
Working Thread Burr’s 11 Bullet Points

Richard Burr finally released the bill he pulled out of his ass. This will be a working thread.

(6) Look, they expanded their bulk carve-out to cloud providers.

(ii) an electronic communication service provider, when not used as part of a specific term as described in subparagraph (A), unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.

(7) SPECIFIC SELECTION TERM.—The term ‘specific selection term’—

(A) means a term or set of terms that identifies or describes a person, account, address, or personal device, or another specific term, that is used by the Government to limit the scope of tangible things sought to the greatest extent reasonably practicable, consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information; and

(B) does not include a term that solely identifies—

(i) a broad domestic geographic region, including the United States, a State, county, city, zip code, or area code, when not used as part of a specific term as described in subparagraph (A); or

(ii) an electronic communication service provider, when not used as part of a specific term as described in subparagraph (A), unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.

I’ve long noted that this language — which would prevent you from using a phone or email provider’s corporate name as your sole discriminator — did not include non-communications providers (like Western Union or Chase). But they’ve now excluded remote computing services (cloud providers) from that. Meaning they can do bulk on non-comm corporations AND cloud storage corporations.

(29) The bill treats data from Section 215 as if it were EO 12333. As a threshold level, this is weaker minimization than under the existing program (then so was USA F-ReDux). But right now nothing under EO 12333 ever gets disclosed to defendants. So this creates a black hole, meaning this stuff will never be forcibly reviewed for constitutionality.

USE OF INFORMATION.—Information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title concerning any United States person may be used and disclosed by Federal officers and employees in accordance with the guidelines approved by the Attorney General under Executive Order 12333 (or a successor order). No otherwise privileged information acquired from tangible things received by the Federal Bureau of Investigation in accordance with the provisions of this title shall lose its privileged character. No information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title may be used or disclosed by Federal officers or employees except for lawful purposes.

Here’s what the query language looks like (the “System” is defined before–we’ll just call it PRISM-Plus here).

(C) AUTHORIZED QUERIES.—Any order referred to in paragraph (1) or a directive under section 505 may permit access to the System—

(i) to perform a query using a specific selection term for which a recorded determination has been made that the specific selection term is relevant to an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism, clandestine intelligence activities, or activities in preparation therefor;

(ii) to return information as authorized under paragraph (2); or

(iii) as may be necessary for technical assurance, data management or compliance purposes, or for the purpose of narrowing the results of queries, in which case no information produced pursuant to the order may be accessed, used, or disclosed for any other purpose, unless the information is responsive to a query authorized under paragraph (2).

(2) SCOPE OF PERMISSIBLE QUERY RETURN INFORMATION.—For any query performed pursuant to paragraph (1)(C)(i), the query only may return information concerning—

(A) a first set of call detail records using the specific selection term that satisfies the standard required under paragraph (1)(C)(i); or

(B) a second set of call detail records using session-identifying information or a telephone calling card number identified by the specific selection term used to produce call detail records under subparagraph (A).

First, note that language “permit access to the system.” By whom?

This lets the government chain against foreigners for any FI purpose or against Americans for CT or CI purposes (the latter of which includes cyber). This is a huge expansion off status quo.

The tech paragraph is nutty: it gives access to raw data but data obtained there can’t be used unless it’d be subject to a query. Which it wasn’t.

The querying language is the same from USA F-ReDux, which I argued required providers to do non-call chaining. I think that’s been the intent all along.

(33) Unlike USA F-ReDux, this bill doesn’t even pretend it’s only about phone companies. And this will double retention time periods for Verizon, and probably worse than that for Apple.

An electronic communication service provider shall notify the Attorney General if that service provider intends to retain its call detail records for a period less than 36 months.

When the provider refuses to keep data, the FBI Director (Jim Comey, who has been whinging about iMessage for months in the guise of whinging about encryption) can get FISC to require the provider to keep data for 3 years for only FI purpose.

‘(3) ORDERS.—Upon an application made pursuant to paragraph (2), if the judge finds that the failure to retain such call detail records for a period of at least 36 months is resulting in, or is reasonably likely to result in, the loss of foreign intelligence information relevant to an investigation conducted under this title, the judge may enter an ex parte order requiring the retention of such records for a period of at least 36 months.

(36) The interim procedure expands the application, I think.

(45) This incents the government to go hogwild with bulk collection.

‘(h) CLARIFICATION.—Notwithstanding any other provision of law, the Government is authorized to obtain orders in accordance with this section for the purpose of obtaining tangible things produced in bulk, in the same manner as previously authorized by the court established by section 103(a) in orders issued by that court under this title prior to June 1, 2015. The Government is further authorized to continue to retain and use tangible things produced under such orders issued by that court prior to June 1, 2015, subject to any procedures prescribed by that court

(54) This has the same emergency provision as USA F-ReDux, which is an invitation for abuse and parallel construction. It’s telling that they still want this given how everything else has been permitted.

(54) They introduce the phrase “good faith” into the immunity section, but only for those being forced to retain their records.

‘(a) IN GENERAL.—No cause of action shall lie in any court against a person who—

(1) produces tangible things or provides information, facilities, or technical assistance pursuant to an order issued or an emergency directive required under this title;

(2) in good faith, retains call detail records under an order pursuant to this title; or

(3) otherwise provides technical assistance to the Government under this section or to implement this title.

(57) By my read the government won’t even test its querying at providers

(57) On June 1, 2016, they assess the cost of moving to providers. But they won’t have started that yet.

(67) This language moves the Internet production back to NSLs

(b) REQUIRED CERTIFICATION.—The Director of the Federal Bureau of Investigation, or the designee of the Director in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director, may request the name, address, length of service, local and long distance toll billing records, and electronic communications transactional records of a person or entity if the Director (or the designee) certifies in writing to the wire or electronic communication service provider to which the request is made that such information is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the first amendment to the Constitution of the United States.

(68) When a bill creates its own special Espionage Act, you know they intend to break the law.

(a) PROHIBITION ON UNAUTHORIZED DISCLOSURE.—An officer, employee, contractor, or consultant of the United States, or an officer, employee, contractor, or consultant of a recipient of an order issued pursuant to title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) who—

(1) knowingly comes into possession of classified information or documents or materials containing classified information of the United States that—

(A) was submitted in connection with an application to the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a));

(B) was submitted in connection with an order approved by such court; or

(C) was acquired pursuant to an order or directive of such court; and

(2)(A) knowingly and willfully communicates, transmits, or otherwise makes available to an unauthorized person, such classified information or documents or materials; or

(B) knowingly removes such classified information or documents or materials without authority and with the intent to retain such classified information or documents or materials at an unauthorized location, shall be punished according to subsection (b).

(b) TERM OF IMPRISONMENT.—A person who violates this section shall be fined under title 18, United States Code, or—

(1) for a violation of paragraph (2)(A) of subsection (a), imprisoned for not more than 10 years; or

(2) for a violation of paragraph (2)(B) of such subsection, imprisoned for not more than 1 year, or both.

(70) The bill changes the amicus in interesting ways.

(B) COVERED MATTER.—The term ‘covered matter’ means a matter before a court established under subsection (a) or (b)—

(i) that, in the opinion of such a court, presents a legal or technical issue regarding which the court’s deliberations would benefit from participation by an amicus curiae; and

(ii) that pertains to—

(I) an application for an order under this title, title III, IV, or V of this Act, or section 703 or 704 of this Act;

(II) a review of a certification or procedures under section 702 of this Act; or

(III) a notice of non-compliance with any such order, certification, or procedures.


(5) DUTIES.—An amicus curiae appointed under paragraph (1) to assist with the consideration of a covered matter shall carry out the duties assigned by the appointing court.


(6) NOTIFICATION.—A court established under subsection (a) or (b) shall notify the Attorney General of each exercise of the authority to appoint an amicus curiae under paragraph (1).

First of all, this does not include all significant matters. One that would benefit might be broader, but might be more narrow.

It doesn’t include traditional FISA, nor does it include anything but certification process for 702, the latter of which suggests they have been having problems with the latter.

But non-compliance can trigger this (perhaps meaning providers can no longer have their own lawyers?)

I’m particularly intrigued that non-compliance is in here. Does that mean providers can no longer have their own lawyers? Note, too, that FISC can ask their one lawyer to represent their own views–basically no more than the staffers they already have.

Also note, the court need only appoint one lawyer here.

Which probably means this is worse than status quo.

One thing about the amicus which is very important is this is John Bates’ wish list. He was appointed by John Roberts.

Also, USAF required notice when FISC didn’t use the amicus. This only requires notice when they do.

(73) Note, I’ve always believed the fast-track to FISCR is a bad thing, because it provides a way to get appellate rubber stamp on an issue to bypass (say) the 2nd Circuit fixing something. This retains that, which leads me to believe I was right.

(74) This waters down the provider reporting permissions significantly. Fine, that’s something they can sue about!

(78) I’m not sure but I think this introduces more of a delay on new kinds of production (like under PRISM Plus??).


The Section 215 Rap Sheet

Marco Rubio, who is running for President as an authoritarian, claims that “There is not a single documented case of abuse of this program.”

He’s not alone. One after another, defenders of the dragnet make such claims. FBI witnesses who were asked specifically about abuses in 2011 claimed FBI did not know of any abuses (even though FBI Director Robert Mueller had had to justify FBI’s use of the program to get it turned back on after abuses were discovered in 2009).

Comment — Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?

A — To the FBI’s knowledge, those authorities have not been abused.

Though Section 215 boosters tend to get sort of squishy on their vocabulary, changing language about whether this was illegal, unconstitutional, or abusive.

Here’s what we actually know about the abuses, illegality, and unconstitutionality of Section 215, both the phone dragnet program and Section 215 more generally.


First, here’s what judges have said about the program:

1) The phone dragnet has been reapproved around 41 times by at least 17 different FISC judges

The government points to this detail as justification for the program. It’s worth noting, however, that FISC didn’t get around to writing an opinion assessing the program legally until 10 judges and 34 orders in. Since Snowden exposed the program, the FISC appears to have made a concerted effort to have new judges sign off on each new opinion.

2) Three Article III courts have upheld the program:

Judges William Pauley and Lynn Winmill upheld the constitutionality of the program (but did not assess the legality of it); though Pauley was reversed on statutory, not constitutional grounds. Judge Jeffrey Miller upheld the use of Section 215 evidence against Basaaly Moalin on constitutional grounds.

3) One Article III court — Judge Richard Leon in Klayman v. Obama — found the program unconstitutional.

4) The Second Circuit (along with PCLOB, including retired Circuit Court judge Patricia Wald, though they’re not a court), found the program not authorized by statute.

The latter decision, of course, is thus far the binding one. And the 2nd Circuit has suggested that if it has to consider the program on constitutional grounds, it might well find it unconstitutional as well.

Statutory abuses

1) As DOJ’s IG confirmed yesterday, for most of the life of the phone dragnet (September 2006 through November 2013), the FBI flouted a mandate imposed by Congress in 2006 to adopt Section 215-specific minimization procedures that would give Americans additional protections under the provision (note–this affects all Section 215 programs, not just the phone dragnet). While, after a few years, FISC started imposing its own minimization procedures and reporting requirements (and rejected proposed minimization procedures in 2010), it nevertheless kept approving Section 215 orders.

In other words, in addition to being illegal (per the 2nd Circuit), the program also violated this part of the law for 7 years.

2) Along with all the violations of minimization procedures imposed by FISC discovered in 2009, the NSA admitted that it had been tracking roughly 3,000 presumed US persons against data collected under Section 215 without first certifying that they weren’t targeted on the basis of First Amendment protected activities, as required by the statute.

Between 24 May 2006 and 2 February 2009, NSA Homeland Mission Coordinators (HMCs) or their predecessors concluded that approximately 3,000 domestic telephone identifiers reported to Intelligence Community agencies satisfied the RAS standard and could be used as seed identifiers. However, at the time these domestic telephone identifiers were designated as RAS-approved, NSA’s OGC had not reviewed and approved their use as “seeds” as required by the Court’s Orders. NSA remedied this compliance incident by re-designating all such telephone identifiers as non RAS-approved for use as seed identifiers in early February 2009. NSA verified that although some of the 3,000 domestic identifiers generated alerts as a result of the Telephony Activity Detection Process discussed above, none of those alerts resulted in reports to Intelligence Community agencies.

NSA did not fix this problem by reviewing the basis for their targeting; instead, it simply moved these US person identifiers back onto the EO 12333 only list.

While we don’t have the background explanation, in the last year, FISC reiterated that the government must give First Amendment review before targeting people under Emergency Provisions. If so, that would reflect the second time where close FISC review led the government to admit it wasn’t doing proper First Amendment reviews, which may reflect a more systematic problem. That would not be surprising, since the government has already been chipping away at that First Amendment review via specific orders.

Minimization procedure abuses

1) The best known abuses of minimization procedures imposed by the FISC were disclosed to the FISC in 2009. The main item disclosed involved the fact that NSA had been abusing the term “archive” to create a pre-archive search against identifiers not approved for search. While NSA claimed this problem arose because no one person knew what the requirements were, in point of fact, NSA’s Inspector General warned that this alert function should be disclosed to FISC, and it was a function from the Stellar Wind program that NSA simply did not turn off when FISC set new requirements when it rubber-stamped the program.

But there were a slew of other violations of FISC-imposed minimization procedures disclosed at that time, almost all arising because NSA treated 215 data just like it treats EO 12333, in spite of FISC’s clear requirements that such data be treated with additional protections. That includes making query results available to CIA and FBI, the use of automatic search functions, and including querying on any “correlated” identifiers. These violations, in sum, are very instructive for the USA F-ReDux debate because NSA has never managed to turn these automated processes back on since, and one thing they presumably hope to gain out of moving data to the providers is to better automate the process.

2) A potentially far more egregious abuse of minimization procedures was discovered (and disclosed) in 2012, when NSA discovered that its techs were using over 3,000 files of raw phone dragnet data on their technical server past the destruction date.

As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.

But rather than investigate this violation — rather than clarify how much data this entailed, whether it had been mingled with Stellar Wind data, whether any other violations had occurred — NSA destroyed the data.

In one incident, NSA technical personnel discovered a technical server with nearly 3,000 files containing call detail records that were more than five years old, but that had not been destroyed in accordance with the applicable retention rules. These files were among those used in connection with a migration of call detail records to a new system. Because a single file may contain more than one call detail record, and because the files were promptly destroyed by agency technical personnel, the NSA could not provide an estimate regarding the volume of calling records that were retained beyond the five-year limit. The technical server in question was not available to intelligence analysts.

From everything we’ve seen the tech and research functions are not audited, not even when they’re playing with raw data (which is, I guess, why SysAdmin Edward Snowden could walk away with so many records). So not only does this violation show that tech access to raw data falls outside of the compliance mechanisms laid out in minimization procedures (in part, with explicit permission), but that NSA doesn’t try very hard to track down very significant violations that happen.

Overall sloppiness

Finally, while sloppiness on applications is not a legal violation, it does raise concerns about production under the statute. The IG Report reviewed just six case files which used Section 215 orders. Although the section is heavily redacted, there are reasons to be significantly concerned about four of those.

  • An application made using expedited approval that made a material misstatement about where FBI obtained a tip about the content of a phone call. The FBI agent involved “is no longer with the FBI.” The target was prosecuted for unlawful disclosure of nuke information, but the Section 215 evidence was not introduced into trial and therefore he did not have an opportunity to challenge any illegal investigative methods.
  • A 2009 application involving significant minimization concerns and for which FBI rolled out an “investigative value” exception for access limits on Section 215 databases. This also may involve FBI’s secret definition of US person, which I suspect pertains to treating IP addresses as non-US persons until they know it is a US person (this is akin to what they do under 702 MPs). DOJ’s minimization report to FISC included inaccuracies not fixed until June 13, 2013.
  • A 2009 application for a preliminary investigation that obtained medical and education records from the target’s employer. FBI ultimately determined the target “had no nexus to terrorism,” though it appears FBI kept all information on the target (meaning he will have records at FBI for 30 years). The FBI’s minimization report included an error not fixed until June 13, 2013, after the IG pointed it out.
  • A cyber-investigation for which the case agent could not locate the original production, which he claims was never placed in the case file.

And that’s just what can be discerned from the unredacted bits.

Remember, too: the inaccuracies (as opposed to the material misstatement) were on minimization procedures. Which suggests FBI was either deceitful — or inattentive — to how it was complying with FISC-mandated minimization procedures designed to protect innocent Americans’ privacy.

And remember — all this is just Section 215. The legal violations under PRTT were far more egregious, and there are other known violations and misstatements to FISC on other programs.

This is a troubling program, one that several judges have found either unconstitutional or illegal.


Comey’s Emphasis on Expiring PATRIOT Provisions: Other 215 Uses and Roving Wiretaps

A number of outlets have reported that, in an appearance Wednesday at Georgetown, Jim Comey suggested the other PATRIOT Act provisions expiring on June 1, not Section 215, are the critical ones. Here’s one example:

In a speech Wednesday, FBI Director James B. Comey said losing the ability to use roving wiretaps or track lone wolves in terrorism investigations would be a “big problem.” The bureau since the 1980s has been able to follow criminal suspects as they changed phones, he said, and the Patriot Act extended that capability to terrorism cases.

“That’s going to go away” unless the law is reauthorized, Comey said.

That’s not actually what Comey said. (Starting at 20:45) Rather, he said that losing other uses of Section 215 — in situations where FBI can’t use a grand jury subpoena or an NSL — would be “a big problem.” He did say that losing Roving Wiretap Authority would be “a big problem.” About Lone Wolf, he said only that it, “matters.”

Significant impact, in ways that we’re not talking about much, and I’m trying to make sure we’re talking about. A lot of the focus on 215 is on the NSA’s telephony metadata — should that be with the NSA, should that be with individual telepho–telephony providers and accessed by the NSA, and that’s an important discussion. That’s a useful tool the FBI [shrugs] so it’s a conversation I care about, but there are critical tools to the FBI that are going to sunset on June 1 that people don’t talk about.

The first is, Section 215 is the vehicle through which the NSA, telephony database, was assembled, but we use Section 215 in individual cases, in very important circumstances fewer than 200 times a year we go to the FISA Court in a particular case and get particular records that are important to a Counterintelligence investigation or a Counterterrorism investigation. If we lose that authority, which I don’t think is controversial with folks, that is a big problem. Because we will find ourselves in circumstances where we can’t use a grand jury subpoena or we can’t use a National Security Letter, unable to obtain information, with the court’s approval that I think everybody wants us to be able to obtain, in individual cases, so that’s a problem.

The second that’s a big problem is the Roving Wiretap Authority is gonna expire on June 1. This is an authority we’ve had in criminal cases since the early, mid-eighties, where if a drug dealer or a criminal is dropping phones repeatedly, the judge can give us authority to intercept that individual’s communications, no matter what device they’re on, so we don’t have to go back and start the process each time they dump a phone. What the PATRIOT Act did in 2001 was extend that authority to international terrorism investigations and counterintelligence investigations. That is not a controversial thing. That’s gonna go away June 1 unless it’s reauthorized.

And there’s one other provision that matters. And that’s the so-called Lone Wolf — that’s not a term I like but it’s called a Lone Wolf provision by most people. And that is if we can’t, if we can establish probable cause that someone in this country is up to terrible no good, they have probable cause to believe they are an international terrorist of some sort, but we can’t prove what particular organization they’re hooked up with, this provision would allow us — the judge — to authorize the interception, even if we can’t say, “well they’re Al Qaeda, no they’re ISIL, no they’re AQAP.” That’s an important, I think uncontroversial authority, these 3 are going to go away June 1. And I don’t want them to get lost in the conversation about metadata.

The emphasis, then, is on the first two — other uses of Section 215 and Roving Wiretaps — and not Lone Wolf as much.

To be fair, Comey is likely obfuscating about all three of these.

We know that the Internet collection that had formerly (until 2009) been done under NSLs is bulky; the FISC spent a lot of time policing minimization procedures on that collection until FBI finally started complying with the law in 2013. And when Comey says these are “individual cases,” he likely means they are things like US-based Jihadist fora encompassing the communications of many individuals, or frequent or critical cyber targets with which many individual people might communicate as well. Indeed, these collection points are probably — like the phone dragnet — tied to enterprise investigations, which would explain why grand jury subpoenas would not be available.

As for the Roving Wiretap, remember that in 2007 the FISC reinterpreted that statute in secret to mean NSA could collect from entire circuits because al Qaeda targets used many different email and phone addresses served by that circuit. While NSA is likely not relying on that particular opinion anymore (the Protect America Act and FISA Amendments Act replaced that collection), the opinion has likely been repurposed in similar ways to permit NSA to target far more broadly than actual suspect individuals. For example, for a frequent cybersecurity target, I could imagine NSA making an argument that hackers are frequently using (in reality, attacking) those servers, and therefore the FBI can collect on it. Similarly, I could imagine them using Roving Wiretaps to authorize US-based efforts to undermine the Tor network.

The same is almost certainly true of the Lone Wolf provision (in fact it has to be, because for years FBI insisted on extending it even though they admitted they had never used it directly). Remember, Lone Wolves are supposed to be US-based non-US persons engaged in international terrorism. But for a bunch of reasons, I suspect the provision is used to claim someone with zero tie to a terrorist organization overseas is a Lone Wolf (making him a foreign power) and then use that to claim some young Muslim man in the US “planning” plots with the foreign-based Lone Wolf can be targeted under FISA. (There must be some such explanation because there are a lot of young sting targets apparently targeted using traditional FISA orders who have no discernible status as an agent of a Foreign Power.)

For what it’s worth, I suspect the extension of WMD trafficking designations under USA F-ReDux to include those who conspire with or abet actual proliferators is intended to work the same way: to expand the Foreign Power definition to encompass many fairly.

All that said, Comey’s emphasis was, in large part, on those other uses of Section 215, and certainly didn’t seem to be on the Lone Wolf provision. And he may well be correct that FBI can’t replace this function easily, if my guess that FBI uses Section 215 to conduct bulky collection for enterprise investigations is correct. Moreover, note that the assessments of agents in the IG Report released yesterday — that they could not “identify any major case developments from the records obtained in response to Section 215 orders” — predate the big spike in use of Section 215 to collect those Internet communications. So the question would need to be asked again about this collection to see if it has been critical.

All that said, if these other uses are so important, then the Intelligence Community shouldn’t have played a game of chicken to retain a phone dragnet function which FBI largely duplicates with individualized collection already, which has never been critical to stopping a terrorist plot, and which may well hold up these purportedly critical other uses.

Finally! That Person Who Claims Section 215 Involves Interception of Communications!

[Image: Comey Lynch]

For two years, a key pushback strategy against those complaining about the phone dragnet program collecting records of every single American has been to falsely claim that opponents of the dragnet were claiming the dragnet collected content.

Of course, this was a straw man, as Mike Lee laid out brilliantly during his second speech supporting Rand Paul’s filibuster the other night.

So while it is true people point out that under section 215 of the PATRIOT Act, under this particular program, the NSA is not listening to telephone conversations. They are not listening to them.

Interestingly enough, this is very often a straw man argument that is thrown out by those who want to make sure that section 215 of the PATRIOT Act is reauthorized without any reforms. They claim that those who are opposed to this type of action are out there falsely claiming that the NSA is listening to phone calls over this program.

Well, that accusation of falsehood is, itself, false. That accusation of falsehood is, itself, a straw man effort. It is a red herring. It is a lie. It is a lie intended to malign and mischaracterize those of us who have genuine, legitimate concerns with this very program, because the fact is we don’t make that argument. The argument we are making is that the NSA doesn’t even need to do that. The NSA can tell all kinds of things about people just by looking at that data.

Because it is automated and because it is within a system that operates with a series of computers, they can tell very quickly it is a lot less human resource-intensive than it would be if they were having to listen to countless hours of phone conversations. It is a lot more efficient.

Nevertheless I finally have — after two years of this debate — found someone actually suggesting that Section 215 involves the interception of communications.

[Image: Lynch Intercept]

Now, to be fair, Attorney General Loretta Lynch likely misstated here. Or perhaps because she knows that the dragnet serves to identify content of interest, she may treat the two as connected (because they are to a degree program defenders like to obscure). Or maybe she is simply admitting what dragnet opponents keep arguing — that collecting metadata amounts to interception of very revealing data. [Update: As Josh Gerstein points out, she could be talking about Roving Wiretaps, which would mean CBS should not introduce this paragraph as being about the phone dragnet.]

Whatever the reason for AG Lynch to make this claim, I think it worth noting that the most prominent person suggesting that Section 215 gives “the ability to intercept communications” is the nation’s top law enforcement officer, not some dirty hippie trying to impugn the phone dragnet.

DOJ IG Report Confirms Government Flouted Statutory Requirements of Section 215 for 7 Years

For over a year, Congress has been working on a “reform” to Section 215 that it claims will rein in abusive government spying.

Also for about a year, DOJ’s Inspector General has been trying to release a Report on Section 215 use up to 2009. That investigation first began 1,800 days ago.

DOJ has finally managed to release the report.

It confirms a number of things I have been reporting for years: that the government uses the provision to collect records that have nothing to do with phone records in bulk, the majority of which are now Internet records, definitely including URLs and probably including subject lines.

But the takeaway from the report is something else I’ve been reporting on for some time.

The government completely blew off a requirement imposed with the 2006 PATRIOT Act Reauthorization that the FBI (which is the only agency that’s supposed to use Section 215) adopt minimization procedures specifically for Section 215. Even after FBI missed its September 2006 deadline by claiming it had Interim Procedures, FISC kept approving Section 215 orders, even including paragraphs that appear in every phone dragnet order claiming the government has met that statutory requirement. A year after DOJ’s Inspector General pointed out FBI was violating the statute, FISC started imposing its own minimization procedures and reporting requirements (though not — as a court operating with more transparency might have done — denying orders). Finally, in March 2013, DOJ adopted minimization procedures (though it did not start actually complying with them until more than four months after Edward Snowden’s leaks focused more attention on bulk 215 orders).

In other words, Congress imposed a mandate designed to protect innocent Americans’ privacy in 2006. And DOJ blew that statutory mandate off for years. And FISC let it do so for years, approving order after order requiring FBI to have fulfilled that mandate. And only after 7 years (and some unexpected transparency) did DOJ start following the law.

These are the people Congress is rushing headlong to provide new authorities (including an Emergency provision that is designed to invite abuse): government agencies who simply refuse to follow Congressional mandates.

The Paul Filibuster

As some of you were live-commenting yesterday, Rand Paul conducted a 10.5 hour filibuster of the USA F-ReDux last night.

A lot of journalists are calling it meaningless. But it may not be. As Sunlight Foundation explains, by occupying the floor for the balance of yesterday, Paul may have prevented Mitch McConnell from invoking cloture on his short-term reauthorization, leaving USA F-ReDux as the only legislation that might possibly get through the Senate before House members start leaving for recess tonight.

What does the currently ongoing filibuster have to do with this? It’s not just that it stalls the vote in the Senate and wedges it up closer to Section 215’s expiration. If Paul and his allies get to midnight tonight, as far as we can tell, it stops the Senate from considering any bill other than the House-passed USA FREEDOM Act, or, by default, sunset before Saturday. Without this filibuster, McConnell could have moved today to proceed on from the trade vote to USA FREEDOM or the 2-month reauthorization (though the Senate will have a cloture vote on trade tomorrow no matter what), and in turn begun the cloture process, which would have matured Friday. While the House is supposed to be out on Friday, keeping the House for another day, versus through the weekend and into Memorial Day, is a bit different.

Tomorrow, two things start to kick in: NSA has to start detasking from collection, and the deadline to apply for a new FISC order passes (the latter of which I first noted months ago).

All that said, I suspect there was an underlying deal here.

That’s true because the 9 or so people who supported Paul in this filibuster were all USA F-ReDux supporters (and of them, only Ron Wyden has called for significant amendment process, which is what Paul said he was fighting for with his filibuster).

More telling, Paul stopped 11 minutes short of midnight. And McConnell seemed to expect that — he had Bill Cassidy come on the floor to submit the highways bill for cloture.

In other words, McConnell could have, but didn’t, file cloture on his short-term reauthorization last night.

It’s quite possible that the Senators from KY made an agreement to get themselves out of holes they had created for themselves: Paul, in pushing against the bill, and McConnell, in leveraging such that sunset of Section 215 became a real possibility. By appearing to be left with no choice but USAF, McConnell could then whip it, and ensure it passes, to be quickly sent to Obama for signature. If McConnell really whipped it, Paul could even cast a symbolic vote against it.

If that ends up happening, Paul’s filibuster will not be a waste. It would have prevented — or been the tactic that allowed all sides to accept the prevention of — the bill getting worse in the Senate, which was always a real possibility.

But no one should be breaking out tequila to celebrate a PATRIOT Sunset yet.

Update: McConnell apparently just filed cloture on his short-term reauthorization. That would put the vote on Saturday, with the House having to come back to deal with it.

Will Gary Peters Help Mitch McConnell Expand Illegal Surveillance?

A year ago, Michigan Senator Gary Peters voted with 302 of his House colleagues for that version of USA Freedom Act (the incarnation I called USA Freedumb). He voted for a badly flawed bill (perhaps looking forward to his Senate campaign), but he did vote for a smushy compromise to get the government out of the business of holding all Americans’ phone records.

Also about a year ago, Peters voted for the Massie-Lofgren Amendment which would have defunded back door searches of data collected under Section 702. It was an easy vote; there was little chance then-Senate Appropriations Committee Chair Barb Mikulski would have let that remain in the Defense Appropriations.

But Peters at least pretended he cared about abusive surveillance.

This week, however, Peters claims to be uncertain about whether he will support a short-term extension of sunsetting PATRIOT Act authorities. His office twice did not respond to a request for clarification on this front.

Let me be very clear: supporting Mitch McConnell’s short-term extension serves just one purpose: To make the already weak reform, USA F-ReDux, worse. Peters’ claimed uncertainty about what he will do just enables McConnell’s stunt to expose innocent Americans to more spying.

If, like me, you’re a Peters constituent, please call his office and urge him to hold the line on the already weak USA F-ReDux. (202) 224-6221


Mitch McConnell Prepares to Reject a 6-Month Window to Set Up Dragnet Replacement

The surveillance hawks are out feeding the propaganda machine.

First there’s Eli Lake claiming that, if Congress were to pass legislation newly immunizing and compensating providers to conduct two-hop spying on Americans, most of whom would be innocent, it would amount to “tak[ing] back some of the extraordinary powers it granted to the executive branch [by…] revok[ing] the NSA’s authority to collect telephone records in bulk.” The implication is that Congress affirmatively granted the NSA that authority.

Of course, that’s not what happened. First, the Bush Administration secretly assumed that authority as it rolled out Stellar Wind, without even fully informing Congress about it or considering the legal implications of collecting Internet metadata via telecom switches. Years later, DOJ found that part of the program unlawful. When DOJ asked the FISA Court to approve that collection — well, in truth, it didn’t ask; DOJ told the court it “shall” authorize the collection under the terms of the Pen Register statute — it specifically refused to go to Congress to get it approved. “Government cannot pursue that route because seeking legislation would inevitably compromise the secrecy of the collection program the Government wishes to undertake,” the government’s application claimed.

It took years after getting a secret court to rubber stamp, twice (in the second instance, without even writing an opinion to explain how the Section 215 statute dictating relevance might be deemed to mean all) these new dragnet collections before the Executive briefed the full Intelligence Committees, and the Executive didn’t share the materials on the program until obligated to do so by the FISA Amendments Act. Though well into 2010, the Executive was withholding documents mandated under FAA for disclosure to the oversight committees. The Executive did provide short, in some ways misleading, summaries to be shared with Congress before they reauthorized the PATRIOT Act. But not only weren’t those summaries made easily available to members, in 2011, Mike Rogers didn’t pass them on, ensuring that a sufficient number of Congressmen to make the difference in the vote could not be informed. And the briefings held instead were affirmatively misleading.

This is what Eli Lake considers Congress “granting the executive branch authority to collect[] telephone records in bulk,” which is where he gets the claim that in shifting the program to providers it would be taking away an authority.

For all its other faults and, at times, outright inaccuracies, Lake accidentally reveals the problem with Mitch McConnell’s logic calling for a 2-month reauthorization.

Opponents of the bill raise one technical concern: The legislation gives the NSA 180 days to build a new computer architecture for querying the phone company databases. It’s a tricky matter. Phone companies store the records of only their customers, whereas the NSA stored all of these records in one database.

Even Representative Adam Schiff, the ranking Democrat on the House Intelligence Committee and a supporter of the bill to curb bulk collection, acknowledged this could be a problem. Speaking to reporters Tuesday at a breakfast sponsored by the Christian Science Monitor, Schiff said: “I think if we reach an impasse on the authority sunsets, then the NSA will have some responsibility for that breach. I have been urging the NSA for quite some time now to begin the process for developing the process to take data from different providers so they can talk to each other.”

If USA F-ReDux were to pass tomorrow, NSA would have 6 months to set up the replacement (though as Schiff notes, they could have been implementing the new plan for months).

GOP Brought in Guy Who Authorized Dragnet to Talk Dragnets

I’m far more alarmed by this tidbit in the latest report on the fight over USA F-ReDux than many who are commenting on it.

McConnell’s presser came following Senate lunches, during which former Attorney General Michael Mukasey, who served under George W. Bush, briefed Republicans on the importance of the surveillance authorities. While defending the NSA’s phone-records dragnet, Mukasey did say a recent federal appeals court deeming the program illegal could complicate McConnell’s efforts to renew the Patriot Act without changes, given the legal uncertainty that could result, according to two senators present.

“He did recommend some acknowledgment of the decision so that it is addressed in the legislation,” Sen. John Hoeven, a North Dakota Republican, said.

The Republicans sat down to talk about dragnet surveillance and they brought in Michael Mukasey, who not only presided over the expansion of Stellar Wind in the form of FISA Amendments Act, but authorized SPCMA after some previous DOJ officials appear to have refused to.

SPCMA, you’ll recall, is the authority to contact chain on US-person metadata collected under EO 12333 that current FBI General Counsel James Baker refused to authorize in an earlier position at DOJ in 2006 but which Mukasey signed in early 2008 (and DOJ then promptly hid from FISC as it was considering whether the contact chaining that provided particularly under PRISM was constitutionally sound). The actual authorization for it languished for several months, half-signed, before Mukasey signed it in the early part of his tenure as Attorney General.

There is reason to believe SPCMA — that is, Internet data collected overseas, in addition to telephone metadata — is where a lot of the Internet chaining currently occurs, with almost none of the controls (or subject limitations) that existed under the PATRIOT-Authorized Internet dragnet. There is also reason to believe that USA F-ReDux envisions the government federating queries of metadata collected under its new Call Detail Record function with SPCMA data. Finally, I suspect that the Second Circuit decision on Section 215 may have repercussions for SPCMA as well.

In other words, I find it fairly alarming that GOP brought in Michael Mukasey and his advice was to make a nod to the Second Circuit even while talking about why the authorities — plural — were important.

Which is to say I don’t think his acknowledgment that Courts are Courts is very comforting, given that he appears to recommend sustaining existing “surveillance authorities” in current bulk form.

USA F-ReDux Is Non-Exclusive, but the Second Circuit Might Be

I’m still trying to figure out WTF Mitch McConnell is doing with his Senate machinations over USA F-ReDux. Currently, he has both his short-term reauthorization and USA F-ReDux prepped for a vote, which probably means he’ll bring USA F-ReDux up for cloture or a vote, show that it doesn’t have enough support, and then use that to scaremonger the short-term reauthorization through as a way to wring more concessions out of the House.

Still, given what a dead-ender he is on a bill, USA F-ReDux, that gives the Intelligence Community so many goodies, I can’t help but wonder if there’s another explanation for his intransigence. I can think of one other possibility.

The House Judiciary Committee made it clear USA F-ReDux would be the exclusive means to obtain prospective Call Detail Records under Section 215:

This new mechanism is the only circumstance in which Congress contemplates the prospective, ongoing use of Section 501 of FISA in this manner.

But it made it equally clear it is not the exclusive means to obtain Call Detail Records. That’s because the report envisions conducting federated queries including “metadata [the government] already lawfully possess.”

The government may require the production of up to two ‘‘hops’’—i.e., the call detail records associated with the initial seed telephone number and call detail records (CDRs) associated with the CDRs identified in an initial ‘‘hop.’’ Subparagraph (F)(iii) provides that the government can obtain the first set of CDRs using the specific selection term approved by the FISC. In addition, the government can use the FISC-approved specific selection term to identify CDRs from metadata it already lawfully possesses. Together, the CDRs produced by the phone companies and those identified independently by the government constitute the first ‘‘hop.’’

I suggested here that that other “lawfully possessed metadata” probably consisted of data collected under EO 12333 (and permissible for chaining on US persons under SPCMA) and PRISM metadata.

But maybe that’s not all it includes. Maybe, the government has devised a way by which AT&T (or some other backbone provider) will still provide phone records in bulk on a daily basis? Maybe — as Richard Burr claimed before he later unclaimed — the government secretly maintains an IP dragnet under some other authority?

If that was the plan (though keep in mind, USA F-ReDux passed the House after the Second Circuit decision), then the Second Circuit may have ruined that effort. The ruling should limit all collection under a “relevant to” standard, not just that conducted under Section 215. And, as Faiza Patel argued, the decision should also affect collection where the government has dodged Fourth Amendment issues by focusing on “searches” rather than “seizures.”

[A]s Jennifer Daskal explained last Friday, “collection matters.” The Second Circuit rejected the government’s contention that there was no cognizable injury until plaintiffs’ phone records were actually analyzed and reviewed. It ruled that collection is properly analyzed as “seizure,” which if unlawful constitutes a separate injury from the “search” that takes place when records are analyzed either by a human being or a computer.

As the Supreme Court has recognized, in Fourth Amendment cases the analysis of standing is intertwined with the merits question of whether there has been an invasion of a protected privacy interest. Thus, the Second Circuit’s position on collection could have serious implications for other government programs beyond the standing question.

I’ve already suggested the decision might create problems for the virgin birth DOJ secretly gave to EO 12333 data used in SPCMA.

But who knows what else it applies to?

After all, USA F-ReDux was written so as to allow other dragnets (which is what EO 12333 is, after all). But the Second Circuit may pose problems for such dragnets that USA F-ReDux did not.

Going back to Richard Burr’s odd colloquy — which his office’s excuses simply cannot rationally explain — I think it (very remotely) possible the government is dragnetting IP addresses (perhaps for cybersecurity rather than counterterrorism purposes), but worries it has lost authority to do so with the Second Circuit decision. If so, it might be using this fight over counterterrorism data collection to lay congressional support for broader dragnet collection, to be able to sustain whatever other dragnets it has in place.
