[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

NSA — Continually Violating FISA Since 2004

Last year, I did a report that catalogued all the times NSA had violated FISA since the Stellar Wind phone dragnet got moved under FISA in 2004. There were five different practices deemed violations of 1809(a)(2), which prohibits the use of any data that was illegally collected.

From 2004 until 2009, in spite of twice quarterly Office of General Counsel spot checks imposed to prevent it, “‘[v]irtually every PR/TT record’ generated [by the bulk Internet metadata program] included some data that had not been authorized for collection.” [3]

From 2007 until 2011, NSA collected entirely domestic and untargeted communications as part of Multiple Communication Transaction bundles without restricting access to the unrelated communications. [4]

In June 2010, NSA admitted it had improperly retained Title I data in a management system that the court had deemed an overcollection; in May 2011, FISC found this retention problematic under 1809(a)(2). The government even argued that prohibitions [5] on using unlawfully collected information “only applied to interceptions authorized by the Court and did not apply to the fruits of unlawful surveillance.”

From 2011 to 2016, NSA retained Section 702 overcollection in its management systems, in spite of the 2011 FISC retention precedent ruling such retention a violation of 1809(a)(2). [7]

In 2013, NSA discovered its post-tasking checks to ensure targeted phones had not roamed into the United States had not functioned properly for some redacted period of time (possibly dating back to 2008), meaning some of the telephone collection from that period may have been collected on individuals located inside the United States in violation of 702. [8]

In addition to those, NSA had continued to conduct back door searches of data collected using upstream 702 collection even after John Bates prohibited the practice in 2011.

Because upstream collection foreseeably results in the collection of domestic communications, when John Bates first permitted searches of 702 data using US person identifiers in late 2011, he prohibited such searches on upstream data, for fear it would amount to using 702 for domestic surveillance. Yet NSA started disclosing “many” such violations as early as 2013. [9]

As NSA’s compliance organizations started looking more closely in 2015 and 2016, they discovered the NSA was even conducting such searches in systems “that do not interface with NSA’s query audit system,” raising questions about their ability to oversee US person queries [10] more generally. NSA discovered that some data obtained using upstream collection had been mislabeled as PRISM collection, meaning it would get no special treatment. With one tool used [11] to conduct queries of Americans located overseas, NSA experienced an 85% noncompliance rate. [12]

While Rosemary Collyer (who is the worst presiding FISA Judge ever) didn’t deem that a violation of 1809(a)(2) — meaning NSA didn’t have to segregate and destroy any data collected improperly — it still violated the minimization procedures that control 702 collection.

So between 2004 and 2016, NSA was always breaking the rules of FISA in one way or another.

And we can now extend that timeline to 2018. The NSA just revealed that it had destroyed all the call detail records it had collected since 2015, which would be all those collected under USA Freedom Act.

Consistent with NSA’s core values of respect for the law, accountability, integrity, and transparency we are making public notice that on May 23, 2018, NSA began deleting all call detail records (CDRs) acquired since 2015 under Title V of the Foreign Intelligence Surveillance Act (FISA).

The Government relies on Title V of FISA to obtain CDRs, which do not include the content of any calls. In accordance with this law, the Government obtains these CDRs, following a specific court-authorized process.

NSA is deleting the CDRs because several months ago NSA analysts noted technical irregularities in some data received from telecommunications service providers. These irregularities also resulted in the production to NSA of some CDRs that NSA was not authorized to receive. Because it was infeasible to identify and isolate properly produced data, NSA concluded that it should not use any of the CDRs. Consequently, NSA, in consultation with the Department of Justice and the Office of the Director of National Intelligence, decided that the appropriate course of action was to delete all CDRs. NSA notified the Congressional Oversight Committees, the Privacy and Civil Liberties Oversight Board, and the Department of Justice of this decision. The Department of Justice, in turn, notified the Foreign Intelligence Surveillance Court. The root cause of the problem has since been addressed for future CDR acquisitions, and NSA has reviewed and revalidated its intelligence reporting to ensure that the reports were based on properly received CDRs.

Now it could well be these CDRs that NSA was not authorized to collect were selectors that went beyond what had been approved (though that’d be unlikely to trigger a technical alert). It may be these CDRs obtain something that counts as content — such as cookie information that identifies sublevel domains of a webpage.

But the only non content thing that is affirmatively permitted in USAF is location data, which as of last week would get treated as a search if not content. Which leads me to believe this is most likely location data (which would also explain the sudden transparency). It may be content data collected in ways the NSA didn’t understand, perhaps via apps that retain the location data shared from the phone. But it’s likely it was content data.

And given the specific reference to data “that NSA was not authorized to receive,” and the fact that NSA destroyed three years of CDRs, I suspect this, too, was deemed a violation of 1809(a)(2).

Which means the NSA’s streak of violating FISA just got extended several more years. It has been violating FISA, in one way or another, for 14 years.

The Trump People Really Really Want to Know How Much Mueller Knows about Roger Stone’s “Collusion”

In a piece that lets Roger Stone claim he un-forgot the Russian he met offering Hillary dirt for $2 million and also fails to ask Stone why it took over a month for him to correct his perjury before HPSCI and also fails to ask if there was follow-up about someone else paying for that dirt on Hillary, Ken Dilanian lets Stone float a claim that Mueller must have obtained the contents of his phone using a FISA order.

Stone also wondered to NBC News how Mueller “has copies of my text messages if not through an illegal FISA warrant. I have filed a notice of my intention to bring a lawsuit against the government for a civil rights and right to privacy violation to get to the bottom of that question.”

As I have noted repeatedly, close to the beginning of the time when Mueller has focused unrelentingly on Stone, on March 9, Mueller obtained a probable cause search warrant to obtain the contents of 5 AT&T phones, “In the Matter of the Search of Information Associated with Five Telephone Numbers Controlled by AT&T (D.D.C.) (18-sc-609).” When Paul Manafort attempted to unseal the parts of the affidavit laying out the probable cause for those phones covered by the warrant that he didn’t own, Amy Berman Jackson refused the request. The court record makes it fairly clear that the other phones don’t belong to Manafort.

THE COURT: What if — I think one of them is about phone information. What if the redacted phones are not his phone?

MR. WESTLING: I don’t have a problem with that. I think we’re talking about things that relate to this defendant in this case.

We should assume that, in addition to those five phones, there’s a warrant covering a proportional number (Verizon covers more of the cell phone market in the US than AT&T does) of Verizon phones.

All of which is to say that the most obvious explanation for how Mueller obtained the text messages Stone has selectively shared with the press showing he did accept a meeting with a Russian offering dirt on Hillary Clinton is that Mueller convinced a judge there was probable cause to believe that evidence of crimes was on that phone.

That is, the interest in Roger Stone is no longer strictly a counterintelligence question of whether Henry Greenberg was idly reaching out to Stone to offer dirt. Rather, it’s a question of whether his subsequent response (about which no journalist seems to have asked Stone questions) constitutes a crime.

In any case, Roger Stone’s attempt to turn this into another FISA pseudo scandal (including his suggestion that any warrant targeting him would be “illegal”) is just a desperate indication of how badly the Trump people want to know how much Mueller knows about the crimes Stone may have committed.

On the James Wolfe Indictment: Don’t Forget Carter Page

Last night, DOJ unsealed the indictment of James Wolfe, the former Director of Security for the Senate Intelligence Committee. He is accused of one count of false statements to the FBI. The indictment alleges that he lied about his conversation with four journalists, Ali Watkins and three others.

The NYT has revealed that Watkins, who had a three-plus year relationship with Wolfe, had years of her communications subpoenaed. They obtained years of her subscriber information, and a more narrow period of additional information from her phone. As a reminder, the subscriber information that can be obtained with a d-order is tremendously invasive — in addition to name and financial and other contact information, the government obtains IP and device addresses that allow them to map out all the communications a person uses. This post lays out what the government demands from tech companies. Obtaining it will burn all but the most disciplined operational security and with it, a journalist’s sources.

The indictment also reveals the government obtained Signal and WhatsApp call records and content; it seems to have been Wolfe’s preferred means to communicate “securely.” I suspect they obtained the communications after June 2017, by targeting Wolfe’s phone. It’s possible he voluntarily provided his phone after being confronted with his lies, but I suspect they obtained the Signal content via other means, basically compromising his device as an end point. I’ll return to this, but it appears DOJ has made a decision in recent days to expose the ease with which they can obtain Signal and other secure chat apps, at least in national security investigations, perhaps to make people less comfortable using it.

What I’d like to focus on, however, is the role of Carter Page in the indictment.

The government lays out clear proof Wolfe lied about conversations with three reporters. With Watkins and another, they point to stories about Carter Page to do so. The Watkins story is this one, confirming he is the person identified in the Evgeny Buryakov indictment. Another must be one of two stories revealing Page was subpoenaed for testimony by the Senate Intelligence Committee — either this one or this one.

I’m most interested, however, in this reference to a story the FBI raised with Wolfe in its interview, a story for which (unlike the others) the indictment never confirms whether Wolfe is the source.

During the interview, FBI agents showed WOLFE a copy of a news article authored by three reporters, including REPORTER #1, about an individual (referred to herein as “MALE-1”), that contained classified information that had been provided to the SSCI by the Executive Branch for official purposes

The story suggests they don’t have content for the communications between Wolfe and Reporter #1, and the call records they’re interested in ended last June (meaning the story must precede it).

For example, between in or around December 2015 and in or around June 2017, WOLFE and REPORTER #1 communicated at least five times using his SSCI email account.

For that reason, I suspect this is the story they asked about — whether Wolfe is a source for the original credible story on Carter Page’s FISA order. The focus on Page generally in the indictment suggests this investigation started as an investigation into who leaked the fact that Page had been targeted under FISA, and continued to look at the stories that revealed classified details about the investigative focus on him (stories which he rightly complained to SSCI about).

I know the focus will be on the impact on Watkins and any other journalists DOJ has subpoenaed, if they have with the others; that impact is very real and we’ll hear more about how DOJ has shifted its treatment of journalists in upcoming days.

But I’d like to consider what it means that this investigation largely stems from leaks about the investigation into Page.

Page is not at all a sympathetic person. He’s nuts, and may well be or have been a willing recruit of Russia. But there are two reasons why the leaks into the investigation into him should be of concern, along with the concern about journalism.

First, whatever the truth about Page, one reason the government treats counterintelligence wiretaps differently than criminal ones is because there are times they need to obtain content from people they don’t have probable cause to believe are criminals. Legitimately obtained wiretaps should never be revealed except in legal proceedings anyway, but that’s all the more true where the government may be using the wiretap to learn whether someone has been recruited. Unlike Paul Manafort, Mike Flynn, and George Papadopoulos, Carter Page has not been charged, yet the leaks about the investigation into him (including of the damned Steele dossier) have branded him as a Russian spy. I’ve reported on too many cases where FISA orders were used against people who weren’t spies (particularly Chinese Americans), and it needs to be said that investigative targets are kept secret, in part, because they’ve not been charged yet.

Then there’s the flip side to the issue. All the leaks about Carter Page may well have poisoned the investigation into him in several ways. Certainly, Page and the Russians were alerted to the scrutiny he was under. If he is or was a Russian spy, the government may never make its case because the stories on Page made it a lot easier for the targets of the investigation to counter it (I actually think several of the less credible leaks about this investigation were designed to do just that).

Indeed, all the leaked stories about him may have made it politically impossible for FBI to continue the investigation. We know the FISA orders against him ceased after all the leaks about his targeting, for example. So if Page is a spy, all the publicity about this may help him get away with it.

The government has wrapped up a tidy indictment where, while they know Wolfe is a source for at least some of the suspect stories about Page, any trial would instead focus on the clear evidence Wolfe lied about things like a multi-year relationship with someone working SSCI and not classified information. Probably, the hope is he’ll plead and identify all the stories for which he has been a source. To get there, the government has used awesome powers against at least one journalist (and in Watkins’ case, it’s not at all clear they needed to do that).

That said, while I don’t defend Page as a person at all, the giddy leaks about him do come with a cost in both due process and investigative terms and it’s worth remembering that as we talk about this case.

A Thinking Person’s Guide to the Stefan Halper Conspiracy Theory

For some time, I’ve been agnostic about whether Chuck Ross’ series on Stefan Halper derived from his own discussions with George Papadopoulos, Carter Page, and Sam Clovis, or whether he relied on leaks from HPSCI.

Today, he gave one of the leading comments he often does, about Paul Ryan’s claimed concern about “FISA abuse.” (Ryan, remember, pushed through 702 reauthorization this year without reforming a single one of the abuses laid out in this report, but apparently Chuck’s gonna play along with the notion that Ryan gives a shit about FISA.)

That mirrors Ross’ own logically nonsensical focus on the dossier as a source for the Carter Page FISA order in conjunction with Halper. Which, especially since other journalists are making it clear the Halper focus is coming from Hill Republicans, suggests Ross was getting leaks from Republicans.

That’s even more true of this interview with Sam Clovis. In it, Clovis makes it very clear the meeting did not stick out in his memory.

It was an academic meeting. It was not anything other than him talking about the research that he had done on China.

[snip]

No indication or inclination that this was anything other than just wanting to offer up his help to the campaign if I needed it.

After describing how he hadn’t opened up attachments Halper sent later in the month, he said, “that is how little this registered with me.”

And yet, somehow, by March, someone had told Ross about this meeting.

Halper also requested and attended a one-on-one meeting with another senior campaign official, TheDCNF learned. That meeting was held a day or two before Halper reached out to Papadopoulos. Halper offered to help the campaign but did not bring up Papadopoulos, even though he would reach out to the campaign aide a day or two later.

Clovis seems to derive his memory of the meeting, in significant part, from the documentation he does (four emails setting the meeting up) and doesn’t (any notes) have about it.

There’s a record of the exchange of emails that we had, four emails to set the appointment.

[snip]

I had my notebook. Always take notes and always keep track of what’s going on. And there wasn’t anything — I didn’t have any notes on the meeting cause there must not have been anything substantive that took place.

That suggests someone knew to go back to look for communications involving Halper. Now, if HPSCI requested all the comms campaign aides had with investigative target Carter Page, then Clovis would have turned over these emails (which mentioned Page but probably discussed China, not Russia), and HPSCI staffers could have found the tie. If HPSCI only asked for Russia-related comms involving Page, then someone got Toensing or Clovis to search for Halper emails themselves.

Clovis explains that he’s bothered, now, about the meeting because he thinks he was used as an excuse to reach out to George Papadopoulos.

He had met with Carter Page. He had used that to get the bona fides to get an appointment with me.

[snip]

Then I think he used my meeting as bona fides to get a meeting with George Papadopoulos.

Remember, one of the inane complaints in the Nunes memo is that the Carter Page FISA application mentioned Papadopoulos.

The Schiff memo explains that Papadopoulos got mentioned because, after Alexander Downer told the FBI that Papadopoulos had told him the Russians were going to release Hillary emails to help Trump, they opened a counterintelligence investigation into the Trump campaign.

In other words, the frothy right likely believes, like Clovis, that Halper was networking as a way to get to Papadopoulos, and that in some way ties to the FISA application against Page.

And he may well have done so! As TPM clarifies some confusion created by WaPo, Page, Clovis, and Clovis’ lawyer Victoria Toensing all agree that Halper mentioned Page when he reached out to Clovis.

Clovis’ lawyer, Victoria Toensing, previously said, according to the Washington Post, that the informant had not mentioned his other Trump contacts when reaching out to Clovis. Clovis said he wasn’t sure “where she got that information,” since she had access to the emails setting up the September 2016 meeting.

Toensing, in a phone interview Tuesday with TPM, backed up Clovis’ account. She told TPM that the informant had said in an email to Clovis that Page had recommended that they meet. She also claimed that the informant had told Page when they met at the conference that he was a big fan of Clovis’. Page confirmed Toensing’s account in an email to TPM.

Halper met with Clovis on September 1 and then reached out to Papadopoulos the next day.

Though note: Page says Halper raised Clovis at the July conference where they met, a meeting that occurred before dossier reports started getting back to FBI (particularly to the people investigating the hack-and-leak) and before the Papadopoulos report. That either suggests the FBI already had concerns about Clovis by then, or Halper was more generally networking with Page along with checking out someone who had been a live counterintelligence concern in his own right since March and for years beforehand.

Here’s where things start to go off the rails for this whole conspiracy theory, though. Clovis (who, remember, testified to Mueller’s team in the days before Papadopoulos’ cooperation agreement was unsealed, and who therefore may have his own false statements to worry about) believes that the FBI had no business trying to ask Papadopoulos about his April knowledge of Russians dealing Clinton emails in a way that would not arouse Papadopoulos’ suspicion.

What unsettled me … is what he tried to do with George Papadopoulos and that was to establish an audit trail from the campaign or somebody associated with the campaign back to those Clinton emails, whether or not they existed we don’t know.

Clovis believes, as does the entire frothy right, that the FBI had no reason to check out leads from someone who predicted the Russians would leak dirt from Hillary to help Trump a month before it became publicly known.

What were they investigating? To be investigating, there has to be some indication of a crime. And there does not appear to have been any indication for a crime. And by the way the Fourth Amendment protects you in your place and your person from investigation without a clear indication of what, uh, probable cause.

Somehow, Clovis conveniently forgets that stealing emails is a crime. And the FBI had been investigating that crime since June 2016, a month before learning that Papadopoulos might have known about the stolen emails before the FBI itself did.

In other words, at the core of this entire conspiracy theory (on top of pretending that Carter Page wasn’t already a counterintelligence concern in March, as all the designated GOP stenographers do) is the GOP fantasy that the FBI had no business trying to chase down why Papadopoulos knew of the theft before the DNC itself did.

And they’re making an enormous case out of the fact that FBI used Halper — a lifelong Republican to whom Papadopoulos could and did lie without legal jeopardy — to interview someone Clovis claims was “ancillary” to the campaign at the time.

It’s also clear to me that they misread George’s relationship with the campaign entirely, so, because he was not, he was ancillary at best at that point.

So that appears to be where this is heading: an attempt to criminalize a Republican networking with a goal of learning whether George Papadopoulos, and through him, Sam Clovis and the rest of the campaign, committed what Papadopoulos himself has said (though this is legally incorrect) might amount to treason.

Ultimately, it comes down to this: the GOP doesn’t think Russian theft of Democratic emails was a crime and therefore doesn’t think FBI had reason to investigate Papadopoulos’ apparent foreknowledge of that crime.

I Con the Record Transparency Bingo Part One: Consider the Full Surveillance Playing Hand

Several weeks ago, the government released its yearly transparency reports:

  • FISA Court’s report: This provides a very useful description of approvals viewed from the FISA Court’s perspective. While it is the least deceptive report, FISC has only released one full year (2016) and one partial year (2015) report before, so it can’t be used to study trends or history.
  • DOJ report: This is the mostly useless report, told from the government’s standpoint, reflecting how many final applications get approved. While it isn’t very useful for nuance, it is the only measure we can use to compare last year with the full history of FISA.
  • DNI report: This is the report started in the wake of the Snowden leaks and codified in the USA Freedom Act and last year’s FISA Amendments Act. Parts of this report are very useful, parts are horribly misleading (made worse by new reporting requirements passed in the FAA reauthorization). But it requires more kinds of data than the other two reports.

I’ve been meaning to write more on the transparency reports released some weeks ago (see this post debunking the claim that we can say the FISA Court has rejected more applications than in the past). But given some misunderstandings in this post, I thought it better to lay out some general principles about how to understand what the transparency reports show us.

Consider the full surveillance playing hand

FISA is just one way that the government can collect data used for national security investigations, and because it involves a secret court, it attracts more attention than the many other ways. Worse, it often attracts the focus in isolation from other surveillance methods, meaning even experts fail to consider how authorities work together to provide different parts of the government all the kinds of data they might want. Additionally, an exclusive focus on FISA may blind people to how new restrictions or permissions in one authority may lead to changes in how the government uses another authority.

National security surveillance currently includes at least the following:

  • FISA, including individualized orders, 702, and metadata collection
  • NSLs, providing some kind of metadata with little (albeit increasing) court oversight
  • Criminal investigative methods, collecting content, metadata, and business records; in 2016 this came to include Rule 41 hacking
  • Other means to collect business records, such as private sector contractors or mandated bank reporting
  • The Cybersecurity Information Sharing Act, permitting the private sector to share cyber data “voluntarily” with the government
  • EO 12333: spying conducted overseas under Article II authority; in 2017, the Obama Administration permitted the sharing of raw data within the intelligence community (which includes FBI)

Two examples of how FISA interacts with other authorities may help to demonstrate the importance of considering all these authorities together.

The Internet dragnet moves to PRISM and SPCMA

For virtually the entirety of the time the government collected Internet metadata as metadata domestically, it was breaking the law (because the concepts of metadata and content don’t apply neatly to packet based collection). From 2009 to 2011, the government tried to fake their way through this (in part by playing games with the distinction between collection and access). By the end of 2011, however, that game became legally untenable. Plus, the restrictions the FISA Court imposed on dissemination rules and purpose (NSA was only permitted to collect this data for counterterrorism purposes) made the program less useful. As a result, the government moved the function of chaining on Internet metadata to two different areas: metadata collected under PRISM (which because it was collected as content avoided the legal problems with Internet metadata collection) and metadata collected under EO 12333 and made accessible to analysts under Special Procedures approved in 2008 and extended throughout NSA in early 2011.

Some location collection moves to criminal context

As I’ve laid out, the FISC actually takes notice of rulings in the criminal context — even at the magistrate level — and adjusts FISC rulings accordingly. They’ve done this with both Post Cut Through Dialed Digits and location data. When the FISC adopted a highest common denominator for location collection, it meant that, in jurisdictions where FBI could still obtain location data with a d order, they might do that for national security purposes rather than obtain a PRTT under FISA (to say nothing of the additional paperwork). More recently, we’ve gotten hints that FBI had ways to access cell phones in a national security realm that were unavailable in a criminal realm.

This probably goes on all the time, as FBI Agents make trade offs of secrecy, notice to defendants, paperwork and oversight, and specific collection techniques to pursue national security investigations. We don’t get great numbers for FBI collection in any case, but what we do get will be significantly affected by these granular decisions made in secret.

Understand why surveillance law changes

Additionally, it’s important to understand why surveillance laws get passed.

CISA, for example, came about (among many other reasons) because Congress wouldn’t permit the government to conduct upstream collection using Section 702 for all cybersecurity purposes. Engaging in “voluntary” sharing with backbone providers gave the government data from all kinds of hostile actors (not just nation states), with fewer restrictions on sharing, no court oversight, and no disclosure requirements.

Similarly, to this day, many privacy activists and journalists misunderstand why the government was willing (nay, happy!) to adopt USA Freedom Act. It’s not that the government didn’t collect mobile data. On the contrary, the government had been obtaining cell data from AT&T since 2011, and that was probably a resumption of earlier collection incorporating FISA changed rules on location collection. Nor was it about calling card data; that had been explicitly permitted under the old program. Rather, USAF gave the government the ability to require assistance, just as it can under Section 702. While that was instrumental in getting access to Verizon cell data (which had avoided complying because it did not retain business records in the form that complied with FISA collection rules), that also gave the ability to get certain kinds of data under the “session identifier” definition of call records in the law.

Here’s a post on all the other goodies the government got with USA Freedom Act.

One more important detail virtually unmentioned in coverage of this authority: the 215 dragnet (both the old one and the USAF one) intersects with a far vaster dragnet of metadata collected under 12333. The “bulk” is achieved — and has been since 2009! — using EO 12333 data, data which doesn’t have the same restrictions on things like location data that FISA data does. Section 215 is about getting records (and correlations) that aren’t available overseas, effectively filling in the holes in data collected overseas.

All that is necessary background to understanding numbers that track just FISA (and NSL authorities). FISA is just one part of the always evolving national security collection the government does. And as permissive as a lot of people think FISA is, in many ways it is the most closely regulated part of national security collection.

Contrary to Reports, We Cannot Say FISC Rejected a Record Number of FISA Applications Last Year

When the FISC report of its own surveillance approvals came out last week, some reporters claimed that the report showed the FISC had rejected a record number of surveillance orders.

In my own post on the report, I noted that the rise from 8 to 18 rejected applications under the FISC standard was alarming.

The FISA Court released its second annual report on approval rates today (the obligation to produce such a report dates to 2015 and it produced a partial report covering that year). It shows that the FISA Court rejected and modified far more joint applications last year than the prior year, with just a 70% complete approval last year as compared to a 79% complete approval the year before, as reflected in this table.

[snip]

Most alarming, though, is the rise in outright rejections, from 8 to 18. This suggests the government is trying to wiretap and otherwise surveil people as agents of a foreign power that the FISC doesn’t agree are such.

And all this happened at a time when the government submitted fewer overall combined applications. Remember, the government can and sometimes does take its wiretapping elsewhere if the FISC rejects a practice.

But given that’s using a standard that has only been in place for 2.5 years, we can’t use it to make judgments across historical FISC practice.

I had explained to Whittaker before this that FISC used a different standard than DOJ, and made 4 efforts to get him to correct this headline, to no avail.

DOJ has now released its own version, which tracks approvals for final applications. It shows that while it withdrew two applications (which likely means that of the three applications DOJ withdrew or changed after FISC told the government it would appoint an amicus to review the application, two were for content), all of the final applications it submitted to the court were approved.

During calendar year 2017, the Government filed 1,349 final applications to the Foreign Intelligence Surveillance Court (hereinafter “FISC”) for authority to conduct electronic surveillance and/or physical searches for foreign intelligence purposes. The 1,349 applications include applications made solely for electronic surveillance, applications made solely for physical search, and combined applications requesting authority for electronic surveillance and physical search. Of these, 1,321 applications included requests for authority to conduct electronic surveillance.

Two of these applications were withdrawn by the Government. The FISC did not deny any final, filed applications in whole, or in part. The FISC made modifications to the proposed orders in 154 final, filed applications. Thus, the FISC approved collection activity in a total of 1,319 of the applications that included requests for authority to conduct electronic surveillance.

In other words, we can’t say whether last year was an outlier, with the court rejecting a bunch more applications (though there are reasons to suggest that’s a trend), because the only metric for which we have historical numbers shows the same rubber stamp 100% approval.

Which is another way of saying that for decades the government gave us garbage numbers and only in the wake of the Snowden disclosures are we getting some meaningful metrics (though I Con the Record’s numbers are already headed in the opposite direction, becoming even less useful).

Update: I think there’s still a discrepancy in these reports. Here’s what I understand the numbers to look like (I’ve added 2016 to show how this tracks across time). Last year, to find the total number of final applications (the number DOJ uses), you could simply take the FISC number and subtract the Denied in Full number (1485-8=1477). But if you do that this year (1372-24=1348), you’re off by one. I think that’s because FISC is counting one of the applications the government claims to have withdrawn as a Denied in Part.

In 2017, the Government Withdrew Three FISA Collection Requests Rather than Face an Amicus Review

Last year’s Section 702 Reauthorization law included a bunch of technical fix language describing how appeals of FISA Court of Review decisions should work.

In this post on that technical language, I speculated that Congress may have added the language in response to a denial of a request by the FISCR, about the only thing that would have identified the need for such language.

As one piece of evidence to support that hypothesis, I noted that one of the times the FISC consulted with an amicus (probably Amy Jeffress), it did not make the topic or the result public.

There’s one other reason to think there must have been a significant denial: The report, in the 2015 FISC report, that an amicus curiae had been appointed four times.

During the reporting period, on four occasions individuals were appointed to serve as amicus curiae under 50 U.S.C. § 1803(i). The names of the three individuals appointed to serve as amicus curiae are as follows: Preston Burton, Kenneth T. Cuccinelli II (with Freedom Works), and Amy Jeffress. All four appointments in 2015 were made pursuant to § 1803(i)(2)(B). Five findings were made that an amicus curiae appointment was not appropriate under 50 U.S.C. § 1803(i)(2)(A) (however, in three of those five instances, the court appointed an amicus curiae under 50 U.S.C. § 1803(i)(2)(B) in the same matter).

We know of three of those in 2015: Ken Cuccinelli serving as amicus for FreedomWorks’ challenge to the restarted dragnet in June 2015, Preston Burton serving as amicus for the determination of what to do with existing Section 215 data, and Amy Jeffress for the review of the Section 702 certifications in 2015. (We also know of the consultation with Mark Zwillinger in 2016 and Rosemary Collyer’s refusal to abide by USA Freedom Act’s intent on amici on this year’s reauthorization.) I’m not aware of another, fourth consultation that has been made public, but according to this there was one more. I say Jeffress was almost certainly the amicus used in that case because she was one of the people chosen to be a formal amicus in November 2015, meaning she would have been called on twice. If it was Jeffress, then it likely happened in the last months of the year.

I raise that background because of a detail in the FISC report released yesterday, showing its approvals for 2017. It revealed that FISC told the government on three occasions it might appoint an amicus. On all three occasions, the government withdrew the request rather than undergo a FISC review with even a limited adversary.

During the reporting period, no individual was appointed to serve as amicus curiae by the FISA courts. No findings were made in 2017, pursuant to 50 U.S.C. § 1803(i)(2)(A), that an amicus curiae appointment was not appropriate. There were three matters in which the Court advised the government that it was considering appointment of an amicus curiae to address a novel or significant question of law raised in proposed applications, but the government ultimately did not proceed with the proposed applications at issue, or modified the final applications such that they did not present a novel or significant question of law, thereby obviating a requirement for consideration as to the appropriateness of appointment of amicus. These matters are reflected in the table above as, respectively, a modification to a proposed order, an application denied in full, and an application denied in part. This is the first report including information about such occurrences. A similarly small number of such events occurred during prior reporting periods but were not discussed in the reports for those years.

In one case, the government withdrew an entire application after learning the FISC might appoint an amicus to review the proposed technique. In two others, the final order in one or another way did not include the requested practice.

These three instances are not the first time the government has withdrawn a request after learning FISC would invite adversarial review. While the court doesn’t reveal how many or in what years, it does say that a “similarly small number of such events occurred during prior reporting periods.” Given that there have been just two other reporting periods (the report for part of 2015 and the report covering all of 2016), the language seems to suggest it happened in both years.

That the government has been withdrawing requests rather than submitting them to the scrutiny of an amicus suggests several things.

First, it may be withdrawing such applications out of reluctance to share details of such techniques even with a cleared amicus, not even one of the three who served as very senior DOJ officials in the past. If that’s right, that would reflect some pretty exotic requests, because some of the available amici (most notably former Assistant Attorney General David Kris) have seen all that DOJ was approving with NatSec collection.

Second, remember that for at least one practice (the collection of location information), the government has admitted to opting to use criminal process rather than FISA where more lenient precedents exist in particular jurisdictions. That might happen, for example, if a target could be targeted in a state that didn’t require a warrant for some kinds of location data whereas FISC does.

Starting in 2017, the government would have the ability to share raw EO 12333 data with the FBI, which might provide another alternative means to collect the desired data.

All of which is to say these withdrawals don’t necessarily mean the government gave up. Rather, past history has shown that the government often finds another way to get information denied by the FISC, and that may have happened with these three requests.

Finally, remember that as part of 702 reauthorization last year, Ron Wyden warned that reauthorization should include language preventing the government from demanding that companies provide technical assistance (which obviously includes, but is probably not limited to, bypassing or weakening encryption) as part of 702 directives. The threat the government might do so under 702 is particularly acute, because unlike with individual orders (which is what the withdrawn requests here are), the FISC doesn’t review the directives submitted under 702. Some of these withdrawn requests — which may number as many as nine — may reflect such onerous technical requests.

Importantly, one reason the government might withdraw such requests is to avoid any denials that would serve as FISC precedent for individualized and 702 requests. That is, if the government believed the court might deny an individual request, it might withdraw it and preserve its ability to make the very same demand in a 702 context, where the FISC doesn’t get to review the techniques used.

Whatever the case, the government has clearly been bumping up against the limits of what it believes FISC will approve in individualized requests. But that doesn’t mean it hasn’t been surpassing those limits via one or another technical or legal means.

The FISA Court Accepted 9% Fewer Combined Applications Last Year

The FISA Court released its second annual report on approval rates today (the obligation to produce such a report dates to 2015 and it produced a partial report covering that year). It shows that the FISA Court rejected and modified far more joint applications last year than the prior year, with just a 70% complete approval last year as compared to a 79% complete approval the year before, as reflected in this table.

Approval rates for combined orders, 2017 versus 2016

These are for combined orders, meaning the government wants to collect both data in motion and (collect stored data and/or conduct a physical search). Modifications usually mean additional reporting and/or minimization procedures (meaning the government had to treat the collected data with additional care). An order denied in part might prohibit the collection on one of the selectors submitted to the court, but not a bunch of other ones. An order denied in full would represent a complete rejection of a preliminary order (these won’t show up on DOJ’s numbers because those are fluffed to look good).

There are several things that might explain these numbers. First, the rising modification number might mean the government is using new techniques that present additional privacy concerns — accessing cell phones is a likely one, especially given the Riley SCOTUS precedent. Hacking is another technique that might pose specific privacy concerns, or accessing entire servers.

The denied in part number likely stems from the government asking to surveil selectors that are more attenuated from the actual target. The rejections might reflect individual selectors for which the FISC didn’t agree the government had shown probable cause the selector was being used by an agent of a foreign power.

Most alarming, though, is the rise in outright rejections, from 8 to 18. This suggests the government is trying to wiretap and otherwise surveil people as agents of a foreign power that the FISC doesn’t agree are such.

And all this happened at a time when the government submitted fewer overall combined applications. Remember, the government can and sometimes does take its wiretapping elsewhere if the FISC rejects a practice. I’ll do a follow-up post describing why this report may reflect that that has happened.

Here’s this year’s report, covering 2017, and last year’s report, covering 2016. This post provides background on the requirement and how these reports differ from the required DOJ report. The full tables from the two reports are below. They show an increased rate of modifications for 1861, which are 215 orders, as well.

2018 Report (covering 2017)

2017 Report (covering 2016)

The Trump Toadies Who Are Worried about Being Unmasked

Last week, Zoe Tillman noted this FOIA lawsuit from attorney Gene Schaerr, working on behalf of someone who wants to remain anonymous “at present,” suing to obtain records on the unmasking of Trump campaign and transition officials. The thing is, Schaerr isn’t just asking for unmasking records generally.

The odd collection of people being FOIAed

He’s asking for unmasking records pertaining to a really curious group of people:

  1. Steve Bannon
  2. Rep. Lou Barletta
  3. Rep. Marsha Blackburn
  4. Florida Attorney General Pam Bondi
  5. Rep. Chris Collins
  6. Rep. Tom Marino
  7. Rebekah Mercer
  8. Steven Mnuchin
  9. Rep. Devin Nunes
  10. Reince Priebus
  11. Anthony Scaramucci
  12. Peter Thiel
  13. Donald Trump Jr.
  14. Eric Trump
  15. Ivanka Trump
  16. Jared Kushner
  17. Rep. Sean Duffy
  18. Rep. Trey Gowdy
  19. Rep. Dennis Ross
  20. Pastor Darrell C. Scott
  21. Kiron Skinner

Some of these would be obvious, of course: Trump’s spawn, Bannon, Priebus, and Mnuchin. I’m really interested to see Rebekah Mercer (especially given the more we learn on Cambridge Analytica). Mooch is there. The litigious Peter Thiel is there (making him at least a reasonable candidate to be paying for this lawsuit, except for reasons I lay out below).

Mike Flynn, the one person we know to have been unmasked, is not in there (which is particularly odd given all the efforts to find some way to unring Flynn’s guilty plea, though that came after this FOIA was filed).

Then there are the eight members of Congress (in addition to the corrupt FL AG, Pam Bondi, who helped Trump out of a legal pinch in FL after Trump gave her a donation).

Lou Barletta, who’s a loud opponent of “illegal immigration,” a member of the Homeland Security Committee, and who, not long after this FOIA was first filed, prepared a challenge to PA’s Bob Casey in the Senate last year.

Marsha Blackburn, who works on a number of data issues in Congress, and is running to replace Bob Corker as TN Senator. Blackburn worked closely with Tom Marino to shield pharma and pill mills from DEA reach.

Chris Collins from upstate NY. His most interesting committee assignment is on Energy and Commerce, though he has worked on broadband issues.

Tom Marino, former US Attorney for Pennsyltucky who is on the Judiciary Committee. Trump tried to make him the Drug Czar, until it became clear he had pushed through a bill that hurt DEA’s ability to combat the opioid epidemic.

Devin Nunes, whose efforts to undermine the Mueller investigation have been epic, and who first manufactured the unmasking scandal. He’d be a great candidate to be Schaerr’s client, except he would probably just leak this information, which he has already seen.

Sean Duffy, a WI congressman who is chair of the investigations subcommittee of the Financial Services committee, and has been an opponent of CFPB.

Trey Gowdy took over as Chair of the Oversight Committee last year and also serves on the Judiciary and Intelligence Committees. Because of those appointments, even without being designated by Devin Nunes to take the lead on the Mueller pushback, he would have already had the most visibility on the Mueller investigation. But because Nunes put him in charge of actually looking at the intelligence, he is the single Republican who has seen the bulk of the Mueller investigative materials. During Nunes week, he announced his retirement suddenly, and has warned about the seriousness of the Mueller investigation, and he just gave a crazy interview to Fox News (which I’ll return to).

Dennis Ross, from FL, serves on the Financial Services committee.

On top of the Republicans, the list includes two of the few African Americans (with David Clarke, Omarosa, and Tim Scott) who supported Trump. Darrell Scott was head of a Michael Cohen invented diversity group hastily put together in April 2016. Kiron Skinner is a legit scholar of Reagan who teaches at Carnegie Mellon and has a bunch of other appointments.

As I said, aside from the big obvious players, this list is a curious collection. Of note, however, four people on it should have a sound understanding of how NSA spying and FISA work: Thiel, Nunes, Gowdy, and Marino. But (again aside from the big players), the international ties of most of these people (Thiel and Skinner are big exceptions) are not readily apparent.

The whack understanding of FISA laid out in the complaint

I’m interested in the FISA knowledge of some people named in this list because of the crazy depiction of FISA that the complaint lays out.

The complaint highlights two departments of NSA, claiming they’re the ones that deal with improper use of intelligence (but does not include the Inspector General).

On information and belief, at least two departments within the NSA handle complaints regarding the improper use of intelligence. These departments are known publicly by the codes “S12,” a code name apparently referring to the agency’s Information Sharing Services authority, and “SV,” a code name apparently referring to the agency’s Oversight and Compliance authority.

As part of the FOIA to NSA, Schaerr asked for anything submitted to these departments.

All reports made to S12 and SV regarding improper dissemination of any individual listed in Question 2, above. See National Security Agency, United States Signals Intelligence Directive 18, § 7.5 (January 25, 2011).

That’s an oddly specific request, unless whoever is behind this request knows there are reports there.

That might suggest Nunes, Gowdy, or Marino is behind the request. But then consider how unbelievably wrong the complaint gets FISA.

After introducing FISA, it turns exclusively to Section 702, which is odd because the unmasking pseudo-scandal has thus far been based off the unmasking of individual orders.

Plaintiff’s requests in this case concern the Defendants’ use of the Foreign Intelligence Surveillance Act of 1978 (FISA).1 Section 702 of FISA (“Section 702”) empowers the Attorney General and the Director of National Intelligence to jointly authorize “the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” 50 U.S.C. § 1881a(a) (emphasis added). Section 702 expressly forbids use of this surveillance process to target persons who are either “United States persons” or located “inside the United States.” Id. at 1881a(b).

The complaint then makes three utterly false statements about how labor is divided between the FBI, NSA, and CIA.

14. The FBI collects data on outgoing communications, i.e., from persons in the United States to persons outside the United States.

15. The NSA collects data on incoming communications, i.e., from persons outside the United States to persons inside the United States.

16. The CIA, like the FBI and NSA, analyzes the information that comes from the FBI’s and NSA’s data collection. Unlike the other agencies, the CIA uses the information to engage in international intelligence operations.

The FBI collects on domestic targets, which can include incoming and outgoing comms, plus anything domestic (such as Sergey Kislyak’s calls across town to Mike Flynn; update — the December 29 calls would have been from DC to Dominican Republic, where Flynn was vacationing). The NSA likewise collects incoming and outgoing comms, as well as stuff that takes place entirely overseas (though very little of the latter is done under 702). Both the other agencies, in addition to CIA, use FISA information to engage in international intelligence operations.

The complaint then claims, in contradiction to a bunch of public information, that minimization equates to completely anonymizing US person data.

Section 702 also requires that foreign intelligence surveillance be conducted consistently with “minimization procedures.” Id. § 1881a(e)(1). These procedures are designed to “minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons,” but in a manner still “consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” Id. § 1801(h)(1). As relevant here, minimization procedures must be designed to ensure the anonymity of United States persons who may be incidentally surveilled. Id. § 1801(h)(1), (2).

This comment comes immediately after a paragraph on finished intelligence reports, so this may be an incorrect statement of what masking is.

It then makes a claim about how data gets circulated that entirely ignores the sharing of raw data under 702, and further makes claims relying on this article that aren’t actually supported by the article (admittedly, the article doesn’t describe the sharing of raw data, but its focus is primarily on traditional FISA).

Generally, original raw intelligence is not circulated to other agencies; instead, intelligence reports are created and circulated internally. See, e.g., Gregory Korte, What is ‘unmasking?’ How intelligence agencies treat U.S. citizens, USA Today, (Apr. 4, 2017; 2:14 p.m.), https://www.usatoday.com/story/news/politics/2017/04/04/what-unmasking-how-intelligence-agencies-treat-us-citizens/100026368. In the process of summarizing the intelligence, agencies exclude the names of U.S. citizens from the reports, referring to them instead with identifiers like “U.S. Person 1.” Id.

The complaint then describes what sounds like a muddle of upstream collection and back door searches, but gets both wrong.

The NSA also has the ability to search the internet data it collects by entering the name of an individual into a database search tool. This process is known as “upstreaming” and has the effect of creating additional raw intelligence that may contain the names of American persons. Such intelligence is also subject to the usual masking requirements and procedures.

This is wrong because upstream collection uses selectors, not names, whereas back door searches, which can use a name, are done by all three agencies. Such intelligence would not necessarily be masked at FBI if it made it into an investigative report.

The complaint then points to that godawful Circa report that itself muddles the difference between 702 and 704/705b to claim that there were upstream violations during the campaign cycle.

News reports—as well as a declassified Foreign Intelligence Surveillance Court (FISC) opinion—also note that some Americans had their names upstreamed, in violation of internal policies, during the 2016 election cycle, which the opinion described as a “serious Fourth Amendment issue.” See Declassified FISC Court opinion at 19-20, available at http://bit.ly/FISCopApril2017; Circa News, Obama intel agency secretly conducted illegal searches on Americans for years, May 23, 2017), https://www.circa.com/story/2017/05/23/politics/obama-intel-agencysecretly-conducted-illegal-searches-on-americans-for-years.

The violations in question, while serious, actually involve back door searches on upstream collection, and to the extent the searches were done on 704/705b targets, would only have happened were there an individualized FISA order against one of the named people (in fact, NSA’s back door searches on US persons are generally limited to people with individualized orders, those who may be targets of a foreign power, or urgent searches following a terrorist attack or similar situation).

In short, it’s a remarkable garble of how FISA really works. That doesn’t exclude Nunes’ involvement (I would hope both Marino and Gowdy have a better understanding of FISA than this, but don’t guarantee it). But it seems to be an attempt to declassify stuff it knows about, even while it exhibits a remarkable misunderstanding of what it’s talking about.

So why are all these Trump toadies worried about being unmasked?

All of which brings me to the puzzle: what the hell is his anonymous client up to? Why is the client concerned about this specific selection of transition officials, but not (say) Mike Flynn?

Update: Laura Rozen notes that this list is the list provided here, except with this chunk taken out, and with some weird alpha order going on.

 

Andy Finds an Acorn: The Searches of Carter Page’s Devices

I’ve long argued that Trump opponents should include Andrew McCarthy among the right wing Trump defenders they read. That’s true, in part, because he at least feigns to be considering the public evidence (though I think he has long since gotten swept up in tribalism). Moreover, as a former prosecutor who worked on some high visibility national security cases, he knows how these things worked fifteen years ago.

His piece on the Adam Schiff memo is typical of his current work. Virtually every single point is easily refuted; most are laughable, such as when he claims the FBI’s use of Page’s 2013 interview to prosecute some spies means his March 2016 interview was truthful.

The memo does note that “the FBI also interviewed Page multiple times about his Russian intelligence contacts.” Apparently, these interviews stretch back to 2013. The memo also lets slip that there was at least one more interview with Page in March 2016, before the counterintelligence investigation began. We must assume that Page was a truthful informant since his information was used in a prosecution against Russian spies and Page himself has never been accused of lying to the FBI.

McCarthy also adheres to the GOP propaganda line that “Democrats conveniently omit is that … the Russian spies explicitly regarded him as an ‘idiot’ (and they had not even seen him on cable TV),” which I mocked in this piece at Vice.

The Republican response to the evidence that the Trump campaign named Page a foreign policy advisor around the same time the FBI interviewed him over suspected ties with Russian spies is perhaps the most pathetic thing in here. Among other things, it complains that the Schiff memo doesn’t mention that “a Russian intelligence officer called Page ‘an idiot.’”

So the latest Memoghazi arguments might best be summarized this way: After Democrats convincingly argued Trump made a suspected Russian asset a key foreign policy advisor, Republicans insisted that doesn’t matter because the suspected Russian asset was a moron.

On one point (a point I’ve been making), however, McCarthy is right.

The Schiff memo reveals, for the first time, that DOJ obtained a FISA order covering both electronic surveillance and “physical search.” Not many people understand this, but DOJ uses physical search orders not just to authorize FBI agents to search through a person’s home, but also to search through that person’s electronic devices (and cloud providers’ cloud storage). As I explained in my post on FISA and the Space-Time Continuum, using a physical search order allows the government to search far back in time.

Domestically, there are two kinds of collection: 1805, which is the collection of data in motion — an old fashioned wiretap, and 1824, which is called a “physical search” order. The government likes to hide the fact that the collection of data at rest is accomplished with an 1824 physical search order, not 1805. So an 1824 order might be used to search a closet, or it might be used to image someone’s hard drive. Most often, 1805 and 1824 get combined, but not always (the FISC released a breakdown for these last year).

Of course (as the Gartenlaub case will show), if you image someone’s hard drive, you’re going to get data from well before the time they’ve been under a FISA order, quite possibly even from before you’ve owned your computer.

In Keith Gartenlaub’s case, a physical search order was used to conduct a black bag search of his home, during which the FBI imaged and subsequently searched the saved hard drives from the last three computers Gartenlaub had used, going back a decade, which is how FBI found child porn that hadn’t been accessed in a decade.

And, as McCarthy notes (though without explaining the electronic/physical distinction), in the case of Carter Page, depending on what minimization procedures the FISC imposed, a physical search order approved on October 21, 2016 might allow FBI to search his devices for communications he had between March and September 2016, when he was a member of the Trump campaign.

What Democrats fail to mention is that the surveillance enabled the FBI to intercept not only his forward-going communications but also any stored emails and texts he might have had. Clearly, they were hoping to find a motherlode of campaign communications. Remember, Page was merely the vehicle for surveillance; the objective was to probe Trump ties to Russia.

I’ve explained that the near-certainty that NSA obtained a 705(b) order on Page for when he traveled to Moscow, London, and the Emirates in December and January would make such backwards looking surveillance even more likely.

I’m not sure that amounts to using Page as a vehicle to surveil the Trump campaign. Depending on how you count it, FISC modified somewhere between 112 and 310 applications in 2016, easily more than they ever had before (my guess is the big spike in numbers has to do with their consideration of the Riley SCOTUS precedent as they approve more orders accessing iPhones). Modifications are how minimization procedures show up in FISA counts, and imposing limits on what the government might access from Page’s devices is the kind of thing I’d expect to see out of the FISC.

Still, McCarthy doesn’t know that FBI used Page as a vehicle; the FBI could easily argue they were trying to protect Trump from the suspected spy the campaign’s non-existent vetting had invited into its midst. And he couldn’t know whether targeting Page allowed FBI to access campaign-related communications without knowing what kind of minimization procedures were imposed, if any.

A real oversight committee would make answering such a question a priority, because it’s the kind of question that goes to the core of the impact of the Page order on Trump’s campaign, but also because the question of how FISC orders permit FBI to access decades of information is a fairly important legal issue, not least in the Ninth Circuit in the Gartenlaub case.

Alas, HPSCI is not that real oversight committee, and so no one appears to be asking that question.
