FISA


Did NSA Add a New Dragnet Provider with Its Latest Order?

Cryptome has published the latest phone dragnet order. Contrary to reports, the dragnet order runs only for two months (until the end of August), not until the expiration of the bulk dragnet in November, plus retroactive collection back to May 31. It also has new language reflecting the changes in minimization requirements made by the USA Freedom Act, and updated language reflecting the Second Circuit’s decision in a paragraph ordering the government to inform FISC if anything changes because of the pending circuit court decisions.

But the most interesting change has to do with the redactions.

The initial redaction (which lists all the providers) is not quite the same size: the new order, 15-75, has a wider redaction than the last order, 15-24, though the earlier order’s redaction may run a line longer. But it is very close.

But the paragraph addressing custodians of records is clearly different. Here’s what the first few lines of that paragraph look like in 15-24:

[Screenshot: the first lines of the custodian-of-records paragraph in 15-24]

Here’s what it looks like in 15-75.

[Screenshot: the first lines of the custodian-of-records paragraph in 15-75]

The following paragraph, which addresses Verizon, appears to be the same.

There are two things that might explain the change in redaction. First, the providers may remain the same (understood to be AT&T and Sprint), but the official name used to refer to one may have changed — though I’m not aware of any changes at AT&T or Sprint that might explain that.

Or, they may have added another provider.

Mind you, I expect the government to add new providers once they move to the new querying technique in November, as the government will almost certainly be querying more newfangled kinds of “calls” and “texts” (to include VOIP and other Internet-based communications). So I think additional providers are inevitable.

Still, at least from the redactions of this order, it appears NSA may have already added a new provider.

NSA Gets Full Take on FISA-Authorized Web Forums

[Screenshot: XKEYSCORE slide on web forum data]

Among the document dump associated with the Intercept’s two stories on XKeyscore, there’s one slide deck, on how XKS handles web forum data, whose importance extends beyond the discussion of how XKeyscore works.

It reveals what was fairly predictable, but has never been confirmed: That the NSA obtains “full take” on US-based web forums that it can get FISA orders for.

This has been suggested in a number of terrorist proceedings — that the targets were first identified in a forum, and from there targeted for more surveillance (or, just as often, for an FBI undercover sting).

The XKS deck in question further makes clear that the NSA saves all of the data from such forums, so that data will come up in XKS queries going forward. Further, the NSA can pull the messages that use one of the most popular extremist tools for encryption.

All this almost certainly means that the same web forum data would be available to FBI Agents for back door searches at the Assessment level, so even the mere participation in a web forum may target someone for further investigation (or even, for coercion to become an informant himself).

Again, this has been fairly clear for some time. But this slide deck confirms what the government has been obscuring from defense attorneys.

 

XKeyscore Suffers from Same Giant Oversight Loophole as Phone Dragnet and SIGDEV: No Tech Audits

I’ve long pointed to a giant oversight hole in key NSA programs: in both the domestic phone dragnet and SIGDEV (research and development), tech activities are excluded from auditing requirements.

In a piece reviewing what happens with XKS today, Intercept’s Micah Lee points out that the same loophole appears to exist in XKeyscore, the querying system that filters through the globally collected data. Sysadmins not only lack individually audited logins (which appears to have been the state of the PRTT dragnet until 2009), but they can also access the system outside the normal querying process, which is the part that gets audited.

When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.

There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.

Now, Lee is just pointing out a problem that exists technically, based on the documents describing the system.
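The gap Lee describes, an audit trail kept at the web front end that direct database access never touches, is a general one, and the only way to close it is to log at the layer the administrators can actually reach and reconcile the two records. What follows is an added example, not anything from the Intercept documents or from NSA’s systems: it parses a constructed front-end audit log and a constructed database-side query log, flags database queries with no matching audited front-end query, flags queries run under a shared account, and flags queries that touch the audit table itself. The “oper” account name comes from the Intercept’s description; everything else (the log format, the `webapp` account, the `query_audit` table, the `sessions` table, the selectors) is an assumption made for the example.

```python
"""Reconcile a front-end query audit trail with a database-side query log.

Added example with constructed sample logs. Not from the XKEYSCORE documents;
the log format, the account names other than "oper", and the table names are
assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample: each search an analyst runs through the audited web front end.
APP_AUDIT_LOG = """\
2015-07-01T10:00:05Z user=analyst01 justification=FAA702-1234 sql=SELECT * FROM sessions WHERE selector='a@example.org'
2015-07-01T10:02:40Z user=analyst02 justification=FAA702-1235 sql=SELECT * FROM sessions WHERE selector='b@example.org'
"""

# Constructed sample: what the database itself saw (think of a MySQL general query
# log, reformatted). The front end connects as 'webapp'; admins use the shared 'oper'.
DB_QUERY_LOG = """\
2015-07-01T10:00:06Z user=webapp@10.0.0.5 sql=SELECT * FROM sessions WHERE selector='a@example.org'
2015-07-01T10:02:41Z user=webapp@10.0.0.5 sql=SELECT * FROM sessions WHERE selector='b@example.org'
2015-07-01T10:07:13Z user=oper@localhost sql=SELECT * FROM sessions WHERE src_ip LIKE '192.168.%'
2015-07-01T10:09:50Z user=oper@localhost sql=DELETE FROM query_audit WHERE user='analyst02'
"""

SHARED_ACCOUNTS = {"oper"}        # role accounts that cannot be tied to one person (assumed list)
AUDIT_TABLES = {"query_audit"}    # tables that hold the audit trail itself (assumed name)
LINE_RE = re.compile(r"^(\S+) user=(\S+) (?:justification=(\S+) )?sql=(.*)$")


@dataclass(frozen=True)
class Entry:
    ts: datetime
    user: str
    justification: Optional[str]   # only the front end records one
    sql: str                       # whitespace-collapsed, lower-cased


@dataclass(frozen=True)
class Finding:
    entry: Entry
    reasons: tuple


def normalize_sql(sql: str) -> str:
    """Collapse whitespace and case so the same query matches across both logs."""
    return " ".join(sql.split()).lower()


def parse_log(text: str) -> list:
    """Parse the assumed 'ts user=... [justification=...] sql=...' line format."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ts_raw, user, justification, sql = m.groups()
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append(Entry(ts, user, justification, normalize_sql(sql)))
    return entries


def find_unaudited_queries(app_log: str, db_log: str,
                           window: timedelta = timedelta(seconds=5)) -> list:
    """Return database queries the front-end audit trail cannot account for.

    A database query counts as audited if the front end logged the same
    normalized SQL within `window` of it. Anything else is a finding; shared
    accounts and queries against the audit tables add further reasons.
    """
    audited = parse_log(app_log)
    findings = []
    for db in parse_log(db_log):
        reasons = []
        if not any(a.sql == db.sql and abs(db.ts - a.ts) <= window for a in audited):
            reasons.append("no matching entry in front-end audit trail")
        account = db.user.split("@", 1)[0]
        if account in SHARED_ACCOUNTS:
            reasons.append(f"shared account '{account}': not attributable to one person")
        if any(t in db.sql for t in AUDIT_TABLES):
            reasons.append("query touches the audit table itself")
        if reasons:
            findings.append(Finding(db, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_unaudited_queries(APP_AUDIT_LOG, DB_QUERY_LOG):
        print(f.entry.ts.isoformat(), f.entry.user, f.entry.sql)
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample the two `webapp` queries reconcile against the front end and drop out; both `oper` queries surface, and the `DELETE` against the audit table gets the extra flag. The reconciliation is only as good as the database-side log: if the administrators who can query MySQL directly can also truncate the query log or the audit table, the detection fails in exactly the case it exists for, so the database log has to be shipped off-host to a store those accounts cannot write. And a shared account defeats attribution even when the query itself is logged, which is why the second flag is there at all.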

But as we’ve seen, with the phone dragnet, at least, this is by design. The NSA simply doesn’t track tech functions as closely as it does analysts, who are more closely watched (though even some of their activities are only randomly audited), even though some techs have, by necessity, more direct access to raw data. Indeed, what Snowden accomplished would have been impossible, or at least would have been tracked far sooner than the months it took, if this weren’t the case.

Whether or not you support NSA’s dragnet, this is a bureaucratic problem, one that rightly raises questions about the good faith of the system.

NSA said that after Snowden it instituted two-person sign-off for some activities. It would do well to release evidence that it has actually done so.

Once Again Sammy Alito’s Speculative Chain of Possibilities Proves True

Back when SCOTUS Justice Sam Alito wrote the opinion booting the ACLU-argued challenge to Section 702, he said the plaintiffs’ worries — that the US government was collecting their international communications under Section 702 — were too speculative to give them standing to challenge the constitutionality of the statute.

In sum, respondents’ speculative chain of possibilities does not establish that injury based on potential future surveillance is certainly impending or is fairly traceable to §1881a.

The named plaintiff in that suit — the NGO wildly speculating that the US government was reading its international communications with human rights victims and others — was Amnesty International.

Today, UK’s Investigatory Powers Tribunal informed Amnesty International that unnamed UK government agencies have been intercepting their communications.

In a shocking revelation, the UK’s Investigatory Powers Tribunal (IPT) today notified Amnesty International that UK government agencies had spied on the organization by intercepting, accessing and storing its communications.

[snip]

“After 18 months of litigation and all the denials and subterfuge that entailed, we now have confirmation that we were in fact subjected to UK government mass surveillance. It’s outrageous that what has been often presented as being the domain of despotic rulers has been occurring on British soil, by the British government,” said Salil Shetty, Amnesty International’s Secretary General.

Admittedly, this doesn’t confirm that Amnesty has been swept up in 702 collection, but given the likelihood that one of the agencies, plural, that has intercepted Amnesty’s communications is GCHQ, and given the broad sharing between it and its Five Eyes partner NSA, it is almost certain NSA has those communications as well (if they didn’t actually collect some of them).

Amnesty is trying to gain clarity from the US on whether it, too, has spied on the NGO.

But, predictably, Amnesty had a better idea of what a threat the government posed for its work than Sammy Alito did.

 

In Reauthorizing the Dragnet, FISC Makes a Mockery of the Amicus Provision

Between a ruling by Dennis Saylor issued on June 17, while I was away, and a ruling by Michael Mosman issued and released today, the FISA Court has done the predictable: ruled both that the lapse of the PATRIOT Act on June 1 did not mean the law reverted to its pre-PATRIOT status (meaning that it permitted collection of records beyond hotel and rental car records), and ruled that the dragnet can continue for 6 more months.

In other words, the government is back in the business of conducting a domestic dragnet of phone records. Huzzah!

As I said, the FISC’s ultimate rulings — that it will treat USA F-ReDux as if it passed before the lapse (a fair but contestable opinion) and that it will permit the dragnet to resume for 6 months — are unsurprising. It’s how they get there, and how they deal with the passage of USA F-ReDux and the rebuke from the 2nd Circuit finding the dragnet unlawful, that I find interesting.

Reading both together, in my opinion, shows how increasingly illegitimate the FISC is making itself. It did so in two ways, which I’ll address in two posts. In this one, I’ll treat the FISC’s differing approaches to the amicus provision.

USA F-ReDux was a deeply flawed bill (and some of my predictions about its weaknesses are already being fulfilled). But it was also intended as a somewhat flaccid critique of the FISC, particularly with its weak requirement for an amicus and its stated intent, if not an effective implementation, to rein in bulk collection.

Congress at least claimed to be telling the FISC it had overstepped both its general role by authorizing programmatic collection orders and its specific interpretation of Section 215. One of its solutions was a demand that FISC stop winging it.

The Court’s response to that was rather surly.

A timeline may help to show why.

June 1: Section 215 lapses

June 2: USA F-ReDux passes and government applies to restart the dragnet

June 5: Ken Cuccinelli and FreedomWorks challenge the dragnet but not resumption of post-PATRIOT Section 215 (Section 109)

June 5: Michael Mosman orders government response by June 12, a supplemental brief from FreedomWorks on Section 109 by June 12, immediate release of government’s June 2 memorandum of law

June 12: Government submits its response and FreedomWorks submits its Section 109 briefing, followed by short response to government submission

June 17: In response to two non-bulk applications, Dennis Saylor rules he doesn’t need amicus briefing to decide the Section 109 question, then rules in favor of restoration of post-PATRIOT Section 215

June 29: Michael Mosman decides to waive the 7-day application rule, decides to treat FreedomWorks as the amicus in this case while denying all its other requests for relief, and issues an order restarting the dragnet until November 29 (the longest dragnet order ever)

After having been told by Congress FISC needs to start consulting with an amicus on novel issues, two judges dealt with that instruction differently.

In part, what happened here (as has happened in the past, notably when Colleen Kollar-Kotelly was reviewing the first Protect America Act certifications while Reggie Walton was presiding over Yahoo’s challenge to its orders) is that one FISC judge, Saylor, was ruling on whether two new orders (BR 15-77 and 15-78) could be approved given the lapse in Section 215 (which became a ruling on how to interpret Section 109), while another FISC judge, Mosman, was reviewing what to do with the FreedomWorks challenge. That meant both judges were deciding what to do with Section 109 at the same time. On June 5, Mosman ordered up the briefing that would make FreedomWorks an amicus without telling them they were serving as such until today. FreedomWorks did offer up this possibility when they said they were “amenable to [designation as an amicus curiae] by this Court, as an alternative to proceeding under this Motion in Opposition,” but they also repeatedly requested an oral hearing, most recently a full 17 days ago.

The Court now turns to the Movants’ alternative request to participate as amici curiae. Congress, through the enactment of the USA FREEDOM Act, has expressed a clear preference for greater amicus curiae involvement in certain types of FISC proceedings.

[Mosman reviews of the amicus language of the law]

The Court finds that the government’s application “presents a novel or significant interpretation of the law” within the meaning of section 103(i)(2)(A). Because, understandably, no one has yet been designated as eligible to be appointed as an amicus curiae under section 103(i)(2)(A), appointment under that provision is not appropriate. Instead, the Court has chosen to appoint the Movants as amici curiae under section 103(i)(2)(B) for the limited purpose of presenting their legal arguments as stated in the Motion in Opposition and subsequent submissions to date.7

7 [footnote talking about courts’ broad discretion on how they use amicus]

That is, on June 29, Mosman found this circumstance requires an amicus under the law, and relied on briefing ordered way back on June 5 and delivered on June 12, while denying any hearing in the interim.

Meanwhile, in a June 17 ruling addressing what I consider the more controversial of the two questions Mosman treated — whether the lapse reverted Section 215 to its pre-PATRIOT status — Saylor used this logic to decide he didn’t need to use an amicus.

[3 paragraphs laying out how 103(i)(2)(A) requires an amicus unless the court finds it is not appropriate, while section 103(i)(2)(B) permits the appointment of an amicus]

The question presented here is a legal question: in essence, whether the “business records” provision of FISA has reverted to the form it took before the adoption of the USA PATRIOT Act in October 2001. That question is solely a matter of statutory interpretation; it presents no issues of fact, or application of facts to law, and requires no particular knowledge or expertise in technological or scientific issues to resolve. The issue is thus whether an amicus curiae should be appointed to assist the court in resolving that specific legal issue.

The legal question here is undoubtedly “significant” within the meaning of Section 1803(i)(2)(A). If Section 501 no longer provides that the government can apply for or obtain orders requiring the production of a broad range of business records and other tangible things under the statute, that will have a substantial effect on the intelligence-gathering capabilities of the government. It is likely “novel,” as well, as the issue has not been addressed by any court (indeed, the USA FREEDOM Act is only two weeks old). The appointment of an amicus curiae would therefore appear to be presumptively required, unless the court specifically finds that such an appointment is “not appropriate.”

Because the statute is new, the court is faced for the first time with the question of when it is “not appropriate” to appoint an amicus curiae. There is no obvious precedent on which to draw. Moreover, the court as a whole has not had an opportunity to consider or adopt any rules addressing the designation of amicus curiae.

The statute provides some limited guidance, in that it clearly contemplates that there will be circumstances where an amicus curiae is unnecessary (that is, “not appropriate”) even though an application presents a “novel or significant interpretation of the law.” At a minimum, it seems likely that those circumstances would include situations where the court concludes that it does not need the assistance or advice of amicus curiae because the legal question is relatively simple, or is capable of only a single reasonable or rational outcome. In other words, Congress must have intended the court need not appoint amicus curiae to point out obvious legal issues or obvious legal conclusions, even if the issue presented was “novel or significant.” Accordingly, the court believes that if the appropriate outcome is sufficiently clear, such that no reasonable jurist would reach a different decision, the appointment of an amicus curiae is not required under the statute.

This is such an instance. Although the statutory framework is somewhat tangled, the choice before the court is actually clear and stark: as described below, it can apply well established principles of statutory construction and interpret the USA FREEDOM Act in a manner that gives meaning to all its provisions, or it can ignore those principles and conclude that Congress passed an irrational statute with multiple superfluous parts.

That is, 5 days after FreedomWorks submitted briefing on the particular issue in question — Section 109 — Saylor decided he did not need an amicus even though this was obviously a novel issue. While FreedomWorks addressed the question of the lapse in only one of its submissions, it did argue that “Congress was fully aware of the problems associated with passing the expiration date and they chose to do nothing to fix those problems.”

And Saylor did not do what Mosman did, recognize that even though there wasn’t an amicus position set up, the court could easily find one, even if it asked the amicus to brief under 103(i)(2)(B). Indeed, by June 17, former SSCI Counsel Michael Davidson — literally the expert on FISA sunset provisions — had written a JustSecurity post describing the lapse as a “huge problem.” So by the time Saylor had suggested that “no reasonable jurist” could disagree with him, the author of the sunset provision in question had already disagreed with him. Why not invite Davidson to submit a brief?

It seems Mosman either disagrees with Saylor’s conclusion about the seriousness of Congress’ “preference for greater amicus curiae involvement” (though, having read Saylor’s opinion, he does say appointment under 103(i)(2)(A) “is not appropriate,” though without adopting his logic for that language in the least), or has been swayed by the criticism of people like Liza Goitein and Steve Vladeck responding to Saylor’s earlier opinion.

All that said, having found a way to incorporate an amicus — even one not knowingly acting as such during briefing — Mosman then goes on to completely ignore what the government and JudicialWatch said about the lapse, instead just declaring that “the government has the better end of the dispute,” and, to justify that judgment, simply quoting from Saylor.

On June 1, 2015, the language of section 501 reverted to how it read on October 25, 2001. See page 2 supra. The government contends that the USA FREEDOM Act, enacted on June 2, 2015, restored the version of section 501 that had been in effect immediately before the June 1 reversion, subject to amendments made by that Act. Response at 4. Movants contend that the USA FREEDOM Act had no such effect. Supplemental Brief at 1-2. The Court concludes that the government has the better of this dispute.

Another judge of this Court recently held that the USA FREEDOM Act effectively restored the version of section 501 that had been in effect immediately before the June 1 sunset. See In re Application of the FBI for Orders Requiring the Production of Tangible Things, Docket Nos. BR 15-77, 15-78, Mem. Op. (June 17, 2015). In reaching that conclusion, the Court noted that, after June 1, Congress had the power to reinstate the lapsed language and could exercise that power “by enacting any form of words” making clear “its intention to do so.” Id. at 9 (internal quotation marks omitted). The Court found that Congress indicated such an intention through section 705(a) of the USA FREEDOM Act, which amended the pertinent sunset clause8 by striking the date “June 1, 2015,” and replacing it with “December 15, 2019.” Id. at 7-9. Applying fundamental canons of statutory interpretation, the Court determined that understanding section 705(a) to have reinstated the recently-lapsed language of section 501 of FISA was necessary to give effect to the language of the amended sunset clause, as well as to amendments to section 501 of FISA made by sections 101 through 107 of the USA FREEDOM Act, and to fit the affected provisions into a coherent and harmonious whole. Id. at 10-12. The Court adopts the same reasoning and reaches the same result in this case.

JudicialWatch’s argument was the mirror image of Saylor’s — that “Congress was fully aware of the problems associated with passing the expiration date and they chose to do nothing to fix those problems” — and yet Mosman doesn’t deal with it in the least. His colleague had ruled, and so the government must have the better side of the argument.

That’s basically the logic Mosman uses on the underlying question, which I hope to return to. Even in making a symbolic nod to the amicus, Mosman is still engaging in the legally suspect navel gazing that has become the signature of the FISC.

Mind you, I’m not surprised by all this. That was very clearly what was going to happen to the amicus, and one reason why I said it’d be likely a 9-year process until we had an advocate that would make the FISC a legitimate court.

But this little exhibition of navel gazing has only reinforced my belief that we should not wait that long. There is no reason to have a FISC anymore, not now that virtually every District court has the ability to conduct the kind of classified reviews that FISC judges do. And as we’re about to see (Jameel Jaffer promised he’s going to ask the 2nd Circuit for an injunction today), the competing jurisdictions that in this case let District Court judges dismiss Appellate judges as less preferable than the government are going to create legal confusion for the foreseeable future (though one the government and FISC are likely going to negate by using the new fast track review process I warned about).

The FISC is beyond saving. We should stop trying.

Amazon’s Transparency Report: “Certain Purchase History”

Last week, precisely 10 days after USA F-ReDux — with its different formulas allowing for provider transparency — passed, Amazon released its first transparency report. In general, the report shows that Amazon either doesn’t retain the data sought or successfully pushes back against a lot of requests. For example, Amazon provided no information, or only partial information, in response to a third of the 813 subpoenas it received last year.

Also of note, in a post accompanying the report, Stephen Schmidt claimed that “Amazon never participated in the NSA’s PRISM program,” which may not be all that surprising given that it has only received 25 non-national security search warrants.

As I’ve already suggested, I find the most interesting detail to be the timing: given that Amazon has gotten crap as the only major company not to have released a transparency report before, I suspect either that Amazon had a new application 2 years ago when everyone started reporting, meaning it had to wait until the new collection had aged under the reporting guidelines, or that something about the more granular reporting made the difference for Amazon. Amazon reported in the 0-250 range (including both NSLs and other FISA orders), so it may just have been waiting to be able to report that lower number.

That said, Amazon received 13 non-national security court orders (aside from the one take down order they treat separately, which I believe has to do with an ISIL site), only 4 of which they responded fully to. I think this category would be where Amazon would count pen registers. And I’d expect Amazon to get pen registers in connection with their hosting services. If any of the 0 to 250 National Security orders are pen registers, it could be fairly intrusive.

Finally, Amazon clarified (sort of) something of particular interest. Amazon makes clear that content stored in a customer’s account is content (self-evident, I know, but there are loopholes for stored content, which is a big part of why Amazon would be of interest, and was when Aaron Swartz was using it as a hosting service). Here are its definitions:

Non-content. “Non-content” information means subscriber information such as name, address, email address, billing information, date of account creation, and certain purchase history and service usage information.

Content. “Content” information means the content of data files stored in a customer’s account.

But Amazon doesn’t consider “certain purchase history” information to be content.

As the country’s biggest online store, that’s where Amazon might be of the most interest. Indeed, the legal filings pertaining to Usaamah Abdullah Rahim (the claimed ISIL follower whom Boston cops shot and killed on June 2) show they were tracking Rahim’s Amazon purchase of a knife very closely.

If you wanted to do a dragnet of purchase records, you’d include Amazon in there one way or another. And such a dragnet order might represent just one (or four) of the fewer than 250 national security orders Amazon got in a year.

It’s not surprising they’re treating (“certain”) purchase records as metadata. But it is worth noting.

DOJ IG: FBI’s Secret Applications of PRTT Are Even More Secret than Its Secret Applications of Section 215

DOJ’s Inspector General just released its unclassified summary of its classified report on FBI’s use of Pen Register/Trap and Trace authority.

It is rather thin, just 5 pages long. It explains what is in the classified report.

We described the different types of pen registers that were used and the variety of information that was collected, as well as some of the technological and legal issues the Department and FBI faced with particular uses of pen register authority. We also describe the investigative circumstances under which the authority is generally used and trends in its use. The FBI and the Intelligence Community determined that much of this information is classified or “for official use only,” and therefore we cannot include it in this Executive Summary.

Our classified report also describes the FBI’s practices for storing and handling pen register information, most of which have remained substantially unchanged since our 2007 – 2009 review period, and it provides an overview of the compliance process and a summary of the compliance incidents involving the use of pen register authority that occurred from 2007 through 2009. Our classified report also includes several findings, only one of which we can describe in this unclassified Executive Summary.

The claim is rather interesting, given that documents EPIC obtained under FOIA make it clear FBI has used PRTT orders to get location data (not at all surprising given that it does so under criminal PRTTs as well), and that it has 7 exotic applications of Post Cut Through Dialed Digits. Those EPIC documents also reveal that John Bates redefined the meaning of Dialing, Routing, Addressing, and Signaling to include some content.

How is it EPIC could obtain those documents but DOJ’s IG can’t tell us what he found about these practices?

The one conclusion DOJ’s IG can share, sort of, is that FBI has problems weeding out data it shouldn’t have.

[W]e highlighted the challenges the Department faced, and still faces, in ensuring that the government collects or uses only that information that it is lawfully permitted to obtain.

[snip]

We found that the Department’s National Security Division and FBI do not conduct systematic compliance reviews of pen registers, and instead rely on personnel assigned to cases involving pen registers to report any compliance violations.

The report repeatedly notes that “the government is not authorized under FISA to obtain the contents of wire or electronic communications with a pen register order.” Which, of course, we know it has, both under the NSA program, as well as under PCTDD (indeed, discussions with the FISC over both the content collection under the NSA collection and the PCTDD uses took place in 2009, within the scope of the report).

So I assume part of the problem — part of the reason why FBI treats its PRTT programs with greater secrecy than its Section 215 programs — is that it violates the law but doesn’t have the means in place to catch its own violations.

I mean, if FBI wants to declassify the proof that that isn’t true, by all means they should do so. But the available evidence suggests the FBI and government more generally is probably still violating the terms of PRTT under FISA.

The Timing of the Contemplated Upstream Cyber-Grab

There’s an aspect missing thus far from the discussion of NSA’s possible bid for a cyber certification under Section 702 for primary use in the collection of attack signatures that could not be attributed to a foreign government.

The timing.

The discussion of creating a new Section 702 certificate came in the aftermath of the 6-month back and forth between DOJ and the FISA Court over NSA having collected US person data as part of its upstream collection (for more detail than appears in the timeline below, see this post). During that process, John Bates ruled parts of the program — what he deemed the intentional collection of US person data within the US — to be unconstitutional. That part of his opinion is worth citing at length, because of the way Bates argues that the inability to detach entirely domestic communications that are part of a transaction does not mean that those domestic communications were “incidentally” collected. Rather, they were “intentionally” collected.

Specifically, the government argues that NSA is not “intentionally” acquiring wholly domestic communications because the government does not intend to acquire transactions containing communications that are wholly domestic and has implemented technical means to prevent the acquisition of such transactions. See June 28 Submission at 12. This argument fails for several reasons.

NSA targets a person under Section 702 certifications by acquiring communications to, from, or about a selector used by that person. Therefore, to the extent NSA’s upstream collection devices acquire an Internet transaction containing a single, discrete communication that is to, from, or about a tasked selector, it can hardly be said that NSA’s acquisition is “unintentional.” In fact, the government has argued, and the Court has accepted, that the government intentionally acquires communications to and from a target, even when NSA reasonably — albeit mistakenly — believes that the target is located outside the United States. See Docket No. [redacted]

[snip]

The fact that NSA’s technical measures cannot prevent NSA from acquiring transactions containing wholly domestic communications under certain circumstances does not render NSA’s acquisition of those transactions “unintentional.”

[snip]

[T]here is nothing in the record to suggest that NSA’s technical means are malfunctioning or otherwise failing to operate as designed. Indeed, the government readily concedes that NSA will acquire a wholly domestic “about” communication if the transaction containing the communication is routed through an international Internet link being monitored by NSA or is routed through a foreign server.

[snip]

By expanding its Section 702 acquisitions to include the acquisition of Internet transactions through its upstream collection, NSA has, as a practical matter, circumvented the spirit of Section 1881a(b)(4) and (d)(1) with regard to that collection. (44-45, 48)

There are a number of ways to imagine that victim-related data and communications obtained with an attack signature might be considered “intentional” rather than “incidental,” especially given the Snowden document acknowledging that so much victim data gets collected it should be segregated from regular collection. Add to that the far greater likelihood that the NSA will unknowingly target domestic hackers — because so much of hacking involves obscuring attribution — and the likelihood upstream collection targeting hackers would “intentionally” collect domestic data is quite high.

Plus, there’s nothing in the 2011 documents released indicating the FISC knew upstream collection included cyber signatures — and related victim data — in spite of the fact that “current Certifications already allow for the tasking of these cyber signatures.” No unredacted section discussed the collection of US person data tied to the pursuit of cyberattackers that appears to have been ongoing by that point.

Similarly, the white paper officially informing Congress about 702 didn’t mention cyber signatures either. There’s nothing public to suggest it did so after the Senate rejected a Cybersecurity bill in August, 2012, either. That bill would have authorized less involvement of NSA in cybersecurity than appears to have already been going on.

With all that in mind, consider the discussions reflected in the documents released last week. The entire discussion of using FBI’s stated needs as backup for applying for a cyber certificate came at the same time as NSA was trying to decide what to do with the data it had illegally collected. Before getting that certificate, DOJ approved the collection of cyber signatures under other certificates. It seems likely that this collection would violate the spirit of the ruling from just the prior year.

And NSA’s assistance to FBI may have violated the prior year’s orders in another way. SSO contemplated delivering all this data directly to FBI.

[Image: Screen Shot 2015-06-11 at 9.42.56 AM]

Yet one of the restrictions imposed on upstream collection — voluntarily offered up by DOJ — was that no raw data from NSA’s upstream collection go to FBI (or CIA). If there was uncertainty where FBI’s targeting ended and NSA’s began, this would create a violation of prior orders.

Meanwhile, the reauthorization process had already started, and as part of that (though curiously timed to coincide with the release of DOJ’s white paper on 702 collection) Ron Wyden and Mark Udall were trying to force NSA to figure out how much US person data they were collecting. Not only did the various Inspectors General refuse to count that data (which would have, under the logic of Bates’ opinions finding that illegally collected data was only illegal if the government knew it was US person data, made the data illegal), but the Senate Intelligence Committee refused to consider reconstituting their Technical Advisory Committee which might be better able to assess whether NSA claims were correct.

Sometime in that period, just as Wyden was trying to call attention to the fact that NSA was collecting US person data via its upstream collection, NSA alerted the Intelligence Committees to further “overcollection” under upstream collection.

2012 Upstream Notice

As I suggested here, the length of the redaction and mention of “other authorities” may reflect the involvement of another agency like FBI. One possibility, given the description of FBI collecting on cyber signatures using both PRTT and (presumably) traditional FISA in the discussions of SSO helping the FBI conduct this surveillance (note, I find it interesting though not conclusive that there is no mention of Section 215 to collect cybersecurity data), is that the initial efforts to go after these signatures in some way resulted in overcollection. If FISC interpreted victim-related data to be overcollection — as would be unsurprising under Bates’ 2011 upstream opinion — then it would explain the notice to Congress.

One more point. In this post, I noted that USA F-ReDux authorized FISC to let the government use data it had illegally collected but which FISC had authorized by imposing additional minimization procedures. It’s just a wildarseguess, but I find it plausible that this 2012 overcollection involved cyber signatures (because we know NSA was collecting it and there is reason to believe it violated Bates’ 2011 opinion), and that any victim data now gets treated under minimization procedures and therefore that any illegal data from 2012 may now, as of last week, be used.

All of which is to say that the revelation of NSA and FBI’s use of upstream collection to target hackers involves far more legal issues than commentary on the issue has made out. And these legal issues may well have been more appropriate for the government to reveal before passage of USA F-ReDux.

DOJ Doesn’t Care What the Text of the Law or the 2nd Circuit Says, Dragnet Edition

Since USA F-ReDux passed, JustSecurity has published two posts about how the lapse of Section 215 might create problems for the dragnet. Megan Graham argued that technically USA F-ReDux would have amended Section 215 as it existed in 2001, meaning the government couldn’t obtain any records but those that were specifically authorized before the PATRIOT Act passed. And former SSCI staffer Michael Davidson argued that a technical fix would address any uncertainty on this point.

DOJ, however, doesn’t much give a shit about what USA F-ReDux actually amends. In its memorandum of law accompanying a request to restart the dragnet submitted the night USA F-ReDux passed, DOJ asserted that of course Section 215 as it existed on May 31 remains in place.

Its brief lapse notwithstanding, the USA FREEDOM Act also expressly extends the sunset of Section 215 of the USA PATRIOT Act, as amended, until December 15, 2019, id. § 705(a), and provides that, until the effective date of the amendments made by Sections 101 through 103, it does not alter or eliminate the Government’s authority to obtain an order under Section 1861 as in effect prior to the effective date of Sections 101 through 103 of the USA FREEDOM Act. Id. § 109(b). Because the USA FREEDOM Act extends the sunset for Section 215 and delays the ban on bulk production under Section 1861 until 180 days from its enactment, the Government respectfully submits that it may seek and this Court may issue an order for the bulk production of tangible things under Section 1861 as amended by Section 215 of the USA PATRIOT Act as it did in docket number BR 15-24 and prior related dockets.

It cites comments Pat Leahy and Chuck Grassley made on May 22 (without, curiously, quoting either Rand Paul or the legislative record from after Mitch McConnell caused the dragnet to lapse) showing that the intent of the bill was to extend the current dragnet.

While I think most members of Congress would prefer DOJ’s argument to hold sway, I would expect a more robust argument from DOJ on this point.

Likewise their dismissal of the Second Circuit decision in ACLU v. Clapper (which they say they’re still considering appealing). While it notes the Second Circuit did not immediately issue an injunction, DOJ’s base argument is weaker: it likes FISC’s ruling better and so it thinks FISC’s District Court judges should consider but ultimately ignore what the Second Circuit said.

The Government believes that this Court’s analysis of Section 215 reflects the better interpretation of the statute, see, e.g., In Re Application of the FBI for an Order Requiring the Production of Tangible Things, docket no. BR 13-109, Amended Mem. Op., 2013 WL 5741573 (FISA Ct. Aug. 29, 2013) (Eagan, J.) and In Re Application of the FBI for an Order Requiring the Production of Tangible Things, docket no. BR 13-158, Mem. (FISA Ct. Oct. 11, 2013) (McLaughlin, J.), disagrees with the Second Circuit panel’s opinion, and submits that the request for renewal of the bulk production authority is authorized under the statute as noted above.

[snip]

The Government submits that this Court’s analysis continues to reflect the better reading of Section 1861.

This is where, incidentally, the flaccid report language attached to USA F-ReDux is so problematic. In a filing affirming the importance of legislative language, had the HJC report said something more than “Congress’ decision to leave in place the ‘relevance’ standard for Section 501 orders should not be construed as Congress’ intent to ratify the FISA Court’s interpretation of that term,” DOJ might have to take notice of the language. But as it is, without affirmatively rejecting FISC’s opinion, the government will pretend it doesn’t matter.

I’m no more surprised with DOJ’s argument about the Second Circuit decision than I am its insistence that lapsing a bill doesn’t have legal ramifications.

But I would expect both arguments to make some effort to appear a bit less insolent. I guess DOJ is beyond that now.

In Advance of FISA Amendments Act Reauthorization, DOJ Did Not Tell Congress about Cyber Signature Collection

As I noted here, I’m working on a post that puts last week’s report on NSA’s use of upstream Section 702 collection in context.

But first, there’s one more detail that deserves its own post.

By March 23, 2012, NSA had drafted a certificate exclusively for cyber, with the intent of getting the FISC to approve it that year (which probably would have been in October). Yet “the current Certifications already allow[ed] for the tasking of [] cyber signatures such as IP addresses, strings of computer code, and similar non-email or phone number-based selectors.”

And whether or not NSA was already collecting cyber signatures in March 2012, by May, DOJ approved their collection on the Foreign Government certificate.

On May 4, 2012, DOJ sent the Intelligence Committee Chairs a white paper on Section 702 to be shared with the rest of Congress. Here’s the passage that describes how NSA uses upstream collection:

[Image: Screen Shot 2015-06-08 at 8.13.37 AM]

Given that the only redaction here addresses terrorists and the unredacted remainder describes only the collection of email and phone identifiers, it seems virtually certain that the passage — and therefore the white paper — made no mention of the cyber signature collection the NSA and DOJ were actively preparing to collect, and would collect before the reauthorization of FAA that December.

It’s certainly possible DOJ gave Congress notice that the use of Section 702 had changed significantly by the time Congress voted in December, but there’s no public record of it. In the interim period, the Senate defeated a cybersecurity bill that would even have restricted NSA from obtaining domestically collected cyber data, reflecting real skepticism about spying for cybersecurity purposes in the US.

If, as the record strongly suggests, the government expanded NSA upstream 702 to include cyber signatures without telling Congress before they reauthorized the underlying authority, it would not be the first time: DOJ did not tell even the House Judiciary Committee — much less Congress as a whole — that it was using Section 215 to collect location data until after both the 2010 and 2011 Patriot Act reauthorizations.

Whatever the merit to using 702 upstream collection to hunt hackers — even ignoring the real privacy problems with it — the public record raises real questions about whether the practice was authorized and would have been authorized by Congress. Given that such collection involves an expansion of the intentional collection of domestic data, the apparent absence of Congressional sanction raises real problems about the practice (though, as I’ve suggested, Congress just retroactively authorized the use of whatever illegally-collected 702 data NSA can get FISC to approve the use of).

The NSA’s defenders like to claim Congress always gets notice. But the record shows that, over and over, NSA only asks for forgiveness after the fact rather than asking for permission before the collection.
