The Intelligence Community’s Swiss Cheese Preemptive 702 Unmasking Reports: Now with Twice the Holes!

Because a white man still liked by some members of Congress had FISA-collected conversations leaked to the press, Republicans who used to applaud surveillance started to show some more concerns about it this year. That has been making reauthorization of Section 702 unexpectedly challenging. Both the HJC and SJC bills reauthorizing the law include new reporting requirements, which include mandates to provide real numbers for how many Americans get unmasked in FISA reports. There’s no such requirement in the SSCI bill.

Instead, explicitly in response to concerns raised in SSCI’s June 7 hearing on 702 reauthorization (even though the concern was also raised earlier in HJC and SJC hearings), I Con the Record has released an ODNI report on disseminations under FISA, a report it bills as “document[ing] the rigorous and multi-layered framework that safeguards the privacy of U.S. person information in FISA disseminations.”

The report largely restates language that is available in the law or declassified targeting and minimization procedures, though there are a few tidbits worth noting. Nevertheless, the report falls far short of what the SJC and HJC bills lay out, which is a specific count and explanation of the unmasking that happens (though NSA, in carrying out a review of a month’s worth of serialized reports and examining their treatment of masking, does model what HJC and SJC would request).

The report consists of the DNI report with separate agency reports. I’ll deal with the latter first, then return to the DNI report.

NSA

The NSA report starts by narrowing the scope of the dissemination it will cover significantly in two ways.

This report examines the procedures and practices used by the National Security Agency (NSA) to protect U.S. person information when producing and disseminating serialized intelligence reports derived from signals intelligence (SIGINT) acquired pursuant to Title I and Section 702 of the Foreign Intelligence Surveillance Act of 1978, as amended (FISA). 1

1This report is limited to an examination of the procedures and practices used to protect FISA-acquired U.S. person information disseminated in serialized intelligence reports. This report does not examine other means of dissemination. For purposes of this report, the term “dissemination” should be interpreted as a reference to serialized intelligence reporting, unless otherwise indicated.

First, it treats just Title I and Section 702. That leaves out at least two other known collection techniques of content (to say nothing of metadata) under FISA: Title III (FBI probably does almost all of this, though it might be accomplished via hacking) and Section 704/705b targeting Americans overseas (which has been a significant problem of late).

More importantly, by limiting the scope to serialized reports, NSA’s privacy officer completely ignores the two most problematic means of disseminating US person data: by collecting it off Tor and other location-obscured nodes and then deeming it evidence of a crime that can be disseminated in raw form to FBI, and by handing raw data to the FBI (and, to a lesser extent, CIA and NCTC).

As the report turns to whether NSA’s procedures meet Fair Information Practice Principles, then, the exclusion of these four categories of data permits the report to make claims that would be unsustainable if those data practices were included in the scope of the report.

The principle of Data Minimization states that organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose. The steps taken from the outset of the SIGINT production process to determine what U.S. person information can and should be disseminated directly demonstrate how this principle is met, as do NSA’s procedures and documentation requirements for the proactive and post-publication release of U.S. identities in disseminated SIGINT.

The principle of Use Limitation provides that organizations should use PII solely for the purposes specified in the notice. In other words, the sharing of PII should be for a purpose compatible with the purpose for which it was collected. NSA’s SIGINT production process directly reflects this principle.

[snip]

The principle of Accountability and Auditing states that organization should be accountable for complying with these principles, providing training to all employees and contractors who use personally identifiable information, auditing the actual use of personally identifiable information to demonstrate compliance with these principles and all applicable privacy protections.

For example, the collection of US person data off a Tor node is not relevant to the specified purpose (nor are the criminal categories under which NSA will pass on data). That’s true, too, of Use Limitation: the government is collecting domestic child porn information in the name of foreign intelligence, and the government is doing back door searches of raw 702 data for any manner of purpose. Finally, we know that the government has had auditing problems, particularly with 704/705b. Is that why they didn’t include it in the review, because they knew it would fail the auditing requirement?

CIA

CIA’s report is not as problematic as NSA’s, but it does have some interesting tidbits. For example, because it mostly disseminates US person information for what it calls tactical purposes and to a limited audience, it rarely masks US person identities.

More specifically, unlike general “strategic” information regarding broad foreign intelligence threats, CIA’s disseminations of information concerning U.S. persons were “tactical” insofar as they were very often in response to requests from another U.S. intelligence agency for counterterrorism information regarding a specific individual, or in relation to a specific national security threat actor or potential or actual victim of a national security threat.

Relatedly, because these disseminations were generally for narrow purposes and sent to a limited number of recipients, the replacement of a U.S. person identity with a generic term (e.g., “named U.S. person,” sometimes colloquially referred to as “masking”) was rare, due to the need to retain the U.S. person identity in order to understand the foreign intelligence information by this limited audience.

CIA, like NSA, has its own unique definition of “dissemination:” That which gets shared outside the agency.

Information shared outside of CIA is considered a dissemination, and is required to occur in accordance with approved authorities, policies, and procedures.

Much later, dissemination is described as retaining information outside of an access-controlled system, which suggests fairly broad access to the databases that include such information.

Prior to dissemination of any information identifying, or even concerning, a U.S. person, the minimization procedures require that CIA make a determination that the information concerning the U.S. person may be retained outside of access-controlled systems accessible only to CIA personnel with specialized FISA training to review unevaluated information. I

Whereas NSA focused very little attention on its targeting process (which allows it to collect entirely domestic communications), CIA outsources much of its responsibility for limiting intake to FBI and NSA (note, unlike NSA, it includes Title III collection in its report, but also doesn’t treat 704/705b). For example, it focuses on the admittedly close FISA scrutiny FBI applications undergo for traditional FISA targeting, but then acknowledges that it can get “unevaluated” (that is, raw) information in some cases.

If requested by FBI in certain cases, unevaluated information acquired by FBI can be shared with CIA.

Likewise, the CIA notes that it can nominate targets to NSA, but falls back on NSA’s targeting process to claim this is not a bulk collection program (one of CIA’s greatest uses of this data is in metadata analysis).

CIA may nominate targets to NSA for Section 702 collection, but the ultimate decision to target a non-U.S. person reasonably believed to be located outside the United States rests with NSA.

[snip]

Section 702 is not a bulk collection program; NSA makes an individualized decision with respect to each non-U.S. person target.

Thus, the failure of the NSA report to talk about other collection methods (in CIA’s case, of incidental US person data in raw data) ports the same failure onto CIA’s report.

NCTC

NCTC’s report is perhaps the most amusing of all. It provides the history of how it was permitted to obtain raw Title I and Title III data in 2012 and 702 data in 2017 (like everyone else, it is silent on 704/705b data, though we know from this year’s 702 authorization they get that too), then says its use and dissemination of 702 data is too new to have been reviewed much.

Because NCTC just recently (in April 2017) obtained FISC authority to receive unminimized Section 702-acquired counterterrorism information, only a small number of oversight reviews have occurred. CLPT is directly involved in such reviews, including reviews of disseminations.

In other words, it is utterly silent about the compliance of its dissemination of Title I and Title III data. It is likewise silent on a dissemination that is probably unique to NCTC: the addition of US person names to watchlists based off raw database analysis. Disseminations of US person names in this way aren’t serialized reports, but they have a direct impact on the lives of Americans.

FBI

It’s hard to make sense of the FBI document because it lacks logical organization and includes a number of typos. More importantly, over and over it either materially misrepresents the truth (particularly in FBI’s access to entirely domestic communications collected under 702) or simply blows off requirements (most notably with its insistence that back door searches are important, without making any attempt to assess the privacy impact of them).

Bizarrely, the FBI treats just Title I and 702 in its report, even though it would be in charge of Title III collection in the US, and 705b collection would be tied to traditional FISA authorities.

Like CIA, FBI relies on NSA’s role in targeting, without admitting that NSA can collect on selectors that it knows to also be used by US persons, and can disseminate the US person data to FBI in case of a crime. Indeed, FBI specifically neglects to mention the 2014 exception whereby NSA doesn’t have to detask from a facility once it discovers US persons are using it as well as the foreign targets.

Targets under Section 702 collection who are subsequently found to be U.S. persons, or non-U.S. persons located in the U.S., must be detasked immediately

The end result is materially false, and false in a way that would involve dissemination of US person data (though not in a serialized report) from NSA to FBI.

The FBI report also pretends that a nomination would pertain primarily to an email address, rather than (for example) an IP address, in spite of later quoting from minimization procedures that reveal it is far broader than that: “electronic communication accounts/addresses/identifiers.”

After talking about its rules on dissemination, the FBI quickly turns to federated database “checks.”

Among other things, since 9/11, the FBI has dedicated considerable time, effort, and money to develop and operate a federated database environment for its agents and analysts to review information across multiple datasets to establish links between individuals and entities who may be associated with national security and/or criminal investigations. This allows FBI personnel to connect dots among various sources of information in support of the FBI’s investigations, including accessing data collected pursuant to FISA in a manner that is consistent with the statute and applicable FISA court orders. The FBI has done this by developing a carefully overseen system that enables its personnel to conduct database checks that look for meaningful connections in its data in a way that protects privacy and guards civil liberties. Maintaining the capability to conduct federated database checks is critical to the FBI’s success in achieving its mission.

But it doesn’t distinguish the legal difference between dissemination and checks. Far more importantly, it doesn’t talk about the privacy impact of these “checks,” a tacit admission that FBI doesn’t even feel the need to try to justify this from a privacy perspective.

Unlike NSA, FBI talks about the so-called prohibition on reverse targeting.

Reverse targeting is specifically prohibited under Section 702.31 “Reverse targeting” is defined as targeting a non-U.S. person who is reasonably believed to be located outside of the U.S. with the true purpose of acquiring communications of either (1) a U.S. person or (2) any individual reasonably believed to be located inside of the U.S. with whom the non-U.S. person is in contact.32

Yet we know from Ron Wyden that this prohibition actually permits FBI to nominate a foreigner even if a purpose of that targeting is to get to the American’s communications.

FBI talks about its new Title I minimization procedures, without mentioning that requirements on access controls and auditing arose in response to violations of such things.

The SMPs require, for example, FISA-acquired information to be kept under appropriately secure conditions that limit access to only those people who require access to perform their official duties or assist in a lawful and authorized governmental function.37 The SMP also impose an auditing requirement for the FBI to “maintain accurate records of all persons who have accessed FISA-acquired information in electronic and data storage systems and audit its access records regularly to ensure that FISA-acquired information is only accessed by authorized individuals.”38

And nowhere does FBI talk about the dissemination of US person data to ad hoc databases.

Remarkably, unlike NSA, FBI didn’t actually appear to review its dissemination practices (at least there’s no described methodology as such). Instead, it reviews its dissemination policy.

The instant privacy review found that the FBI’s SMP and Section 702 MP, which are subject to judicial review, protect the privacy rights of U.S. persons by limiting the acquisition, retention, and dissemination of their non-publicly available information without their consent. In addition, both sets of minimization procedures require that FISA-acquired information only be used for lawful purposes.42

Then it engages in a cursory, few-line review of whether it complies with FIPP. Whereas NSA assessed compliance with Transparency, Use Limitation, Data Minimization, Security, Quality and Integrity, Accountability, and Auditing (but found Purpose specification not considered directly relevant), FBI at first assessed only Purpose specification. After noting that such a privacy review is not required in any case because FBI’s systems have been deemed a national security system, it then asserts that “DOJ and FBI conducted a review for internal purposes to ensure that all relevant privacy issues are addressed. These reviews ensure that U.S. person information is protected from potential misuse and/or improper dissemination.”

Later, it uses the affirmative permission to share data with other state and local law enforcement and foreign countries as a privacy limit, finding that it fulfills data minimization and transparency (and purpose, again).

Like the SMP for Title I of FISA, the Section 702 MP permits the FBI to disseminate Section 702-acquired U.S. person information that reasonably appears to be foreign intelligence information or is necessary to understand foreign intelligence information or assess its importance to federal, state, local, and tribal officials and agencies with responsibilities relating to national security that require access to intelligence information.50 The FBI is also permitted to disseminate U.S. person information that reasonably appears to be evidence of a crime to law enforcement authorities.51 In addition, the Section 702 MP provides guidelines that must be met before dissemination of U.S. person information to foreign governments is allowed.52 The dissemination of Section 702 information to a foreign government requires legal review by the NSCLB attorney assigned to the case.53 In light of the above judicially-reviewed minimization procedures for the dissemination of FISA acquired information, the FBI’s current implementation satisfies the data minimization and transparency FIPPs.

With respect to dissemination, FBI focuses on finished intelligence reports, not investigative files, where most data (including data affecting Mike Flynn) would be broadly accessed. Then, far later, it says this review found no violations, “in finished intelligence.”

Finally, the instant review found no indication of noncompliance with the required authorities governing dissemination of U.S. person information in finished intelligence.

At this point, the report appears to be a flashing siren of all the things it either clearly didn’t investigate or wouldn’t describe. Which worries me.

It then turns FBI’s failures to give notice that data derives from FISA into a privacy benefit, rather than a violation of the laws mandating disclosure.

While the redaction of U.S. person information may commonly be referred to as “masking,” the FBI does not generally use that term.

In addition, disseminations or disclosures of FISA-acquired information must be accompanied by a caveat. All caveats must contain, at a minimum, a warning that the information may not be used in a legal proceeding without the advanced authorization of the FBI or Attorney General.48 This helps ensure the information is properly protected.

And in the four paragraphs FBI dedicates to public transparency, it not only doesn’t admit that it has been exempted from most reporting on 702 use, but it doesn’t once mention mandated notice to defendants, which it has only complied with around 8 times.

There are many ways FBI could have handled this report to avoid making it look like a guilty omission that, while its finished intelligence reports aren’t a big US person data dissemination problem, virtually every other way it touches 702 data is. But it didn’t try any of those. Instead, it just engaged in omission after omission.

DNI

My unease over the giant holes in the FBI report carries over to one detail in the DNI report. It’s only there that the government admits something that Semiannual 702 reports have admitted since FBI dispersed targeting to field offices. While the 702 reviews review pretty much everything NSA does and many things CIA does, the reviews don’t review all FBI disseminations, and they only include in their sample disseminations affirmatively identified as US person information.

As it pertains to reviewing dissemination of Section 702 information, ODNI and DOJ’s National Security Division (NSD) review many of the agencies’ disseminations as part of the oversight reviews to assess compliance with each agency’s respective minimization procedures and with statutory requirements.25 NSD and ODNI examine the disseminations to assess whether any information contained therein that appears to be of or concerning U.S. persons meets the applicable dissemination standard found in the agency’s minimization procedures; whether other aspects of the dissemination requirements (to include limitations on the dissemination of attorney-client communications and the requirement of a FISA warning statement as required by 50 U.S.C. § 1806(b)) have been met; and whether the information disseminated is indicative of reverse targeting of U.S. persons or persons located in the United States.

25For example, as it pertains to NSA, NSD currently reviews all of the serialized reports (with ODNI reviewing a sample) that NSA has disseminated and identified as containing Section 702-acquired U.S. person information. For CIA and NCTC, NSD currently reviews all dissemination (with ODNI reviewing a sample) of information acquired under Section 702 that the agency identified as potentially containing U.S. person information. For FBI, both NSD and ODNI currently review a sample of disseminations of information acquired under Section 702 that FBI identifies as potentially containing U.S. person information.

This is one of a number of reasons why FBI only identified one criminal 702 query last year — only after that one query was selected as part of the review, and only after some haranguing, was it identified as an entirely criminal query.

The DNI report makes one more incorrect claim — that all incidents of non-compliance have been remediated.

Disseminating FISA information in a manner that violates the minimization procedures would, therefore, be a violation of the statute, as would use or disclosure of the information for unlawful purposes. As noted above, identified incidents of non-compliance with the minimization procedures, to include improper disseminations, are reported to the FISC and to the congressional intelligence committees and those incidents are remediated.

That was true before this year, I guess. But Rosemary Collyer, in a deviation from past practice of requiring the government to destroy data collected without authorization, did not require NSA to destroy the poison fruit of unauthorized 704b and other back door queries (though perhaps DNI believes their claim is true given the way everyone has avoided talking about the more troubled collection techniques).

The DNI report ends with a boast about what it calls “transparency.”

These reviews also illustrate the importance of transparency. Historically, many of the documents establishing this framework were classified and not available to the public. In recent years, much progress has been made in releasing information from these documents, and providing context and explanations to make them more readily understandable. We trust that these reviews are a further step in enhancing public understanding of these key authorities. It is important to continue with transparency efforts like these on issues of public concern, such as the protection of U.S. person information in FISA disseminations.

It is true that these reports rely on a great deal of declassified information. But that does not amount to “transparency,” unless you’re defining that to mean something that hides the truth with a bunch of off-topic mumbo jumbo.

This report appears to be an attempt to stave off real reporting requirements for unmasked information — an attempt to placate the Republicans who are rightly troubled that the contents of FISA intercepts in which Mike Flynn was incidentally collected were leaked.

But no person concerned about the impact on US persons of FISA should find these reports reassuring. On the contrary, the way in which, agency after agency, the most important questions were dodged should raise real alarms, particularly with respect to FBI.

Leahy-Lee versus USA Lip Service: An Improvement, But Still a Domestic-as-Foreign Surveillance Bill

Patrick Leahy and Mike Lee have introduced their version of Section 702 reauthorization, which like HJC they also call USA Liberty and like that bill doesn’t improve liberty. For convenience and because I refuse to use Orwellian terms to whitewash surveillance, I’ll refer to them going forward as Leahy-Lee and USA Lip Service, respectively.

Leahy-Lee is an improvement on USA Lip Service.

Leahy-Lee’s warrant requirement is real

That’s true, first of all, because the warrant requirement to access content via back door searches is real. The bill requires a probable cause warrant for both foreign intelligence and criminal purposes. And because it is a meaningful warrant requirement, the count of how many warrants are obtained will also be real.

The bill permits searches on (and with AG-plus-designates approval, access to) metadata-plus. Like USA Lip Service, the bill doesn’t define the expanded definition of metadata, though it appears to permit the same location-based access that USA Lip Service does.

The bill is silent on whether metadata from searches can be the sole evidence in the warrant application to FISC, which may water down the warrant requirement dramatically.

Leahy-Lee doesn’t sunset the prohibition on about collection

Also unlike USA Lip Service, Leahy-Lee does not sunset the prohibition on about collection.

There are two areas where USA Lip Service is different in ways that may make it better.

USA Lip Service may not track White House unmasking

First, in a report on the number of unmaskings, USA Lip Service requires reports on the number of unmaskings by any “element of the Federal Government.”

(3) The number of—

(A) United States persons whose information is unmasked pursuant to the procedures adopted under subsection (e)(4) of such section;

(B) requests made by an element of the Federal Government, listed by each such element, to unmask information pursuant to such subsection; and

(C) requests that resulted in the dissemination of names, titles, or other identifiers potentially associated with individuals pursuant to such subsection, including the element of the intelligence community and position of the individual making the request.

Leahy-Lee only requires reporting under clause B from the IC.

(B) requests made by an element of the intelligence community, listed by each such element, to unmask information pursuant to such subsection;

That may have the effect of missing any unmasking done at the White House. I don’t much care about this stuff, but for Republicans that do, it’s an interesting omission in the Senate bill.

Leahy-Lee doesn’t limit use of information to 702 certificates

Perhaps most interesting, Leahy-Lee doesn’t have language that was added in the manager’s amendment of USA Lip Service, which would restrict the use of information collected under Section 702 to topics generally covered by the known certificates for it: terrorists, spies, proliferation, nation-state hacking, and other critical infrastructure issues.

(2) LIMITATION ON USE OF CERTAIN EXCEPTED QUERIED INFORMATION.—No information accessed or disseminated pursuant to section 702(j)(2)(D)(iv), or evidence derived therefrom, may be received in evidence or otherwise used pursuant to paragraph (1), except—

(A) with the prior approval of the Attorney General; and

(B) in a proceeding or investigation in which the information or evidence is directly related to and necessary to address a specific threat of—

(i) an act of terrorism specified in clauses (i) through (iii) of section 2332b(g)(5)(B) of title 18, United States Code;

(ii) espionage (as used in chapter 37 of title 18, United States Code);

(iii) proliferation or use of a weapon of mass destruction (as defined in section 2332a(c) of title 18, United States Code);

(iv) a cybersecurity threat (as defined in section 101(5) of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501(5)) from a foreign country;

(v) incapacitation or destruction of critical infrastructure (as defined in section 1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e))); or

(vi) a threat to the armed forces of the United States or an ally of the United States or to other personnel of the United States Government or a government of an ally of the United States.

Leahy-Lee still permits the collection of entirely domestic communications

The difference is important because Leahy-Lee does nothing to stop the known collection of entirely domestic communications, which I have reported involves the collection of Tor and (probably) VPN traffic. At least under HJC, that information can’t be used for many of the domestic crime purposes explicitly laid out in the SSCI bill, including murder, child porn, human trafficking (presumably including sex work), and narcotics trafficking. But Leahy-Lee would permit those uses.

Leahy rolled out his bill with this erroneous statement from Liza Goitein.

Elizabeth Goitein, co-director of the Brennan Center’s Liberty and National Security Program, said:  “This bill fixes the most serious problem with Section 702 surveillance today: the government’s ability to read Americans’ e-mails and listen to their telephone calls without a warrant,” and called the legislation “a very promising development in the reform debate.”

This is false. Leahy-Lee still permits the government to access (and with DIRNSA approval, retain) the entirely domestic communications of the 430,000 Americans that use Tor each day. Perhaps that’s why Leahy had Goitein make the comment, because he surely knows this is false.

ACLU comes out in support of a bill they admit is constitutionally deficient

And Goitein’s Brennan Center is not the only NGO supporting this bill. ACLU released a statement that can only be described as schizophrenic in support of the bill. While ACLU’s legislative counsel, Neema Singh Guliani, thankfully makes none of the errors that Goitein makes, she nevertheless admits that 702 remains constitutionally problematic.

“While this bill does not address all the constitutional concerns with Section 702, it represents an important step forward from the dismal status quo. The ACLU supports this bill, and urges Congress to ensure its reforms become law.”

And the statement goes on to lay out, correctly, several advantages of the Wyden-Paul bill, including ensuring that defendants (and affected people, like lawyers from ACLU working with targeted clients internationally) get notice and can challenge collection.

The ACLU urges improvements to the bill that would require a court order to access metadata collected under Section 702, narrow collection, and ensure the government provides appropriate notice.

Congress is currently considering several bills in advance of the Section 702 reauthorization deadline. Sens. Ron Wyden (D-Ore.) and Rand Paul (R-Ky.) have introduced S.1997, the USA Rights Act, which completely closes the backdoor search loophole, ends the collection of known domestic communications, and takes steps to ensure that the government provides notice to individuals who have Section 702 information used against them. The ACLU supports this bill.

I’m very confused — and, as a member, gravely concerned — about why the ACLU would adopt such a schizophrenic strategy, and why it would lobby in favor of things that its other lawyers are litigating against.

ACLU risks losing the ability to sue on these issues in the future if it remains on this bill (which is one reason I was so glad they didn’t back USA Freedom in 2015). And if they can’t sue, then we can’t fix the issues that ACLU, in its statement, lays out as problems in Leahy-Lee.

On 702, NSA Wants to Assure You You’re Not a Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target Target

NSA just released a touchy-feely Q&A, complete with a touchy-feely image of the NSA, explaining “the Impact of Section 702 on the Typical American.”

I shall now shred it.

First, note that this document deals with 702. It should be dealing with Title VII, because the entire thing gets reauthorized by 702 reauthorization. That means Sections 704 and 705(b), which are used to target Americans, will be reauthorized. And they have had egregious problems in recent years (even if the problems only affect some subset of around 300 Americans). Sure, Paul Manafort and Carter Page are not your “typical” Americans, but abuses against them would be problematic for reasons that could affect Americans (not least that they could fuck up the Mueller probe if FISA disclosure for defendants weren’t so broken).

The piece starts by talking about how the IC uses 702 to “hunt” for information on “adversaries,” which it suggests include terrorists and hackers.

The U.S. Intelligence Community relies on Section 702 of the Foreign Intelligence Surveillance Act in the constant hunt for information about foreign adversaries determined to harm the nation or our allies. The National Security Agency (NSA), for example, uses this law to target terrorists and thwart their plans. In a time of increasing cyber threats, Section 702 also aids the Intelligence Community’s cybersecurity efforts.

Somehow, it neglects to mention the foreign government certificate — which can target people who aren’t “adversaries” at all, but instead foreign muckety mucks we want to know about — or the counterproliferation certificate — which can target businesses of all kinds that deal in dual use technologies. Not to mention the SysAdmins that it might target for all these purposes.

The piece then lays out in two paragraphs and six questions (I include just one below) the basic principles that 702 can only “target” foreigners overseas.

Under Section 702, the government cannot target a U.S. person anywhere in the world, or any person located in the United States.

Under Section 702, NSA can target foreigners reasonably believed to be located outside the United States only if it has a basis to believe it will acquire certain types of foreign intelligence information that have been authorized for collection.

[snip]

Q: Can I, as an American, be the target of Section 702 surveillance?

A: No. As an American citizen, you cannot be the target of surveillance under Section 702. Even if you were not an American, you could not be targeted under Section 702 if you were located in the United States.

Effectively, this passage might as well say, “target target target target target target target target target target target target target target target target target target target,” which is how many times (19) the word is used in the touchy-feely piece. The word “incidental” appears just once, where it entertains what happens if one of “Mary’s” foreign relatives were in a terrorist organization.

Q: One of Mary’s foreign relatives in South America is a member of an international terrorist group. Could Mary’s conversations with that relative be collected under Section 702?

A: Yes, it’s possible, if the U.S. government is aware of the relative’s membership in a terrorist group and the relative is one of the 106,000 targets under Section 702. However, even if this scenario occurred, there would still be protections in place for Mary, a U.S. citizen, if her conversations with that target were incidentally intercepted. For example:

U.S. intelligence agencies’ court-approved minimization procedures are specifically designed to protect the privacy of U.S. persons by, among other things, limiting the circumstances in which NSA can include the identity of a U.S. person in an intelligence report. Moreover, even where those procedures allow the NSA to include the identity of a U.S. person in an intelligence report, NSA frequently substitutes the U.S. person identity with a generic phrase or term, such as “U.S. person 1” or “a named U.S. person.” NSA calls this “masking” the identity of the U.S. person.

There are also what’s known as “age-off requirements”: After a certain period of time, the IC must delete any unminimized Section 702 information, regardless of the nationality of the communicants.

I guess the NSA figured if they used “Fatima,” whose relatives were in Syria, this scenario would be too obvious?

Yet in this, the only discussion of “incidental” collection, the NSA doesn’t explain how it is used — for example to find informants (meaning Fatima might be coerced into informing on her mosque if she discussed her tax dodging with her cousin) or to find 2nd degree associates (meaning Fatima’s friend in the US, Mohammed, might get an FBI visit because Fatima’s cousin in Syria is in ISIS). It also doesn’t explain that the “age-off” is five years, if Fatima is lucky enough to avoid having the FBI deem her conversations with her cousin in Syria interesting. If not, the data will sit on an FBI server for 30 years, ready to provide an excuse to give Fatima extra attention next time some bigot gets worried because he sees her taking pictures at Disney World.

Curiously, while the NSA doesn’t address the disproportionate impact of 702 on Muslims, it does pretend to address the disproportionate impact on Asians or their family members — people like Xiaoxing Xi and Keith Gartenlaub.

Q: Could the government target my colleague, who is a citizen of an Asian country, as a pretext to collect my communications under Section 702?

A: No. That would be considered “reverse targeting” and is prohibited.

Thanks to Ron Wyden, we know how cynically misleading this answer is. He explained in the SSCI 702 reauthorization bill report that the government may,

conduct unlimited warrantless searches on Americans, disseminate the results of those searches, and use that information against those Americans, so long as it has any justification at all for targeting the foreigner.

Effectively, the government has morphed the “significant purpose” logic from the PATRIOT Act onto 702, meaning collecting foreign intelligence doesn’t have to be the sole purpose of targeting a foreigner; learning about what an American is doing, such as a scientist engaging in scientific discussion, can be one purpose of the targeting.

After dealing with unmasking, the NSA then performs the always cynical move of asking whether the NSA can query US person content.

Q: Can NSA use my information to query lawfully collected 702 data?

A: NSA can query already lawfully collected Section 702 information using a U.S. person’s name or identifier (such as an e-mail account or phone number) only if the query is reasonably designed to identify foreign intelligence information.

However, a U.S. person is still afforded protection. The justification for the query must be documented. The process for conducting a query is also subject to internal controls. Such queries are reviewed by the Department of Justice and the Office of the Director of National Intelligence to ensure they meet the relevant legal requirements. Additionally, if the query was subsequently identified as being improper, it would be reported to the Foreign Intelligence Surveillance Court and to Congress.

This passage is absolutely correct. But also absolutely beside the point, because NSA sends a significant chunk of its collection to the FBI where it can be searched to assess leads and search for evidence of crimes, and where queries get nowhere near the kind of oversight that NSA queries get.

Then the piece tries to explain the need for all the secrecy.

Q: Terrorists aim to hurt Americans and our allies, so why doesn’t the Intelligence Community share more Section 702 information about how the IC goes after them?

A: The Intelligence Community has dramatically enhanced transparency, especially regarding its implementation of Section 702. Thousands of pages of key documents have been officially released, and are available on IC on the Record. The public has more information than ever before on how the IC uses this critical foreign surveillance authority. That said, the IC must continue to protect classified information. This includes specifics on whether or not it has collected information about any particular individual.

If terrorists could find out that NSA had intercepted their communications, terrorists would likely change their communications methods to avoid further detection.

This is, partly, a straw man. People aren’t really asking to know NSA’s individual targets. They’re asking to know whether the government has back doored their iPhones via demands under FISA, or whether the NSA is collecting on the 430,000 Americans that use Tor every day, or if they’re also using this “foreign intelligence” collection program to hunt Americans buying drugs on Dark Markets or even BLM activists that our racist Attorney General has deemed a threat to national security. And in the name of keeping secrets from terrorists (who actually have the feedback mechanism of observing what gets their associates drone-killed to learn what gets collected), the government is refusing to admit that the answer to all those questions is yes: yes, the government has back doored our iPhones, yes, the government is spying on the 430,000 Americans that use Tor, and yes, for those who use Tor to buy drugs, they may even use 702 data to prosecute you.

Finally, the NSA pretends that everyone else in the world has a program just like this.

Q: Is the U.S. government the only one in the world with intercept programs like 702?

A: No. Many other countries have intelligence surveillance intercept programs, nearly all of which have far fewer privacy protections. Section 702 and its supporting policies and practices stand out in terms of strength of oversight, privacy protections, and public transparency.

It is true that other countries have “intercept programs,” but with the exception of China and Russia’s access to domestic Internet companies, no other country has a program “like 702” that, by virtue of the United States hosting the world’s most popular Internet companies, gives the US the luxury of spying on the rest of the world using a nice note to Google rather than having to hack users individually (or hack all users, as Russia did with Yahoo).

So, yes, the NSA has now offered a picture of itself, literally and metaphorically, that minimizes the scope, the thousands of spies it employs, and the reach, both domestic and global. But it’s a profoundly misleading picture.


How FBI Could Use Reverse Targeting to Use Section 702 against Keith Gartenlaub

Some weeks ago, in a post named, “Evidence the US Government Used Section 702 against Keith Gartenlaub[‘s Parents-in-Law],” I laid out the evidence that Section 702 was used against Keith Gartenlaub. As I showed,

  • A warrant in his case seemed to parallel construct Yahoo and Google content, often a sign the government is trying to introduce a second source for PRISM content
  • In spite of reference to Skype metadata, nothing in the court case ever seemed to reflect the content from those calls, in spite of the fact they’d be readily collectible
  • After approving the sharing of FISA information with the National Center for Missing and Exploited Children for traditional FISA data, the government approved such sharing for 702 data the day before they arrested Gartenlaub

But there was just one problem with that argument — one made clear in the title of the post. Ultimately, the government is only supposed to be allowed to target foreigners like Gartenlaub’s “well connected” Chinese parents-in-law, not Gartenlaub. Yet by all appearances, the investigation started with Gartenlaub, basically by deciding that allegations of Boeing theft must mean there was a Boeing theft at Gartenlaub’s location and then, very quickly, settling on Gartenlaub as the likely culprit.

Around January 28, 2013: Agent Wesley Harris reads article that leads him to start searching for Chinese spies at Boeing

February 7, 8, and 22, 2013: Harris interviews Gartenlaub

June 18, 2013: Agent Harris obtains search warrant for Gartenlaub and his wife, Tess Yi’s, Google and Yahoo accounts

So if Agent Harris did obtain 702 data between February, when he first showed interest in Gartenlaub, and June, when he appeared to be parallel constructing Google and Yahoo content, it would have been for the purpose of obtaining information on Gartenlaub, already a focus of the investigation.

That would pretty clearly be reverse targeting (unless, for some reason, the FBI already had a big stash of his in-laws’ communications in their 702 collection, in which it’d come up in a back door search).

In other words, while there’s a good deal of circumstantial evidence that the government used 702 to spy on his conversations with his in-laws, that shouldn’t be allowed under a common sense definition of what reverse targeting does.

Except, as Senator Wyden’s 702 reform and the SSCI bill report make clear, that kind of reverse targeting actually is permitted by current practice.

In his comments to the SSCI bill report, for example, Wyden explained,

The bill does not include a meaningful prohibition on reverse targeting, which would require a warrant when a significant purpose of targeting a foreigner is actually to collect the communications of the American communicant. The current standard permits the government to conduct unlimited warrantless searches on Americans, disseminate the results of those searches, and use that information against those Americans, so long as it has any justification at all for targeting the foreigner.

His own bill would insert language prohibiting the targeting of someone outside the US if a significant purpose is to get the communications of someone inside the US. If it was, the bill would require the government to get a Title I (traditional) order. [Bolded language is new.]

(d) Targeting procedures
(1) Requirement to adopt–The Attorney General, in consultation with the Director of National Intelligence, shall adopt targeting procedures that are reasonably designed to—
(A) ensure — 

(aa) that any acquisition authorized under subsection (a) is limited to targeting persons reasonably believed to be located outside the United States; and
(bb) that an application is filed under title I, if otherwise required, when a significant purpose of an acquisition authorized under subsection (a) is to acquire the communications of a particular, known person reasonably believed to be located in the United States; 

And a SSCI Wyden amendment modified by Angus King would prohibit the targeting of someone overseas if a purpose of the targeting was to collect on someone in the US.

By a vote of four ayes to eleven noes, the Committee rejected an amendment by Senator Wyden, as modified by Senator King, which would have revised the standard on current reverse targeting prohibitions to replace ‘‘the’’ with ‘‘a,’’ such that the statute would state ‘‘If a purpose of such acquisition is to target a particular known person.’’ The votes in person or by proxy were as follows: Chairman Burr—no; Senator Risch—no; Senator Rubio—no; Senator Collins—no; Senator Blunt—no; Senator Lankford—no; Senator Cotton—no; Senator Cornyn—no; Vice Chairman Warner—no; Senator Feinstein—no; Senator Wyden—aye; Senator Heinrich— aye; Senator King—aye; Senator Manchin—no; and Senator Harris—aye.

 

Clearly, the current prohibition on reverse targeting actually would nevertheless permit the government to obtain Gartenlaub’s in-laws’ communications to find out what they talk about in order to assess whether he might be plotting to steal IP from Boeing with them. And even though we still only have circumstantial evidence this is what happened, if it did, it would show the problem with reverse targeting: because Gartenlaub had Chinese in-laws, it (may have) made it far easier to obtain potentially damning information using 702 than it would be for any of his colleagues who didn’t have such ties with anyone of interest in China.

Effectively (again, if Gartenlaub was indeed reverse targeted), it would mean the government could obtain communications without any suspicion from which they could look for evidence of probable cause that he (or his wife) was an agent of a foreign power.

Ultimately, after both a criminal warrant and a FISA warrant claiming they had probable cause Gartenlaub was spying for China, after reading his emails for months, searching his home, and searching multiple devices, the government never found evidence to support that claim. But they did find old child porn (though no forensic evidence showing he had accessed that porn). It appears likely that they would never have found it if he hadn’t had the bad luck of marrying a well-connected Chinese-American.


Yup: The Government Is Secretly Hiding Its Crypto Battles in the Secret FISA Court

When I analyzed the Wyden-Paul Section 702 reform bill, I noted language that suggested Wyden was concerned about the government using the secrecy of FISA Court proceedings to demand technical assistance from providers they otherwise couldn’t get. Wyden’s bill makes it clear he’s concerned that the government would make (or is making) technical demands without even telling the FISC it is doing so. His bill would explicitly require review of any technical demands by the court.

(B) LIMITATIONS.—The Attorney General or the Director of National Intelligence may not request assistance from an electronic communication service provider under subparagraph (A) without demonstrating, to the satisfaction of the Court, that the assistance sought—

(i) is necessary;

(ii) is narrowly tailored to the surveillance at issue; and

(iii) would not pose an undue burden on the electronic communication service provider or its customers who are not an intended target of the surveillance.

(C) COMPLIANCE.—An electronic communication service provider is not obligated to comply with a directive to provide assistance under this paragraph unless

(i) such assistance is a manner or method that has been explicitly approved by the Court; and

(ii) the Court issues an order, which has been delivered to the provider, explicitly describing the assistance to be furnished by the provider that has been approved by the Court.

I suggested the most likely use of such a “technical assistance” demand would be requiring a company (cough, Apple) to back door its encryption.

The most obvious such application would involve asking Apple to back door its iPhone encryption.

As a reminder, national security requests to Apple doubled in the second half of last year.

The number of national security orders issued to Apple by US law enforcement doubled to about 6,000 in the second half of 2016, compared with the first half of the year, Apple disclosed in its biannual transparency report. Those requests included orders received under the Foreign Intelligence Surveillance Act, as well as national security letters, the latter of which are issued by the FBI and don’t require a judge’s sign-off.

We would expect such a jump if the government were making a slew of new requests of Apple related to breaking encryption on their phones.

In his statement on the bill, Wyden made it clear that that’s precisely what he is concerned about.

It leaves in place current statutory authority to compel companies to provide assistance, potentially opening the door to government mandated de-encryption without FISA Court oversight. [my emphasis]

And note: he is saying that the government will do this (that is, has already done it, most likely) without asking the FISC to review whether its technical demands are narrowly tailored and necessary.

Update: This post has been updated in response to comments to clarify that Wyden is not concerned about technical demands per se, but about technical demands with no FISC review.

Update: One more point to make clear: for “individual” orders, the court will review every facility, which will involve some review of what kinds of access the government will get (such as when, in 2015, the government ordered Yahoo to scan all its users for some kind of signature).

But under 702, the “assistance” language that the government could use to obligate back doors (or whatever else) is not tied to anything the court reviews. Annual certifications have to affirm that the collection requires domestic provider assistance (but does not require a description of what that assistance entails).

vi) the acquisition involves obtaining foreign intelligence information from or with the assistance of an electronic communication service provider; and

But then once that certificate is signed, the government can work at the level of directives, demanding, compensating, and indemnifying the provider for that assistance all without any court review.

(h) Directives and judicial review of directives

(1) Authority: With respect to an acquisition authorized under subsection (a), the Attorney General and the Director of National Intelligence may direct, in writing, an electronic communication service provider to—

(A) immediately provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition in a manner that will protect the secrecy of the acquisition and produce a minimum of interference with the services that such electronic communication service provider is providing to the target of the acquisition; and

(B) maintain under security procedures approved by the Attorney General and the Director of National Intelligence any records concerning the acquisition or the aid furnished that such electronic communication service provider wishes to maintain.

(2) Compensation

The Government shall compensate, at the prevailing rate, an electronic communication service provider for providing information, facilities, or assistance in accordance with a directive issued pursuant to paragraph (1).

(3) Release from liability
No cause of action shall lie in any court against any electronic communication service provider for providing any information, facilities, or assistance in accordance with a directive issued pursuant to paragraph (1).

That’s why the risk is that much greater for 702: because the court is never going to review the individual directives which is where the specific technical assistance gets laid out (unless a provider is permitted to challenge those directives).


Eleven (or Thirteen) Senators Are Cool with Using Section 702 to Spy on Americans

The Senate Intelligence Committee report on its version of Section 702 “reform” is out. It makes it clear that my concerns raised here and here are merited.

In this post, I’ll examine what the report — particularly taken in conjunction with the Wyden-Paul reform — reveals about the use of Section 702 for domestic spying.

The first clue is Senator Wyden’s effort to prohibit collection of domestic communications — the issue over which he and Director of National Intelligence Dan Coats have been fighting since June.

By a vote of four ayes to eleven noes, the Committee rejected an amendment by Senator Wyden that would have prohibited acquisition under Section 702 of communications known to be entirely domestic under authority to target certain persons outside of the United States. The votes in person or by proxy were as follows: Chairman Burr—no; Senator Risch—no; Senator Rubio—no; Senator Collins—no; Senator Blunt—no; Senator Lankford—no; Senator Cotton—no; Senator Cornyn—no; Vice Chairman Warner—no; Senator Feinstein—aye; Senator Wyden—aye; Senator Heinrich— aye; Senator King—no; Senator Manchin—no; and Senator Harris—aye.

It tells us that the government collects entirely domestic communications, a practice that Wyden tried to prohibit in his own bill, which added this language to Section 702.

(F) may not acquire communications known to be entirely domestic;

This would effectively close the 2014 exception, which permitted the NSA to continue to collect on a facility even after it had identified that Americans also used it. As I have explained, that exception is used to collect Tor (and probably VPN) traffic to obtain foreigners’ data. I suspect that detail is what Wyden had in mind when, in his comments in the report, he said the report itself “omit[s] key information about the scope of authorities granted the government” (though there are likely other things this report hides).

I have concerns about this report. By omitting key information about the scope of authorities granted the government, the Committee is itself contributing to the continuing corrosive problem of secret law

As the bill report lays out, Senators Burr, Risch, Rubio, Collins, Blunt, Lankford, Cotton, Cornyn, Warner, King, and Manchin are all cool using a foreign surveillance program to spy on their constituents, especially given that Burr has hidden precisely the impact of that spying in this report.

Any bets on whether they might have voted differently if we all got to know what kind of spying on us this bill authorized?

That, of course, is only eleven senators who are cool with treating their constituents (or at least those using location obscuring techniques) like foreigners.

But I’m throwing Feinstein and Harris in with that group, because they voted against a Wyden amendment that would have limited how the government could use 702 collected data in investigations.

By a vote of two ayes to thirteen noes, the Committee rejected an amendment by Senator Wyden that would have imposed further restrictions on use of Section 702-derived information in investigations and legal proceedings. The votes in person or by proxy were as follows: Chairman Burr—no; Senator Risch—no; Senator Rubio—no; Senator Collins—no; Senator Blunt—no; Senator Lankford—no; Senator Cotton—no; Senator Cornyn—no; Vice Chairman Warner—no; Senator Feinstein—no; Senator Wyden— aye; Senator Heinrich—aye; Senator King—no; Senator Manchin— no; and Senator Harris—no.

While we don’t have the language of this amendment, I assume it does what this language in Wyden’s bill does, which is to limit the use of Section 702 data for purposes laid out in the known certificates (foreign government including nation-state hacking, counterproliferation, and counterterrorism — though this language makes me wonder if there’s a Critical Infrastructure certificate or whether it only depends on the permission to do so in the FBI minimization procedures, and the force protection language reminds me of the concerns raised by a recent HRW FOIA permitting the use of 12333 language to do so).

(B) in a proceeding or investigation in which the information is directly related to and necessary to address a specific threat of—

(i) terrorism (as defined in clauses (i) through (iii) of section 2332(g)(5)(B) of title 18, United States Code);

(ii) espionage (as used in chapter 37 of title 18, United States Code);

(iii) proliferation or use of a weapon of mass destruction (as defined in section 2332a(c) of title 18, United States Code);

(iv) a cybersecurity threat from a foreign country;

(v) incapacitation or destruction of critical infrastructure (as defined in section 1016(e) of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001 (42 U.S.C. 5195c(e))); or

(vi) a threat to the armed forces of the United States or an ally of the United States or to other personnel of the United States Government or a government of an ally of the United States.

Compare this list with the one included in the bill, which codifies the use of 702 data for issues that,

“Affects, involves, or is related to” the national security of the United States (which will include proceedings used to flip informants on top of whatever terrorism, proliferation, or espionage and hacking crimes that would more directly fall under national security) or involves,

  • Death
  • Kidnapping
  • Serious bodily injury
  • Specified offense against a minor
  • Incapacitation or destruction of critical infrastructure (critical infrastructure can include even campgrounds!)
  • Cybersecurity, including violations of CFAA
  • Transnational crime, including transnational narcotics trafficking
  • Human trafficking (which, especially dissociated from transnational crime, is often used as a ploy to prosecute prostitution; the government also includes assisting undocumented migration to be human trafficking)

[snip]

Importantly, the bill does not permit judicial review of the determination that something “affects, involves, or is related to” national security. Meaning Attorney General Jeff Sessions could decide tomorrow that it can collect the Tor traffic of BLM or BDS activists, and no judge can rule that’s an inappropriate use of a foreign intelligence program.

The bill report’s description of this section makes it clear that — in spite of its use of the word “restriction,” — this is really about providing affirmative “permission.”

Section 6 provides restrictions on the Federal Bureau of Investigation’s (FBI’s) use of Section 702-derived information, so that the FBI can use the information as evidence only in court proceedings [my emphasis]

That is, Wyden would restrict the use of 702 data to purposes the FISC has affirmatively approved, rather than the list of 702 purposes expanded to include the most problematic uses of Tor: all hacking, dark markets, and child porn.

So while Feinstein and Harris voted against the use of 702 to collect known domestic communications, they’re still okay using domestic Tor communications they say they don’t want to let NSA collect to prosecute Americans (which is actually not surprising given their past actions on sex workers).

Again, they’re counting on the fact that the bill report is written such that their constituents won’t know that this is going on. Unless they read me.

Look, I get the need to collect on Tor traffic to go after its worst uses. But if you’re going to do that, stop pretending this is a foreign surveillance bill, and instead either call it a secret court bill (one that effectively evades warrant requirements for all Tor wiretapping in this country), or admit you’re doing that collection and put review of it back into criminal courts where it belongs.


Today in the Ben Wittes (And Friends) Utter Lack of Self-Awareness File: Family and Friends Edition

This morning, Ben Wittes called Ashley Feinberg’s discovery of the Twitter account that Jim Comey had himself disclosed the existence of publicly, “a creepy stalking effort.”

Shortly thereafter he went on to backtrack a bit, calling Feinberg’s work “very impressive,” but then pitching his privacy concern as pertaining to Comey’s adult-aged son.

Later in the day he defended against claims he was “being mean” to her by pointing to the time she used his name to get Comey to click on a test phish.

Then Matt Tait weighed in, reaffirming that tracking Comey down through his adult-aged son was very stalkery.

Ultimately, though, they (and Susan Hennessey) end up asking what the news value of Feinberg identifying Comey’s Twitter account was.

Let’s review, shall we? We’re talking about whether it is acceptable for a journalist to use public means (facilitated by a loophole in Instagram), hopping through a public figure’s 22-year old son, to find the public figure’s Twitter account, which he revealed in a televised appearance.

And not just any public figure. This is Jim Comey, the man who, in 2004, declined to reauthorize a bulk Internet metadata dragnet (Comey showed no such compunction about reauthorizing a phone metadata dragnet), only to run to the FISA Court and tell Colleen Kollar-Kotelly that she had no discretion but to approve it.

And thus was born the legal codification of the definition of “relevant to” that holds that the metadata of all Americans can be considered “relevant to” FBI’s standing terrorism investigations, the definition that, two years later, would be used to justify collection aspiring to obtain the metadata of all phone calls placed in this country. Not just those who talk to terrorists, but those who talk to the people who talk to them and the people who talk to those who talk to those who talk to them. Including their children.

The Internet dragnet (and the upstream collection that replaced it) collects things like what people get tagged or favorited in Instagram and Twitter accounts — precisely the kind of metadata that led Feinberg to identify Comey’s account.

But that’s not all that’s “relevant to” whether there is any news value to using publicly available metadata to identify a Twitter account that Comey himself revealed.

In 2014, when Jim Comey headed the FBI, DOJ’s Inspector General argued for at least the second time (with the first including practices that occurred while Comey was DAG) that FBI should not be obtaining all records associated with the Friends and Family account of a target.

[T]he significance of the FBI’s request for “associated” records is that the FBI has sought and in some cases received not only the toll billing records and subscriber information of the specific telephone number identified in the NSL, but also the toll billing numbers that belong to the same account — such as numbers in a group or family plan account — without a separate determination and certification by the FBI that the additional records are relevant to an authorized international terrorism investigation. Yet before the FBI may specifically request in an NSL the records of a subject’s family member or partner, Section 2709 would require an authorized official to certify that such records are relevant to a national security investigation. (158)

That is, DOJ’s IG had to tell the FBI for the second time, when Comey was running it, that they shouldn’t be collecting the phone records of a target’s mom or (dependent aged) child or girlfriend because they were associated with accounts relevant to an investigation.

The FBI accepted DOJ IG’s recommendation to ensure that records “associated to” those “relevant to” investigations not be collected, but had only implemented it thus far on the non-automated side of NSL submissions by the time of the report.

Now that we’ve reviewed Jim Comey’s great tolerance for using three hop metadata records as an investigative technique (if not the more targeted collection of records “associated to” those “relevant to” investigations) as well as the mind-numbing definition of what constitutes “relevant to,” let’s return to the context of his discussions about social media. While the Twitter revelation served as evidence for a story that he’s non-partisan, the Instagram one he likes to tell serves to support his claim to care about privacy. Here’s the quote Feinberg included in her piece, but Comey has made this speechlet numerous times over the years.

I care deeply about privacy, treasure it. I have an Instagram account with nine followers. Nobody is getting in. They’re all immediate relatives and one daughter’s serious boyfriend. I let them in because they’re serious enough. I don’t want anybody looking at my photos. I treasure my privacy and security on the internet.

Nobody is getting into his Instagram account (with its loophole permitting people like Feinberg or FBI agents to get to his metadata), Comey said. With respect to content, that seems to be true.

Presumably, he also believed nobody was getting into his Twitter account that at that point just one person — the weak link, Ben Wittes — had followed.

He was wrong.

Jim Comey’s understanding of his own well-guarded privacy was overblown, in part because of the inherent insecurity of the platforms he uses and in part because of the OpSec practices of his friend and his son’s friend. I don’t think Comey much cares — in his business, the likelihood that a dumb associate might thwart otherwise admirable operational security (especially on the part of a 22-year-old) of a target is a blessing, not a curse.

But it is an awesome illustration of the power and danger of this metadata soup that, under Comey, the government got far more access to.

Now, in threads where I’ve made this argument, people have rightly pointed out that the power of the FBI (which gets far more metadata) and a reporter is somewhat different, as might be the necessity for avoiding any chains involving children. Though the frequency with which Trump and his associates’ own (admittedly older) spawn get included in stories of his corruption demonstrates how important such connections are, even for journalists.

But the contention that FBI’s contact chaining and a journalist’s contact chaining are that different is belied by Comey’s own reaction, his first tweet ever.

Not only did he say he wasn’t mad and compliment her work, but he posted the link to FBI jobs.

I’d say Jim Comey sees a similarity in what Feinberg did.

I’m all in favor of protecting the accounts of children from such contact chaining — and am really not a big fan of contact chaining, generally. But from those who, like Comey and Wittes and Hennessey and Tait, have championed a system that endorses at least two hop chaining irrespective of who gets hopped, not to mention those who’ve tolerated the collection on family members in even more targeted surveillance, I’m not all that interested in complaints about the privacy of a 22-year-old son.

Or rather, I point to it as yet another example of surveillance boosters not understanding what the policies they embrace actually look like in practice.

Which is precisely why this “doxing” was so newsworthy.

Update: For the benefit of Al, I’m including this link to Comey introducing his children (Brian was 19 at the time, his youngest was 13) at his FBI Director confirmation hearing in 2013; a screencap is above. It sounds like he did the same at his DAG hearing 10 years earlier.

So if you’ve got a concern about their safety you might want to talk to the Senate about the practice of featuring families during confirmation hearings.

Update: Here we are Monday and Gates and Manafort still haven’t found anything liquid to put up as bail. Not only that, but in a filing raising a potential conflict with one of Gates’ money laundering expert lawyers, prosecutors reveal Gates is trying to have the brother of his partner from a movie-related firm serve as surety, while that brother is also serving as surety for the partner.

Marc Brown, the brother of defendant Steven Brown, was proposed by Gates as a potential surety despite the facts that they seemingly do not have a significant relationship, they have not had regular contact over the past ten years, and Marc Brown currently serves as a surety for his brother Steven in his ongoing criminal prosecution in New York. In an interview with the Special Counsel’s Office on November 16, Marc Brown listed as a reason for seeking to support Gates that they belonged to the same fraternity (although they did not attend the same college) and that, as such, he felt duty bound to help Gates. Of note, Marc Brown’s financial assets were significantly lower, almost by half, than previously represented by Gates.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

HJC’s Manager’s Amendment Blows Open 702 Metadata Queries

I realized something as I was doing a last minute review comparing the Manager’s Amendment of 702 reauthorization that will be marked up in the House Judiciary Committee with a recent version. Here’s the language the two bills propose for querying of metadata:

Recent Version:

RELEVANCE AND SUPERVISORY APPROVAL TO ACCESS NON-CONTENTS INFORMATION.—Except as provided by subparagraph (D), the information of communications acquired under subsection (a) relating to the dialing, routing, addressing, signaling, or other similar non-contents information may be accessed or disseminated only upon a determination by the Attorney General that

(i) such communications are relevant to an authorized investigation or assessment, provided that such investigation or assessment is not conducted solely on the basis of activities protected by the first amendment to the Constitution of the United States; and

(ii) any use of such communications pursuant to section 706 will be carried out in accordance with such section.

Manager’s Amendment

(C) RELEVANCE AND SUPERVISORY APPROVAL TO ACCESS NON-CONTENTS INFORMATION.—Except as provided by subparagraph (D), the information of communications acquired under subsection (a) relating to the dialing, routing, addressing, signaling, or other similar non-contents information may be accessed or disseminated only—

(i) with supervisory approval;

(ii) [] if such information is not sought solely on the basis of activities protected by the first amendment to the Constitution of the United States;

(iii) if an order based on probable cause would not be required by law to obtain such information if requested as part of an investigation of a Federal crime; and

(iv) if any use of such communications pursuant to section 706 will be carried out in accordance with such section.

Inventing metadata-plus

I haven’t commented on this at length, but one thing the HJC bill does that the other drafts don’t is to invent a new, undefined category of “metadata plus.” They do so to get around the issue I laid out here: NSA has always treated as metadata stuff that from a packet architecture perspective is actually content. They did so by breaking the law from 2001 to 2004 and again from 2004 to 2009 and almost certainly still from 2010 to 2011. After 2011, they simply shut down the Internet metadata program and swapped it to access of metadata acquired under the name of content from upstream collection.

If HJC were a real legislative body, they’d take this opportunity, having clearly identified the need, to redefine metadata in a way that makes sense in the Internet era.

But they chose not to do that. Instead, they’ve just slapped an “or other similar non-contents information” onto the traditional definition of metadata, without defining it!!, so as to cover the continued access to such non-content information without debating the limits of the new definition.

Swapping AG approval for supervisor approval

That redefinition of metadata happens in both bills. But something new happens in the manager’s amendment. It swaps delegable Attorney General approval for “supervisory” approval. That’s still more than currently happens at FBI but possibly less than what currently happens at NSA. But it will ensure that such queries are common and easy.

Eliminating the tie to any investigation

Then the manager’s amendment eliminates the requirement that such queries are “relevant to” (whatever that means anymore) an authorized investigation. This will open up the data for assessments, meaning the FBI can use the data for far more than just investigating crimes. Again, that matches the status quo for FBI currently (which is effectively mostly what the HJC bill does, all while screaming LIBERTY cynically). But it does mean the FBI can continue to research whether you’ve been talking to foreigners without having any evidence of wrong-doing first.

Permitting the use of location and other enhanced metadata

Here’s the big tell, the addition of this language to the metadata querying language. The government can only do back door metadata searches on US persons “if an order based on probable cause would not be required by law to obtain such information if requested as part of an investigation of a Federal crime.”

My discussion of metadata-plus, above, is mostly important today for NSA, because it involves NSA’s use of “metadata” obtained from upstream queries. That stuff doesn’t get passed on to FBI and CIA (which like FBI refuses to count its metadata queries) yet, but I guarantee you it soon will.

But remember, FBI (and CIA) are getting raw PRISM information.

And PRISM data includes a lot of “non-content” information that is not DRAS that would be of interest to the FBI, starting with location data (among other things, FBI likes to obtain the location data from your phone that you share with apps like Facebook). This probably also allows FBI to skirt jurisdictions where obtaining content without a warrant would be illegal, given that it came from national collection. In any case, however, most jurisdictions will still give some content with a PRTT, so without probable cause.

Like all the other tweaks, this probably also reflects the status quo — meaning that the FBI is accessing as metadata stuff that is far more intrusive. But by laying out the prohibition in this way, it makes it clear that FBI (and CIA) will (continue to) access fairly intrusive metadata-plus collected by cloud providers that wouldn’t have been identified without the use of warrantless surveillance.

Watering the meaningless warrant requirement down still further

I have argued that the warrant requirement in the HJC bill is currently meaningless, because it permits queries for foreign intelligence information and permits the FBI to define foreign intelligence with the next certification (another area where HJC has abdicated its legislative role to the Intelligence Community).

By codifying that FBI can do metadata queries without an open investigation, the government is ensuring that it can continue to access this information at the assessment level, even if they’re not doing so under the guise of national security.

But two other changes in the manager’s amendment water down the meaningless warrant requirement even more.

First, the manager’s amendment eliminates this prohibition on using metadata to prove probable cause.

noncontents information accessed or disseminated pursuant to subparagraph (C) is not the sole basis for such probable cause;

That means the government can access metadata without an open investigation, and then use that metadata as the sole basis to access the content.

But under the manager’s amendment, the FBI can bypass the court altogether if the Attorney General (currently racist Jeff Sessions) reasonably determines the US person is communicating with someone engaged in, or materially supporting, terrorism.

Subject to section 706(a)(2), based on a review described in item (II), the Attorney General reasonably determines that the person identified by the queried term is, or is communicating with—

(aa) a person reasonably believed to be engaged in international terrorism (as defined in section 101(c)) or activities in preparation therefore; or

(bb) a person reasonably believed to be acting for, or in furtherance of, the goals or objectives of an international terrorist or international terrorist organization.

And that review relies on the same metadata-plus.

A review described in this item is a review of information of communications acquired under subsection (a) relating to the dialing, routing, addressing, signaling, or other similar non-contents information,

Again, all of this basically amounts to retaining the status quo (though at a time when Russia may pose a greater threat to the US than the shriveling ISIS, and when gun violence by regular old American whackos is proving far more lethal than that of ISIS, it’s not clear that prioritizing terrorism anymore makes sense).

But it is both a testament to how much the HJC bill is really just window dressing, Potemkin reform cynically called “Liberty,” and a hint at how they’re really using metadata-plus.

Ron Wyden Is Worried the Government Will Use FISA Process to Force Companies to Make Technical Changes

Ron Wyden and Rand Paul just introduced their bill to fix Section 702. It’s a good bill that not only improves Section 702 (by prohibiting back door searches, prohibiting the 2014 exception, and limiting use of 702 data), but also improves FISC and PCLOB.

The most alarming part of the bill, though, is Section 14. It prohibits the Attorney General and Director of National Intelligence from asking for technical assistance under Section 702 that is not narrowly targeted or explicitly laid out and approved by the court.

(B) LIMITATIONS.—The Attorney General or the Director of National Intelligence may not request assistance from an electronic communication service provider under subparagraph (A) without demonstrating, to the satisfaction of the Court, that the assistance sought—

(i) is necessary;

(ii) is narrowly tailored to the surveillance at issue; and

(iii) would not pose an undue burden on the electronic communication service provider or its customers who are not an intended target of the surveillance.

(C) COMPLIANCE.—An electronic communication service provider is not obligated to comply with a directive to provide assistance under this paragraph unless

(i) such assistance is a manner or method that has been explicitly approved by the Court; and

(ii) the Court issues an order, which has been delivered to the provider, explicitly describing the assistance to be furnished by the provider that has been approved by the Court.

This suggests that Wyden is concerned the government might use — or has used — FISA to make sweeping onerous technical demands of companies without explicitly explaining what those demands are to the Court.

The most obvious such application would involve asking Apple to back door its iPhone encryption.

As a reminder, national security requests to Apple doubled in the second half of last year.

The number of national security orders issued to Apple by US law enforcement doubled to about 6,000 in the second half of 2016, compared with the first half of the year, Apple disclosed in its biannual transparency report. Those requests included orders received under the Foreign Intelligence Surveillance Act, as well as national security letters, the latter of which are issued by the FBI and don’t require a judge’s sign-off.

We would expect such a jump if the government were making a slew of new requests of Apple related to breaking encryption on their phones.

The Senate Intelligence Committee 702 Bill Is a Domestic Spying Bill

Richard Burr has released his draft Section 702 bill.

Contrary to what you’re reading about it not “reforming” 702, the SSCI bill makes dramatic changes to 702. Effectively, it makes 702 a domestic spying program.

The SSCI expands the kinds of criminal prosecutions with which it can use Section 702 data

It does so in Section 5, in what is cynically called “End Use Restriction,” but which is in reality a vast expansion of the uses to which Section 702 data may be put (affirmatively codifying, effectively, a move the IC made in 2015). It permits the use of 702 data in any criminal proceeding that “Affects, involves, or is related to” the national security of the United States (which will include proceedings used to flip informants on top of whatever terrorism, proliferation, or espionage and hacking crimes that would more directly fall under national security) or involves,

  • Death
  • Kidnapping
  • Serious bodily injury
  • Specified offense against a minor
  • Incapacitation or destruction of critical infrastructure (critical infrastructure can include even campgrounds!)
  • Cybersecurity, including violations of CFAA
  • Transnational crime, including transnational narcotics trafficking
  • Human trafficking (which, especially dissociated from transnational crime, is often used as a ploy to prosecute prostitution; the government also includes assisting undocumented migration to be human trafficking)

This effectively gives affirmative approval to the list of crimes for which the IC can use 702 information laid out by Bob Litt in 2015 (in the wake of the 2014 approval).

Importantly, the bill does not permit judicial review of the determination that something “affects, involves, or is related to” national security. Meaning Attorney General Jeff Sessions could decide tomorrow that it can collect the Tor traffic of BLM or BDS activists, and no judge can rule that’s an inappropriate use of a foreign intelligence program.

“So what?” you might ask, this is a foreign surveillance program. So what if they find evidence of child porn in the course of spying on designated foreign targets, and in the process turn it over to the FBI?

The reason this is a domestic spying program is because of two obscure parts of 702 precedent.

The 2014 exception permits NSA to collect Tor traffic — including the traffic of 430,000 Americans

First, there’s the 2014 exception.

In 2014, the FISC approved an exception to the rule that the NSA must detask from a facility when it discovers that a US person was using it. I laid out the case that the facilities in question were VPNs (collected in the same way PRISM would be) and Tor (probably collected via upstream collection). I suggested then that it was informed speculation, but it was more than that: the 2014 exception is about Tor (though I haven’t been able to confirm the technical details of it).

NSA is collecting Tor traffic, including the traffic of the 430,000 Americans each day who use Tor.

One way to understand how NSA gets away with this is to consider how the use of upstream surveillance with cybersecurity works. As was reported in 2015, NSA can use upstream for cybersecurity purposes, but only if that use is tied to known indicators of compromise of a foreign government hacking group.

On December 29 of last year, the Intelligence Community released a Joint Analysis Report on the hack of the DNC that was considered — for cybersecurity purposes — an utter shitshow. Most confusing at the time was why the IC labeled 367 Tor exit nodes as Russian state hacker indicators of compromise.

But once you realize the NSA can collect on indicators of compromise that it has associated with a nation-state hacking group, and once you realize NSA can collect on Tor traffic under that 2014 exception, then it all begins to make sense. By declaring those nodes indicators of compromise of Russian state hackers, NSA got the ability to collect off of them.

NSA’s minimization procedures permit it to retain domestic communications that are evidence of a crime

The FISC approved the 2014 exception based on the understanding that NSA would purge any domestic communications collected via the exception in post-tasking process. But NSA’s minimization procedures permit the retention of domestic communications if the communication was properly targeted (under targeting procedures that include the 2014 exception) and the communication 1) includes significant foreign intelligence information, 2) includes technical database information (which includes the use of encryption), 3) contains information pertaining to an imminent threat of serious harm to life or property, OR,

Such domestic communication does not contain foreign intelligence information but is reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed. Such domestic communication may be disseminated (including United States person identities) to appropriate law enforcement authorities, in accordance with 50 U.S.C. § 1806(b) and 1825(c), Executive Order No 12333, and, where applicable, the crimes reporting procedures set out in the August 1995 “Memorandum of Understanding: Reporting of Information Concerning Federal Crimes,” or any successor document.

So they get the data via the 2014 exception permitting NSA to collect from Tor (and VPNs). And they keep it and hand it off to FBI via the exception on NSA’s destruction requirements.

In other words, what Richard Burr’s bill does is affirmatively approve the use of Section 702 to collect Tor traffic and use it to prosecute a range of crimes, some of them potentially quite minor.
