Christopher Wray Departs from Jim Comey’s “Balance” on Encryption

In his statement before the House Judiciary Committee last week, FBI Director Christopher Wray raised encryption, as FBI Directors do when they go before Congress.

His comments on encryption have a really bizarre line, complaining that, “The more we as a society rely on electronic devices to communicate and store information, the more likely it is that information that was once found in filing cabinets, letters, and photo albums will now be stored only in electronic form.” The reverse is really the issue: our electronic devices now make it really easy to get and search through what previously might be hidden in a (locked!) filing cabinet. They also encourage us to write in texts what we used to say in phone or direct conversations. So the reality is all this digitalization just makes it easier to engage in one stop evidence shopping with someone’s phone.

The more interesting thing, to me, is the way in which Wray’s rhetoric deviates sharply from that of Jim Comey.

Comey, you’ll remember, always liked to talk about the “balance” between security and privacy. He used that formulation most times he discussed back doors in encryption.

And he gave an entire speech on it last year in the wake of the San Bernardino phone challenge.

In America we’ve always balanced privacy and security. It can be messy, it can be painful, but we’ve always worked through the three branches of government to achieve that balance in a sensible way.

[snip]

We have to find thoughtful, productive ways to talk about issues of privacy and security, and here’s the thing, by thoughtful I don’t mean that I’m right, and you’re wrong. I could be wrong about the way I assess, the way I perceive, the way I balance, the way I reason, but I think all productive conversations start from a place of humility. I could be wrong.

[snip]

[L]itigation is a terrible place to have any discussion about a complicated policy issue, especially one that touches on our values, on the things we care about most, on technology, on trade-offs, and balance.

[snip]

We are all people trying to do the right thing as we see the right. It is not for the FBI to decide how this country should govern itself.

It’s not for the FBI to decide what the right approach is here. Our job is to investigate. Our job is to tell you, the people who pay for us, when the tools you count on us to use aren’t working so much anymore, so you can figure out what to do about that. It’s also not the job of the technology companies to tell us—to tell you—what to do about this. Their job is to innovate and come up with the next great thing, and they’re spectacular at that, which is to be treasured. How we move forward needs to be resolved by the American people, and especially the young who know technology so well, and who care so deeply about getting the hard things right.

In his statement, Wray seems to be invoking this Comey formulation when he rejects the entire notion.

Some observers have conceived of this challenge as a trade-off between privacy and security. In our view, the demanding requirements to obtain legal authority to access data—such as by applying to a court for a warrant or a wiretap—necessarily already account for both privacy and security. The FBI is actively engaged with relevant stakeholders, including companies providing technological services, to educate them on the corrosive effects of the Going Dark challenge on both public safety and the rule of law, and with the academic community and technologists to work on technical solutions to this problem.

Wray appears to be rejecting Comey’s (usually false) show of seeking the right balanced between access and encryption, and instead saying a warrant is all it needs. That, in spite of the fact that Congress has specifically stopped short of requiring technical access for some of the applications that Wray and Comey were complaining about. Not to mention the fact that FBI doesn’t ever get a warrant to get to US person content via back door searches or the 2014 exception.

Ultimately, of course, the effect is the same: FBI is going to continue demanding back doors into encryption.

But Wray, apparently, doesn’t even feel the need to feign an interest in the debate.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

“Circumventing” Encryption Is Different than “Weakening” or “Altering” It

I’m still catching up to the Questions for the Record that ODNI submitted to the Senate Intelligence Committee after its June hearing on 702. So I’d like to look more closely at something from the QFRs first reported by Zack Whittaker on encryption.

It has to do with a response to a Ron Wyden question about whether 702 provides authority to “circumvent or weaken” encryption.

Whittaker notes what I pointed out here — because of the way 702 works, “the court is never going to review the individual directives which is where the specific technical assistance gets laid out (unless a provider is permitted to challenge those directives).” That’s the headline point of his piece, one I agree with.

The US government does not need the approval of its secret surveillance court to ask a tech company to build an encryption backdoor.

Whittaker also notes that this language falls far short of denying (or confirming) whether it has asked for a back door. Meaning, it’s possible they asked a provider for a back door, and the provider complied without being forced to.

That said, I wanted to point out the limits to this claim from Whittaker.

In its answers, the government said it has “not to date” needed to ask the FISC to issue an order to compel a company to backdoor or weaken its encryption.

It is true that the government says it has not asked an ECSP to “alter the encryption provided by a service or product it offers.”

But that answer is non-responsive to the totality of Wyden’s question, which asks if the government ordered a provider to “circumvent or weaken” encryption. The government only addresses the latter question, whether the government has altered (presumably by weakening) encryption. It hasn’t answered, at all, whether it has ordered a provider to “circumvent” encryption.

That’s an important point regardless. These QFRs are always carefully crafted, particularly in responses to Wyden (or the few other people who actually exercise oversight).

I think it’s particularly important given something that happened with iOS in the last year: rather than just answering, yes or no, before a phone trusts a computer (meaning it will share its contents with iTunes and therefore potentially with Apple), iOS 11 now requires you to enter your password before a phone will trust a computer.

A different and more significant change is requiring the passcode to “trust” a new computer. Currently, when the police wish to search a phone, they unlock it either with the fingerprint reader, by convincing the suspect to unlock the phone (e.g. to look up a phone number), or they simply seize the phone while it is unlocked. None of these avenues directly implicate suspects’ constitutional rights. Once the unlocked phone is obtained, officials connect the device to a computer running forensics software, or even just iTunes, direct the device to “trust” the new computer when prompted, and download a backup that contains almost all of the relevant information stored on the phone. Requiring the passcode in order to sync the device with a new machine means that, even with an unlocked device, a party that wants access is now limited to searching the phone manually for visible items and can only perform that search while the phone remains unlocked.

I had already been thinking trusted backups provided a way the government could, through Apple, obtain contents from phones that would otherwise be hard to decrypt (I believe it would require altering iTunes, not the encryption itself). Such an approach would be particularly useful for NatSec investigations, where collecting contents wasn’t so much about solving an already committed crime (which is what all the iPhones the government hasn’t been able to break into were collected for), but to prevent one or otherwise collect prospective data.

I don’t even know if this is technically feasible. Nor do I know whether someone would be better sticking with iOS 10 and just rigorously refusing to trust a given computer or upgrading to iOS 11 and never entering that password.

But I do know this passage on encryption is — with respect to whether the government has ever ordered a company to circumvent encryption — a non-denial.

And I have learned that non-denials, especially in response to Wyden, generally should be closely scrutinized.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Christopher Wray Was Doing Great Until He Accused Chad of Spewing Jihadist Propaganda

In his first House Judiciary Committee oversight hearing today, FBI Director Christopher Wray responded to questions about FBI Agent Peter Strzok by explaining there was an ongoing Inspector General investigation into Strzok’s role in the investigation into Hillary’s treatment of classified information more times (at least 16) than he dodged answers in his confirmation hearing (11).

At that level, it was a typical HJC hearing, as each side spent more time pitching their partisan spin (with Democrats asking a string of questions Wray was unable to answer about Russia) rather than — with a few exceptions — conducting much oversight.

That said, I really appreciated two aspects of Wray’s testimony today. First, with the very notable exception of FISA matters (specifically, any FISA applications tied to Trump’s associates, and whether they derived in any way from the Steele dossier), Wray seemed genuinely willing to accept HJC’s mandate to conduct oversight.

As I’ve already noted, I get that HJC can be full of partisan hacks. But it is also the case that the Executive branch, particularly something as powerful as the FBI, must be subject to the oversight requests of Congress. And under both the Bush and Obama Administrations, FBI and DOJ largely treated their oversight committees with (sometimes deserved, but often undeserved) contempt. Even where Wray was bullshitting members of Congress, such as when he pretended that moving Strzok to human resources wasn’t a demotion, he at least appeared to treat their inquiries with respect.

Perhaps, if it is treated with respect it sometimes doesn’t deserve, HJC will come to become the committee FBI and DOJ need as an oversight body.

The other thing I appreciated — particularly in the wake of Jim Comey’s treatment of everything as a fight between “good guys” and “bad guys” — was Wray’s repeated invocation of the humanness of FBI and its officials. For example, in what must have been a rehearsed response to a question about the reputation of the FBI, Wray said, “Do we make mistakes? You bet we make mistakes. Just like everyone who is human makes mistakes,” before describing how the IG (which is currently investigating Strzok) provides the opportunity to “hold our folks accountable, if that’s appropriate.” Somewhat less convincingly, in response to a question from Cedric Richmond, who cleverly noted that the FBI Headquarters is still named after the architect of COINTELPRO, J Edgar Hoover, Wray again stressed the humanity of FBI. “It’s something we’re not proud of but it is also something we’ve learned from … We’re human, we make mistakes. We have things that we’ve done well. We’ve had things we done badly, and when we’ve done badly we try to learn from them.”

Given FBI’s intransigence on back door searches and Wray’s own evolving understanding of the problems caused by the designation Black Identity Extremist (not to mention what appears to be undeserved self-congratulation about how many — or rather few — open investigation into white supremacist terrorists the FBI has) I’m not convinced the FBI really has learned those lessons. It is still too white and too male of an organization to understand how much it polices some of the same things COINTELPRO did, and with even more intrusive tools.

But I am heartened that the FBI Director, perhaps largely because of the focus on Strzok, publicly recognized that FBI is not always the good guy, contrary to what Comey internalized and evangelized over and over. In discussions with Karen Bass about the BIE designation, too, it sounded like he was at least able to listen, even if he refused to withdraw the intelligence report that created the designation.

That said, Wray made several outright errors that need to be corrected.

The first two, both about Section 702, came in response to questions by Ted Poe (who was one of just a few people to raise Section 702, in spite of the fact that I’ve heard from numerous staffers they can’t get answers about key aspects of how 702 works). First, addressing Poe’s claim that back door searches are abusive, Wray claimed that courts that had considered the querying had found it to be consistent with the Fourth Amendment.

Every court, every  court, to have looked at the way in which Section 702 is handled, including the querying, has concluded that it’s being done consistent with the Fourth Amendment.

As the EFF laid out, that’s not actually true. The Ninth Circuit punted on precisely the issue of back door searches.

When Wray mentions the Ninth Circuit, he is likely referencing a 2016 decision by the U.S. Court of Appeals for the Ninth Circuit. In the opinion for USA v. Mohamed Osman Mohamud, the appeals court ruled that, based on the very specific evidence of the lawsuit, data collected under Section 702 did not violate a U.S. person’s Fourth Amendment rights. But the judge explicitly wrote that this lawsuit did not involve some of the more “complex statutory and constitutional issues” potentially raised by Section 702.

Notably, the judge wrote that the Mohamud case did not involve “the retention and querying of incidentally collected communications.” That’s exactly what we mean when we talk about “backdoor searches.”

Wray is mischaracterizing the court’s opinion. He is wrong.

In addition, Wray claimed that,

The individuals that are incidentally collected — the US person information that is incidentally collected — are people that are in communication with foreigners who are the subject of foreign intelligence investigations, so like an ISIS recruiter, there’s a US person picked up, that person would have been in email contact, for example, with an ISIS recruiter.

While I’m not certain precisely what gets dumped into the FBI database that is queried, it is false to claim that every US person who has information collected would necessarily have been in communication with the target. That’s because PRISM providers are cloud storage providers and NSA gets anything a target stores and then some, and because people email very interesting stuff to each other all the time. That means there’s a whole bunch of other things that might implicate US persons swept up in the PRISM collection that gets shared, in raw form, with the FBI.

I wanted to point to an assumption virtually everyone has been making about PRISM collection and its suitability for back door searches that may not be valid. If you think about the hack-and-leak dumps in recent years, for example, often the most damaging, as well as the most ridiculous infringements on privacy, involve email attachments, such as the list of most Democratic members of Congress’ email many passwords for which were easily obtainable online, or phone conversations about routine housekeeping or illness. And that’s just attachments; most of the PRISM providers are actually cloud storage providers, in addition to being electronic communication providers, and from the very first requests to Yahoo there was mission creep of all the types of things the government might demand.

And while NSA and FBI aren’t supposed to keep stuff that doesn’t count as foreign intelligence or criminal information, it’s clear (from the WaPo report) that NSA, at least, does.

So as we talk about how inappropriate the upstream back door searches were and are because they can search on stuff that’s not foreign intelligence information, we should remember that the very same thing is likely true of back door searches of  the fruits of searches on a person’s cloud storage account.

Plus, while the example of an ISIS recruiter makes for good show, the targets will also include people like Chinese scientists and Russian businessmen, among other things. There are completely innocent reasons — like science!!! — to speak to such targets. And yet if FBI does a back door search on Americans who’ve engaged in such innocent discussions it can and almost certainly has led to innocent people being targeted unfairly.

It bothers me that me — a dirty fucking hippie blogger, though admittedly one who has become (as a Congressional staffer introduced me as earlier this year) as expert on FISA as anyone outside of government — knows these details better than the FBI Director (who, after all, was involved in not providing defendants adequate notice of this stuff during its illegal go-around under Stellar Wind).

But Wray’s biggest error, on a different topic, came later. After first dodging Pramila Jayapal’s questions about whether Trump’s tweets have contributed to the spike of hate crimes this year by suggesting the data was untrustworthy (!!!), Director Wray than answered her question about the Muslim ban this way.

An awful lot of our terror investigations do also involve immigration violations, so there is a close nexus between immigration violations and counterterrorism investigations, and an awful lot of the terrorist investigations we have involve global jihadist rhetoric, which is disproportionately concentrated in certain countries.

One reason terror investigations involve immigration violations is because that’s an easy way to punish someone who hasn’t actually committed any crime (and given that most terrorist attacks are not recent immigrants, sort of beside the point).

But the notion that immigration from Muslim majority countries — like the six included in the current Muslim ban: Iran, Libya, Syria, Yemen, Somalia, and Chad — is dangerous because global jihadist rhetoric arises from those countries is the height of nonsense. That’s because the most effective recruiter of Americans for almost a decade was a man, Anwar al-Awlaki, who wrote much of his propaganda here or in the UK; while his rhetoric subsequently did get published from Yemen, he’s been dead for 6 years, with far less jihadist rhetoric in English from there. And while Syria, Somalia, and Libya do export hateful rhetoric, so did Iraq and does Saudi Arabia and Pakistan, two countries we haven’t banned. Iran certainly exports a great deal of anti-American rhetoric, but it is not recruiting terrorists here and most of its anti-American actions are legitimate state-based opposition derived from power relations, not religion. And Awlaki is by no means the only producer of anti-American rhetoric in majority Christian countries, including but not limited to the US and UK.

Ultimately, of course, Jayapal was talking about Trump’s Muslim ban, the one that bans elite Venezuelans and North Koreans along with weaker Muslim ones. And while he didn’t go as far as to say that Kim Jong-Un was spewing jihadist rhetoric, that’s the logic here.

But by implication, he was talking about Chad, which in spite of its cooperation on terrorism, got added to the list because Trump is incompetent. To suggest Chad is a propaganda threat and the US and UK are not is the height of folly.

But that’s what the FBI Director claimed today to avoid criticizing Trump’s bigotry.

Update: For some reason I was writing Cedric Richmond’s last name wrong all day today. I’ve corrected my use of “Johnson” instead of “Richmond” here. My apologies to him for my still uncorrected tweets.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

A Dragnet of emptywheel’s Most Important Posts on Surveillance, 2007 to 2017

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten this week.

To celebrate, the emptywheel team has been sharing some of our favorite work from the last decade. This is my massive dragnet of surveillance posts.

For years, we’ve done this content ad free, relying on donations and me doing freelance work for others to fund the stuff you read here. I would make far more if I worked for some free-standing outlet, but I wouldn’t be able to do the weedy, iterative work that I do here, which would amount to not being able to do my best work.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

2007

Whitehouse Reveals Smoking Gun of White House Claiming Not to Be Bound by Any Law

Just days after opening the new digs, I noticed Sheldon Whitehouse entering important details into the Senate record — notably, that John Yoo had pixie dusted EO 12333 to permit George Bush to authorize the Stellar Wind dragnet. In the ten years since, both parties worked to gradually expand spying on Americans under EO 12333, only to have Obama permit the sharing of raw EO 12333 data in its last days in office, completing the years long project of restoring Stellar Wind’s functionalities. This post, from 2016, analyzes a version of the underlying memo permitting the President to change EO 12333 without providing public notice he had done so.

2008

McConnell and Mukasey Tell Half Truths

In the wake of the Protect America Act, I started to track surveillance legislation as it was written, rather than figure out after the fact how the intelligence community snookered us. In this post, I examined the veto threats Mike McConnell and Michael Mukasey issued in response to some Russ Feingold amendments to the FISA Amendments Act and showed that the government intended to use that authority to access Americans’ communication via both what we now call back door searches and reverse targeting. “That is, one of the main purposes is to collect communications in the United States.”

9 years later, we’re still litigating this (though, since then FISC has permitted the NSA to collect entirely domestic communications under the 2014 exception).

2009

FISA + EO 12333 + [redacted] procedures = No Fourth Amendment

The Government Sez: We Don’t Have a Database of All Your Communication

After the FISCR opinion on what we now know to be the Yahoo challenge to Protect American Act first got declassified, I identified several issues that we now have much more visibility on. First, PAA permitted spying on Americans overseas under EO 12333. And it didn’t achieve particularity through the PAA, but instead through what we know to be targeting procedures, including contact chaining. Since then we’ve learned the role of SPCMA in this.

In addition, to avoid problems with back door searches, the government claimed it didn’t have a database of all our communication — a claim that, narrowly parsed might be true, but as to the intent of the question was deeply misleading. That claim is one of the reasons we’ve never had a real legal review of back door searches.

Bush’s Illegal Domestic Surveillance Program and Section 215

On PATRIOTs and JUSTICE: Feingold Aims for Justice

During the 2009 PATRIOT Act reauthorization, I continued to track what the government hated most as a way of understanding what Congress was really authorizing. I understood that Stellar Wind got replaced not just by PAA and FAA, but also by the PATRIOT authorities.

All of which is a very vague way to say we probably ought to be thinking of four programs–Bush’s illegal domestic surveillance program and the PAA/FAA program that replaced it, NSLs, Section 215 orders, and trap and trace devices–as one whole. As the authorities of one program got shut down by exposure or court rulings or internal dissent, it would migrate to another program. That might explain, for example, why Senators who opposed fishing expeditions in 2005 would come to embrace broadened use of Section 215 orders in 2009.

I guessed, for example, that the government was bulk collecting data and mining it to identify targets for surveillance.

We probably know what this is: the bulk collection and data mining of information to select targets under FISA. Feingold introduced a bajillion amendments that would have made data mining impossible, and each time Mike McConnell and Michael Mukasey would invent reasons why Feingold’s amendments would have dire consequences if they passed. And the legal information Feingold refers to is probably the way in which the Administration used EO 12333 and redacted procedures to authorize the use of data mining to select FISA targets.

Sadly, I allowed myself to get distracted by my parallel attempts to understand how the government used Section 215 to obtain TATP precursors. As more and more people confirmed that, I stopped pursuing the PATRIOT Act ties to 702 as aggressively.

2010

Throwing our PATRIOT at Assange

This may be controversial, given everything that has transpired since, but it is often forgotten what measures the US used against Wikileaks in 2010. The funding boycott is one thing (which is what led Wikileaks to embrace Bitcoin, which means it is now in great financial shape). But there’s a lot of reason to believe that the government used PATRIOT authorities to target not just Wikileaks, but its supporters and readers; this was one hint of that in real time.

2011

The March–and April or May–2004 Changes to the Illegal Wiretap Program

When the first iteration of the May 2004 Jack Goldsmith OLC memo first got released, I identified that there were multiple changes made and unpacked what some of them were. The observation that Goldsmith newly limited Stellar Wind to terrorist conversations is one another reporter would claim credit for “scooping” years later (and get the change wrong in the process). We’re now seeing the scope of targeting morph again, to include a range of domestic crimes.

Using Domestic Surveillance to Get Rapists to Spy for America

Something that is still not widely known about 702 and our other dragnets is how they are used to identify potential informants. This post, in which I note Ted Olson’s 2002 defense of using (traditional) FISA to find rapists whom FBI can then coerce to cooperate in investigations was the beginning of my focus on the topic.

2012

FISA Amendments Act: “Targeting” and “Querying” and “Searching” Are Different Things

During the 2012 702 reauthorization fight, Ron Wyden and Mark Udall tried to stop back door searches. They didn’t succeed, but their efforts to do so revealed that the government was doing so. Even back in 2012, Dianne Feinstein was using the same strategy the NSA currently uses — repeating the word “target” over and over — to deny the impact on Americans.

Sheldon Whitehouse Confirms FISA Amendments Act Permits Unwarranted Access to US Person Content

As part of the 2012 702 reauthorization, Sheldon Whitehouse said that requiring warrants to access the US person content collected incidentally would “kill the program.” I took that as confirmation of what Wyden was saying: the government was doing what we now call back door searches.

2013

20 Questions: Mike Rogers’ Vaunted Section 215 Briefings

After the Snowden leaks started, I spent a lot of time tracking bogus claims about oversight. After having pointed out that, contrary to Administration claims, Congress did not have the opportunity to be briefed on the phone dragnet before reauthorizing the PATRIOT Act in 2011, I then noted that in one of the only briefings available to non-HPSCI House members, FBI had lied by saying there had been no abuses of 215.

John Bates’ TWO Wiretapping Warnings: Why the Government Took Its Internet Dragnet Collection Overseas

Among the many posts I wrote on released FISA orders, this is among the most important (and least widely understood). It was a first glimpse into what now clearly appears to be 7 years of FISA violation by the PRTT Internet dragnet. It explains why they government moved much of that dragnet to SPCMA collection. And it laid out how John Bates used FISA clause 1809(a)(2) to force the government to destroy improperly collected data.

Federated Queries and EO 12333 FISC Workaround

In neither NSA nor FBI do the authorities work in isolation. That means you can conduct a query on federated databases and obtain redundant results in which the same data point might be obtained via two different authorities. For example, a call between Michigan and Yemen might be collected via bulk collection off a switch in or near Yemen (or any of the switches between there and the US), as well as in upstream collection from a switch entering the US (and all that’s assuming the American is not targeted). The NSA uses such redundancy to apply the optimal authority to a data point. With metadata, for example, it trained analysts to use SPCMA rather than PATRIOT authorities because they could disseminate it more easily and for more purposes. With content, NSA appears to default to PRISM where available, probably to bury the far more creative collection under EO 12333 for the same data, and also because that data comes in structured form.

Also not widely understood: the NSA can query across metadata types, returning both Internet and phone connection in the same query (which is probably all the more important now given how mobile phones collapse the distinction between telephony and Internet).

This post described how this worked with the metadata dragnets.

The Purpose(s) of the Dragnet, Revisited

The government likes to pretend it uses its dragnet only to find terrorists. But it does far more, as this analysis of some court filings lays out.

2014

The Corporate Store: Where NSA Goes to Shop Your Content and Your Lifestyle

There’s something poorly understood about the metadata dragnets NSA conducts. The contact-chaining isn’t the point. Rather, the contact-chaining serves as a kind of nomination process that puts individuals’ selectors, indefinitely, into the “corporate store,” where your identity can start attracting other related datapoints like a magnet. The contact-chaining is just a way of identifying which people are sufficiently interesting to submit them to that constant, ongoing data collection.

SPCMA: The Other NSA Dragnet Sucking In Americans

I’ve done a lot of work on SPCMA — the authorization that, starting in 2008, permitted the NSA to contact chain on and through Americans with EO 12333 data, which was one key building block to restoring access to EO 12333 analysis on Americans that had been partly ended by the hospital confrontation, and which is where much of the metadata analysis affecting Americans has long happened. This was my first comprehensive post on it.

The August 20, 2008 Correlations Opinion

A big part of both FBI and NSA’s surveillance involves correlating identities — basically, tracking all the known identities a person uses on telephony and the Internet (and financially, though we see fewer details of that), so as to be able to pull up all activities in one profile (what Bill Binney once called “dossiers”). It turns out the FISC opinion authorizing such correlations is among the documents the government still refuses to release under FOIA. Even as I was writing the post Snowden was explaining how it works with XKeyscore.

A Yahoo! Lesson for USA Freedom Act: Mission Creep

This is another post I refer back to constantly. It shows that, between the time Yahoo first discussed the kinds of information they’d have to hand over under PRISM in August 2007 and the time they got directives during their challenge, the kinds of information they were asked for expanded into all four of its business areas. This is concrete proof that it’s not just emails that Yahoo and other PRISM providers turn over — it’s also things like searches, location data, stored documents, photos, and cookies.

FISCR Used an Outdated Version of EO 12333 to Rule Protect America Act Legal

Confession: I have an entire chapter of the start of a book on the Yahoo challenge to PRISM. That’s because so much about it embodied the kind of dodgy practices the government has, at the most important times, used with the FISA Court. In this post, I showed that the documents that the government provided the FISCR hid the fact that the then-current versions of the documents had recently been modified. Using the active documents would have shown that Yahoo’s key argument — that the government could change the rules protecting Americans anytime, in secret — was correct.

2015

Is CISA the Upstream Cyber Certificate NSA Wanted But Didn’t Really Get?

Among the posts I wrote on CISA, I noted that because the main upstream 702 providers have a lot of federal business, they’ll “voluntarily” scan on any known cybersecurity signatures as part of protecting the federal government. Effectively, it gives the government the certificate it wanted, but without any of the FISA oversight or sharing restrictions. The government has repeatedly moved collection to new authorities when FISC proved too watchful of its practices.

The FISA Court’s Uncelebrated Good Points

Many civil libertarians are very critical of the FISC. Not me. In this post I point out that it has policed minimization procedures, conducted real First Amendment reviews, taken notice of magistrate decisions and, in some cases, adopted the highest common denominator, and limited dissemination.

How the Government Uses Location Data from Mobile Apps

Following up on a Ron Wyden breadcrumb, I figured out that the government — under both FISA and criminal law — obtain location data from mobile apps. While the government still has to adhere to the collection standard in any given jurisdiction, obtaining the data gives the government enhanced location data tied to social media, which can implicate associates of targets as well as the target himself.

The NSA (Said It) Ate Its Illegal Domestic Content Homework before Having to Turn It in to John Bates

I’m close to being able to show that even after John Bates reauthorized the Internet metadata dragnet in 2010, it remained out of compliance (meaning NSA was always violating FISA in obtaining Internet metadata from 2002 to 2011, with a brief lapse). That case was significantly bolstered when it became clear NSA hastily replaced the Internet dragnet with obtaining metadata from upstream collection after the October 2011 upstream opinion. NSA hid the evidence of problems on intake from its IG.

FBI Asks for at Least Eight Correlations with a Single NSL

As part of my ongoing effort to catalog the collection and impact of correlations, I showed that the NSL Nick Merrill started fighting in 2004 asked for eight different kinds of correlations before even asking for location data. Ultimately, it’s these correlations as much as any specific call records that the government appears to be obtaining with NSLs.

2016

What We Know about the Section 215 Phone Dragnet and Location Data

During the lead-up to the USA Freedom Debate, the government leaked stories about receiving a fraction of US phone records, reportedly because of location concerns. The leaks were ridiculously misleading, in part because they ignored that the US got redundant collection of many of exactly the same calls they were looking for from EO 12333 collection. Yet in spite of these leaks, the few figured out that the need to be able to force Verizon and other cell carriers to strip location data was a far bigger reason to pass USAF than anything Snowden had done. This post laid out what was known about location data and the phone dragnet.

While It Is Reauthorizing FISA Amendments Act, Congress Should Reform Section 704

When Congress passed FISA Amendments Act, it made a show of providing protections to Americans overseas. One authority, Section 703, was for spying on people overseas with help of US providers, and another was for spying on Americans overseas without that help. By May 2016, I had spent some time laying out that only the second, which has less FISC oversight, was used. And I was seeing problems with its use in reporting. So I suggested maybe Congress should look into that?

It turns out that at precisely that moment, NSA was wildly scrambling to get a hold on its 704 collection, having had an IG report earlier in the year showing they couldn’t audit it, find it all, or keep it within legal boundaries. This would be the source of the delay in the 702 reauthorization in 2016, which led to the prohibition on about searches.

The Yahoo Scan: On Facilities and FISA

The discussion last year of a scan the government asked Yahoo to do of all of its users was muddled because so few people, even within the privacy community, understand how broadly the NSA has interpreted the term “selector” or “facility” that it can target for collection. The confusion remains to this day, as some in the privacy community claim HPSCI’s use of facility based language in its 702 reauthorization bill reflects new practice. This post attempts to explain what we knew about the terms in 2016 (though the various 702 reauthorization bills have offered some new clarity about the distinctions between the language the government uses).

2017

Ron Wyden’s History of Bogus Excuses for Not Counting 702 US Person Collection

Ron Wyden has been asking for a count of how many Americans get swept up under 702 for years. The IC has been inventing bogus explanations for why they can’t do that for years. This post chronicles that process and explains why the debate is so important.

The Kelihos Pen Register: Codifying an Expansive Definition of DRAS?

When DOJ used its new Rule 41 hacking warrant against the Kelihos botnet this year, most of the attention focused on that first-known usage. But I was at least as interested in the accompanying Pen Register order, which I believe may serve to codify an expansion of the dialing, routing, addressing, and signaling information the government can obtain with a PRTT. A similar codification of an expansion exists in the HJC and Lee-Leahy bills reauthorizing 702.

The Problems with Rosemary Collyer’s Shitty Upstream 702 Opinion

The title speaks for itself. I don’t even consider Rosemary Collyer’s 2017 approval of 702 certificates her worst FISA opinion ever. But it is part of the reason why I consider her the worst FISC judge.

It Is False that Downstream 702 Collection Consists Only of To and From Communications

I pointed out a number of things not raised in a panel on 702, not least that the authorization of EO 12333 sharing this year probably replaces some of the “about” collection function. Most of all, though, I reminded that in spite of what often gets claimed, PRISM is far more than just communications to and from a target.

UNITEDRAKE and Hacking under FISA Orders

A document leaked by Shadow Brokers reveals a bit about how NSA uses hacking on FISA targets. Perhaps most alarmingly, the same tools that conduct such hacks can be used to impersonate a user. While that might be very useful for collection purposes, it also invites very serious abuse that might create a really nasty poisonous tree.

A Better Example of Article III FISA Oversight: Reaz Qadir Khan

In response to Glenn Gerstell’s claims that Article III courts have exercised oversight by approving FISA practices (though the reality on back door searches is not so cut and dry), I point to the case of Reaz Qadir Khan where, as Michael Mosman (who happens to serve on FISC) moved towards providing a CIPA review for surveillance techniques, Khan got a plea deal.

The NSA’s 5-Page Entirely Redacted Definition of Metadata

In 2010, John Bates redefined metadata. That five page entirely redacted definition became codified in 2011. Yet even as Congress moves to reauthorize 702, we don’t know what’s included in that definition (note: location would be included).

FISA and the Space-Time Continuum

This post talks about how NSA uses its various authorities to get around geographical and time restrictions on its spying.

The Senate Intelligence Committee 702 Bill Is a Domestic Spying Bill

This is one of the most important posts on FISA I’ve ever written. It explains how in 2014, to close an intelligence gap, the NSA got an exception to the rule it has to detask from a facility as soon as it identifies Americans using the facility. The government uses it to collect on Tor and, probably VPN, data. Because the government can keep entirely domestic communications that the DIRNSA has deemed evidence of a crime, the exception means that 702 has become a domestic spying authority for use with a broad range of crimes, not to mention anything the Attorney General deems a threat to national security.

“Hype:” How FBI Decided Searching 702 Content Was the Least Intrusive Means

In a response to a rare good faith defense of FBI’s back door searches, I pointed out that the FBI is obliged to consider the least intrusive means of investigation. Yet, even while it admits that accessing content like that obtained via 702 is extremely intrusive, it nevertheless uses the technique routinely at the assessment level.

Other Key Posts Threads

10 Years of emptywheel: Key Non-Surveillance Posts 2008-2010

10 Years of emptywheel: Key Non-Surveillance Posts 2011-2012

10 Years of emptywheel: Key Non-Surveillance Posts 2013-2015

10 Years of emptywheel: Key Non-Surveillance Posts 2016-2017

10 Years of emptywheel: Jim’s Dimestore

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

HPSCI’s Big Reform to Section 702: Figure Out What “Derived From” Means, Six Months Too Late

During the precise period when news that Mike Flynn was pleading guilty to lying about conversations picked up on intercepts of Sergey Kislyak, the House Intelligence Committee was marking up their terrible Section 702 bill. The markup was a squabble fest, with a strict party line vote approving the measure, because the language on unmasking the HPSCI Republicans included in the last minute bill very specifically focuses on the transition period unmasking that got Flynn in trouble,

(6) If a covered request is made during a period beginning on the date of a general election for President and ending on the date on which such President is inaugurated—

(A) the documentation under paragraph (1) includes whether—

(i) the individual of a requesting element who is making the request knows or believes that any United States person identity sought by the request is of an individual who is a member of the transition team of the President-elect and Vice-President-elect; or

(ii) based on the intelligence community report to which the request pertains, the originating element knows or reasonably believes that any United States person identity sought by the request is of an individual who is a member of the transition team of the President-elect and Vice-President-elect;

But the far more interesting detail came as Devin Nunes described an amendment to the manager’s amendment, I believe on behalf of Adam Schiff.

It would require the government to tell the relevant oversight committees what “derived from” means under FISA.

SEC. 210. BRIEFING ON NOTIFICATION REQUIREMENTS.

Not later than 180 days after the date of the enactment of this Act, the Attorney General, in consultation with the Director of National Intelligence, shall provide to the Committee on the Judiciary and the Permanent Select Committee on Intelligence of the House of Representatives and the Committee on the Judiciary and the Select Committee on Intelligence of the Senate a briefing with respect to how the Department of Justice interprets the requirements under sections 106(c), 305(d), and 405(c) of the Foreign Intelligence Surveillance Act of 1978 50 U.S.C. 1806(c), 1825(d), and 1845(c)) to notify an aggrieved person under such sections of the use of information obtained or derived from electronic surveillance, physical search, or the use of a pen register or trap and trace device. The briefing shall focus on how the Department interprets the phrase ‘‘obtained or derived from’’ in such sections.

Understand, knowing what derived from means is utterly fundamental to enacting the least bit of oversight over FISA. Particularly given the abundant evidence that DOJ is not giving the legally required notice (and given that, because this notice language is not part of the minimization procedures that FISC polices), HPSCI would need to know to know if, as seems apparent, DOJ is basically a scofflaw on defendant notice.

But rather than holding hearings and demanding answers to this question (NSA Subcommittee Ranking Member Jim Himes revealed he has not been in any consultation on 702 reauthorization at all this year), HPSCI instead decided to pass a law requiring that they be told 6 months after they can do anything about it.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

“Hype:” How FBI Decided Searching 702 Content Was the Least Intrusive Means

Former FBI Special Agent Asha Rangappa has a defense of back door searches at Just Security that (unlike most defenses of 702) actually takes on those searches as practiced in most problematic way at FBI, rather than as done in much more controlled fashion at NSA.

FBI does federated searches

I think she nitpicks a few issues. For example, she claims that back door opponents claim there is a “stand-alone computer in the middle of each FBI office with a big sign that reads ‘702 DATABASE ‘” but then goes on to claim “FBI uses one database for all of its investigative functions,” even while admitting that the FBI really does “federated queries” of multiple repositories. The distinction — particularly given that we know the database comes with access limits tied to job function — could offer solutions to concerns about 702 data (including providing access to just metadata, a proposal I’m not a fan of but one she attacks in the post). She also ignores the FBI’s use of “ad hoc databases” that have posed access and data protection concerns in the past.  Which is to say, the technical realities of how FBI Agents access this data soup are more complex than she lays out, and those complexities should be part of the discussion because they present additional risks and opportunities.

FBI’s raw data will be US-person focused

Rangappa minimizes what percentage of raw data obtained by FBI would include US person contact.

According to FBI Director Christopher Wray, the FBI receives about 4.3 percent of the NSA’s total collection – and since not every incidental communication will necessarily involve an USPER, the number of communications involving Americans are likely less than that.

While the FBI does have global investigations, the FBI is going to have few full investigations that have no domestic component. Investigations focused on US victims (say a US company hacked by Russian or Chinese state actors) won’t include many US interlocutors, but the other most likely 702 related investigations would all be focused on international communications: who suspected extremists were talking to in the US, what Iranians were buying dual use or other proliferation products, including from US companies, which Americans that Chinese scientists or Russian businessmen were engaging with closely. The 5,000 or so targets sucked into FBI would be the 5,000 targets in most frequent contact with Americans, by design. That has been the entire justification for this collection program since its inception as Stellar Wind.

And — as Ron Wyden recently made clear — it is permissible to target a foreigner if collecting on a US person is one purpose of the targeting, so long as the foreigner is targetable in his own right. Indeed, we can probably point to examples where that happened. That’s going to increase the US content pulled in with those 5,000 targets.

702 can target a whole bunch of selectors

And I believe this is misleading.

PRISM allows the NSA to target non-U.S. persons reasonably believed to be located abroad based on “selectors” – like an email address or a phone number (but not keywords or names) – which will reasonably return foreign intelligence information.

It is true that upstream collection doesn’t use keywords (and has halted about collection altogether). It is true that the most common selector provided in a directive to Google will be an email address. But there are a slew of other kinds of selectors that NSA and FBI can target. That includes IP addresses, which given the 2014 exception means entirely domestic communications can be collected. Even ignoring the targeting of IP addresses that Americans are known to also use (which will come into FBI’s possession a different way), the collection on chat room IPs, just as one example, might suck up a lot more US person content than individual emails might. And the FBI can also search for things like cookies or encryption tools, which will pull in different kinds of content.

FBI’s queries are not all routinely audited

I think Rangappa overstates the tracking of queries and makes an outright error when she claims that backdoor searches are “routinely audited.”

Every query, furthermore, is documented and placed in a case file. (If we learned anything from James Comey, it’s that the FBI puts everything down on paper.) In fact, every query conducted by the FBI is recorded and must be traceable back to an authorized purpose and a case file.  Agent queries are routinely audited, and a failure of an agent to provide an authorized purpose for conducting a query can be grounds for sanctions, suspension, or even termination.

She overstates the tracking of queries because by design there’s not a case file for many of the queries in question, because they’re done at the assessment stage. Moreover, if the FBI tracked its queries as well as Rangappa claims, it could provide documentation of what was going on to oversight bodies, but it has persistently claimed it could not do so, not in public, and not even in private.

More importantly, the FBI’s use of 702 is simply not audited adequately. That’s true, in part, because in 2012-2013, FBI moved much of its FISA activity to field offices, and not every field office gets audited every six months.

During this reporting period, however, FBI transitioned much of its dissemination from FBI Headquarters to FBI field offices. NSD is conducting oversight reviews of FBI field offices use of these disseminations, but because every field office is not reviewed every six months, NSD no longer has comprehensive numbers on the number of disseminations of United States person information made by FBI.

In 2015 — the most recent period for which we’ve gotten a Semiannual Report — NSD only reviewed minimization at 15 field offices (and ODNI did not attend all of these).

During these field office reviews, NSD also audits a sample of FBI personnel queries in systems that contain unminimized Section 702 collection. As detailed in the attachments to the Attorney General’s Section 707 Report, NSD conducted minimization reviews at 15 FBI field offices during this reporting period and reviewed cases involving Section 702-tasked facilities.

FBI has 56 field offices. And while I’m confident that NSD focuses its 702 reviews on the offices that work with FISA most often — places like DC, NY, LA, SF, and places with significant foreign population, like Detroit and Minneapolis — that means that when a field office that doesn’t use FISA often (say, if an Agent in Milwaukee were researching a hacker named MalwareTech), a combination of inexperience and lax oversight might be especially likely to result in problems.  And note, in any office, just a sample of queries gets reviewed, as the government explained to FISC last year, and the tracking isn’t detailed enough to figure out what occurred with a query without talking to the Agent who did it.

Additionally, NSD conducts minimization reviews in multiple FBI field offices each year. As part of these minimization reviews, NSD and FBI National Security Law Branch have emphasized the above requirements and processes during field office training. Further, during the minimization reviews, NSD audits a sample of queries performed by FBI personnel in the databases storing raw FISA-acquired information, including raw section 702-acquired information. Since December 2015, NSD has reviewed these queries to determine if any such queries were conducted solely for the purpose of retaining evidence of a crime. If such a query was conducted, NSD would seek additional information from the relevant FBI personnel as to whether FBI personnel received and reviewed section 702-acquired information of or concerning a U.S. person in response to such a query.

Notably, the one case where FBI reported a criminal return on a criminal search in 702 information only got reported after NSD did follow-up questioning. So yeah, NSD spends 4 days at Main Justice reviewing this stuff and goes to 27% of the field offices every six months, but that’s a far cry from “routinely auditing” queries.

The importance of investigative levels

The most remarkable thing about Rangappa’s post, however, is how well she exhibits the absurdity of what really goes on here. She correctly states — as I reported here — that FBI only obtains 702 content in full investigations. And she provides a short description of FBI’s three investigative levels.

Specifically, the NSA passes on to the FBI information collected on selectors associated with “Full Investigations” opened by the FBI. Full Investigations are the most serious class of investigations within the Bureau, and require the most stringent predicate to open: There must be an “articulable factual basis” that a federal crime has occurred or is occurring or a threat to national security exists.  (Two other investigative classifications, Preliminary Investigations and Threat Assessments, have lower thresholds to open and shorter time limits to remain open.)

She helpfully describes how investigations work through stages, with new investigative methods approved for each

Querying DIVS is, quite literally, the first and most basic thing the FBI does in its investigative sequence. Depending on the kind of information the search returns, an agent will then take the next prescribed step as outlined in the FBI’s Domestic and Investigative Operations Guide (DIOG) until a case is either opened for further investigation, or the matter is resolved in the negative and closed.

She then dismisses the concern that FBI does queries of 702 data at the assessment level without really addressing it.

Much of the criticism of the FBI’s use of 702 centers around the fact that agents can query subjects in their databases even if there is no evidence of criminal wrongdoing. However, as any law enforcement official will tell you, criminals and spies don’t show up on the doorstep of law enforcement with all of their evidence and motives neatly tied up in a bow. Cases begin with leads, tips, or new information obtained in the course of other cases. Often, the discrete pieces of information the FBI receives may not in and of themselves constitute criminal acts – and the identifying information provided to the FBI may be incomplete. However, anytime the FBI receives a credible piece of information that could indicate a potential violation of the law or a threat to national security, it has a legal duty determine whether a basis for further investigation exists. It is for this reason that a query of its existing databases is essential before proceeding further.

Somehow, the necessity of investigating a tip requires not an assessment of the lead itself, but querying a vast data store to see if the lead connects to any other known evidence even if that evidence is not itself evidence of criminal behavior. (One of the reasons FBI does that — which I’ve written about elsewhere — is to make it easier to find informants.)

That logic — which absolutely reflects the logic under which FBI operates — is all the more bizarre given the fact that the FBI is obliged, under the same DIOG Rangappa cites as the basis for the step-by-step development of an FBI case, to always consider using the “least intrusive” means as laid out by this language in the Attorney General Guidelines.

The conduct of investigations and other activities authorized by these Guidelines may present choices between the use of different investigative methods that are each operationally sound and effective, but that are more or less intrusive, considering such factors as the effect on the privacy and civil liberties of individuals and potential damage to reputation. The least intrusive method feasible is to be used in such situations.

DIOG section 4.4, which lays out what least intrusive means, says that “wiretaps … are very intrusive.” It says that “collecting information regarding an isolated event, such as a certain phone number called … is less intrusive or invasive of an individual’s privacy than collecting a complete communications … profile.” It states that, “If, for example, the threat is remote, the individual’s involvement is speculative, and the probability of obtaining probative information is low, intrusive methods may not be justified, and, in fact, may do more harm than good.”

Ultimately, though, the DIOG swallows all these rules by stating that, “FBI employees may use any lawful method allowed, even if intrusive, where the intrusiveness is warranted by the threat to the national security.” The logic must be — probably not born out even by FBI’s limitation to obtaining raw 702 data tied to Full Investigations — that for any person tied to a Full Investigation, any possible tie to an American about whom someone has submitted a tip, national security overrides all FBI’s rules about least intrusive methods.

But nonetheless, the FBI’s own guidelines admit how intrusive it is to start an investigation by looking at entire conversations rather than simply seeing the record of a email sent. That is, however, what the routine practice is.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

WAG: The Government Made a Significant FISA Back Door Request Just Before December 9, 2015

As I’ve noted, we can be virtually certain that the government has started demanding back doors from tech companies via FISA requests, including Section 702 requests that don’t include any court oversight of assistance provided. Wyden said as much in his statement for the SSCI 702 reauthorization bill request.

It leaves in place current statutory authority to compel companies to provide assistance, potentially opening the door to government mandated de-encryption without FISA Court oversight.

We can point to a doubling of Apple national security requests in the second half of 2016 as one possible manifestation of such requests.

The number of national security orders issued to Apple by US law enforcement doubled to about 6,000 in the second half of 2016, compared with the first half of the year, Apple disclosed in its biannual transparency report. Those requests included orders received under the Foreign Intelligence Surveillance Act, as well as national security letters, the latter of which are issued by the FBI and don’t require a judge’s sign-off.

We might even be able to point to a 2015 request that involved an amicus (likely Amy Jeffress) and got appealed.

Given those breadcrumbs, I want to return to this post on the demand for a back door into the work phone of the San Bernardino killer, Syed Rezwan Farook. In it, I presented a number of other data points to suggest such a request may have come in late 2015. First, in a court filing, Apple claimed to object to a bunch of requests for All Writs Act assistance to break into its phones on the same day, December 9, 2015.

As I noted the other day, a document unsealed last week revealed that DOJ has been asking for similar such orders in other jurisdictions: two in Cincinnati, four in Chicago, two in Manhattan, one in Northern California (covering three phones), another one in Brooklyn (covering two phones), one in San Diego, and one in Boston.

According to Apple, it objected to at least five of these orders (covering eight phones) all on the same day: December 9 (note, FBI applied for two AWAs on October 8, the day in which Comey suggested the Administration didn’t need legislation, the other one being the Brooklyn docket in which this list was produced).

Screen Shot 2016-02-24 at 7.23.53 PM

The government disputes this timeline.

In its letter, Apple stated that it had “objected” to some of the orders. That is misleading. Apple did not file objections to any of the orders, seek an opportunity to be heard from the court, or otherwise seek judicial relief. The orders therefore remain in force and are not currently subject to litigation.

Whatever objection Apple made was — according to the government, anyway — made outside of the legal process.

But Apple maintains that it objected to everything already in the system on one day, December 9.

Why December 9? Why object — in whatever form they did object — all on the same day, effectively closing off cooperation under AWAs in all circumstances?

I suggested that one explanation might have been a FISA request for the same thing. Apple would know that FISC takes notice of magistrate decisions, and would want to avoid fighting that battle on two fronts.

There are two possibilities I can think of, though they are both just guesses. The first is that Apple got an order, probably in an unrelated case or circumstance, in a surveillance context that raised the stakes of any cooperation on individual phones in a criminal context. I’ll review this at more length in a later post, but for now, recall that on a number of occasions, the FISA Court has taken notice of something magistrates or other Title III courts have done. For location data, FISC has adopted the standard of the highest common denominator, meaning it has adopted the warrant standard for location even though not all states or federal districts have done so. So the decisions that James Orenstein in Brooklyn and Sheri Pym in Riverside make may limit what FISC can do. It’s possible that Apple got a FISA request that raised the stakes on the magistrate requests we know about. By objecting across the board — and thereby objecting to requests pertaining to iOS 8 phones — Apple raised the odds that a magistrate ruling might help them out at FISA. And if there’s one lawyer in the country who probably knows that, it’s Apple lawyer Marc Zwillinger.

At the time, Tim Cook suggested that “other parts of government,” aside from the FBI, were asking for more, suggesting the NSA might be doing so.

Aside the obvious reasons to wonder whether Apple got some kind of FISA request, in his interview with ABC the other day, Tim Cook described “other parts of government” asking for more and more cases (though that might refer to state and city governments asking, rather than FBI in a FISA context).

The software key — and of course, with other parts of the government asking for more and more cases and more and more cases, that software would stay living. And it would be turning the crank.

The other possibility is that by December 9, Apple had figured out that — a full day after Apple had started to help FBI access information related to the San Bernardino investigation, on December 6 — FBI took a step (changing Farook’s iCloud password) that would make it a lot harder to access the content on the phone without Apple’s help.

Obviously, there are other possible explanations for these intersecting breadcrumbs (including that the unidentified 2015 amicus appointment was for some other issue, and that it didn’t relate to appeals up to and including the Supreme Court). But if these issues were all related it’d make sense.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

The Intelligence Community’s Swiss Cheese Preemptive 702 Unmasking Reports: Now with Twice the Holes!

Because a white man still liked by some members of Congress had FISA-collected conversations leaked to the press, Republicans who used to applaud surveillance started to show some more concerns about it this year. That has been making reauthorization of Section 702 unexpectedly challenging. Both the HJC and SJC bills reauthorizing the law include new reporting requirements, which include mandates to provide real numbers for how many Americans get unmasked in FISA reports. There’s no such requirement on the SSCI bill.

Instead, explicitly in response to concerns raised in SSCI’s June 7 hearing on 702 reauthorization (even though the concern was also raised earlier in HJC and SJC hearings), I Con the Record has released an ODNI report on disseminations under FISA, a report it bills as “document[ing] the rigorous and multi-layered framework that safeguards the privacy of U.S. person information in FISA disseminations.”

The report largely restates language that is available in the law or declassified targeting and minimization procedures, though there are a few tidbits worth noting. Nevertheless, the report falls far short of what the SJC and HJC bills lay out, which is a specific count and explanation of the unmasking that happens (though NSA, in carrying out a review of a month’s worth of serialized reports, examining out their treatment of masking, does model what HJC and SJC would request).

The report consists of the DNI report with separate agency reports. I’ll deal with the latter first, then return to the DNI report.

NSA

The NSA report starts by narrowing the scope of the dissemination it will cover significantly in two ways.

This report examines the procedures and practices used by the National Security Agency (NSA) to protect U.S. person information when producing and disseminating serialized intelligence reports derived from signals intelligence (SIGINT) acquired pursuant to Title I and Section 702 of the Foreign Intelligence Surveillance Act of 1978, as amended (FISA). 1

1This report is limited to an examination of the procedures and practices used to protect FISA-acquired U.S. person information disseminated in serialized intelligence reports. This report does not examine other means of dissemination. For purposes of this report, the term “dissemination” should be interpreted as a reference to serialized intelligence reporting, unless otherwise indicated.

First, it treats just Title I and Section 702. That leaves out at least two other known collection techniques of content (to say nothing of metadata) under FISA: Title III (FBI probably does almost all of this, though it might be accomplished via hacking) and Section 704/705b targeting Americans overseas (which has been a significant problem of late).

More importantly, by limiting the scope to serialized reports, NSA’s privacy officer completely ignores the two most problematic means of disseminating US person data: by collecting it off Tor and other location obscured nodes and then deeming it evidence of a crime that can be disseminated in raw form to FBI, and by handing raw data to the FBI (and, to a lesser extent, CIA and NCTC).

As the report turns to whether NSA’s procedures meet Fair Information Practice Principles, then, the exclusion of these four categories of data permit the report to make claims that would be unsustainable if those data practices were included in the scope of the report.

The principle of Data Minimization states that organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose. The steps taken from the outset of the SIGINT production process to determine what U.S. person information can and should be disseminated directly demonstrate how this principle is met, as do NSA’s procedures and documentation requirements for the proactive and post-publication release of U.S. identities in disseminated SIGINT.

The principle of Use Limitation provides that organizations should use PII solely for the purposes specified in the notice. In other words, the sharing of PII should be for a purpose compatible with the purpose for which it was collected. NSA’s SIGINT production process directly reflects this principle.

[snip]

The principle of Accountability and Auditing states that organization should be accountable for complying with these principles, providing training to all employees and contractors who use personally identifiable information, auditing the actual use of personally identifiable information to demonstrate compliance with these principles and all applicable privacy protections.

For example, the collection of US person data off a Tor node is not relevant to the specified purpose (nor are the criminal categories under which NSA will pass on data). That’s true, too, of Use Limitation: the government is collecting domestic child porn information in the name of foreign intelligence, and the government is doing back door searches of raw 702 data for any matter of purpose. Finally, we know that the government has had auditing problems, particularly with 704/705b. Is that why they didn’t include it in the review, because they knew it would fail the auditing requirement?

CIA

CIA’s report is not as problematic as NSA’s one, but it does have some interesting tidbits. For example, because it mostly disseminates US person information for what it calls tactical purposes and to a limited audience, it rarely masks US person identities.

More specifically, unlike general “strategic” information regarding broad foreign intelligence threats, CIA’s disseminations of information concerning U.S. persons were “tactical” insofar as they were very often in response to requests from another U.S. intelligence agency for counterterrorism information regarding a specific individual, or in relation to a specific national security threat actor or potential or actual victim of a national security threat.

Relatedly, because these disseminations were generally for narrow purposes and sent to a limited number of recipients, the replacement of a U.S. person identity with a generic term (e.g., “named U.S. person,” sometimes colloquially referred to as “masking”) was rare, due to the need to retain the U.S. person identity in order to understand the foreign intelligence information by this limited audience.

CIA, like NSA, has its own unique definition of “dissemination:” That which gets shared outside the agency.

Information shared outside of CIA is considered a dissemination, and is required to occur in accordance with approved authorities, policies, and procedures.

Much later, dissemination is described as retaining information outside of an access-controlled system, which suggests fairly broad access to the databases that include such information.

Prior to dissemination of any information identifying, or even concerning, a U.S. person, the minimization procedures require that CIA make a determination that the information concerning the U.S. person may be retained outside of access-controlled systems accessible only to CIA personnel with specialized FISA training to review unevaluated information. I

Whereas NSA focused very little attention on its targeting process (which allows it to collect entirely domestic communications), CIA outsources much of its responsibility for limiting intake to FBI and NSA (note, unlike NSA, it includes Title III collection in its report, but also doesn’t treat 704/705b). For example, it focuses on the admittedly close FISA scrutiny FBI applications undergo for traditional FISA targeting, but then acknowledges that it can get “unevaluated” (that is, raw) information in some cases.

If requested by FBI in certain cases, unevaluated information acquired by FBI can be shared with CIA.

Likewise, the CIA notes that it can nominate targets to NSA, but falls back on NSA’s targeting process to claim this is not a bulk collection program (one of CIA’s greatest uses of this data is in metadata analysis).

CIA may nominate targets to NSA for Section 702 collection, but the ultimate decision to target a non-U.S. person reasonably believed to be located outside the United States rests with NSA.

[snip]

Section 702 is not a bulk collection program; NSA makes an individualized decision with respect to each non-U.S. person target.

Thus, the failure of the NSA report to talk about other collection methods (in CIA’s case, of incidental US person data in raw data) ports the same failure onto CIA’s report.

NCTC

NCTC’s report is perhaps the most amusing of all. It provides the history of how it was permitted to obtain raw Title I and Title III data in 2012 and 702 data in 2017 (like everyone else, it is silent on 704/705b data, though we know from this year’s 702 authorization they get that too), then says its use and dissemination of 702 data is too new to have been reviewed much.

Because NCTC just recently (in April 2017) obtained FISC authority to receive unminimized Section 702-acquired counterterrorism information, only a small number of oversight reviews have occurred. CLPT is directly involved in such reviews, including reviews of disseminations.

In other words, it is utterly silent about its dissemination of Title I and Title III data compliance. It is likewise silent on a dissemination that is probably unique to NCTC: the addition of US person names to watchlists based off raw database analysis. The dissemination of US person names in this way aren’t serialized reports, but they have a direct impact on the lives of Americans.

FBI

It’s hard to make sense of the FBI document because it lacks logical organization and includes a number of typos. More importantly, over and over it either materially misrepresents the truth (particularly in FBI’s access to entirely domestic communications collected under 702) or simply blows off requirements (most notably with its insistence that back door searches are important, without making any attempt to assess the privacy impact of them).

Bizarrely, the FBI treats just Title I and 702 in its report, even though it would be in charge of Title III collection in the US, and 705b collection would be tied to traditional FISA authorities.

Like CIA, FBI’s relies on NSA’s role in targeting, without admitting that NSA can collect on selectors that it knows to also be used by US persons, and can disseminate the US person data to FBI in case of a crime. Indeed, FBI specifically neglects to mention the 2014 exception whereby NSA doesn’t have to detask from a facility once it discovers US persons are using it as well as the foreign targets.

Targets under Section 702 collection who are subsequently found to be U.S. persons, or non-U.S. persons located in the U.S., must be detasked immediately

The end result if materially false, and false in a way that would involve dissemination of US person data (though not in a serialized report) from NSA to FBI.

The FBI report also pretends that a nomination would pertain primarily to an email address, rather than (for example) and IP address, in spite of later quoting from minimization procedures that reveal it is far broader than that: “electronic communication accounts/addresses/identifiers.”

After talking about its rules on dissemination, the FBI quickly turns to federated database “checks.”

Among other things, since 9/11, the FBI has dedicated considerable time, effort, and money to develop and operate a federated database environment for its agents and analysts to review information across multiple datasets to establish links between individuals and entities who may be associated with national security and/or criminal investigations. This allows FBI personnel to connect dots among various sources of information in support of the FBI’s investigations, including accessing data collected pursuant to FISA in a manner that is consistent with the statute and applicable FISA court orders. The FBI has done this by developing a carefully overseen system that enables its personnel to conduct database checks that look for meaningful connections in its data in a way that protects privacy and guards civil liberties. Maintaining the capability to conduct federated database checks is critical to the FBI’s success in achieving its mission.

But it doesn’t distinguish the legal difference between dissemination and checks. Far more importantly, it doesn’t talk about the privacy impact of these “checks,” a tacit admission that FBI doesn’t even feel the need to try to justify this from a privacy perspective.

Unlike NSA, FBI talks about the so-called prohibition on reverse targeting.

Reverse targeting is specifically prohibited under Section 702.31 “Reverse targeting” is defined as targeting a non-U.S. person who is reasonably believed to be located outside of the U.S. with the true purpose of acquiring communications of either (1) a U.S. person or (2) any individual reasonably believed to be located inside of the U.S. with whom the non-U.S. person is in contact.32

Yet we know from Ron Wyden that this prohibition actually permits FBI to nominate a foreigner even if a purpose of that targeting is to get to the Americans communications.

FBI talks about its new Title I minimization procedures, without mentioning that requirements on access controls and auditing arose in response to violations of such things.

The SMPs require, for example, FISA-acquired information to be kept under appropriately secure conditions that limit access to only those people who require access to perform their official duties or assist in a lawful and authorized governmental function.37 The SMP also impose an auditing requirement for the FBI to “maintain accurate records of all persons who have accessed FISA-acquired information in electronic and data storage systems and audit its access records regularly to ensure that FISA-acquired information is only accessed by authorized individuals.”38

And nowhere does FBI talk about the dissemination of US person data to ad hoc databases.

Remarkably, unlike NSA, FBI didn’t actually appear to review its dissemination practices (at least there’s no described methodology as such). Instead, it reviews its dissemination policy.

The instant privacy review found that the FBI’s SMP and Section 702 MP, which are subject to judicial review, protect the privacy rights of U.S. persons by limiting the acquisition, retention, and dissemination of their non-publicly available information without their consent. In addition, both sets of minimization procedures require that FISA-acquired information only be used for lawful purposes.42

Then it engages in a cursory few line review of whether it complies with FIPP. Whereas NSA assessed compliance with “Transparency, Use Limitation, Data Minimization, Security, Quality and Integrity, Accountability, and Auditing (but found Purpose specification not considered directly relevant), FBI at first assessed only Purpose specification. After noting that such a privacy review is not required in any case because FBI’s systems have been deemed a national security system, it then asserts that “DOJ and FBI conducted a review for internal purposes to ensure that all relevant privacy issues are addressed. These reviews ensure that U.S. person information is protected from potential misuse and/or improper dissemination.”

Later, it uses the affirmative permission to share data with other state and local law enforcement and foreign countries as a privacy limit, finding that it fulfills data minimization and transparency (and purpose, again).

Like the SMP for Title I of FISA, the Section 702 MP permits the FBI to disseminate Section 702-acquired U.S. person information that reasonably appears to be foreign intelligence information or is necessary to understand foreign intelligence information or assess its importance to federal, state, local, and tribal officials and agencies with responsibilities relating to national security that require access to intelligence information.50 The FBI is also permitted to disseminate U.S. person information that reasonably appears to be evidence of a crime to law enforcement authorities.51 In addition, the Section 702 MP provides guidelines that must be met before dissemination of U.S. person information to foreign governments is allowed.52 The dissemination of Section 702 information to a foreign government requires legal review by the NSCLB attorney assigned to the case.53 In light of the above judicially-reviewed minimization procedures for the dissemination of FISA acquired information, the FBI’s current implementation satisfies the data minimization and transparency FIPPs.

With respect to dissemination, FBI focuses on finished intelligence reports, not investigative files, where most data (including data affecting Mike Flynn) would be broadly accessed. Then, far later, it says this review found no violations, “in finished intelligence.”

Finally, the instant review found no indication of noncompliance with the required authorities governing dissemination of U.S. person information in finished intelligence.

At this point, the report appears to be a flashing siren of all the things it either clearly didn’t investigate or wouldn’t describe. Which worries me.

It then turns FBI’s failures to give notice that data derives from FISA as a privacy benefit, rather than a violation of the laws mandating disclosure.

While the redaction of U.S. person information may commonly be referred to as “masking,” the FBI does not generally use that term.

In addition, disseminations or disclosures of FISA-acquired information must be accompanied by a caveat. All caveats must contain, at a minimum, a warning that the information may not be used in a legal proceeding without the advanced authorization of the FBI or Attorney General.48 This helps ensure the information is properly protected.

And in the four paragraphs FBI dedicates to public transparency, it not only doesn’t admit that it has been exempted from most reporting on 702 use, but it doesn’t once mention mandated notice to defendants, which it has only complied with around 8 times.

There are many ways FBI could have handled this report to avoid making it look like a guilty omission that, while its finished intelligence reports aren’t a big US person data dissemination problem, virtually every other way it touches 702 data is. But it didn’t try any of those. Instead, it just engaged in omission after omission.

DNI

My unease over the giant holes in the FBI report carry over to a one detail in the DNI report. It’s only there that the government admits something that Semiannual 702 reports have admitted since FBI dispersed targeting to field offices. While the 702 reviews review pretty much everything NSA does and many things CIA does, the reviews don’t review all FBI disseminations, and they only include in their sample disseminations affirmatively identified as US person information.

As it pertains to reviewing dissemination of Section 702 information, ODNI and DOJ’s National Security Division (NSD) review many of the agencies’ disseminations as part of the oversight reviews to assess compliance with each agency’s respective minimization procedures and with statutory requirements.25 NSD and ODNI examine the disseminations to assess whether any information contained therein that appears to be of or concerning U.S. persons meets the applicable dissemination standard found in the agency’s minimization procedures; whether other aspects of the dissemination requirements (to include limitations on the dissemination of attorney-client communications and the requirement of a FISA warning statement as required by 50 U.S.C. § 1806(b)) have been met; and whether the information disseminated is indicative of reverse targeting of U.S. persons or persons located in the United States.

25For example, as it pertains to NSA, NSD currently reviews all of the serialized reports (with ODNI reviewing a sample) that NSA has disseminated and identified as containing Section 702-acquired U.S. person information. For CIA and NCTC, NSD currently reviews all dissemination (with ODNI reviewing a sample) of information acquired under Section 702 that the agency identified as potentially containing U.S. person information. For FBI, both NSD and ODNI currently review a sample of disseminations of information acquired under Section 702 that FBI identifies as potentially containing U.S. person information.

This is one of a number of reasons why FBI only identified one criminal 702 query last year — only after that one query was selected as part of the review, and only after some haranguing, was it identified as an entirely criminal query.

The DNI report makes one more incorrect claim — that all incidents of non-compliance have been remediated.

Disseminating FISA information in a manner that violates the minimization procedures would, therefore, be a violation of the statute, as would use or disclosure of the information for unlawful purposes. As noted above, identified incidents of non-compliance with the minimization procedures, to include improper disseminations, are reported to the FISC and to the congressional intelligence committees and those incidents are remediated.

That was true before this year, I guess. But Rosemary Collyer, in a deviation from past practice of requiring the government to destroy data collected without authorization, did not require NSA to destroy the poison fruit of unauthorized 704b and other back door queries (though perhaps DNI believes their claim is true given the way everyone has avoided talking about the more troubled collection techniques).

The DNI report ends with a boast about what it calls “transparency.”

These reviews also illustrate the importance of transparency. Historically, many of the documents establishing this framework were classified and not available to the public. In recent years, much progress has been made in releasing information from these documents, and providing context and explanations to make them more readily understandable. We trust that these reviews are a further step in enhancing public understanding of these key authorities. It is important to continue with transparency efforts like these on issues of public concern, such as the protection of U.S. person information in FISA disseminations.

It is true that these reports rely on a great deal of declassified information. But that does not amount to “transparency,” unless you’re defining that to mean something that hides the truth with a bunch of off-topic mumbo jumbo.

This report appears to be an attempt to stave off real reporting requirements for unmasked information — an attempt to placate the Republicans who are rightly troubled that the contents of FISA intercepts in which Mike Flynn was incidentally collected.

But no person concerned about the impact on US persons of FISA should find these reports reassuring. On the contrary, the way in which, agency after agency, the most important questions were dodged should raise real alarms, particularly with respect to FBI.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

Leahy-Lee versus USA Lip Service: An Improvement, But Still a Domestic-as-Foreign Surveillance Bill

Patrick Leahy and Mike Lee have introduced their version of Section 702 reauthorization, which like HJC they also call USA Liberty and like that bill doesn’t improve liberty. For convenience and because I refuse to use Orwellian terms to whitewash surveillance, I’ll refer to them going forward as Leahy-Lee and USA Lip Service, respectively.

Leahy-Lee is an improvement on USA Lip Service.

Leahy-Lee’s warrant requirement is real

That’s true, first of all, because the warrant requirement to access content via back door searches is real. The bill requires a probable cause warrant for both foreign intelligence and criminal purposes. And because it is a meaningful warrant requirement, the count of how many warrants are obtained will also be real.

The bill permits searches on (and with AG-plus-designates approval, access to) metadata-plus. Like USA Lip Service, the bill doesn’t define the expanded definition of metadata, though it appears to permit the same location-based access that USA Lip Service does.

The bill is silent on whether metadata from searches can be the sole evidence in the warrant application to FISC, which may water down the warrant requirement dramatically.

Leahy-Lee doesn’t sunset the prohibition on about collection

Also unlike USA Lip Service, Leahy-Lee does not sunset the prohibition on about collection.

There are two areas where USA Lip Service is different in ways that may make it better.

USA Lip Service may not track White House unmasking

First, in a report on the number of unmaskings, USA Lip Service requires reports on the number of unmaskings by any “element of the Federal Government.”

(3) The number of—

(A) United States persons whose information is unmasked pursuant to the procedures adopted under subsection (e)(4) of such section;

(B) requests made by an element of the Federal Government, listed by each such element, to unmask information pursuant to such subsection; and

(C) requests that resulted in the dissemination of names, titles, or other identifiers potentially associated with individuals pursuant to such subsection, including the element of the intelligence community and position of the individual making the request.

Leahy-Lee only requires reporting under clause B from the IC.

(B) requests made by an element of the intelligence community, listed by each such element, to unmask information pursuant to such subsection;

That may have the effect of missing any unmasking done at the White House. I don’t much care about this stuff, but for Republicans that do, it’s an interesting omission in the Senate bill.

Leahy-Lee doesn’t limit use of information to 702 certificates

Perhaps most interesting, Leahy-Lee doesn’t have language that was added in the manager’s amendment of USA Lip Service, which would restrict the use of information collected under Section 702 to topics generally covered by the known certificates for it: terrorists, spies, proliferation, nation-state hacking, and other critical infrastructure issues.

(2) LIMITATION ON USE OF CERTAIN EXCEPTED QUERIED INFORMATION.—No information accessed or disseminated pursuant to section 702(j)(2)(D)(iv), or evidence derived therefrom, may be received in evidence or otherwise used pursuant to paragraph (1), except—

(A) with the prior approval of the Attorney General; and

(B) in a proceeding or investigation in which the information or evidence is directly related to and necessary to address a specific threat of—

(i) an act of terrorism specified in clauses (i) through (iii) of section 2332b(g)(5)(B) of title 18, United States Code;

(ii) espionage (as used in chapter 37 of title 18, United States Code);

(iii) proliferation or use of a weapon of mass destruction (as defined in section 2332a(c) of title 18, United States Code);

(iv) a cybersecurity threat (as defined in section 101(5) of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501(5)) from a foreign country;

(v) incapacitation or destruction of critical infrastructure (as defined in section 1016(e) of the USA PATRIOT Act (42 16 U.S.C. 5195c(e))); or

(vi) a threat to the armed forces of the United States or an ally of the United States or to other personnel of the United States Government or a government of an ally of the United States.

Leahy-Lee still permits the collection of entirely domestic communications

The difference is important because Leahy-Lee does nothing to stop the known collection of entirely domestic communications, which I have reported involves the collection of Tor and (probably) VPN traffic. At least under HJC, that information can’t be used for many of the domestic crime purposes explicitly laid out in the SSCI bill, including murder, child porn, human trafficking (presumably including sex work), and narcotics trafficking. But Leahy-Lee would permit those uses.

Leahy rolled out his bill with this erroneous statement from Liza Goitein.

Elizabeth Goitein, co-director of the Brennan Center’s Liberty and National Security Program, said:  “This bill fixes the most serious problem with Section 702 surveillance today: the government’s ability to read Americans’ e-mails and listen to their telephone calls without a warrant,” and called the legislation “a very promising development in the reform debate.”

This is false. Leahy-Lee still permits the government to access (and with DIRNSA approval, retain) the entirely domestic communications of the 430,000 Americans that use Tor each day. Perhaps that’s why Leahy had Goitein make the comment, because he surely knows this is false.

ACLU comes out in support of a bill they admit is constitutionally deficient

And Goitein’s Brennan Center is not the only NGO supporting this bill. ACLU released a statement that can only be described as schizophrenic in support of the bill. While ACLU’s legislative counsel, Neema Singh Guliani, thankfully makes none of the errors that Goitein makes, she nevertheless admits that 702 remains constitutionally problematic.

“While this bill does not address all the constitutional concerns with Section 702, it represents an important step forward from the dismal status quo. The ACLU supports this bill, and urges Congress to ensure its reforms become law.”

And the statement goes on to lay out, correctly, several advantages of the Wyden-Paul bill, including ensuring that defendants (and affected people, like lawyers from ACLU working with targeted clients internationally) get notice and can challenge collection.

The ACLU urges improvements to the bill that would require a court order to access metadata collected under Section 702, narrow collection, and ensure the government provides appropriate notice.

Congress is currently considering several bills in advance of the Section 702 reauthorization deadline. Sens. Ron Wyden (D-Ore.) and Rand Paul (R-Ky.) have introduced S.1997, the USA Rights Act, which completely closes the backdoor search loophole, ends the collection of known domestic communications, and takes steps to ensure that the government provides notice to individuals who have Section 702 information used against them. The ACLU supports this bill.

I’m very confused — and, as a member, gravely concerned — about why the ACLU would adopt such a schizophrenic strategy, and why it would lobby in favor of things that its other lawyers are litigating against.

ACLU risks losing the ability to sue on these issues in the future if it remains on this bill (which is one reason I was so glad they didn’t back USA Freedom in 2015). And if they can’t sue, than we can’t fix the issues that ACLU, in its statement, lays out as problems in Leahy-Lee.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

On 702, NSA Wants to Assure You You’re Not a Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target

NSA just released a touchy-feely Q&A, complete with a touchy-feely image of the NSA, explaining “the Impact of Section 702 on the Typical American.”

I shall now shred it.

First note that this document deals with 702? It should be dealing with Title VII, because the entire thing gets reauthorized by 702 reauthorization. That means Sections 704 and 705(b), which are used to target Americans, will be reauthorized. And they have had egregious problems in recent years (even if the problems only affect some subset of around 300 Americans). Sure, Paul Manafort and Carter Page are not your “typical” Americans, but abuses against them would be problematic for reasons that could affect Americans (not least that they could fuck up the Mueller probe if FISA disclosure for defendants weren’t so broken).

The piece starts by talking about how the IC uses 702 to “hunt” for information on “adversaries,” which it suggests include terrorists and hackers.

The U.S. Intelligence Community relies on Section 702 of the Foreign Intelligence Surveillance Act in the constant hunt for information about foreign adversaries determined to harm the nation or our allies. The National Security Agency (NSA), for example, uses this law to target terrorists and thwart their plans. In a time of increasing cyber threats, Section 702 also aids the Intelligence Community’s cybersecurity efforts.

Somehow, it neglects to mention the foreign government certificate — which can target people who aren’t “adversaries” at all, but instead foreign muckety mucks we want to know about — or the counterproliferation certificate — which can target businesses of all kinds that deal in dual use technologies. Not to mention the SysAdmins that it might target for all these purposes.

The piece then lays out in two paragraphs and six questions (I include just one below) the basic principles that 702 can only “target” foreigners overseas.

Under Section 702, the government cannot target a U.S. person anywhere in the world, or any person located in the United States.

Under Section 702, NSA can target foreigners reasonably believed to be located outside the United States only if it has a basis to believe it will acquire certain types of foreign intelligence information that have been authorized for collection.

[snip]

Q: Can I, as an American, be the target of Section 702 surveillance?

A: No. As an American citizen, you cannot be the target of surveillance under Section 702. Even if you were not an American, you could not be targeted under Section 702 if you were located in the United States.

Effectively, this passage might as well say, “target target target target target target target target target target
target target target target target target target target target,” which is how many times (19) the word is used in the touchy-feely piece. The word “incidental” appears just once, where it entertains what happens if one of “Mary’s” foreign relatives were in a terrorist organization.

Q: One of Mary’s foreign relatives in South America is a member of an international terrorist group. Could Mary’s conversations with that relative be collected under Section 702?

A: Yes, it’s possible, if the U.S. government is aware of the relative’s membership in a terrorist group and the relative is one of the 106,000 targets under Section 702. However, even if this scenario occurred, there would still be protections in place for Mary, a U.S. citizen, if her conversations with that target were incidentally intercepted. For example:

U.S. intelligence agencies’ court-approved minimization procedures are specifically designed to protect the privacy of U.S. persons by, among other things, limiting the circumstances in which NSA can include the identity of a U.S. person in an intelligence report. Moreover, even where those procedures allow the NSA to include the identity of a U.S. person in an intelligence report, NSA frequently substitutes the U.S. person identity with a generic phrase or term, such as “U.S. person 1” or “a named U.S. person.” NSA calls this “masking” the identity of the U.S. person.

There are also what’s known as “age-off requirements”: After a certain period of time, the IC must delete any unminimized Section 702 information, regardless of the nationality of the communicants.

I guess the NSA figured if they used “Fatima,” whose relatives were in Syria, this scenario would be too obvious?

Yet in this, the only discussion of “incidental” collection, the NSA doesn’t explain how it is used — for example to find informants (meaning Fatima might be coerced into informing on her mosque if she discussed her tax dodging with her cousin) or to find 2nd degree associates (meaning Fatima’s friend in the US, Mohammed, might get an FBI visit because Fatima’s cousin in Syria is in ISIS). It also doesn’t explain that the “age-off” is five years, if Fatima is lucky enough to avoid having the FBI deem her conversations with her cousin in Syria interesting. If not, the data will sit on an FBI server for 30 years, ready to provide an excuse to give Fatima extra attention next time some bigot gets worried because he sees her taking pictures at Disney World.

Curiously, while the NSA doesn’t address the disproportionate impact of 702 on Muslims, it does pretend to address the disproportionate impact on Asians or their family members — people like like Xiaoxiang Xi and Keith Gartenlaub.

Q: Could the government target my colleague, who is a citizen of an Asian country, as a pretext to collect my communications under Section 702?

A: No. That would be considered “reverse targeting” and is prohibited.

Thanks to Ron Wyden, we know how cynically misleading this answer is. He explained in the SSCI 702 reauthorization bill report that the government may,

conduct unlimited warrantless searches on Americans, disseminate the results of those searches, and use that information against those Americans, so long as it has any justification at all for targeting the foreigner.

Effectively, the government has morphed the “significant purpose” logic from the PATRIOT Act onto 702, meaning collecting foreign intelligence doesn’t have to be the sole purpose of targeting a foreigner; learning about what an American is doing, such as a scientist engaging in scientific discussion, can be one purpose of the targeting.

After dealing with unmasking, the NSA then performs the always cynical move of asking whether the NSA can query US person content.

Q: Can NSA use my information to query lawfully collected 702 data?

A: NSA can query already lawfully collected Section 702 information using a U.S. person’s name or identifier (such as an e-mail account or phone number) only if the query is reasonably designed to identify foreign intelligence information.

However, a U.S. person is still afforded protection. The justification for the query must be documented. The process for conducting a query is also subject to internal controls. Such queries are reviewed by the Department of Justice and the Office of the Director of National Intelligence to ensure they meet the relevant legal requirements. Additionally, if the query was subsequently identified as being improper, it would be reported to the Foreign Intelligence Surveillance Court and to Congress.

This passage is absolutely correct. But also absolutely beside the point, because NSA sends a significant chunk of its collection to the FBI where it can be searched to assess leads and search for evidence of crimes, and where queries get nowhere near the kind of oversight that NSA queries get.

Then the piece tries to explain the need for all the secrecy.

Q: Terrorists aim to hurt Americans and our allies, so why doesn’t the Intelligence Community share more Section 702 information about how the IC goes after them?

A: The Intelligence Community has dramatically enhanced transparency, especially regarding its implementation of Section 702. Thousands of pages of key documents have been officially released, and are available on IC on the Record. The public has more information than ever before on how the IC uses this critical foreign surveillance authority. That said, the IC must continue to protect classified information. This includes specifics on whether or not it has collected information about any particular individual.

If terrorists could find out that NSA had intercepted their communications, terrorists would likely change their communications methods to avoid further detection.

This is, partly, a straw man. People aren’t really asking to know NSA’s individual targets. They’re asking to know whether the government has back doored their iPhones via demands under FISA, or whether the NSA is collecting on the 430,000 Americans that use Tor every day, or if they’re also using this “foreign intelligence” collection program to hunt Americans buying drugs on Dark Markets or even BLM activists that our racist Attorney General has deemed a threat to national security. And in the name of keeping secrets from terrorists (who actually have the feedback mechanism of observing what gets their associates drone-killed to learn what gets collected), the government is refusing to admit that the answer to all those questions is yes: yes, the government has back doored our iPhones, yes, the government is spying on the 430,000 Americans that use Tor, and yes, for those who use Tor to buy drugs, they may even use 702 data to prosecute you.

Finally, the NSA pretends that everyone else in the world has a program just like this.

Q: Is the U.S. government the only one in the world with intercept programs like 702?

A: No. Many other countries have intelligence surveillance intercept programs, nearly all of which have far fewer privacy protections. Section 702 and its supporting policies and practices stand out in terms of strength of oversight, privacy protections, and public transparency.

It is true that other countries have “intercept programs,” but with the exception of China and Russia’s access to domestic Internet companies, no other country has a program “like 702” that, by virtue of the United States hosting the world’s most popular Internet companies, gives the US the luxury of spying on the rest of the world using a nice note to Google rather than having to hack users individually (or hack all users, as Russia did with Yahoo).

So, yes, the NSA has now offered a picture of itself, literally and metaphorically, that minimizes the scope, the thousands of spies it employs, and the reach, both domestic and global. But it’s a profoundly misleading picture.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.