FISA

1 2 3 153

The Government’s Classified Briefing to HJC: A New Certificate?

As I noted, after years of legislating Section 702 of the FISA Amendments Act in public, yesterday the House Judiciary Committee had a closed hearing on it, which raises all sorts of questions about what has changed.

The agencies presenting to the committee did provide an unclassified statement for the record that is mostly stuff we know (one of the most interesting details is that it considers upstream telephony collection to be a different kind of collection than upstream Internet collection). But it does provide 3 examples of things that it would explain to the committee in classified session. One is utterly predictable: examples of counterterrorism intelligence obtained under Section 702.

Section 702 collection is a major contributor to NSA’s counterterrorism reporting and on other topics as well. Since its enactment in 2008, the number of signals intelligence reports issued by NSA based at least in part on Section 702 collection has grown exponentially. CIA and FBI state that they have acquired highly valuable and often unique intelligence through Section 702 collection. Numerous real-life examples that demonstrate the broad range of important information that the Intelligence Community has obtained can be provided to the Committee in a classified setting. While these examples which identify specific targets and operations must remain classified, the following declassified example provides just one instance of the many contributions Section 702 has made to our national security.

Of course, the IC shouldn’t be permitted to present such things in secret, as so many of their cases have been shown to be bogus (or not provided 702 notice) in the past. It is now down to one unclassified case — Najibullah Zazi — where they used 702, and that wasn’t even all that central (which may be why they never did get 702 notice).

The other two are more interesting. They include:

  • What certificates the government has approved: “The Government will describe in a classified setting the certification or certifications under which the Government is currently acquiring foreign intelligence information.”
  • The contributions of Section 702 data to other kinds of foreign intelligence collection: “The Board further acknowledged the Section 702 program’s value in acquiring other foreign intelligence information, examples of which can be provided in a classified setting.”

Recall, as late as 2011, the IC was known to have 3 certificates a counterterrorism certificate, a counterproliferation one, and a foreign government one, which serves as a grab bag. Because it was so obvious the IC was using Section 702 for cybersecurity, I mistakenly claimed they had a cyber certificate, but as late as 2012, they had not yet obtained one. Perhaps the IC needed classified session to explain all this.

But how weird would it be to brief HJC on a Section 702 cyber certificate while DHS and DOJ are implementing OmniCISA, which will enable upstream searches for cyber signatures within the US? Perhaps that’s what they were doing, but it would be interesting timing.

Which makes me wonder, again, about whether there’s another kind of certificate, perhaps one targeted at Tor?

In any case, there is something significant about the set of certificates the IC has or is asking for (probably the former, given that it makes a big show here of releasing the documents tied to the 2014 certification process, but not those tied to the 2015 certification process).

I’m sure that’s not the only thing the IC wanted to brief HJC on in secret. But it does appear to be one thing they did brief in secret. (Side note: I have reason to believe the IC did not tell the truth, even within the IC, about what certificates they got at the beginning of the PRISM process, so at least this would suggest they’re now being more forthcoming.)

What Secrets Are the Spooks Telling HJC about Section 702?

There’s a paper that has been making waves, claiming it has found a formula to debunk conspiracies based on the likelihood if they were real, they would have already been leaked. Never mind that people have already found fault with the math, the study has another glaring flaw. It treats the PRISM program — and not, say, the phone dragnet — as one of its “true” unknown conspiracies.

PRISM — one part of the surveillance program authorized by Section 702 of the FISA Amendments Act — was remarkable in that it was legislated in public. There are certainly parts of Section 702 that were not widely known, such as the details about the “upstream” collection from telecom switches, but even that got explained to us back in 2006 by Mark Klein. There are even details of how the PRISM collection worked — its reliance on network mapping, the full list of participants. There are details that were exposed, such as that the government was doing back door searches on content collected under it, but even those were logical guesses based on the public record of the legislative debates.

Which is why it is so remarkable that — as I noted here and here — House Judiciary Committee Chair Bob Goodlatte has scheduled a classified hearing to cover the program that has been the subject of open hearings going back to at least 2008.

The hearing is taking place as we speak with the following witnesses.

  • Mr. Robert S. Litt
    General Counsel
    Office of the Director of National Intelligence
  • Mr. Jon Darby
    Deputy Director for Analysis and Production, Signals Intelligence Directorate
    National Security Agency
  • Mr. Stuart J. Evans
    Deputy Assistant Attorney General for Intelligence, National Security Division
    U.S. Department of Justice
  • Mr. Michael B. Steinbach
    Assistant Director for Counterterrorism
    Federal Bureau of Investigation

This suggests there is either something about the program we don’t already know, or that the government is asking for changes to the program that would extend beyond the basic concept of spying on foreigners in the US using US provider help.

I guess we’re stuck wildarseguessing what those big new secrets are, given the Intelligence Community’s newfound secrecy about this program.

Some observations about the witnesses. First, between Litt and Evans, these are the lawyers that would oversee the yearly certification applications to FISC. That suggests the government may, in fact, be asking for new authorities or new interpretations of authorities.

Darby would be in charge of the technical side of this program. Since the PRISM as it currently exists is so (technologically) simple, that suggests the new secrets may involve a new application of what the government will request from providers. This might be an expansion of upstream, possibly to bring it closer to XKeyscore deployment overseas, possibly to better exploit Tor. Remember, too, that under USA Freedom Act, Congress authorized the use of data collected improperly, provided that it adheres to the new minimization procedures imposed by the FISC. This was almost certainly another upstream collection, which means there’s likely to be some exotic new upstream application that has caused the government some problems of late.

Note that the sole FBI witness oversees counterterrorism, not cybersecurity. That’s interesting because it would support my suspicions that the government is achieving its cybersecurity collection via other means now. But also that any new programs may be under the counterterrorism function. Remember, the NatSec bosses, including Jim Comey, just went to Silicon Valley to ask for help applying algorithms to identify terrorism content. Remember, too, that such applications would have been useless to prevent the San Bernardino attack if they were focused on the public social media content. So it may be that NSA and FBI want to apply algorithms identifying radicalizers to private content.

Finally, and critically, remember the Apple debate. In a public court case, Apple and the FBI are fighting over whether Apple can be required to decrypt its customers’ smart device communications. The government has argued this is within the legal notion of “assistance to law enforcement.” Apple disagrees. I think it quite possible that the FBI would try to ask for decryption help to be included under the definition of “assistance” under Section 702. Significantly, these witnesses are generally those (including Bob Litt and FBI counterterrorism) who would champion such an interpretation.

Jim Sensenbrenner Flip-Flops Wildly on Value of Classified Hearings

Jenna McLaughlin has a report on what I noted here — House Judiciary Committee Chair Bob Goodlatte has scheduled a classified hearing to talk about Section 702 of the FISA Amendments Act on February 2. In it, she includes this unbelievable quote from Jim Sensenbrenner.

“Closed briefings are necessary for members of Congress to ask questions about classified information,” said Judiciary Committee member Jim Sensenbrenner, R-Wisc., in a statement to The Intercept. “However, I would support a subsequent open hearing on Section 702 of the Foreign Intelligence Surveillance Act because transparency and public discussion are critical to the reform and reauthorization of Section 702.”

It’s unbelievable because, after Sensenbrenner made some horseshit claims of ignorance immediately after Edward Snowden revealed the phone dragnet that had been authorized by legislation Sensenbrenner had authored, people started asking why he hadn’t gone to the classified hearings, at which DOJ briefed members about the dragnet (and FBI later lied about the abuses carried out in executing that dragnet).

Sensenbrenner’s spokesperson explained back in 2013 that he didn’t go to those classified hearing because he didn’t want to be restrained by confidentiality.

Asked whether his boss had attended any of those sessions during that period, Sensenbrenner spokesperson Ben Miller said the congressman “does not want to be limited by the restraints of confidentiality. Therefore, he believes in an open dialogue by which legislative solutions can be constructed and passed into law before the public.” Miller said Sensenbrenner had “attended confidential briefings in the past,” but didn’t say how many, which ones, or whether any dealt directly with the “sensitive” application of section 215.

[snip]

“While some members of Congress were briefed, particularly those on the intelligence committees, most, including myself, were not,” Sensenbrenner wrote in a column for The Guardian newspaper. Sensenbrenner did not disclose, as his spokesperson did for this story, that he chooses not to attend the briefings.

So back in 2013, when Sensenbrenner was disclaiming any responsibility for a dragnet, he didn’t to be restrained by what he gets told in a classified hearing.

But now, at a time when Congress might consider stopping FBI from doing its uncounted back door searches of people it has no evidence against, Sensenbrenner says “closed briefings are necessary.”

Given what 2013 Sensenbrenner said about the importance of conducting these discussions in the light of day, and given that Section 702 has always been debated in public, I would suggest Sensenbrenner’s support for closed hearings now suggests the fix is in.

One wonders what squeals of outrage Sensenbrenner will make in 2023 after new abuses of Section 702 get disclosed?

 

Silencing Whistleblowers, 12 Years Later

As reported by Zoe Tillman, Thomas Tamm, the first whistleblower to go to Eric Lichtblau with reports of Stellar Wind, is being investigated for ethical violations by the DC Bar. The complaint alleges he failed to report that people within DOJ were violating their legal obligations to superiors, up to and including the Attorney General, and that he took confidences of his client (which the complaint defines as DOJ) to the press.

The question, of course, is why the Bar is pursuing this now, years after Tamm’s actions became public. Tillman describes the complaint as having had some kind of virgin birth, from Bar members reading the news accounts rather than someone complaining.

D.C. Disciplinary Counsel Wallace Shipp Jr. declined to comment on the charges against Tamm. The ethics case was opened in 2009, but the charges weren’t filed until late December. The disciplinary counsel’s office has working in recent years to clear a backlog of old cases.

Shipp said the disciplinary counsel’s office launched the investigation after reading about Tamm’s case in news reports. It was opened under the office’s name, which generally means there is no outside complainant.

That’s a funny explanation, given that the complaint doesn’t reference the press reports, most notably Michael Isikoff’s 2008 report on Tamm’s whistleblowing, which describes Tamm going to two of his superiors (though not, admittedly, all the way to Attorney General Ashcroft).

It’s unclear to what extent Tamm’s office was aware of the origins of some of the information it was getting. But Tamm was puzzled by the unusual procedures—which sidestepped the normal FISA process—for requesting wiretaps on cases that involved program intelligence. He began pushing his supervisors to explain what was going on. Tamm says he found the whole thing especially curious since there was nothing in the special “program” wiretap requests that seemed any different from all the others. They looked and read the same. It seemed to Tamm there was a reason for this: the intelligence that came from the program was being disguised. He didn’t understand why. But whenever Tamm would ask questions about this within OIPR, “nobody wanted to talk about it.”

At one point, Tamm says, he approached Lisa Farabee, a senior counsel in OIPR who reviewed his work, and asked her directly, “Do you know what the program is?” According to Tamm, she replied: “Don’t even go there,” and then added, “I assume what they are doing is illegal.” Tamm says his immediate thought was, “I’m a law-enforcement officer and I’m participating in something that is illegal?” A few weeks later Tamm bumped into Mark Bradley, the deputy OIPR counsel, who told him the office had run into trouble with Colleen Kollar-Kotelly, the chief judge on the FISA court. Bradley seemed nervous, Tamm says. Kollar-Kotelly had raised objections to the special program wiretaps, and “the A.G.-only cases are being shut down,” Bradley told Tamm. He then added, “This may be [a time] the attorney general gets indicted,” according to Tamm. (Told of Tamm’s account, Justice spokesman Boyd said that Farabee and Bradley “have no comment for your story.”)

Compare that version with how the complaint describes Tamm doing precisely what the complaint says he failed to do.

Respondent learned that these applications involved special intelligence obtained from something referred to as “the program.” When he inquired about “the program” of other members of the Office of Intelligence Policy and Review, he was told by his colleagues that it was probably illegal.

Isikoff describes Tamm going to two of his superiors, “a senior counsel in OIPR who reviewed his work,” and “the deputy OIPR counsel,” the former of one of whom is the one who told him “I assume what they are doing is illegal.” The complaint rewrites that story — what ostensibly is the source of the complaint — and turns these superiors into “colleagues.”

Mind you, according to this story, there is one superior within OIPR to whom Tamm didn’t go: Counsel James Baker. He was the guy who was laundering applications to the FISC in ways Colleen Kollar-Kotelly found unacceptable.

Baker, of course, is currently the General Counsel of FBI, someone who reviews a slew of applications for larger programs, including those that go to FISC.

So 12 years after Tamm leaked DOJ’s secrets to the NYT, he is being investigated by the Bar because he didn’t go to the right superiors with his complaints, one of who just happens to be the FBI General Counsel.

After Lying in a Closed Surveillance Briefing in 2011, Intelligence Community Plans Another Closed Briefing

On May 18, 2011, 48 members of the House (mostly Republicans, but also including MI’s Hansen Clarke) attended a closed briefing given by FBI Director Robert Mueller and General Counsel Valerie Caproni on the USA PATRIOT Act authorities up for reauthorization. The hearing would serve as the sole opportunity for newly elected members to learn about the phone and Internet dragnets conducted under the PATRIOT Act, given Mike Rogers’ decision not to distribute the letter provided by DOJ to inform members on the secret dragnets they were about to reauthorize.

During the hearing, someone asked,

Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?

One of the briefers — the summary released under FOIA does not say who — responded,

To the FBI’s knowledge, those authorities have not been abused.

As a reminder, hearing witness Robert Mueller had to write and sign a declaration for the FISC two years earlier to justify resuming full authorization for the phone dragnet because, as Judge Reggie Walton had discovered, the NSA had conducted “daily violations of the minimization procedures” for over two years. “The minimization procedures proposed by the government in each successive application and approved and adopted as binding by the orders of the FISC have been so frequently and systemically violated that it can fairly be said that this critical element of the overall BR regime has never functioned effectively,” Walton wrote in March 2009.

Now, I can imagine that whichever FBI witness claimed the FBI didn’t know about any “abuses” rationalized the answer to him or herself using the same claim the government has repeatedly made — that these were not willful abuses. But Walton stated then — and more evidence released since has made clear he was right since — that the government simply chose to subject the vast amount of US person data collected under the PATRIOT Act to EO 12333 standards, not more stringent PATRIOT Act ones. That is, the NSA, operating under FBI authorizations, made a willful choice to ignore the minimization procedures imposed by the 2006 reauthorization of the Act.

Whoever answered that question in 2011 lied, and lied all the more egregiously given that the questioner had no way of phrasing it to get an honest answer about violations of minimization procedures.

Which is why the House Judiciary Committee should pointedly refuse to permit the Intelligence Committee to conduct another such closed briefing, as they plan to do on Section 702 on February 2. Holding a hearing in secret permits the IC to lie to Congress, not to mention disinform some members in a venue where their colleagues can not correct the record (as Feingold might have done in 2011 had he learned what the FBI witnesses said in that briefing).

I mean, maybe HJC Chair Bob Goodlatte wants to be lied to? Otherwise, there’s no sound explanation for scheduling this entire hearing in closed session.

 

The FBI’s Two Weeks of Peddling Kiddie Porn and Section 702

As you may have heard, from February 20 to March 4, 2015, the FBI was operating the world’s largest kiddie porn site, during which point it hacked the site and thereby IDed the IP address of up to 1,500 users, both in the US and abroad.

Ars reported on the first known bust here and Motherboard’s Joseph Cox was one of the first to report on the scope of this enforcement action.

A new bulletin board site on the dark web was launched in August 2014, on which users could sign up and then upload whatever images they wanted. According to court documents, the site’s primary purpose was “the advertisement and distribution of child pornography.” Documents in another case would later confirm that the site was called “Playpen.”

Just a month after launch, Playpen had nearly 60,000 member accounts. By the following year, this number had ballooned to almost 215,000, with over 117,000 total posts, and an average of 11,000 unique visitors each week. Many of those posts, according to FBI testimony, contained some of the most extreme child abuse imagery one could imagine, and others included advice on how sexual abusers could avoid detection online.

An FBI complaint described the site as “the largest remaining known child pornography hidden service in the world.”

A month before this peak, in February 2015, the computer server running Playpen was seized by law enforcement from a web host in Lenoir, North Carolina, according to a complaint filed against Peter Ferrell, one of the accused in New York. (Data hosts in Lenoir contacted by Motherboard declined to comment. One of them, CentriLogic, wrote “We have no comment on the matter referenced by you. Our obligations to customers and law enforcement preclude us from responding to your inquiry.”)

But after Playpen was seized, it wasn’t immediately closed down, unlike previous dark web sites that have been shuttered by law enforcement. Instead, the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4, reads a complaint filed against a defendant in Utah. During this time, the FBI deployed what is known as a network investigative technique (NIT), the agency’s term for a hacking tool.

The other day, the judge in one of these cases, Robert Bryan, ruled that he wasn’t all that bugged by FBI running the world’s largest kiddie porn site for almost two weeks. The NYT has posted a “room for debate” op-ed weighing whether it is ethical for the FBI to run a kiddie porn site.

I’ve got an entirely different question, though one that may affect the ethics of the question. Why did the government have to take over the site itself in the first place? Why couldn’t it have hacked the site while it was still being hosted by a web host in Lenoir, NC?

Which has me wondering whether the FBI’s operation of the world’s largest porn site was an effort to hide the earlier parts of this investigation, and the authorities it used.

The evidence against the men in the cases I’ve reviewed consists of three things: the IP addressed identified in the period when the FBI operated the site, sometimes physical evidence from a search of their home, and log files and other activity information going back to the period when the website was first set up, in August 2014.

While some of those log files might have been available when the FBI took the site over, it may not have been. Still, the FBI could have gotten those files with a subpoena from the earlier period, once they identified where the site was hosted.

Still, I’m struck by the timing of the sites existence, starting in August 2014, with FBI taking it over in February 2015.

That happens to coincide interestingly with two interesting dates in the life of Section 702. On August 24, 2014, Thomas Hogan approved an expansion of Section 702 minimization procedures to permit the sharing of Section 702 obtained information with the National Center for Missing and Exploited Children.

Hogan approved a change to the FBI minimization procedures that permitted dissemination of 702-collected information to the National Center for Missing and Exploited Children if it is “evidence of a crime related to child exploitation material, including child pornography,” or for the purpose of obtaining technical assistance (the NCMEC keeps databases of images of child porn to track when new images are released).

And on February 4, 2015, Bob Litt revealed in a speech the list of crimes for which the government could use Section 702 derived information to prosecute (and he did so, seemingly, to correct comments he had made the day before that such a list had not been approved).

[T]he government will use information acquired under Section 702 as evidence in a criminal case only in cases related to national security or for certain other enumerated serious crimes, and only when the Attorney General approves. And in that respect I just want to note that this morning’s press reports that the Director of National Intelligence’s General Counsel told reporters yesterday that we hadn’t devised the list of crimes yet. The General Counsel for the Director of National Intelligence forgot that in fact we had. And so today I want to say that in fact the list of crimes other than national security crimes for which we can use Section 702 information about U.S. persons is crimes involving death, kidnapping, substantial bodily harm, conduct that is a specified offense against a minor as defined in a particular statute, incapacitation or destruction of critical infrastructure, cyber security, transnational crimes, or human trafficking.

Kiddie porn was, unsurprisingly, in that list.

Mind you, none of the defendants in this case have gotten any notice that Section 702 was used against them. But there are many conceivable ways it might have been, particularly given that, because it operated on Tor, would not have been identifiable, at first, as a US person site (and in any case, could have been “targeted” at other users on the site).

So the coincidence on the timing — with the minimization procedures changed just as the site opened up in 2014, and the authorization to use for prosecution of US persons made public just before FBI took over the site — does raise questions for me. One of which is this: did the FBI take over the server, rather than deploy the hack on it while it was running in North Carolina, to ensure that these 1,500 users wouldn’t get FISA notices?

FBI’s Open NSL Requests

DOJ’s Inspector General just released a report of all the recommendations it made prior to September 15, 2015 that are not yet closed. As it explained in the release, the IG compiled the report in response to a congressional request, but they’ve posted (and will continue to post, every 6 months) the report for our benefit as well.

Specifically, we have posted a report listing all recommendations from OIG audits, evaluations, and reviews that we had not closed as of September 30, 2015.  As you will see, most of the recommendations show a status of “resolved,” which indicates that the Department of Justice has agreed with our recommendation, but we have not yet concluded that they have fully implemented it.

As that release made clear, most of the recommendations that have not yet been closed are not open, but resolved, which means DOJ has agreed with the IG’s recommendation but has not fully implemented a fix for that recommendation.

Which leaves the “open” recommendations, which might include recommendations DOJ hasn’t agreed to address or hasn’t told the IG how they’ll address. There are 20 open recommendations in the report, most of which date to 2014. That’s largely because every single one of the 10 recommendations made in the 2014 report on National Security Letters remains open. Here are some of my posts on that report (one, two, three, four, five), but the recommendations pertain to not ingesting out-of-scope information, counting the NSL’s accurately, and maintaining paperwork so as to be able to track NSLs. [Update: as the update below notes, the FBI response to the released report claimed it was responding, in whole or in part, to all 10 recommendations, which means the “open” category here means that FBI has not had time to go back and certify that FBI has done what it said.]

Three of the other still-open recommendations pertain to hiring; they pertain to nepotism, applicants for the civil rights division wanting to enforce civil rights laws (!), and the use of political tests for positions hiring career attorneys (this was the Monica Goodling report). Another still open recommendation suggests DOJ should document why US Attorneys book hotels that are outside cost limits (this pertains, ironically, to Chris Christie’s travel while US Attorney).

The remaining 2 recommendations, both of which date to 2010, are of particular interest.

1/19/2010: A Review of the Federal Bureau of Investigation’s Use of Exigent Letters and Other Informal Requests for Telephone Records

The OIG recommends that the FBI should issue guidance specifically directing FBI personnel that they may not use the practices known as hot number [classified and redacted] to obtain calling activity information from electronic communications service providers.

The first pertains to the IG Report on exigent letters. The report described (starting on PDF 94) how FBI contracted with two providers for “hot number” services that would let them alert the FBI when certain numbers were being used. FBI first contracted for the service with MCI or Verizon, not AT&T (as happened with most tech novelties in this program). The newly released version of the report make it clear that redactions are redacted for b1 (classification), b4 (trade secrets), b7A (enforcement proceedings), and b7E (law enforcement technique). At one point, then General Counsel now lifetime appointed judge Valerie Caproni said the practice did not require Pen Registers.

I find this practice — and FBI’s longstanding unwillingness to forswear it — interesting for two reasons. First, most references to the practice follow “hot number” by a short redaction.

Screen Shot 2016-01-21 at 2.02.30 PM

That suggests “hot number” may just be a partial name. Given that this section makes it clear this was often used with fugitives — just as Stingrays are often most often used — I wonder whether this involved “number” and “site.” That’s especially true since Company C (again, MCI or Verizon) also tracked whether calls were being made from a particular area code or [redacted], suggesting some location tracking function.

I’m also interested in this because “hot numbers” tracks the unauthorized “alert” function the NSA was using with the phone dragnet up until 2009. As you recall, NSA analysts would get an alert if any of thousands of phone numbers got used in a given day, none of which it counted as a contact-chaining session.

In other words, this practice might be related to one or both of these things. And 6 years later, the FBI doesn’t want to forswear the practice.

9/20/2010, A Review of the FBI’s Investigations of Certain Domestic Advocacy Groups

The OIG recommends that the FBI seek to ensure that it is able to identify and document the source of facts provided to Congress through testimony and correspondence, and to the public.

This report (see one of my posts on it) reviewed why the FBI had investigated a bunch of peace and other advocacy groups as international terrorist groups dating back to 2004. ACLU had FOIAed some documents on investigations into Pittsburgh’s peace community. In response, Patrick Leahy started asking for answers, which led to obvious obfuscation from the FBI. And as I noted, even the normally respectable Glenn Fine produced a report that was obviously scoped not to find what it was looking for.

Nevertheless, a key part of the report pertained to FBI’s inability (or unwillingess) to respond to Leahy’s inquiries about what had started this investigation or to explain where the sources of information for their responses came from. (See PDF 56) The FBI, to this day, has apparently refused to agree to commit to be able to document where the information it responds to Congress comes from.

I will have more to say on this now, but I believe this is tantamount to retaining the ability to parallel construct answers for Congress. I’m quite confident that’s what happened here, and it seems that FBI has spent 6 years refusing to give up the ability to do that.

Update:

I didn’t read it when I originally reported in the NSL IG report, but it, like most IG reports, has a response from FBI, which in this case is quite detailed. The FBI claims that it had fulfilled most recommendations well before the report was released.

The response to the open exigent letter recommendation is at PDF 224. It’s not very compelling; it only promised to consider issuing a statement to say “hot number [redacted]” was prohibited.

The response to the 2014 report recommendations start on PDF 226. Of those, the FBI didn’t say they agreed with one part of one recommendations:

  • That the NSL subsystem generate reminders if an agent hasn’t verified return data for manual NSLs (which are sensitive)

In addition, with respect to the data requested with NSLs, FBI has taken out expansive language from manual models for NSLs (this includes an attachment the other discussion of which is redacted), but had not yet from the automated system.

Martin Luther King Jr., Subversives, and the PATRIOT Dragnet

In a superb column today, Alvaro Bedoya recalls the long, consistent history during which people of color and other minorities, including Martin Luther King, Jr., were targeted in the name of national security.

The FBI’s violations against King were undeniably tinged by what historian David Garrow has called “an organizational culture of like-minded white men.” But as Garrow and others have shown, the FBI’s initial wiretap requests—and then–Attorney General Robert Kennedy’s approval of them—were driven by a suspected tie between King and the Communist Party. It wasn’t just King; Cesar Chavez, the labor and civil rights leader, was tracked for years as a result of vague, confidential tips about “a communist background,” as were many others.

Many people know that during World War II, innocent Americans of Japanese descent were surveilled and detained in internment camps. Fewer people know that in the wake of World War I, President Woodrow Wilson openly feared that black servicemen returning from Europe would become “the greatest medium in conveying Bolshevism to America.” Around the same time, the Military Intelligence Division created a special “Negro Subversion” section devoted to spying on black Americans. Near the top of its list was W.E.B. DuBois, a “rank Socialist” whom they tracked in Paris for fear he would “attempt to introduce socialist tendencies at the Peace Conference.”

I think Bedoya, as many people do, gives FBI Director Jim Comey a big pass on surveillance due to the Director’s stunt of having agents-in-training study what the Bureau did to King. I have written about how Comey’s claim to caution in the face of the MLK example don’t hold up to the Bureau’s current, known activities.

Comey engages in similar obfuscation when he points to FBI’s treatment of Martin Luther King Jr., whose treatment at the hands of the FBI he holds up to FBI Agents as a warning. The FBI Director describes the unlimited amount of surveillance the Bureau subjected King to based solely on the signature of Hoover and the Attorney General  “Open-ended. No time limit. No space restriction. No review. No oversight.” While it is true that the FBI now gets court approval to track civil rights leaders, they do track them, especially in the Muslim community. And without oversight, the FBI can and does infiltrate houses of worship with informants, as they did with African-American churches during the Civil Rights movement. FBI can obtain phone and Internet metadata records without judicial oversight using National Security Letters — which they still can’t count accurately to fulfill congressionally mandated reporting. The FBI has many tools that evade the kind of oversight Comey described, and because of technology many of them are far more powerful than the tools wielded against Dr. King.

But I’m particularly interested in Bedoya’s reminder that the government targeted African Americans for surveillance as subversives in the wake of World War I.

The government’s practice of targeting specific kinds of people, often people of color, as subversives continued, after all. It’s something J. Edgar Hoover continued throughout his life, keeping a list of people to be rounded up if anything happened.

I’ve been thinking about that practice as I’ve been trying to explain, even to civil liberties supporters, why the current 2-degree targeted dragnet is still too invasive of privacy. We’ve been having this discussion for 2.5 years, and yet still most people don’t care that completely innocent people 2 degrees — 3, until 2014 — away from someone the government has a traffic-stop level of suspicion over will be subjected to the NSA’s “full analytic tradecraft.”

The discussion of a Subversives List makes me think of this article from 2007 (which I first wrote about here and here). The story explains that the thing that really freaked out the hospital “heroes” in 2004 was not the Internet dragnet itself, but instead the deployment of Stellar Wind against Main Core, which appears to be another name for this Subversives List.

While Comey, who left the Department of Justice in 2005, has steadfastly refused to comment further on the matter, a number of former government employees and intelligence sources with independent knowledge of domestic surveillance operations claim the program that caused the flap between Comey and the White House was related to a database of Americans who might be considered potential threats in the event of a national emergency. Sources familiar with the program say that the government’s data gathering has been overzealous and probably conducted in violation of federal law and the protection from unreasonable search and seizure guaranteed by the Fourth Amendment.

According to a senior government official who served with high-level security clearances in five administrations, “There exists a database of Americans, who, often for the slightest and most trivial reason, are considered unfriendly, and who, in a time of panic, might be incarcerated. The database can identify and locate perceived ‘enemies of the state’ almost instantaneously.” He and other sources tell Radar that the database is sometimes referred to by the code name Main Core. One knowledgeable source claims that 8 million Americans are now listed in Main Core as potentially suspect. In the event of a national emergency, these people could be subject to everything from heightened surveillance and tracking to direct questioning and possibly even detention.

[snip]

Another well-informed source—a former military operative regularly briefed by members of the intelligence community—says this particular program has roots going back at least to the 1980s and was set up with help from the Defense Intelligence Agency. He has been told that the program utilizes software that makes predictive judgments of targets’ behavior and tracks their circle of associations with “social network analysis” and artificial intelligence modeling tools.

“The more data you have on a particular target, the better [the software] can predict what the target will do, where the target will go, who it will turn to for help,” he says. “Main Core is the table of contents for all the illegal information that the U.S. government has [compiled] on specific targets.” An intelligence expert who has been briefed by high-level contacts in the Department of Homeland Security confirms that a database of this sort exists, but adds that “it is less a mega-database than a way to search numerous other agency databases at the same time.”

[snip]

The following information seems to be fair game for collection without a warrant: the e-mail addresses you send to and receive from, and the subject lines of those messages; the phone numbers you dial, the numbers that dial in to your line, and the durations of the calls; the Internet sites you visit and the keywords in your Web searches; the destinations of the airline tickets you buy; the amounts and locations of your ATM withdrawals; and the goods and services you purchase on credit cards. All of this information is archived on government supercomputers and, according to sources, also fed into the Main Core database.

[snip]

Main Core also allegedly draws on four smaller databases that, in turn, cull from federal, state, and local “intelligence” reports; print and broadcast media; financial records; “commercial databases”; and unidentified “private sector entities.” Additional information comes from a database known as the Terrorist Identities Datamart Environment, which generates watch lists from the Office of the Director of National Intelligence for use by airlines, law enforcement, and border posts. According to the Washington Post, the Terrorist Identities list has quadrupled in size between 2003 and 2007 to include about 435,000 names. The FBI’s Terrorist Screening Center border crossing list, which listed 755,000 persons as of fall 2007, grows by 200,000 names a year. A former NSA officer tells Radar that the Treasury Department’s Financial Crimes Enforcement Network, using an electronic-funds transfer surveillance program, also contributes data to Main Core, as does a Pentagon program that was created in 2002 to monitor anti-war protestors and environmental activists such as Greenpeace.

Given what we now know about the dragnet, this article is at once less shocking and more so. Much of the information included — phone records and emails — as well as the scale of the known lists — such as the No Fly List — are all known. Others, such as credit card purchases, aren’t included in what we know about the dragnet, though we have suspected. The purported inclusion of peace protestors, in what appears to be a reference to CIFA, is something I’ll return to.

Mostly, though, this article takes the generally now-known scope of the dragnet and claim that it serves as the function that those Subversives lists from days past have. As such (and assuming it is true in general outline, and I have significant reason to believe it is) it does two things for our understanding. First, it illustrates what I have tried to in the past, what it means to be exposed to the full complement of NSA’s analytical tradecraft. But it also reframes what our understanding of what 2-degree of suspicion from a traffic stop means.

Whether or not this Main Core description is accurate, it invites us to think of this 2-degree dragnet as a nomination process to be on the Subversives list. Unlike in Hoover’s day, when someone had to keep up a deck of index cards, here it’s one interlocking set of data, all coded to serve both as a list and a profiling system for anyone on that list.

To the extent that this dragnet still exists (or has been magnified with the rollout of XKeyscore), and it absolutely does for Muslims 2 degrees from a terrorist suspect, this is what the dragnet is all about: getting you on that list, which serves as a magnet for all the rest of your information to be sucked in and retained, so that if the government ever feels like it has to start cracking down on dissidents, it has that list, and a ton of demographic data, ready at had.

Update: See this Global Research post on COG programs.

FISC Still Sitting on Government Proposal for EFF Data

When last we checked in with the new-and-improved post USA Freedom Act FISA Court, amicus Preston Burton had helped the Court finish off the Section 215 dragnet with a strong hand, in part by asking a bunch of questions that should have been asked 9 years earlier. And in a reply to the government (the reply was released belatedly), Burton made an argument that led first to a hearing on the issue and then a briefing order for ways the government might stipulate to something in the EFF lawsuits so as to permit the FISC to lift the protection order requiring all Americans’ phone records to be kept indefinitely.

Back before it was clear why FISA Judge Michael Mosman appointed him to serve as amicus addressing the issue of retention of phone dragnet data, I suggested it might have been an effort to undermine EFF’s lawsuit against the government. After all, EFF plaintiff (in the First Unitarian Church suit challenging the dragnet) CAIR surely has standing to not only sue, but sue because of the way the dragnet chaining process subjected a bunch of CAIR’s associates to further NSA analysis solely because of their First Amendment protected affiliation with CAIR. But if the government gets to destroy all the dragnet data without first admitting that fact, then it will be hard to show how CAIR got injured.

In Burton’s reply to the government’s response to his initial brief on this question, he did the opposite, pressuring the government to find some way to accord the EFF plaintiffs standing. That led — we as we saw last week  — to an order from Mosman for briefing, due on January 8, on whether there’s a way to get rid of the data. That may not end up helping EFF, but it sure has put the government in a bad mood.

That brief would have been due last Friday, but thus far it has not shown up in the FISC docket. And we don’t even know what the process from here would be, such as whether one of the newly appointed amici will be asked to help Michael Mosman determine the outcome of the EFF data, or whether the government will be able to argue whether it should have to accommodate this lawsuit without adversary. EFF did send a letter laying out what they’d like to happen, which the government submitted along with its response.

But since then we’ve heard nothing.

NSA Privacy Officer Rebecca Richards Explains What Connection Chaining Is!

Update: I checked with the FBI on whether they were going to do a similar privacy report. After checking around, a spokesperson said, “We are not aware of our folks preparing any such similar public report.”

You’ll recall that for the year and a half that Congress was percolating over USA Freedom Act, I was trying to figure out what “connection chaining” was, but no one knew or would say?

The description of phone dragnet hops as “connections” rather than calls showed up in early versions of the bill and in dragnet orders since 2014. Ultimately, the final bill used language to describe hops that was even less explanatory, as all it requires is a session identifier connection (which could include things like cookies), without any call or text exchanged.

(iii) provide that the Government may require the prompt production of a first set of call detail records using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii);

(iv) provide that the Government may require the prompt production of a second set of call detail records using session-identifying information or a telephone calling card number identified by the specific selection term used to produce call detail records under clause (iii);

In documents released yesterday, NSA’s Privacy Officer Rebecca Richards has offered the first explanation of what that chaining process looks like. NSA’s Civil Liberties and Privacy Office released a privacy report and minimization procedures on USAF.

Curiously, the privacy report doesn’t describe two hops of provider data, though that’s meaningless, as the queries will automatically repeat “periodically” (described as daily in the bill), so the government would obtain a second hop from providers by the second day at the latest. Rather, it describes a first hop as occurring within NSA’s Enterprise Architecture, and the results of that query to be sent to providers for a second hop.

Collection: The FISC-approved specific selection term, along with any one-hop results generated from metadata NSA already lawfully possesses from previous results returned from the provider(s) and other authorities, will be submitted to the authorized provider(s). The provider(s) will return CDRs that are responsive to the request, meaning the results will consist of CDRs that are within one or two hops of a FISC-approved specific selection term. This step will be repeated periodically for the duration of the order to capture any new, responsive CDRs  but in no case will the procedures generate third or further hops from a FISC-approved specific selection term.

Here’s the key part of the picture included to describe the NSA hop that precedes the provider hop.

Screen Shot 2016-01-15 at 10.33.16 AM

The report is laudable for its very existence (I’m pestering FBI to see if we’ll get one from them) and for its willingness to use real NSA terms like “Enterprise Architecture.” It is coy in other ways, such as the full role of the FBI, the type of records queried, and — especially — the type of providers included; for the latter, the report cites page 17 of the House report, which only describes providers in this paragraph, using terms — phone company and telecommunications carrier — that are ambiguous and undefined (though someone like Apple could launch a nice lawsuit on the latter term, especially given that they are refusing to provide a back door in a case in EDNY based on the claim they’re not a carrier).

The government may require the production of up to two ‘‘hops’’—i.e., the call detail records associated with the initial seed telephone number and call detail records (CDRs) associated with the CDRs identified in an initial ‘‘hop.’’ Subparagraph (F)(iii) provides that the government can obtain the first set of CDRs using the specific selection term approved by the FISC. In addition, the government can use the FISC-approved specific selection term to identify CDRs from metadata it already lawfully possesses. Together, the CDRs produced by the phone companies and those identified independently by the government constitute the first ‘‘hop.’’ Under subparagraph (F)(iv), the government can then present session identifying information or calling card numbers (which are components of a CDR, as defined in section 107) identified in the first ‘‘hop’’ CDRs to phone companies to serve as the basis for companies to return the second ‘‘hop’’ of CDRs. As with the first ‘‘hop,’’ a second ‘‘hop’’ cannot be based on, nor return, cell site or GPS location information. It also does not include an individual listed in a telephone contact list, or on a personal device that uses the same wireless router as the seed, or that has similar calling patterns as the seed. Nor does it exist merely because a personal device has been in the proximity of another personal device. These types of information are not maintained by telecommunications carriers in the normal course of business and, regardless, are prohibited under the definition of ‘‘call detail records.’’ [my emphasis]

That said, we know the term provider must be understood fairly broadly given the expanded number of providers who will be included in this program.

What this means, in effect, is that NSA and FBI (the latter does the actual application) will get a specific identifier — which could be a phone number, a SIM card number, a handset identifier, or a credit card [correction: this should be “calling card”], among other things — approved at the FISC, then go back to at least NSA’s data (and quite possibly FBI’s), and find all the contacts with something deemed to “be” that identifier that would be meaningful for a “phone company” to query their own records with, up to and including a cookie (which is, by definition, a session identifier).

Even in the report’s description of this process, there’s some slippage in the NSA query step, from an initial RAS approved phone number (202) 555-1234 to an NSA identified number from the (202) area code not provided, making an additional call.

To illustrate the process, assume an NSA intelligence analyst identifies or learns that phone number (202) 555-1234 is being used by a suspected international terrorist. This is the “specific selection term” or “selector” that will be submitted to the FISC (or the Attorney General in an emergency) for approval using the RAS standard. Also assume that, through NSA’s examination of metadata produced by the provider(s) or in NSA’s possession as a result of the Agency’s otherwise lawfully permitted signals intelligence activities (e.g., activities conducted pursuant to Section 1.7(c)(1) of Executive Order 12333, as amended), NSA determines that the suspected terrorist has used a 202 area code phone number to call (301) 555-4321. The phone number with the 301 area code is a “first-hop” result. In turn, assume that further analysis or production from the provider(s) reveals (301) 555-4321 was used to call (410) 555-5678. The number with the 410 area code is a “second-hop” result.

And in this part of the report, the provider query will return any session identifier that includes the selection terms (though elsewhere the report implies only contacts will be returned).

Once the one-hop results are retrieved from the NSA’s internal holdings, the list of FISC-approved specific selection terms, along with NSA’s internal one-hop results, are submitted to the provider(s). The provider(s) respond to the request based on the data within their holdings with CDRs that contain FISC-approved specific selection terms or the one-hop selection term. One-hop returns from providers are placed in NSA’s holdings and become part of subsequent query requests, which are executed on a periodic basis.

Described in this way, the query process sounds a lot more like what the version of the bill I dubbed USA Freedumber authorized than what the language of USA F-ReDux authorized: two steps of provider queries based off the connected selectors identified at NSA.

(iii) provide that the Government  may require the prompt production of call  detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii)  as the basis for production; and

(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;

Given the breathtaking variety of selector types the NSA uses, this could represent a great deal of queries on the provider side, many tracking user activity rather than user communications. And, at least given how the privacy report describes the transparency reporting, neither those interim NSA selectors nor cookies showing user activity but not communication of information would get counted in transparency reports.

The number of targets under each order: Defined as the person using the selector. For example, if a target has a set of four selectors that have been approved, NSA will count one target, not four. Alternatively, if two targets are using one selector that has been approved, NSA will count two targets.

The number of unique identifiers used to communicate information collected pursuant to an order: Defined as each unique record sent back from the provider(s).

This approach seems to solve a problem the NSA appears to have been having since 2009, how to query entirely domestic records with identifiers that have been algorithmically determined to be used by the same person. Here, the NSA will be able to match connected selectors to an approved one, and then send all of them to providers to obtain entirely domestic records.

But if I’m right in my reading of this, it leaves one hole in the privacy analysis of the this report.

Richards measures USAF, as she has other programs, against the Fair Information Practice Principles, which include a measure of Data Quality and Integrity. But the report’s analysis of that in this program completely ignores how central NSA’s own data is in the process.

Each CDR is a business record generated by a provider for the provider͛’s own business use. NSA plays no role in ensuring that the provider-generated CDRs accurately reflect the calling events that occurred over the provider’s infrastructure, but the provider(s) have their own policies, practices, and incentives for ensuring the accuracy of their records͘. NSA’s requirements for ensuring accurate, relevant, timely, and complete CDRs begin when NSA submits query requests to the provider(s), and the provider(s), in response, produce CDRs to the Agency.

At least given the description laid out throughout this report, that’s entirely wrong! NSA is centrally involved in getting from the initial selector to the selectors submitted to the providers for query. So if the NSA’s analysis, which as described may include algorithmic matching of records, is inaccurate (say, by matching burner phones inaccurately), than the provider query will return the phone and other records of completely unassociated individuals. I can’t see any way that the NSA’s own query can be exempted from accuracy review here, but it has been.

I absolutely assume NSA is confident in its analysis, but to just dismiss it as uninvolved when it precedes the provider query ignores the implementation architecture laid out in this report.

In any case, I’m grateful we’ve got this report (I may have more to say on the minimization procedures, but they, like the report, are far clearer than the ones included in the old dragnet and for Section 702, perhaps because of the involvement of a Privacy Officer). I’m still thinking through the privacy implications of this. But really, this querying process should have been revealed from the start.

1 2 3 153
Emptywheel Twitterverse
bmaz @tomwatson Bill is going rogue asshole again, Mark Penn is still in picture and FBI drops confirm of investigation. Yep all just dandy!
9mreplyretweetfavorite
emptywheel @adschina Planning on an Audible version?
16mreplyretweetfavorite
bmaz @BuglegsMcWalshy It does seem to be deja vu all over again
23mreplyretweetfavorite
emptywheel RT @adamgoldmanwp: Umm sayyaf just got charged with material support. https://t.co/E5oeQSX11K
27mreplyretweetfavorite
bmaz @brahmresnik @_DianeDouglas @kelliwardaz @SenJohnMcCain Sure. Two crazy peas in a pod.
29mreplyretweetfavorite
emptywheel One stop shopping for NSA's 702 collection. https://t.co/PGTeE6vEhg
30mreplyretweetfavorite
bmaz And now all the dutiful Clinton Team are scrambling to fend off reports of how their campaign is flailing wildly https://t.co/fQcfHp7fCj
30mreplyretweetfavorite
emptywheel Thanks to @carminemac for reminding me Bernie raised Pharma's role in opioid crisis in Jan https://t.co/cZkjKmTL6b https://t.co/nGESov3Ue7
38mreplyretweetfavorite
bmaz @pareene According to this piece, lot of Flint residents think Clinton's Flint visit a harmful political stunt https://t.co/4WBUxfFbg7
39mreplyretweetfavorite
emptywheel @JonathanCohn @billmon1 Key issue, IMO, is whether it makes it harder to get funding to dig pipe. https://t.co/ZhXTT7f9GF
1hreplyretweetfavorite
emptywheel Shorter Chris Christie: I know the *fear* of loss, but not about the attack in Boston that injured 260. https://t.co/0d2sqTEYIs
1hreplyretweetfavorite
emptywheel At least the 4 hour old oppo accounts aren't using an egg. https://t.co/IXX4GfoXDG
1hreplyretweetfavorite
February 2016
S M T W T F S
« Jan    
 123456
78910111213
14151617181920
21222324252627
2829