pretend Boy Scouts. There is no place to pretend your world is as easy as running up some hospital steps, victory!, we’ve vanquished presidential abuses so let’s go dismantle separation of powers! That’s just naive, but in the service of the FBI Director, it legitimizes a really unjust — morally-rather-than-legally-based — method of policing.
Comey seems to believe his self-created myth at this point, and that’s a very dangerous spot for a guy deigning to be the investigator and prosecutor of who is loyal and who disloyal.
Update: Matthew Miller wrote up his criticism of Comey’s abuse of power here.
Update: Here’s an interview I did for Pacifica on the email question generally.
At the Intercept earlier this week, Peter Maass described an interview he had with a former NSA hacker he calls Lamb of God — this is the guy who did the presentation boasting “I hunt SysAdmins.” On the interview, I agree with Bruce Schneier that it would have been nice to hear more from Lamb of God’s side of things.
But the Intercept posted a number of documents that should have been posted long, long ago, covering how the NSA “shapes” Internet traffic and how it identifies those using Tor and other anonymizers.
Both describe how the NSA will force Internet traffic to cross switches where it has collection capabilities. We’ve known they do this. Beyond just the logic of it, some descriptions of NSA’s hacking include descriptions of tracking traffic to places where a particular account can be hacked.
But the acknowledgement that they do this and discussions of how they do so is worth closer attention.
That’s true, first of all, because of wider discussions of cable maps. In discussing the various ways to make Internet traffic cross switches to which the NSA has access, Lamb of God facetiously (as is his style) suggests you could bomb or cut all the cable lines that feed links to which the NSA doesn’t have access.
Lamb of God dismisses this possibility as “fun to think about, but not very reasonable.”
But we know that cable lines do get cut. Back in 2008, for example, there were a slew of cables coming into the Middle East that got cut at one time (though that may have been designed to cut Internet communication more generally). Then there’s the time in 2012 when NSA tried to insert an exploit into a Syrian route, only to knock out almost all of the country’s Internet traffic.
One day an intelligence officer told him that TAO—a division of NSA hackers—had attempted in 2012 to remotely install an exploit in one of the core routers at a major Internet service provider in Syria, which was in the midst of a prolonged civil war. This would have given the NSA access to email and other Internet traffic from much of the country. But something went wrong, and the router was bricked instead—rendered totally inoperable. The failure of this router caused Syria to suddenly lose all connection to the Internet—although the public didn’t know that the US government was responsible. (This is the first time the claim has been revealed.)
Inside the TAO operations center, the panicked government hackers had what Snowden calls an “oh shit” moment. They raced to remotely repair the router, desperate to cover their tracks and prevent the Syrians from discovering the sophisticated infiltration software used to access the network. But because the router was bricked, they were powerless to fix the problem.
Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation’s Internet than on tracking down the cause of the outage. Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”
Again, we’ve known this happened, which is why it would have been nice to have this presentation three years ago, if only to explain the concept to those who don’t factor it into considerations of how the NSA works.
The other reason this is important is because of the possibility the NSA could deliberately shape traffic to take it out of FISA-controlled domestic space and into EO 12333-governed international space, a possibility envisioned in a 2015 paper. The slides from the paper present the same techniques laid out in the NSA presentation as hypothetical. And, as their more accessible write up explains, the NSA’s denials about this practice don’t actually address their underlying argument, which is that 1) the technology would make this easy, 2) the legal regime is outdated and thereby tolerates such loopholes, and 3) the parts of declassified versions of USSID-18 that might address it are all redacted.
In the paper, we reveal known and new legal and technical loopholes that enable internet traffic shaping by intelligence authorities to circumvent constitutional safeguards for Americans. The paper is in some ways a classic exercise in threat modeling, but what’s rather new is our combination of descriptive legal analysis with methods from computer science. Thus, we’re able to identify interdependent legal and technical loopholes, mostly in internet routing. We’ll definitely be pursuing similar projects in the future and hope we get other folks to adopt such multidisciplinary methods too.
As to the media coverage, the CBS News piece contains some outstanding reporting and an official NSA statement that seeks – but fails – to debunk our analysis:
However, an NSA spokesperson denied that either EO 12333 or USSID 18 “authorizes targeting of U.S. persons for electronic surveillance by routing their communications outside of the U.S.,” in an emailed statement to CBS News.
“Absent limited exception (for example, in an emergency), the Foreign Intelligence Surveillance Act requires that we get a court order to target any U.S. person anywhere in the world for electronic surveillance. In order to get such an order, we have to establish, to the satisfaction of a federal judge, probable cause to believe that the U.S. person is an agent of a foreign power,” the spokesperson said.
The NSA statement sidetracks our analysis by re-framing the issue to construct a legal situation that conveniently evades the main argument of our paper. Notice how the NSA concentrates on the legality of targeting U.S. persons, while we argue that these loopholes exist when i) surveillance is conducted abroad and ii) when the authorities do not “intentionally target a U.S. person.” The NSA statement, however, only talks about situations in which U.S. persons are “targeted” in the legal sense.
As we describe at length in our paper, there are several situations in which authorities don’t intentionally target a U.S. person according to the legal definition, but the internet traffic of many Americans can in fact be affected.
Once you’re collecting in bulk overseas, you have access to US person communications with a far lower bar than you do under the FISA regime (which is what John Napier Tye strongly suggested he had seen).
This is one of the reasons I think the NSA’s decision not to answer obvious questions about where FISA ends and EO 12333 begins, in the context of concerns Snowden raised at precisely the time he was learning about this traffic shaping, to be very newsworthy. Using traffic shaping to access US person content even if it’s only in bulk (in the same way that hacking Google cables overseas) clearly bypasses the FISA regime. We don’t know that they do this intentionally for US traffic. But we do know it would be technically trivial for the NSA to pull off, and we do know that multiple NSA documents make it clear they were playing in that gray area at least until 2013 (and probably 2014, when Tye came forward).
The traffic shaping paper ultimately tries to point out how our legal regime fails to account for obvious technical possibilities, technical possibilities we know NSA exploits, at least overseas. Particularly as ODNI threatens to permit the sharing EO 12333 data more broadly — along with access to back door searches — this possibility needs to be more broadly discussed.
As far as the public record shows, Ron Wyden first started complaining about the Common Commercial Service OLC Memo in late 2010, in a letter with Russ Feingold written “over two years” before January 14, 2013. As I’ve written, John Yoo wrote the memo on May 30, 2003, as one of the last things he did before he left the Office of Legal Council. It seems to have something to do with both the Stellar Wind program and cybersecurity, and apparently deals with agreements with private sector partners. At least one agency has operated consistently with the memo (indeed, Ron Wyden’s secret memo submitted to the court probably says the memo was implemented) but the government claims that doesn’t mean that agency relied on the memo and so the ACLU can’t have it in its FOIA lawsuit.
According to a letter liberated by Jason Leopold, however, someone in Congress was raising concerns about a memo — which is probably the same one — even before Wyden and Feingold were. On June 30, 2010, then Chair of the House Intelligence Committee Silvestre Reyes wrote Attorney General Holder a letter about a May 30, 2003 memo. On October 5, Ron Weich wrote Reyes,
We have conferred with Committee staff about your letter and your concerns regarding the potential implications of the opinion. We appreciate your concerns and your recognition of the complexities of the issues involved in our consideration of your request. We will let you know as soon as we are in a position to provide additional information.
In other words, three months after one of the top ranking intelligence overseers in government raised concerns about the memo, DOJ wrote back saying they weren’t yet “in a position to provide additional information.”
That seems like a problem to me.
It also seems to be another data point suggesting that — whatever the government did back in 2003, after Yoo wrote the memo — it was being discussed more generally in 2010, possibly with an eye to implement it.
Update: On reflection, I may have overstated how sure we can be that this May 30 opinion is the same opinion. I’ve adjusted the post accordingly.
Kash Hill has a fascinating story about a Facebook flip-flop over a story she reported yesterday.
It started when — as increasingly happens in her work — someone came to her with a scary problem. Facebook recommended he friend someone he had only just met for the first time at a meeting for parents of suicidal teens. In response, Facebook confirmed they do use co-location for such recommendations.
Last week, I met a man who was concerned that Facebook has used his smartphone location to figure out people he might know. After he attended a gathering for suicidal teens, Facebook recommended one of the other parents there as a friend, even though they seemingly had nothing else in common but being in the same place at the same time. He asked me whether Facebook was using location to figure out if people knew each other.
I was skeptical, because that seemed like such an egregious violation of privacy. On Friday, I emailed Facebook:
A Facebook user told me that he attended an event last week with people he’d never met before. The next morning, one of the people at the event came up as a suggested friend. They had no other ties beyond being in the same room the night before. Could their shared location have resulted in the suggestion?
A spokesperson responded, saying that location is one of the signals for “People You May Know.”
But then, as people started making a stink about this, Facebook reached out again and offered this oblique reversal.
Thus I reported that “Facebook is using your phone’s location to suggest new friends—which could be a privacy disaster.” The story garnered lots of negative feedback, with people upset about Facebook using their location information this way without telling them.
Then, on Monday night, the Facebook spokesperson reached out again, saying the company had dug into the matter and found that location isn’t currently used. She sent an updated statement:
“We’re not using location data, such as device location and location information you add to your profile, to suggest people you may know. We may show you people based on mutual friends, work and education information, networks you are part of, contacts you’ve imported and other factors.”
One part of this comment is easy: Facebook is not using locations you mark for yourself (so if I said I was in Grand Rapids, they wouldn’t use that to find new Grand Rapids friends for me). But it’s not really clear what they mean by “device location.” Determined by what? GPS? Cell tower? IP location? Wifi hotspot colocation?
Which got me thinking about the way that federal law enforcement (in both the criminal and FISA context, apparently) are obtaining location data from social media as a way to tie physical location to social media activity.
[Magistrate Stephen Smith] explained he had had several hybrid pen/trap/2703(d) requests for location and other data targeting WhatsApp accounts. And he had one fugitive probation violation case where the government asked for the location data of those in contact with the fugitive’s Snapchat account, based on the logic that he might be hiding out with one of the people who had interacted with him on Snapchat. The providers would basically be asked to to turn over the cell site location information they had obtained from the users’ phone along with other metadata about those interactions. To be clear, this is not location data the app provider generates, it would be the location data the phone company generates, which the app accesses in the normal course of operation.
Doing so with Facebook would be particularly valuable, as you could target an event (say, a meeting of sovereign citizens) and find out who had attended the meeting to see whose location showed up there. The application would be even more useful with PRISM, because if you were targeting meetings overseas, you wouldn’t need to worry about the law on location data.
In other words, I started wondering whether Facebook is using this application — and was perfectly willing to tell Hill about it — until the FBI or someone started complaining that people would figure out one of their favorite new law enforcement (and intelligence) methods.
Hill is still pressing Facebook for real answers (and noted that Facebook may be violating FTC rules if they are doing this, so expects answers from there if not from Facebook directly).
Still, I’m wondering if FBI is now telling our private spy companies they can’t reveal the techniques law enforcement most likes to rely on.
As a number of outlets have reported, Ron Wyden has placed a hold on the Intelligence Authorization in an attempt to thwart FBI’s quest to be able to obtain Electronic Communication Transaction Records with just a National Security Letter.
But Wyden’s released statement on that hold differs in emphasis from what he said in his Senate address announcing the hold yesterday. The statement describes how all toll records — from emails, texts, or web browsing — can infringe on privacy.
The fact of the matter is that ‘electronic communication transaction records’ can reveal a great deal of personal information about individual Americans. If government officials know that an individual routinely emails a mental health professional, or sends texts to a substance abuse support group, or visits a particular dating website, or the website of a particular political group, then the government knows a lot about that individual. Our Founding Fathers rightly argued that such intrusive searches should be approved by independent judges.
But in his floor statement, Wyden went on at length about the particular threat posed by obtaining web browsing history (this starts after 4:40).
For example, the National Security Letters could be used to collect what are called Electronic Communication Transaction Records. This would be email and chat records and text message logs, and in particular, Mr. President, and I’ve had Senators come up to me to ask me about whether this could be true, folks at home this weekend, when I was out and responding to questions about this, people asked, “Does this really mean that the government can get the Internet browsing history of an individual without a warrant even when the government has the emergency authority if it’s really necessary?”
And the answer to that question, Mr. President, is yes, the government can. The government can get access to web browsing history under the Intelligence Authorization legislation, under the McCain amendment, and they can do it without getting a warrant, even when the government can go get it without a warrant when there is an emergency circumstance.
Now the reality is web browsing history can reveal an awful lot of information about Americans. I know of little information, frankly Mr. President, that could be more intimate than that web browsing history. If you know that a person is visiting the website of a mental health professional, or a substance abuse support group, or a particular political organization, or — say — a particular dating site, you know a tremendous amount of private and personal and intimate information about that individual — that’s what you get when you can get access to their web browsing history without a warrant, even when the government’s interest is protected, as I’ve said, in an emergency.
The reality is getting access to somebody’s web browsing history is almost like spying on their thoughts. This level of surveillance absolutely ought to come with court oversight, and as I’ve spelled out tonight, that is possible in two separate ways — the traditional approach with getting a warrant, and then under Section 102, which I wrote as part of USA Freedom Act, the government can get the information when there’s an emergency and come back later after the fact and settle up.
Wyden’s statement makes a few other things clear. First, by focusing on the emergency provision of USA Freedom Act, Wyden illustrates that the FBI is trying to avoid court oversight, not so much obtain records quickly (though there would be more paperwork to a retroactive Section 215 order than an NSL).
That means two things. First, as I’ve noted, FBI is trying to avoid the minimization procedures the FISC spent three years imposing on FBI. Right now, we should assume that FISC would prohibit FBI from retaining all of the data it obtains from web searches, but if it moved (back) to NSL collection it would have no such restriction.
The other thing obtaining ECTRs with NSLs would do, though, is avoid a court First Amendment review, which should be of particular concern with web search history, since everything about web browsing involves First Amendment speech. Remember, a form of emergency provision (one limited to Section 215’s phone chaining application) was approved in February 2014. But in the September 2014 order, the FISC affirmatively required that such a review happen even with emergency orders. A 2015 IG Report on Section 215 (see page 176) explains why this is the case: because once FISC started approving seeds, NSA’s Office of General Counsel stopped doing First Amendment reviews, leaving that for FISC. It’s unclear whether it took FISC several cycles to figure that out, or whether they discovered an emergency approval that infringed on First Amendment issues. Under the expanded emergency provision under USAF, someone at FBI or DOJ’s National Security Division would do the review. But FBI’s interest in avoiding FISC’s First Amendment review is of particular concern given that FBI has, in the past, used an NSL to obtain data the FISC refused on First Amendment grounds, and at least one of the NSL challenges appears to have significant First Amendment concerns.
In the Senate yesterday, Senator Wyden strongly suggested the FBI wants this ECTR provision so it can “spy on their thoughts” without a warrant. We know from other developments that doing so using an NSL — rather than an emergency Section 215 order — would bypass rigorous minimization and First Amendment review.
In other words, the FBI wants to spy on — and then archive — your thoughts.
One thing I’ve been pondering as I’ve been going through the Snowden emails liberated by Jason Leopold is the transition Snowden made just before he left. They show that in August 2012, Snowden was (as we’ve heard) a Dell contractor serving as a SysAdmin in Hawaii.
The training he was taking (and complaining about) in around April 5 – 12, 2013 was in preparation to move into an analyst role with the National Threat Operations Center.
That would mean Snowden would have been analyzing US vulnerabilities to cyberattack in what is a hybrid “best defense is a good offense” mode; given that he was in HI, these attacks would probably have been launched predominantly from, and countermeasures would be focused on, China. (Before Stewart Baker accuses me of showing no curiosity about this move, as Baker did about the Chinese invitation to Snowden’s girlfriend to a pole dancing competition, I did, but got remarkably little response from anyone on it.)
It’s not clear why Snowden made the switch, but we have certainly seen a number of cybersecurity related documents — see the packet published by Charlie Savage in conjunction with his upstream cyber article. Even the PRISM PowerPoint — the second thing released — actually has a cybersecurity focus (though I think there’s one detail that remains redacted). It’s about using upstream to track known cyberthreat actors.
I suspect, given the inaccuracies and boosterism in this slide deck, that it was something Snowden picked up while at Booz training, when he was back in Maryland in April 2013. Which raises certain questions about what might have been available at Booz that wasn’t available at NSA itself, especially given the fact that all the PRISM providers’ names appear in uncoded fashion.
Incidentally, Snowden’s job changes at NSA also reveal that there are Booz analysts, not NSA direct employees, doing Section 702 analysis (though that is technically public). In case that makes you feel any better about the way the NSA runs it warrantless surveillance programs.
Anyway, thus far, all that makes sense: Snowden got into a cybersecurity role, and one of the latest documents he took was a document that included a cybersecurity function (though presumably he could have gotten most of the ones that had already been completed as a SysAdmin before that).
But one of the most sensitive documents he got — the Verizon Section 215 primary order — has nothing to do with cybersecurity. The Section 215 dragnet was supposed to be used exclusively for counterterrorism. (And as I understand it, there are almost no documents, of any type, listing provider names in the Snowden stash, and not all that many listing encoded provider names). But the Verizon dragnet order it is dated April 23, 2013, several weeks into the time Snowden had moved into a cybersecurity analytical role.
There’s probably an easy explanation: That even though NSA is supposed to shift people’s credentials as they move from job to job, it hadn’t happened for Snowden yet. If that’s right, it would say whoever was responsible for downgrading Snowden’s access from SysAdmin to analyst was slow to make the change, resulting in one of the most significant disclosures Snowden made (there have been at least some cases of credentials not being adjusted since Snowden’s leaks, too, so they haven’t entirely addressed what would have to be regarded as a major fuck-up if that’s how this happened).
Interestingly, however, the declassification stamp on the document suggests it was classified on April 12, not April 23, which may mean they had wrapped up the authorization process, only to backdate it on the date it needed to be reauthorized. April 12, 2013 was, I believe, the last day Snowden was at Fort Meade.
Whatever the underlying explanation, it should be noted that the most sensitive document Snowden leaked — the one that revealed that the government aspired to collect phone records from every single Verizon customer (and, significantly, the one that made court challenges possible) — had to have been obtained after Snowden formally left his SysAdmin, privileged user, position.
In our piece on NSA’s response to requests for records of Edward Snowden’s complaints, Jason Leopold and I reported that a senior NSA official apologized to Admiral Mike Rogers for providing insufficient context about Snowden’s contacts with oversight entities before Snowden’s email to OGC got released on May 29, 2014. (See PDF 6 for the email and response as they got publicly released.) More importantly, we reported that the apology — written after several days of fact-checking — included at least one clear error. After we pointed that out to the intelligence community and asked questions for clarification, the NSA significantly moved the goalposts on its claims about whether Snowden had raised concerns, denying that Snowden had talked to the top three NSA officials rather than lower level ones. Here’s why I think that’s significant.
On April 8, 2014, NSA learned that an upcoming Vanity Fair piece would include a claim from Edward Snowden that “I contacted N.S.A. oversight and compliance bodies.” (PDF 13)
Apparently in response to that claim, on the following day a woman involved in training in Signals Intelligence Compliance and Oversight (what the NSA calls SV) wrote up an exchange she had with Snowden a year earlier. (PDF 147) Here’s how that email appeared on April 10, after at least one draft.
The individual appeared at the side of my desk in the SV training area during the timeframe between 5 – 12 April 2013, shortly after lunch time. He did not introduce himself and instead asked if he could talk to someone about the OVSC1203 [Section 702] course. I indicated that he could talk to me. He seemed upset and proceeded to say that he had tried to take OVSC1203 and that he had failed. He then commented that he felt we had trick questions throughout the course content that made him fail. SV Training has standard (canned) responses we use to respond to questions like this. I introduced myself and provided the information to him. My comments were standard and part of our “canned” responses, and informed him that the OVSC courses did not contain any trick questions and that all of the answers to the test questions could be located within the course content (our standard response when someone states they have failed any of our courses). Also, as part of our standard response with this type of question, we remind the student that the course is open book and not timed, also part of our routine canned response. I also reminded him that students receive multiple attempts to successfully pass the course and if they are not successful after multiple attempts he would need to contact us for further assistance. He seemed to have calmed down by then and said he still thought the questions tricked the students but he would try again.
Several pieces of evidence in the email collection suggest this email was the first time she wrote up the exchange (though I imagine there’s an FBI 302 of an interview with her). Not only did no other written version of it get turned over in Leopold’s FOIA, but when the Chief of SV explained the exchange to superiors, no claim of contemporaneous report was made. (PDF 255) Similarly, there’s no definitive written evidence of this report getting reported to the various investigators (though there is one piece of evidence it may have been orally described). In addition, the woman had to revise at least the dates during which she described the exchange taking place on April 10, suggesting she wasn’t working from an existing written document. (PDF 300)
On May 29, 2014, first Dianne Feinstein (there’s evidence she was prodded by someone at NSA or ODNI) released Snowden’s email exchange with OGC, then NSA formally released it.
Later the evening of May 29, Edward Snowden told WaPo the release did not include “correspondence” with SV in which he said they “believed that a classified executive order could take precedence over an act of Congress.”
Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published. It also did not include concerns about how indefensible collection activities – such as breaking into the back-haul communications of major US internet companies – are sometimes concealed under E.O. 12333 to avoid Congressional reporting requirements and regulations.
About an hour and a half after Feinstein had released Snowden’s email on May 29 but before WaPo published Snowden’s claim, the Media Leaks Task Force discovered the write-up of the SV exchange from April, but did not release it publicly (meaning when Snowden made his claim, he did not know they had written up the exchange). Around, or even before that, OGC realized that some of the discussions they were having would have to be turned over in response to this FOIA, and then-General Counsel Raj De “ask[ed] that no one else comment on the low-side [less secure] (or add additional folks to the e-mail exchange),” (PDF 148), so it’s not clear subsequent discussions about this exchange got released in the FOIA.
In the days thereafter, NSA Chief of Staff Elizabeth Brooks got asked to fact check the claims that had been made so far, with the SV Chief and Deputy Chief providing more details on the exchange. It appears there was a senior meeting, probably including Admiral Rogers, at 10AM on June 3, at which someone (probably Brooks) wrote down (PDF 261) “conversation between Snowden & compliance officer where he complained / wants in writing exactly what Snowden has done in writing and verbally.”
Later that day, “the accountable NSA official for Media Disclosures issues” wrote Admiral Rogers a pretty remarkable apology for not providing sufficient context about Snowden’s interactions. (PDF 96) It’s remarkable that it happened — kudos to Admiral Rogers for trying to get clarity on this issue. But it’s remarkable, too, because even after the two day fact-checking process, the apology endeavoring to keep NSA leadership fully informed did not do so.
For example, the apology does not tell Rogers that the face-to-face exchange could have happened on one of the same days as the OGC email (and definitely happened within the same week), making it more likely the OGC email and the SV face-to-face exchange were actually two parts of the same exchange (Snowden would have known SV had been involved in his OGC response from both the final response he got, as well as the email forwarding the question from OGC to SV, which got forwarded to him). The apology also, like NSA’s response to this FOIA, doesn’t disclose what got discussed between 7 people as they decided who and how to respond to Snowden’s email (the apology itself, because it gave Rogers the redacted version of Snowden’s email released to the public, would have obscured that 6 people were involved in this response, but he could have gotten that information in previous email threads had he read them closely). It also makes what — given the evidence in the emails, at least — appears to be a clear error by claiming that the SV woman wrote up her exchanges with Snowden in response to NSA’s request for information on contacts with him: “In response to the June 2013 Agency All (See Attachment B) [the SV training woman] provided in writing her account of these engagements.”
That claim appears to be erroneous on two counts.
Ben Wittes has started a series of posts on how to tyrant-proof the presidency. His first post argues that Jennifer Granick’s worries about surveillance and Conor Friedersdorf’s worries about drone-killing are misplaced. The real risk, Wittes argues, comes from DOJ.
What would a president need to do to shift the Justice Department to the crimes or civil infractions committed—or suspected—by Trump critics and opponents? He would need to appoint and get confirmed by the Senate the right attorney general. That’s very doable. He’d want to keep his communications with that person limited. An unspoken understanding that the Justice Department’s new priorities include crimes by the right sort of people would be better than the sort of chortling communications Richard Nixon and John Mitchell used to have. Want to go after Jeff Bezos to retaliate for the Washington Post‘s coverage of the campaign? Develop a sudden trust-busting interest in retailers that are “too big”; half the country will be with you. Just make sure you state your non-neutral principles in neutral terms.
There are other reasons to expect a politically abusive president to focus on the Justice Department and other domestic, civilian regulatory and law enforcement agencies: one is that the points of contact between these agencies and the American people are many, whereas the population’s points of contact with the intelligence community are few. The delusions of many civil libertarians aside, the intelligence community really does focus its activities overseas. To reorient it towards domestic oppression would take a lot of doing. It also has no legal authority to do things like arresting people, threatening them with long prison terms, fining them, or issuing subpoenas to everyone they have ever met. By contrast, the Justice Department has outposts all over the country. Its focus is primarily domestic. It issues authortitative legal guidance within the executive branch to every other agency that operates within the country. And it has the ability to order people to produce material and testify about whatever it wants to investigate.
What’s more, when it receives such material, it is subject to dramatically laxer rules as to its use than is the intelligence community. Unlike, say, when NSA collects material under Section 702, when the Justice Department gets material under a grand jury subpoena, there aren’t a lot of use restrictions (other than Rule 6(e)’s prohibition against leaking it); and there is no mandatory period after which DOJ has to destroy it. It has countless opportunities, in other words, to engage in oppressive activities, and it is largely not law but norms and human and institutional decency that constrain it.
I don’t necessarily disagree with the premise. Indeed, I’ve argued it for years — noting, for example, that a targeted killing in the US would look a lot more like the killing of Imam Luqman Abdullah in 2009 (or the killing of Fred Hampton in 1969) than drone killing of Anwar al-Awlaki in 2011 (given that Abdullah’s selling of stolen items got treated as terrorism in part because of his positive statements about Awlaki, it is not inconceivable FBI started infiltrating his mosque because of SIGINT).
My gripe (I have to have gripes because it is Wittes) is on two points. First, Wittes far overestimates how well the protections against abuse currently work. He seems to believe the Levi Guidelines remain in place unchanged, that the 2008 and 2011 and serial secret changes to the Domestic Investigations and Operations Guide since then have not watered down limits on investigations for protected activities. He suggests it was a good thing to use prosecutorial discretion to chase drugs in the 1990s and terrorism in the 2000s, and doesn’t consider why the rich donors who’ve done as much damage as terrorists to the country — the banksters, even those that materially supported terrorists — have gotten away with wrist-slap fines. It was not a good thing to remain obsessed with terrorists while the banksters destroyed our economy through serial global fraud (a point made even by former FBI agents).
We already have a dramatically unequal treatment of homegrown extremists in this country based on religion (compare the treatment of the Malheur occupiers with that of any young Muslim guy tweeting about ISIS who then gets caught in an FBI sting). We already treat Muslims (and African Americans and — because we’re still chasing drugs more than we should — Latinos) differently in this country, even though the guy running for President on doing so as a campaign plank isn’t even in office yet!
The other critical point Wittes missed in his claim that “delusional” civil libertarians don’t know that “the intelligence community really does focus its activities overseas” is that DOJ, in the form of FBI and DEA, is the Intelligence Community, and their intelligence focus is not exclusively overseas (nor is the intelligence focus of other IC members DHS — which has already surveilled Black Lives Matter activists — and Treasury). The first dragnet was not NSA’s, but the DEA one set up under Bill Clinton. One big point of Stellar Wind (which is what Wittes mocked Granick for focusing on) was to feed FBI tips of people the Bureau should investigate, based solely on their associations. And while Wittes is correct that “when the Justice Department gets material under a grand jury subpoena, there aren’t a lot of use restrictions (other than Rule 6(e)’s prohibition against leaking it); and there is no mandatory period after which DOJ has to destroy it,” it is equally true of when FBI gets raw 702 data collected without grand jury scrutiny.
FBI can conduct an assessment to ID the racial profile of a community with raw 702 data, it can use it to find and coerce potential informants, and it can use it for non-national security crimes. That’s the surveillance Wittes says civil libertarians are delusional to be concerned about, being used with inadequate oversight in the agency Wittes himself says we need to worry about.
Four different times in his post, Wittes contrasts DOJ with the intelligence community, without ever considering what it means that DOJ’s components FBI and DEA are actually part of it, that part of it that takes data obtained from NSA’s surveillance and uses it (laundered through parallel construction) against Americans. You can’t contrast the FBI’s potential impact with that of the IC as Wittes does, because the FBI is (one of) the means by which IC activities impact Americans directly.
Yes, DOJ is where President Trump (and President Hillary) might abuse their power most directly. But in arguing that, Wittes is arguing that the President can use the intelligence community abusively.