Apple’s Transparency Numbers Suggest Claims of Going Dark Overblown

Apple recently released its latest transparency report for the period ending June 30, 2015. By comparing the numbers for two categories with previous reports (2H 2013, 1H 2014, 2H 2014) we can get some sense of how badly Apple’s move to encrypt data has really thwarted law enforcement.

Thus far, the numbers show that “going dark” may be a problem, but nowhere near as big of one as, say, NY’s DA Cy Vance claims.

The easier numbers to understand are the national security orders, presented in the mandated bands.

Since the iPhone 6 was introduced in September 2014, the numbers for orders received have gone up — one band in the second half of 2014, and two more bands in the first half of this year. Curiously, the number of accounts affected hasn’t gone up that much, possibly only tens or a hundred more accounts. And Apple still gets nowhere near the magnitude of requests Yahoo does, which number over 42,000.

Equally curiously, in the last period, Apple clearly received more NatSec orders than accounts affected, which is the reverse of what other companies show (before Apple had appeared close to one-to-one). One thing that might explain this is the quarterly renewal of Pen Register orders for metadata of US persons (which might be counted as 4 requests for each account affected).

In other words, clearly NatSec requests have gone up, proportionally significantly, though Apple remains a tiny target for NatSec requests compared to the bigger PRISM participants.

The law enforcement account requests are harder to understand.

Note, Apple distinguishes between device requests, which are often users seeking help with a stolen iPhone, and account requests, which are requests for either metadata or content associated with an account (and could even include purchase records). The latter are the ones that represent law enforcement trying to get data to investigate a user, and that’s why I’ve laid out the latter data here [note, I fully expect to have made some data errors here, and apologize in advance — please let me know what you see!!].

Here, too, Apple has seen a significant increase, of 23%, over the requests it got in the second half of last year. Though, note, the iPhone 6 introduction would not be the only thing that would affect this: so would, probably, the June 2014 Riley Supreme Court decision, which required law enforcement to get a warrant to access cell phones and would also lead law enforcement to ask Apple for data more often.

Interestingly, however, there were fewer accounts implicated in the requests in the last half of the year, suggesting that for some reason law enforcement was submitting requests with a slew of accounts listed for each request. Whereas last year, LE submitted an average of over 6.5 accounts per request, this year they have submitted fewer than 3 accounts per request. This may reflect that LE was submitting more identifiers from the same account — who knows?

The percentage of requests where content was obtained has gone up too, from 16% in 2013 to 24% in the first period including the iPhone 6 to 30% last quarter. Indeed, over half the period-on-period increase this period may stem from an increase in content requests (that is, the 107 more requests where content was obtained in the first half of the year, which was a period in which Apple got 183 more requests overall). Still, that number, 107 more successful requests for content this year than the second half of last year, seems totally disproportionate to NYC DA Cy Vance’s claim that the NYPD was unable to access the content in 74 iPhones since the iPhone 6 was established (though note, that might represent 1 request for content from 74 iPhones).

Perhaps the most interesting numbers to compare are the number of times Apple objected (because the agency didn’t have the right kind of legal process or a signed document) and the number of times Apple disclosed no data (which would include all those times Apple successfully objected — which appears to include all those in the first number — as well as those times Apple didn’t have the account, as well as times Apple was unable to hand over the data because a user hadn’t used default iCloud storage for messages). [Update, to put this more simply, the way to find the possible number of requests where encryption prevented Apple from sharing information is to subtract the Apple objected number from the no data number.] In the second half of 2013, Apple did not disclose any data 28.5% of the time. In the first half of this year, Apple did not disclose any data in just 18.6% of requests. Again, there are a lot of reasons why Apple would not turn over any data at all. But in general, cops are getting data more of the time when they give Apple requests than they were a few years ago.

More importantly, for just 65 cases in the first half of this year and 80 cases in the second half of last year did Apple not turn over any data for a request for reasons other than some kind of legal objection — and those numbers are both lower than the two half years preceding them. Each of those requests might represent hundreds of phones, but overall it’s a tiny number. So tiny it’s tough to understand where the NYPD’s 74 locked iPhones fit in (unless they did request data and Apple actually had it).

There’s one more place where unavailable encrypted data might show up in these numbers: in the number of specific accounts for which data was disclosed. But as a percentage, what happened this year is not that different from what happened in 2013. In the second half of 2013, Apple provided some data (and this can be content or metadata) for 57.6% of the accounts specified in requests. In the first half of this year, Apple provided some data for 51.6% of the accounts specified in requests — not that huge a difference. And of course, the second half of last year, which may be an outlier, but during much of which the iPhone 6 was out, Apple provided data for 88.5% of the accounts for which LE asked for data.

Overall, it’s very hard to see where the FBI and other law enforcement agencies are going dark — though they are having to ask Apple for content more often (which I consider a good thing).

Update: In talking to EFF’s Nate Cardozo about Apple’s most recent report, we agreed that Apple’s new category for Emergency Requests may be one other place where iPhone data is handed over (it doesn’t exist in the reports for previous half year periods). Apple defines emergency content this way:

Table 3 shows all the emergency and/or exigent requests that we have received globally. Pursuant to 18 U.S.C. §§ 2702(b)(8) and 2702(c)(4) Apple may voluntarily disclose information, including contents of communications and customer records, to a federal, state, or local governmental entity if Apple believes in good faith that an emergency involving imminent danger of death or serious physical injury to any person requires such disclosure without delay. The number of emergency requests that Apple deemed to be exigent and responded to is detailed in Table 3.

Given the scale of Apple’s other requests, though not in the scale of cloud requests comparatively, these are significant numbers, especially for the US (107) and UK (98).

Of significant note, Apple may give out content under emergency requests.

This is more likely to be a post-Riley response than an encryption response, but still notable given the number.

Someone Tell Bill Nelson Apple Isn’t a Telecom and that Metadata Is Available with Encryption

There were a number of interesting exchanges in the Senate Armed Services Committee on cybersecurity hearing today, which I’ll return to in a bit. But for the moment I wanted to point to this bizarre exchange featuring Bill Nelson.

Nelson: Admiral, I’m concerned about all of these private telecoms that are going to encrypt. If you have encryption of everything, how, in your opinion, does that affect Section 702 and 215 collection programs?

Rogers: It certainly makes it more difficult.

Nelson: Does the Administration have a policy position on this?

Rogers: No. I think we’re still — I mean, we’re the first to acknowledge this is an incredibly complicated issue, with a lot of very valid perspectives. And we’re still, I think, collectively trying to work through what’s the right way ahead, here, recognizing that there’s a lot of very valid perspectives but from the perspective as CyberCommand and NSA as I look at this issue, there’s a huge challenge here that we have got to deal with.

Nelson: A huge challenge? And I have a policy position. And that is that the telecoms better cooperate with the United States government or else … it just magnifies the ability for the bad guys to utilize the Internet to achieve their purposes.

Bill Nelson is apparently very upset by the increasing use of encryption, but seems to believe Apple — which is at the center of these discussions — is a telecom. I’m happy to consider Apple a “phone company,” given that iMessage messages would go through the Internet and Apple rather than cell providers, and I think the IC increasingly thinks of Apple as a phone company. But it’s not a telecom, which is a different legal category.

He also believes that Apple’s encryption would hurt NSA’s Section 215 collection program. And NSA Director Mike Rogers appears to agree!

It shouldn’t. While Apple’s use of encryption will make it harder to get iMessage content, the metadata should still be available. So I’m rather curious why it is that Rogers agreed with Nelson?

In any case, Nelson doesn’t seem very interested in why Rogers immediately noted how complicated this question is — this is, after all, a hearing on cybersecurity and we know the Administration admits that more widespread encryption actually helps cybersecurity (especially since sophisticated hackers will be able to use other available encryption methods).

But I am intrigued that Rogers didn’t correct Nelson’s assertion that encryption would hurt the Section 215 program.

Update: This, from Apple’s transparency report, is one more reason Rogers’ agreement that encryption creates problems for the Section 215 program is so curious.

To date, Apple has not received any orders for bulk data.

Preston Burton Was Not Necessarily Appointed to Represent Privacy Interests; Was He Appointed to Undercut EFF?

In my post on Michael Mosman’s appointment of Preston Burton as an amicus to decide whether NSA should be permitted to keep bulk telephony data collected under section 215 past November 28, 2015 I noted he was appointed pursuant to provisions of USA F-ReDux. But I want to correct something: Burton was not — at least not necessarily — appointed to protect civil liberties and privacy.

In his order appointing Burton, here’s how Mosman cited USA F-ReDux.

This appointment is made pursuant to section 103(i)(2)(B) of the Foreign Intelligence Surveillance Act (“FISA”), codified at 50 U.S.C. § 1803(i)(2)(B), as most recently amended by the USA FREEDOM Act, Pub. L. No. 114-23, 129 Stat. 268, 272 (2015).


By the terms of 50 U.S.C. § 1803(i)(2)(A), the Court “shall appoint” to serve as amicus curiae an individual who has been designated as eligible for such service under section 1803(i)(1) “to assist … in the consideration of any application for an order or review that, in the opinion of the court, presents a novel or significant interpretation of the law, unless the court issues a finding that such appointment is not appropriate.” Under section 1803(i)(1), the presiding judges of the Foreign Intelligence Surveillance Court and the Foreign Intelligence Surveillance Court of Review have until November 29, 2015, to jointly designate individuals to serve as amici under section 1803(i)(1). To date, no such designations have been made. Under present circumstances, therefore, the appointment of such an individual “is not appropriate” under section 1803(i)(2)(A), because, as of yet, there are no designated individuals who can serve.

Section 1803(i)(2)(B) provides that the Court “may appoint an individual or organization to serve as amicus curiae … in any instance as such court deems appropriate.” Persons appointed under this provision need not have been designated under section 1803(i)(1). Pursuant to section 1803(i)(3)(B), however, they must “be persons who are determined to be eligible for access to classified information, if such access is necessary to participate in the matters in which they may be appointed.”

Here, the Court finds it appropriate to appoint Preston Burton as amicus curiae under section 1803(i)(2)(B). Mr. Burton is well qualified to assist the Court in considering the issue specified herein. The Security and Emergency Planning Staff (SEPS) of the Department of Justice has advised that he is eligible for access to classified information.

Effectively, he points to the new language on amicus curiae as “codifying” the authority FISC already had (and has already used, when permitting Center for National Security Studies to file an amicus on phone dragnet orders and tech companies to submit amici briefs in discussions about transparency, though the latter was dismissed before the court considered those briefs, not to mention FISCR’s permission of ACLU and NACDL to submit briefs in In Re Sealed Case in 2002).

He then notes that he cannot appoint one of the 5 selected amici set up to consider “novel or significant interpretation of law” because FISC hasn’t gotten around to appointing those 5 people yet (they have until early December to do so and seem to be taking their time).

He then points to a second means of appointing an amicus — 1803(i)(2)(B) — which says the court “may” appoint an amicus “in any instance as such court deems appropriate or, upon motion, permit an individual or organization leave to file an amicus curiae brief,” as his basis for appointing Burton.

Mosman doesn’t explain why he “finds it appropriate” to appoint an amicus here, unlike when he deemed FreedomWorks an amicus addressing the issue of whether USA F-ReDux restored the phone dragnet to its prior state and therefore justified another phone dragnet order. This is what he said in that instance.

The Court finds that the government’s application “presents a novel or significant interpretation of the law” within the meaning of section 103(i)(2)(A). Because, understandably, no one has yet been designated as eligible to be appointed as an amicus curiae under section 103(i)(2)(A), appointment under that provision is not appropriate. Instead, the Court has chosen to appoint the Movants as amici curiae under section 103(i)(2)(B) for the limited purpose of presenting their legal arguments as stated in the Motion in Opposition and subsequent submissions to date.

Nor does Mosman explain what, in particular, qualifies Burton to serve as amicus here, which might provide some insight as to why he decided it appropriate to appoint an amicus at all. He just says he’s qualified and is eligible for access to classified information. Even under the appointed amici, FISC can appoint someone for reasons other than privacy, and that’s all the more true for this optional appointment.

So reports — including by me! — that Burton would represent the interests of civil liberties may not be correct. For all we know, he could be representing the interests of the spies or DC Madams.

I find Mosman’s silence on his appointment of Burton interesting for two reasons.

First, the genesis of this entire request and deferral is unclear. Back in July — after it had gotten its first post-USA F-ReDux order, and a month before this current one was approved — ODNI issued a statement out of the blue asserting they could keep the data.

On June 29, 2015, the Foreign Intelligence Surveillance Court approved the Government’s application to resume the Section 215 bulk telephony metadata program pursuant to the USA FREEDOM Act’s 180-day transition provision. As part of our effort to transition to the new authority, we have evaluated whether NSA should maintain access to the historical metadata after the conclusion of that 180-day period.

NSA has determined that analytic access to that historical metadata collected under Section 215 (any data collected before November 29, 2015) will cease on November 29, 2015. However, solely for data integrity purposes to verify the records produced under the new targeted production authorized by the USA FREEDOM Act, NSA will allow technical personnel to continue to have access to the historical metadata for an additional three months.

Separately, NSA remains under a continuing legal obligation to preserve its bulk 215 telephony metadata collection until civil litigation regarding the program is resolved, or the relevant courts relieve NSA of such obligations. The telephony metadata preserved solely because of preservation obligations in pending civil litigation will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.

When that second dragnet order came out in August, I noticed NSA had applied for authority to keep the data, but that Mosman had deferred his answer to whether they could.

The Application requests authority for the Government to retain BR metadata after November 28, 2015, in accordance with the Opinion and Order of this Court issued on March 12, 2014 in docket number BR 14-01, and subject to the conditions stated therein, including the requirement to notify this Court of any material developments in civil litigation pertaining to such BR metadata. The Application also requests authority, for a period ending on February 29, 2016 for appropriately trained and authorized technical personnel (described in subparagraph B. above) to access BR metadata to verify the completeness and accuracy of call detail records produced under the targeted production orders authorized by the USA FREEDOM Act. The Court is taking these requests under advisement and will address them in a subsequent order or orders. Accordingly, this Primary Order does not authorize the retention and use of BR metadata beyond November 28, 2015.

So for some reason, ODNI was asserting they were going to keep the data before they had asked whether they could — or perhaps when ODNI made that assertion someone at DOJ or in FISC realized they needed to ask permission first. I have asked ODNI for an explanation on this. Update: ODNI General Counsel Bob Litt didn’t exactly explain the timing, but did say “No one ever had any doubt that we would have to ask the court” for permission to keep this data.

But I also find Mosman’s silence about why he appointed Burton curious given that the FISC judge clearly thinks both retention issues — whether the data should be retained under EFF’s protection order issued in NDCA, and whether the data can be retained for 3 months after expiration of the 6 month extension for technical verification — are at issue.

That’s because there’s a far more qualified potential amicus to address the EFF retention issue: EFF. Indeed, Jon Eisenberg, who argued the al-Haramain suit, is a Special Counsel associated with EFF, and he either still has or is qualified to have a Top Secret clearance, and still gets classified documents in Gitmo detainee suits. Particularly given DOJ’s serial failure to accurately represent the nature of EFF’s suit (post one, post two, post three), and DOJ’s failure to notice Reggie Walton (to say nothing of Yahoo itself) of all issues relevant to Yahoo’s challenge of Protect America Act, it would be far better to have someone who has worked on these issues already and who at least has an association with EFF to weigh in, because the FISC is going to get a far better idea of the issues involved, including the stakes for privacy. So why did Mosman appoint a less qualified amicus to address this issue?

Luckily, in deeming FreedomWorks an appropriate amicus in June, Mosman has demonstrated a willingness to appoint amici for the other reason permitted under 103(i)(2)(B), because an organization asks for leave to file one. So maybe EFF should ask! I’ve asked EFF if they will respond to this appointment, but have not received an answer.

The big question, in that situation, would be whether EFF would be given the same information he has already promised to Burton, which includes the application to the court. Again, given DOJ’s serial misinformation of the court on the EFF request, it would sure be interesting to see what representations it made in that application.

Q: Whose Secrets Are More Sensitive than the DC Madam’s? A: NSA’s.

On September 17, FISC Judge Michael Mosman appointed the first known amicus under the terms laid out in USA F-ReDux; notice of which got posted yesterday (Mosman could have done so before USA F-ReDux, of course, but he did cite the statute in making the appointment). The question this amicus will help him determine is whether FISC should permit the government to retain bulk collected data past November 28, when the six month extension of the program ends. The government wants to retain the data it is collecting today for three months to make sure the new dragnet program collects the same data as the last one. But the data in question also includes data being held under an old protection order renewed last year as part of EFF’s suits against government dragnets; I suspect that data would show the extent to which one of the plaintiffs in EFF’s First Unitarian Church suit was dragnetted, and as such is critical to showing injury in that suit.

Mosman had deferred the decision on whether or not to let the government keep that data when he signed the August 28 dragnet order.

So who is the lawyer who will represent the interests of civil liberties and privacy in this question? [Update: In this post, I note Mosman may not have appointed Burton to represent privacy at all.]

White collar defense attorney Preston Burton. In addition to Russian moles Aldrich Ames and Robert Hanssen, Burton represented Monica Lewinsky and the DC Madam, Deborah Jeane Palfrey.

Burton is, undoubtedly, an excellent lawyer. And his experience representing the biggest spies of the last several decades surely qualifies him to work with the phone dragnet data, including data that probably shows NSA mapped out an entire civil liberties organization’s structure using the phone dragnet 5 years ago. Though given this description, it’s not clear Burton would learn of that information from the government’s application, which is what he’ll get.

Pursuant to 50 U.S.C. § 1803(i)(6)(A)(i), the Court has determined that the government’s application (including exhibits and attachments) and the full, unredacted Primary Order in this docket are relevant to the duties of the amicus. By September 22, 2015, or after receiving confirmation from SEPS that the amicus has received the appropriate clearances and access approvals for such materials, whichever is later, the Clerk of the Court shall make these materials available to the amicus.

Moreover, remember the government can claim privilege over this data and not share it with Burton. Mosman even invited the government to tell the Court sharing information with Burton was not consistent with national security (though he set a deadline for doing so for September 21, so I assume they did not complain).

But it’s entirely unclear to me why Burton would be picked to represent the privacy interests of Americans, including those whose First Amendment rights had been violated under this program, in deciding whether to keep or destroy this data. Mosman made no mention of those interests when he explained his choice.

Mr. Burton is well qualified to assist the Court in considering the issue specified herein. The Security and Emergency Planning Staff (SEPS) of the Department of Justice has advised that he is eligible for access to classified information.

Which is why I take this to be one more in the series of Burton’s famous clients, in which discretion about DC’s secrets is the most important factor.

Delusional DOJ Claims Documents Declassified, Released Under FOIA Not Declassified, Not Authentic

Back in March, NYT’s Charlie Savage sued to get the NSA to respond to a FOIA request asking for “copies of — and declassification review of, as necessary” a bunch of things, including IG reports on “bulk phone records collection activities under Section 215 of the PATRIOT Act.”

In late August, they delivered an installment of their response to that suit to him including a series of IG Reports on the 215 program. Among other things, the FOIA response included an August 2, 2010 letter to FISC Judge John Bates referring to a compliance violation in Docket BR 10-10 (the order is dated February 26, 2010). In referring to the caption of that docket (and the caption redactions in other dockets are consistent in size), it named Verizon Wireless.

As I pointed out at the time, this provides Larry Klayman and other Verizon Wireless subscribers challenging the phone dragnet a basis to establish standing to sue. While in the Klayman suit, Judge Richard Leon invited Klayman just to add a plaintiff who subscribed to Verizon Business Services, in Northern CA, EFF requested the 9th Circuit take judicial notice of the document.

So now DOJ has gone a bit batshit. (Josh Gerstein first reported on this here.) It mocks that EFF head Cindy Cohn “apparently believes” it fair to conclude Verizon Wireless took part in the phone dragnet because of a reference to “a company name that includes the term ‘Verizon Wireless’ in the caption of a purported FISC filing” that happens to govern the entire phone dragnet. It suggests the accuracy of the document DOJ gave to Savage can be reasonably questioned, apparently disputing its own FOIA response to Savage. And it bitches that EFF “does not contend that this document was declassified,” even though it was given to Savage pursuant to his request for “declassification review [] as necessary.”

In short, in an effort to argue the document doesn’t say what it says (which may, I admit, not mean what it says, but such is the wackiness of the secret FISA Court and the secret phone dragnet), DOJ is saying that DOJ didn’t provide Charlie Savage authentic, declassified documents like he sued to get. DOJ uses words like “purported” to describe DOJ’s own FOIA response.

I mean, I’ll grant you, those of us outside DOJ often doubt the accuracy of their FOIA responses to us. But usually DOJ at least pretends they’re giving us authentic documents.

DOJ Threatens to Invoke State Secrets Over Something Released in FOIA

In a hearing today, Judge Richard Leon said that Larry Klayman could pursue his dragnet challenge by adding a plaintiff who did business with Verizon Business Services. But as part of Klayman’s effort, he noted — weakly — that evidence got released showing Verizon Wireless was included in the dragnet. Klayman cited just the Charlie Savage article, not the document released under FOIA showing VZ Wireless on a FISC caption (though I presume his underlying 49 page exhibit includes the actual report — just not necessarily with the passage in question highlighted).

It was disclosed on August 12, 2015 by Charlie Savage of The New York Times that Verizon Wireless, as this Court had already ruled in its Order of December 16, 2013, at all material times was conducting and continuing to conduct unconstitutional and illegal dragnet “almost Orwellian” surveillance on Plaintiffs and millions of other American citizens. See Exhibit 1, which is a Government document evidencing this, incorporated herein by reference, and see Exhibit 2, the New York Times article.

Moreover, Klayman surely overstated what the inclusion of VZ Wireless in a phone dragnet Primary Order caption from 2010 showed. Which probably explains why DOJ said “The government has not admitted in any way, shape, or form that Verizon Wireless participated” in the Section 215 phone dragnet, according to Devlin Barrett.

The point is, they should have to explain why it is that, according to a document they’ve released, VZ Wireless was targeted under the program. Perhaps we’ll get that in Northern California, where EFF very competently pointed to what evidence there was.

Which is why the government’s threat to invoke state secrets was so interesting.

The Court should avoid discovery or other proceedings that would unnecessarily implicate classified national-security information, and the potential need to assert and resolve a claim of the state secrets privilege: Plaintiffs’ proposed amendments, in particular their new allegations regarding the asserted participation of Verizon Wireless in the Section 215 program, implicate matters of a classified nature. The Government has acknowledged that the program involves collection of data from multiple telecommunications service providers, and that VBNS (allegedly the Little Plaintiffs’ provider) was the recipient of a now-expired April 25, 2013, FISC Secondary Order. But otherwise the identities of the carriers participating in the program, now, or at any other time, remain classified for reasons of national security. See Klayman, 2015 WL 5058403, at *6 (Williams, S.J.).

At this time the Government Defendants do not believe that it would be necessary to assert the state secrets privilege to respond to a motion by Plaintiffs for expedited injunctive relief that is based on the allegations of the Little Plaintiffs, or even the proposed new allegations (and exhibit) regarding Verizon Wireless. Nor should it be necessary to permit discovery into matters that would risk or require the disclosure of classified national-security information and thus precipitate the need to assert the state secrets privilege. Nevertheless, if Plaintiffs were permitted to seek discovery on the question of whether Verizon Wireless is now or ever has been a participating provider in the Section 215 program, the discovery sought could call for the disclosure of classified national-security information, in which case the Government would have to consider whether to assert the state secrets privilege over that information.

As the Supreme Court has advised, the state secrets privilege “is not to be lightly invoked.” United States v. Reynolds, 345 U.S. 1, 7 (1953). “To invoke the . . . privilege, a formal claim of privilege must be lodged by the head of the department which has control over the matter after actual personal consideration by that officer.” Id. at 7-8. To defend an assertion of the privilege in court also requires the personal approval of the Attorney General. Policies and Procedures Governing Invocation of the State Secrets Privilege at 1-3. The Government should not be forced to make so important a decision as whether or not to assert the state secrets privilege in circumstances where the challenged program is winding down and will end in a matter of weeks. Moreover, discovery into national-security information should be unnecessary to the extent the standing of the newly added Little Plaintiffs, and the appropriateness of injunctive relief, may be litigated without resort to such information.

If, however, discovery into national-security information is permitted, the Government must be allowed sufficient time to give the decision whether to assert the state secrets privilege the serious consideration it requires. And if a decision to assert the privilege is made, the Government must also be given adequate time to prepare the senior-level declarations and other materials needed to support the claim of privilege, to ensure that the national security interests at stake are appropriately protected. See, e.g., Mohamed v. Jeppesen Dataplan, Inc., 614 F.3d 1070, 1077, 1090 (9th Cir. 2009).

I think it’s quite possible that VZW was not turning over phone records under the Section 215 program in 2010 (which is quite another matter than suggesting NSA was not obtaining a great deal, if not most, of VZW phone records generally). I believe it quite likely NSA obtained some VZW records under Section 215 during the 2010 period.

But I also believe explaining the distinctions between those issues would be very illuminating.

Meanwhile, the threat of stalling, with all the attendant rigamarole, served to scare Leon — he wants this to move quickly as badly as Klayman does. After all, Leon will have much less ability to issue a ruling that will stand after November 28, when the current dragnet dies.

We shall see what happens in CA when DOJ attempts to make a similar argument.

Transcribing James Clapper

Hamid Karzai refused to meet with Obama during a surprise visit just after MYSTIC disclosures, so Obama called from Air Force One instead.


Yesterday, during the Q&A to his speech at INSA (which is where defense and intelligence contractors huddle with government paymasters), James Clapper conceded that Edward Snowden brought needed transparency but had also damaged operations. Rather than obliquely pointing to the exposure that Skype was no longer safe from surveillance, as he and his ilk normally do, Clapper pointed to what he claimed was a concrete example: what journalists have reported as revelations about full take cell phone content (SOMALGET or MYSTIC) leading to loss of access in Afghanistan.

After Clapper made the claim, a lot of reporters did what reporters do: they transcribed his comments uncritically. Lots of journalists did this, but here’s WaPo’s version from Ellen Nakashima:

One of the disclosures based on documents leaked by Edward Snowden, the former National Security Agency contractor, prompted the shutdown of a key intelligence program in Afghanistan, the nation’s top spy said Wednesday.

“It was the single most important source of force protection and warning for our people in Afghanistan,” Director of National Intelligence James R. Clapper Jr. said at an intelligence conference.

He was addressing a question about the impact of revelations by Snowden, whose leaks led to a global debate about the proper scope of U.S. surveillance at home and abroad.

Nakashima and other reporters assumed Clapper meant the MYSTIC/SOMALGET program, which Nakashima noted the WaPo first described (on March 18, 2014), followed by The Intercept two months later (on May 19, 2014), followed by WikiLeaks revealing Afghanistan as the target country several days later (on May 23, 2014). [Update: Note Cryptome correctly determined Afghanistan was the country on May 19, the day the Intercept published.]

Having laid all that out, however, Nakashima doesn’t quote the part of Clapper’s answer that would either discredit his description or reveal it’s something else. Here’s Ars Technica’s transcription of that part of it.

And programs that had a real impact on the security of American forces overseas, including one program in Afghanistan, “which he exposed and Glenn Greenwald wrote about, and the day after he wrote about it, the program was shut down by the government of Afghanistan,” Clapper noted.

If it’s the MYSTIC/SOMALGET program Clapper was really talking about, then his claim is self-refuting. Because either folks in Afghanistan recognized the program themselves back when WaPo wrote about it in March 2014, or probably didn’t until WikiLeaks confirmed they were the target. It wouldn’t have been Greenwald’s story, in which he withheld the information the government requested in any case.

For the moment, I’m going to assume that was the program, but let’s remember it might not be.

If so, consider what Clapper has done. As I mentioned, normally when people want to beat up Snowden, they point to his disclosure NSA had compromised Skype. But they never confirm that — they just mention it obliquely. Here, Clapper has confirmed the thing (actually just one of the things) that NSA had asked Greenwald to withhold. Given how vague WikiLeaks was about how they knew (after all, they’re not known to have the Snowden documents themselves), if this is MYSTIC/SOMALGET it seems that Clapper has definitively confirmed something that was at least of unknown provenance before.

Although, for reasons of source protection we cannot disclose how, WikiLeaks has confirmed that the identity of victim state is Afghanistan.

In other words, Clapper has confirmed something that hadn’t been confirmed before, precisely because the journalists involved had deferred to the government’s request not to publish it.

Or did he?

Clapper claimed “the program was shut down by the government of Afghanistan.”

Admittedly, the MYSTIC/SOMALGET disclosures came at an awkward time for US-Afghan relations. Hamid Karzai had been pushing back against night raids, prisoner transfers, and CIA militias. In part because the US wouldn’t cede Afghan sovereignty on such issues, Karzai was refusing to sign the Bilateral Security Agreement (raising the same kind of SOFA negotiation problems that forced us to withdraw troops from Iraq). Throughout this two month period, the election and run-off were going on.

So the disclosure that the US had compromised Afghanistan’s entire cell phone system — and implicitly, had copies of every cell call that Karzai and his potential replacements might make — would surely anger the Afghans, especially Karzai. Notably, two days after the WikiLeaks disclosure, Karzai refused to meet when President Obama made a surprise visit to the country on May 25, so (as shown by the White House image above) Obama called him from Air Force One instead.

But if that’s the case — if Afghanistan forced the US to shut down the full-take collection of cell phone content even as Obama was making surprise last minute visits (which may even have been an attempt to convince Karzai to reverse that decision) — then the fault lies not just, or even primarily, with Snowden. It lies with a long history of US refusal to cede to Afghanistan’s demands for some kind of functional sovereignty. This telecom disclosure may have been one more in a series of aggravations, but it was by no means the only one. Moreover, given that President Ghani’s relationship with the US is, thus far at least, far better than Karzai’s was at the time, it’s quite possible he has permitted the US to resume full-take collection.

James Clapper would be a lot more likely to confirm that Afghanistan had shut down NSA’s full-take collection if it had been resumed again under Karzai’s successor. Not least, because it would provide adversaries with false confidence the NSA didn’t have full take coverage.

Now consider this description of the Bahamian fallout from the equivalent disclosure. It shows that two parties were involved — the country’s telecom as well as the government. Indeed, all stories on this make it clear telecom providers are centrally involved in the collection program.

Moreover, the Intercept version of the story makes it quite clear they withheld not just the target country, but also the provider at the center of it.

The NSA documents don’t specify who is providing access in the Bahamas. But they do describe SOMALGET as an “umbrella term” for systems provided by a private firm, which is described elsewhere in the documents as a “MYSTIC access provider.” (The documents don’t name the firm, but rather refer to a cover name that The Intercept has agreed not to publish in response to a specific, credible concern that doing so could lead to violence.) Communications experts consulted by The Intercept say the descriptions in the documents suggest a company able to install lawful intercept equipment on phone networks.

And they withheld it for the same reason, because revealing it would lead to violence. That provider name has not been made public (though for a variety of reasons I think that’s the key secret here). Shutting down the system would have to involve, at a minimum, the Afghan government, this provider, plus Afghanistan’s multiple cell providers.

There are more reasons to believe Clapper’s story is bullshit. From the 2005 STELLAR WIND disclosures, which revealed the US was collecting all US-Afghanistan calls, to reports as early as 2008 that the Taliban were targeting cell providers because they recognized the security risk the networks posed, there is zero chance our adversaries in Afghanistan were unaware that the US had close to full dominance over the communications lines. There were also earlier Snowden disclosures — including Tempora, XKeyscore, and what sounded like transcripts obtained using a Stingray from an Afghan raid — that would have confirmed that view. The US is collecting close to everything from most countries where it remains at war, via a variety of overlapping means. There’s little about this disclosure in particular that added to the risk — but then, our adversaries had long been learning of our tactics and adjusting accordingly.

There is, then, the possibility it was one of these other disclosures Clapper was whining about — such as the potential Stingray one.

But if Clapper was talking about SOMALGET, and if it is true that the full-take collection got shut down, it means he and the government are blaming Snowden for long-term mismanagement of the Afghan relationship. It also may well mean that Ghani has let the US resume collection and Clapper’s public “confirmation” was designed — in addition to launching some unwarranted shots at Edward Snowden — to create the false impression the collection remains inactive.

James Clapper is a confirmed liar. Even setting aside his lies to Congress, it is his job to lie to adversaries. While that doesn’t mean journalists shouldn’t report what he says, there’s a great deal of context that should accompany such transcriptions.

Stingrays and Public Safety Operations

In my piece on the loopholes in the new Stingray policy, I noted that public safety applications for Stingray use might fall under what the policy calls the “exceptional circumstances” that aren’t exigent but nevertheless don’t require a warrant.

I’m not sure whether the exigent/emergency use incorporates the public safety applications mentioned in the non-disclosure agreements localities sign with the FBI, or if that’s included in this oblique passage.

There may also be other circumstances in which, although exigent circumstances do not exist, the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. In such cases, which we expect to be very limited, agents must first obtain approval from executive-level personnel at the agency’s headquarters and the relevant U.S. Attorney, and then from a Criminal Division DAAG. The Criminal Division shall keep track of the number of times the use of a cell-site simulator is approved under this subsection, as well as the circumstances underlying each such use.

In short, many, if not most, known uses are included in exceptions to the new policy.

We know there are public safety applications, because they are permitted even to localities by FBI’s Non-Disclosure Agreements.


I suspect these uses are for public events to both track the presence of known targets and to collect who was present in case of any terrorist event or other serious disruption. Indeed, for a lot of reasons — notably the odd testimony of FBI’s telecom forensics witness, the way FBI’s witnesses were bracketed off from investigators, and some oddness about when and how they found the brothers’ phones (and therefore the brothers) — I suspect someone was running Stingrays at the Boston Marathon. A Stingray (or many) deployed at public events to help protect them (assuming, of course, the terrorists that attack such an event aren’t narcs for the DEA, as people have speculated Tamerlan Tsarnaev was).

Newsweek asked DOJ whether that exceptional circumstances paragraph covered the use of Stingrays in public places included in a policy released by the FBI in December and they confirmed it does (here’s my post on the December release, which anticipates all the loopholes in the policy I IDed the other day).

In December 2014, the FBI, which falls under Justice Department’s new policy, explained to members of Congress the situations in which it does not need a warrant to deploy the technology. They include: “(1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.”

Newsweek reached out to the Justice Department to determine whether its new policy allows the FBI to continue using stingrays without warrants in public places. In short, it does, fitting within the policy’s “exceptional circumstances” category.

“If somebody is in a public park, that is a public space,” Patrick Rodenbush, a Justice Department spokesman, says as an example, adding the condition that “circumstances on the ground make obtaining a warrant impracticable,” though he did not elaborate on what “impracticable” entails. But the dragnet nature of stingray collection means cellphone data of a person sitting in a nearby house may be picked up as well. “That’s why we have the deletion policy that we do,” Rodenbush responds. “In some cases it’s everyday that [bystander information] is deleted, it depends what they are using it for.… In some cases it is a maximum of 30 days.”

He adds: “The circumstances under which this exception will be granted will be very limited. Agents operating under this exception are still required to obtain a court order pursuant to the Pen Register Statute, and comply with the policy’s requirements to obtain senior-level department approval.”

Equally important as admitting that DOJ will use this in public places (like big sporting events) is Rodenbush’s confirmation that DOJ will obtain only Pen Registers for these uses.

That means they’ll virtually never get noticed to defendants, because the government will claim the evidence did not get introduced in court (just as no evidence collected from a Stingray was introduced, if they were used, in Dzhokhar’s case; in Dzhokhar’s case there was always another GPS device that showed his location).

The more I review this new policy and the December one the more I’m convinced they change almost nothing except the notice to the judge and the minimization (both still important improvements), except insofar as they recreate ignorance of Stingray use precisely in cases like public safety operations.


Did FBI Use Katrina as an Excuse for DIY Location Collection?

[Figure: FISA PRTT bar graph]

Last week, Muckrock’s Shawn Musgrave wrote a piece showing that, in the wake of Katrina and a slew of other 2005 hurricanes, in 2006 FBI’s Wireless Intercept and Tracking Team said they needed more equipment from Harris Corporation, the maker of Stingrays. They justified it because the hurricanes degraded the capabilities of something, which remains redacted. But as Musgrave notes, the storms took out a lot of the telecom infrastructure, which may be what the redacted passages describe.

“In the summer of 2005, the U.S. Gulf Coast bore the brunt of several hurricanes, including Hurricane Katrina which severely degraded the capabilities of the [redacted],” the memo reads in part. Subsequent, heavily redacted sentences suggest that the storm crippled the FBI’s capacity to conduct certain types of cell phone tracking operations via equipment on-hand at the time of landfall.


Hurricane Katrina incapacitated wide swaths of telecommunications infrastructure along the Gulf Coast, including thousands of cell phone towers. Power outages also meant many people were unable to recharge their mobile devices. It’s thus unclear which Harris Corporation product the FBI’s cell phone tracking team identified as a critical solution.

In other words, it appears that almost a year after Katrina, the FBI used the 2005 damage to telecom infrastructure as justification for getting an urgent purchase of Harris equipment, possibly Stingrays, approved.

I find the timing curious. After all, Congress approved a slew of funding right after Katrina. And Congress was debating budgetary issues in October 2005. While there’s nothing that ties this request to a budget request, it just seems odd that FBI would have identified a need in September 2005, and then sat on that urgent request until the following July. Though that July request specifically mentioning Katrina seems to be the same request that got filed in March and was in process in April that did not mention Katrina in unredacted sections. That’s not as distant from the hurricanes that purportedly identified the need, but still an odd delay for something urgent.

There’s something else that was happening in 2005 and 2006, though, that may have been as central in creating a need for Stingrays as damage to telecom equipment caused by hurricanes.

On October 14, 2005, a magistrate judge in Texas refused a request to yoke a Pen Register order onto a subscriber record subpoena to obtain location data from a telecom. Then some other magistrates started joining in. This created two problems. First, how would FBI get that location information in criminal cases? But also, in December 2005, Congress moved towards limiting the use of Section 215 orders to things that may be obtained with a subpoena, a move that would become official with the renewal of the PATRIOT Act on March 9, 2006. So even while magistrates were hashing out how the FBI might obtain such information from telecoms in garden variety criminal cases (a debate that is currently before SCOTUS), FISC and the government appear to have been having the same debate behind closed doors. In February 2006, FISC required briefing on what appears to be a parallel use of PRTT combined with a subpoena — a FISA PRTT yoked to a Section 215 order. And while the exact timing isn’t clear, we know those combined orders ended in 2006.

In other words, hurricanes may have damaged telecom infrastructure leading FBI to rely more on Stingrays. But at the same time, the legal landscape for location requests was changing, perhaps even more dramatically on the FISA side than on the criminal side.

And we know — yesterday’s change in policy admitted to FISA uses for Stingrays, though we knew this already — that FBI does use Stingrays to obtain location data under FISA as well as under criminal cases.

Katrina may have created part of the need for FBI to do more Do It Yourself location tracking, bypassing the telecoms. But legal issues created a need too, and I’d be willing to bet that the big urgency to expand FBI’s DIY location tracking abilities in 2006 had quite a bit to do with the need to find another way of location tracking, preferably one with a lot fewer people reviewing the paperwork involved.

If I’m right, then it would suggest some interesting things about the fluctuations in PRTTs (I stole the table above from EPIC). That is, in 2006, there were significant drops in PRTTs, followed by a huge drop in 2008.

On the criminal side, FBI still gets PRTT orders when it uses a Stingray. I assume the same is true on the FISA side (though it would be a lot harder to enforce here, especially because no defendant would ever get notice). But we also know the government has been hiding bulk collection under single orders, so it wouldn’t take too many orders to incorporate a lot of people.

Did FBI stock up on Harris equipment because of the weather, or because of the law?

The Loopholes in DOJ’s New Stingray Policy

DOJ just announced a new policy on use of Stingrays which requires a warrant and minimization of incidentally-collected data. It’s big news and an important improvement over the status quo.

But there are a few loopholes.

Exigent and emergency uses

First, the policy reserves exigent uses. The exigent uses include most of DOJ agencies’ known uses of Stingrays now.

These include the need to protect human life or avert serious injury; the prevention of the imminent destruction of evidence; the hot pursuit of a fleeing felon; or the prevention of escape by a suspect or convicted fugitive from justice.


In addition, in the subset of exigent situations where circumstances necessitate emergency pen register authority pursuant to 18 U.S.C. § 3125 (or the state equivalent), the emergency must be among those listed in Section 3125: immediate danger of death or serious bodily injury to any person; conspiratorial activities characteristic of organized crime; an immediate threat to a national security interest; or an ongoing attack on a protected computer (as defined in 18 U.S.C. § 1030) that constitutes a crime punishable by a term of imprisonment greater than one year.

We know the US Marshals are the most frequent admitted users of Stingrays — they’d be covered in prevention of escape by a fugitive. DEA seems to use them a lot (though I think more of that remains hidden). That’d include “conspiratorial activities characteristic of organized crime.” And it’s clear hackers are included here, which includes the first known use, to capture Daniel Rigmaiden.

And I’m not sure whether the exigent/emergency use incorporates the public safety applications mentioned in the non-disclosure agreements localities sign with the FBI, or if that’s included in this oblique passage.

There may also be other circumstances in which, although exigent circumstances do not exist, the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. In such cases, which we expect to be very limited, agents must first obtain approval from executive-level personnel at the agency’s headquarters and the relevant U.S. Attorney, and then from a Criminal Division DAAG. The Criminal Division shall keep track of the number of times the use of a cell-site simulator is approved under this subsection, as well as the circumstances underlying each such use.

In short, many, if not most, known uses are included in exceptions to the new policy.

Notice to defendants

The many known uses of Stingrays where warrants would not be necessary — and where DOJ would therefore just be using a PRTT — are of particular importance given the way new disclosure requirements work. There are, to be sure, admirable new requirements to tell judges what the fuck they’re approving and what it means. But nothing explicitly says defendants will not get noticed. DOJ has said no past or current usage of Stingrays will get noticed to defendants. And all these non-warrant uses of Stingrays won’t be noticed either, probably. In other words, this returns things to the condition where defendants won’t know — because they would normally expect to see a warrant that wouldn’t exist in these non-warrant uses.

Sharing with localities

The policy doesn’t apply to localities, which increasingly have their own Stingrays they permit federal agencies to use. Curiously, the language applying this policy to federal cooperation with localities would suggest the federal rules only apply if the Feds are supporting localities, not if the reverse (FBI borrowing Buffalo’s Stingray, for example) is the case.

The Department often works closely with its State and Local law enforcement partners and provides technological assistance under a variety of circumstances. This policy applies to all instances in which Department components use cell-site simulators in support of other Federal agencies and/or State and Local law enforcement agencies.

Thus, it may leave a big out for the kind of cooperation we know to exist.

National security uses

Then, of course, the policy only applies in the criminal context, though DOJ claims it will adopt a policy “consistent” with this one on the FISC side.

This policy applies to the use of cell-site simulator technology inside the United States in furtherance of criminal investigations. When acting pursuant to the Foreign Intelligence Surveillance Act, Department of Justice components will make a probable-cause based showing and appropriate disclosures to the court in a manner that is consistent with the guidance set forth in this policy.

BREAKING! FBI has been using Stingrays in national security investigations! (Told ya!)

This language is itself slippery. FISC use of Stingrays probably won’t be consistent on the FISC side (even accounting for the many ways exigent uses could be claimed in national security situations), because we know that FISC already has different rules for PRTT on the FISC side, in that it permits collection of post cut through direct dialed numbers — things like extension numbers — so long as that gets minimized after the fact. The section on minimization here emphasizes the “law enforcement” application as well. So I would assume that not only will national security targets of Stingrays not get noticed on it, but they may use different minimization rules as well (especially given FBI’s 30 year retention for national security investigation data).

Other agencies’ use of Stingrays for content

DOJ suggests that DOJ never collects content using Stingrays by stating that its Stingrays always get set not to collect content.

Moreover, cell-site simulators used by the Department must be configured as pen registers, and may not be used to collect the contents of any communication, in accordance with 18 U.S.C. § 3127(3). This includes any data contained on the phone itself: the simulator does not remotely capture emails, texts, contact lists, images or any other data from the phone. In addition, Department cell-site simulators do not provide subscriber account information (for example, an account holder’s name, address, or telephone number).

But the rest of the policy makes it clear that department agents will work with other agencies on Stingray use. Some of those — such as JSOC — not only would have Stingrays that get content, but can even partner within the US with FBI.  So DOJ hasn’t actually prohibited its agencies from getting content from a Stingray (domestically — it goes without saying they’re permitted to do so overseas), just that it won’t do so using its own Stingrays.

Funny definitional games

Finally, while not necessarily a loophole (or at least not one I completely understand yet), I’m interested in this definition.

In the context of this policy, the terms “collection” and “retention” are used to address only the unique technical process of identifying dialing, routing, addressing, or signaling information, as described by 18 U.S.C. § 3127(3), emitted by cellular devices. “Collection” means the process by which unique identifier signals are obtained; “retention” refers to the period during which the dialing, routing, addressing, or signaling information is utilized to locate or identify a target device, continuing until the point at which such information is deleted.

This definition (which only applies to this policy and therefore perhaps not to national security uses of Stingrays) employs an entirely different definition for collection and retention than other collection that relies on collection then software analysis. Under upstream collection, for example, the government calls this definition of “retention” something closer to “collection.” Don’t get me wrong — this is probably a better definition than that used in other contexts. But I find it funny that FBI employs such different uses of these words in very closely connected contexts.

So, in sum, this is a real victory, especially the bit about actually telling judges what they’re approving when they approve it.

But there are some pretty obvious loopholes here….

Update: ACLU also welcomes this while pointing to some of the limits of the policy.

Update: Here are some of my posts on the FISA uses of PRTT, including (we now know) Stingrays.
