The Government Admits 9 Defendants Spied On Under Section 702 Have Not Gotten FISA Notice

/1 Comment/in /by

As I noted, in his opinion approving the Section 702 certifications from last year, Judge Thomas Hogan had a long section describing the 4 different kinds of violations the spooks had committed in the prior year.

One of those pertained to FBI agents not establishing an attorney-client review team for people who had been indicted, as mandated by the FBI’s minimization procedures.

In his section on attorney-client review team violations, Hogan describes violations in all four of the Quarterly Reports submitted since the previous 702 certification process: December 19, 2014, March 20, 2015, June 19, 2015, and September 18, 2015. He also cites three more Preliminary Compliance Reports that appear not to be covered in that September 18, 2015 report: one on September 9, 2015, one on October 5, 2015, and one on October 8, 2015. His further discussion describes the government claiming at a hearing on October 8 to discuss the issue that, thanks to a new system FBI had deployed to address the problem, “additional instances of non-compliance with the review team requirement were discovered by the time of the October 8 Hearing.”

But as Hogan notes in his November 2015 opinion, FBI discovered a lot of these issues because FBI had had a similar problem the previous year and he required them to review for it closely in his 2014 order. A July 30, 2014 letter submitted as part of the recertification process describes two instances in depth: one noticed in February 2014 and reported in the March Quarterly report, and one noticed in April and reported in the June 2014, each involving multiple accounts. A footnote to that discussion admits “there have been additional, subsequent instances of this type of compliance incident.”

Set aside, for the moment, the persistence with which FBI failed to set up review teams to make sure prosecutorial teams were not reading the attorney-client conversations of indicted defendants (who are the only ones who get such protection!!!). Set aside the excuses they gave, such as that they thought this requirement — part of the legally mandatory minimization procedures — didn’t apply for sealed indictments or with targets located outside the United States.

Conservatively, this significantly redacted discussion identifies 9 examples (2 reported in Compliance Reports in 2014, at least 1 reported each in each of four quarterly Compliance report between applications, plus 3 individual compliance reports submitted after the September Compliance report) when people who have been indicted had their communications collected under Section 702, whether they were the target of the 702 directives or not.

And yet, as Patrick Toomey wrote in December, not a single defendant has gotten a Section 702 notice during the period in question.

Up until 2013, no criminal defendant received notice of Section 702 surveillance, even though notice is required by statute. Then, after reports surfaced in the New York Times that the Justice Department had misled the Supreme Court and was evading its notice obligations, the government issued five such notices in criminal cases between October 2013 and April 2014. After that, the notices stopped — and for the last 20 months, crickets.

We know both Mohamed Osman Mohamud — who received a 702 notice personally — and Bakhtiyor Jumaev — who would have secondary 702 standing via Jamshid Muhtorov, with whom he got busted — had their attorney-client communications spied on. But that wasn’t (damn well better not have been!!) 702 spying, because both parties to all those conversations were in the US.

These are 9 different defendants who’ve not yet been told they were being spied on under 702.

Why not?

The answer is probably the one Toomey laid out: that even though members of a prosecutorial team were listening in on attorney-client conversations collected under 702, DOJ made sure nothing from those conversations (or anything else collected via 702) got used in another court filing, and thereby avoided the notice requirement.

Based on what can be gleaned from the public record, it seems likely that defendants are not getting notice because DOJ is interpreting a key term of art in Fourth Amendment law too narrowly — the phrase “derived from.” Under FISA itself, the government is obliged to give notice to a defendant when its evidence is “derived from” Section 702 surveillance of the defendant’s communications. There is good reason to think that DOJ has interpreted this phrase so narrowly that it can almost always get around its own rule, at least in new cases.

It is clear from public reporting and DOJ’s filings in the ACLU’s lawsuit that it has spent years developing a secret body of law interpreting the phrase “derived from.” Indeed, from 2008 to 2013, National Security Division lawyers apparently adopted a definition of “derived” that eliminated notice of Section 702 surveillance altogether. Then, after this policy became public, DOJ came up with something else, which produced a handful of notices in existing cases.

Savage reports in Power Wars that then-Deputy Attorney General James Cole decided that Section 702 information had to have been “material” or “critical” to trigger notice to a defendant. But the book doesn’t provide any details about the legal underpinnings for this rule or, crucially, how Cole’s directive was actually implemented within DOJ. The complete absence of Section 702 notices since April 2014 suggests DOJ may well have found new ways of short-circuiting the notice requirement.

One obvious way DOJ might have done so is by deeming evidence to be “derived from” Section 702 surveillance only when it has expressly relied on Section 702 information in a later court filing — for instance, in a subsequent FISA application or search warrant application. (Perhaps DOJ’s interpretation is slightly more generous than this, but probably not by much.) DOJ could then avoid giving notice to defendants simply by avoiding all references to Section 702 information in those court filings, citing information gleaned from other investigative sources instead — even if the information from those alternative sources would never have been obtained without Section 702.

So these 9 mystery defendants don’t tell us anything new. They just give us a number — 9 — of defendants the government now has officially admitted have been spied on under 702 who have not been told that.

As I noted, Judge Hogan did not include this persistent attorney-client problem among the things he invited Amy Jeffress to review as amicus. Whether or not she would have objected to the persistent violation of FBI’s minimization procedures, a review of them would also have given her evidence from which she might have questioned FBI’s compliance with another part of 702, that defendants get notice.

But DOJ seems pretty determined to flout that requirement going forward.

Share this entry

Former Top Holder Aide Says Back Door Searches Violate Fourth Amendment; FISC Judge Thomas Hogan Doesn’t Care

/8 Comments/in , /by

My apologies to Amy Jeffress.

When I first realized that FISA Court Presiding Judge Thomas Hogan picked her to serve as amicus for the review of the yearly 702 certifications last year, I complained that she, not Marc Zwillinger, got selected (the pick was made in August, but Jeffress would later be picked as one of the standing amicus curiae, along with Zwillinger). After all, Zwillinger has already argued that PRISM (then authorized by Protect America Act) was unconstitutional when he represented Yahoo in its challenge of the program. He’s got experience making this precise argument. Plus, Jeffress not only is a long-time national security prosecutor and former top Eric Holder aide, but she has been involved in some actions designed to protect the Executive. I still think Zwillinger might have done a better job. But Jeffress nevertheless made what appears to be a vigorous, though unsuccessful, argument that FBI’s back door searches of US person data are unconstitutional.

A former top DOJ lawyer believes FBI’s back door queries are unconstitutional

But it says a lot that Jeffress — someone who narrowly missed being picked as Assistant Attorney General for National Security and who presumably got at least some visibility on back door searches when working with Holder — argued that FBI’s warrantless back door searches of communications collected under Section 702 is unconstitutional. (I presume it would be unethical for Jeffress to use information learned while counseling Holder in this proceeding, which might have put her in an interesting position of knowing more than she could say.)

Sadly, Hogan didn’t care. Worse, his argument for not caring doesn’t make sense. As I’ll note, not only did Hogan pick a less than optimal person to make this argument, but he may have narrowly scoped her input, which may have prevented her from raising evidence in Hogan’s own opinion that his legal conclusion was problematic.

To be clear, Jeffress was no flaming hippie. She found no problem with the NSA and CIA practice of back door searches, concluding, “that the NSA and CIA minimization procedures are sufficient to ensure that the use of U.S. person identifiers for th[e] purpose of [querying Section 702-acquired information] complies with the statutory requirements of Section 702 and with the Fourth Amendment.” But she did find the FBI practice problematic.

Jeffress’ amicus brief included at least 10 pages of discussion of her concerns with the practice, though ODNI did not release her brief and Hogan cited very limited bits of it. She argued, “the FISA process cannot be used as a device to investigate wholly unrelated ordinary crimes” and said because the queries could do so they “go far beyond the purpose for which the Section 702-acquired information is collected in permitting queries that are unrelated to national security.”

To dismiss Jeffress’ arguments, Hogan does several things. He,

  • Notes the statute requires foreign intelligence just be “a significant purpose” of the collection, and points back to the 2002 In Re Sealed Case FISCR decision interpreting the “significant purpose” language added in the PATRIOT Act to permit the use of traditional FISA information for prosecutions
  • Cites the FISA minimization procedure language that “allow[s] for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed”
  • Dismisses a former top DOJ official’s concerns about the use of FISA data for non-national security crimes as “hypothetical”
  • Doesn’t address — at all — language in the FBI minimization procedures that permits querying of data for assessments and other unspecified uses
  • Invests a lot of faith in FBI’s access and training requirements that later parts of his opinion undermine

There are several problems with his argument.

In Re Sealed Case ties “significant purpose” to the target of an interception

First, Hogan extends the scope of what the FISA Court of Review interpreted the term “significant purpose,” which got added to traditional FISA in the PATRIOT Act and then adopted in FISA Amendments Act.

Hogan cites the FISCR decision in In Re Sealed Case to suggest it authorized the use of information against non-targets of surveillance. He does so by putting the court’s ultimate decision after caveats it uses to modify that. “The Court of Review concluded that it would be an “anomalous reading” of the “significant purpose” language of 50 U.S.C. § 1804(a)(6)(B) to allow the use of electronic surveillance in such a case. See id. at 736. The Court nevertheless stressed, however, that “[s]o long as the government entertains a realistic option of dealing with the agent other than through criminal prosecution that it satisfies the significant purpose test.”

But that’s not what FISCR found. Here’s how that reads in the original, with Hogan’s citations emphasized.

On the one hand, Congress did not amend the definition of foreign intelligence information which, we have explained, includes evidence of foreign intelligence crimes. On the other hand, Congress accepted the dichotomy between foreign intelligence and law enforcement by adopting the significant purpose test. Nevertheless, it is our task to do our best to read the statute to honor congressional intent. The better reading, it seems to us, excludes from the purpose of gaining foreign intelligence information a sole objective of criminal prosecution. We therefore reject the government’s argument to the contrary. Yet this may not make much practical difference. Because, as the government points out, when it commences an electronic surveillance of a foreign agent, typically it will not have decided whether to prosecute the agent (whatever may be the subjective intent of the investigators or lawyers who initiate an investigation). So long as the government entertains a realistic option of dealing with the agent other than through criminal prosecution, it satisfies the significant purpose test.

The important point is–and here we agree with the government–the Patriot Act amendment, by using the word “significant,” eliminated any justification for the FISA court to balance the relative weight the government places on criminal prosecution as compared to other counterintelligence responses. If the certification of the application’s purpose articulates a broader objective than criminal prosecution–such as stopping an ongoing conspiracy–and includes other potential non-prosecutorial responses, the government meets the statutory test. Of course, if the court concluded that the government’s sole objective was merely to gain evidence of past criminal conduct–even foreign intelligence crimes–to punish the agent rather than halt ongoing espionage or terrorist activity, the application should be denied.

The government claims that even prosecutions of non-foreign intelligence crimes are consistent with a purpose of gaining foreign intelligence information so long as the government’s objective is to stop espionage or terrorism by putting an agent of a foreign power in prison. That interpretation transgresses the original FISA. It will be recalled that Congress intended section 1804(a)(7)(B) to prevent the government from targeting a foreign agent when its “true purpose” was to gain non-foreign intelligence information–such as evidence of ordinary crimes or scandals. See supra at p.14. (If the government inadvertently came upon evidence of ordinary crimes, FISA provided for the transmission of that evidence to the proper authority. 50 U.S.C. § 1801(h)(3).) It can be argued, however, that by providing that an application is to be granted if the government has only a “significant purpose” of gaining foreign intelligence information, the Patriot Act allows the government to have a primary objective of prosecuting an agent for a non-foreign intelligence crime. Yet we think that would be an anomalous reading of the amendment. For we see not the slightest indication that Congress meant to give that power to the Executive Branch. Accordingly, the manifestation of such a purpose, it seems to us, would continue to disqualify an application. That is not to deny that ordinary crimes might be inextricably intertwined with foreign intelligence crimes. For example, if a group of international terrorists were to engage in bank robberies in order to finance the manufacture of a bomb, evidence of the bank robbery should be treated just as evidence of the terrorist act itself. But the FISA process cannot be used as a device to investigate wholly unrelated ordinary crimes.

Hogan ignores three key parts of this passage. First, FISCR’s decision only envisions the use of evidence against the target of the surveillance, not against his interlocutors, to in some way neutralize him. Any US person information collected and retained under 702 is, by definition, not the targeted person (whereas he or she might be in a traditional FISA order). Furthermore, FBI’s queries of information collected under 702 will find and use information that has nothing to do with putting foreign agents in prison — that is, to “investigate wholly unrelated ordinary crimes,” which FISCR prohibited. Finally, by searching data that may be years old for evidence of a crime, FBI is, in effect, “gaining evidence of past criminal conduct” — itself prohibited by FISCR — of someone who isn’t even the target of the surveillance.

Hogan only treats querying for criminal purposes

Having, in my opinion, expanded on what FISCR authorized back in 2002, Hogan then ignores several parts of what FBI querying permits.

Here’s (some of) the language FBI added to its minimization procedures, at the suggestion of PCLOB, to finally, after 8 years, fully disclose what it was doing to the FISC.

It is a routine and encouraged practice for FBI to query databases containing lawfully acquired information, including FISA-acquired information, in furtherance of the FBI’s authorized intelligence and law enforcement activities, such as assessments, investigations and intelligence collection. Section III.D governs the conduct of such queries. Examples of such queries include, but are not limited to, queries reasonably designed to identify foreign intelligence information or evidence of a crime related to an ongoing authorized investigation or reasonably designed queries conducted by FBI personnel in making an initial decision to open an assessment concerning a threat to national security, the prevention or protection against a Federal crime, or the collection of foreign intelligence, as authorized by the Attorney General Guidelines. These examples are illustrative and neither expand nor restrict the scope of the queries authorized in the language above.

This language makes clear FBI may do back door searches for:

  • To identify foreign intelligence information
  • To identify evidence of a crime related to an ongoing investigation
  • To decide whether to open an assessment concerning a threat to national security, the prevention or protection against a Federal crime, or the collection of foreign intelligence
  • Other things, because FBI’s use of such queries “are not limited to” these uses

Given Hogan’s stingy citations from Jeffress’ brief, it’s unclear how much of these things she addressed (or whether she was permitted to introduce knowledge gained from having worked closely with Eric Holder when these back door searches were being formalized).

Read more

Share this entry

FBI’s Back Door Searches: Explicit Permission … and Before That

/1 Comment/in /by

I have written numerous times about the timing of authorization for FBI to do back door searches. There’s a passage of the November 6, 2015 FISC opinion finding those searches to be constitutional that some have taken to clearly date the authority. But I believe the (unredacted sections of the) passage are being misread.

As Judge Thomas Hogan describes, “Queries by FBI personnel of Section 702-acquired data…

Screen Shot 2016-04-20 at 8.53.44 PM

As the unredacted parts of the section make clear, queries for both foreign intelligence information or evidence of a crime “have been explicitly permitted by the FBI Minimization Procedures since 2009.” [my emphasis] The footnote goes onto describe how Minimization Procedures approved by Attorney General Mukasey on October 22, 2008 and submitted on some redacted date were approved by an opinion issued on April 7, 2009.

Already, that’s a curious set of details. If the minimization procedures were approved in October 2008, normally they’d be submitted close to right away, though it’s not clear that that happened. But why bother, given that FISC had just approved FAA certifications on September 4 (this timing resembles what had happened earlier that year, when the government significantly changed the program within days of getting certificates approved)?  In any case, James Clapper’s censors want to hide what those dates were. One likely reason they might have done so would be to hide the dates from defendants, including a few of the ones challenging 702. Another would be to obscure how the approval process went after passage of FISA Amendments Act, specifically given that the FISA Court of Review finalized its Yahoo opinion in August of that year, in which it relied on DOJ’s promise that “there is no database” of incidentally collected US person information.

There Is No Database

But two other things suggest that’s not the end of the story. First, the use of “explicitly” suggests there may have been a period before FISC approved the minimization procedures when such a practice was approved but perhaps not explicitly. Perhaps that simply refers to that lag period, between the time Mukasey approved those minimization procedures and the time FISC approved them.

But then there’s that redacted paragraph (the next footnote, 25, starts after it). Hogan adds something to his discussion beyond his description of the explicit approval of those minimization procedures.

As I have pointed out, Mukasey (writing with then Director of National Intelligence Mike McConnell, who would also have to approve any PRISM minimization procedures) made it clear in response to a Russ Feingold amendment of FISA Amendments Act in February of 2008 that they intended to spy in Americans under PRISM.

So it sure seems likely the Administration at the very least had FBI back door searches planned, if not already in the works, well before FISC approved the minimization procedures in 2009. That’s probably what Hogan explained in that paragraph, but James Clapper apparently believes it would be legally inconvenient to mention that.

Share this entry

Last July, NSA and CIA Decided They Didn’t Have to Follow Minimization Procedures, and Judge Hogan Is Cool with That

/9 Comments/in /by

Yesterday, I Con the Record released three FISA Court opinions from last year. This November 6, 2015 opinion, authorizing last year’s Section 702 certifications, has attracted the most attention, both for its list of violations (including the NSA’s 3rd known instance of illegal surveillance) and for the court’s rejection of amicus Amy Jeffress’ argument that FBI’s back door searches are not constitutional. I’ll return to both issues.

I’m surprised, however, that this passage hasn’t generated more attention.

The NSA and CIA Minimization Procedures included as part of the July 15, 2015 Submission each contain new language stating that “[n]othing in these procedures shall prohibit the retention, processing, or dissemination of information reasonably necessary to comply with specific constitutional, judicial, or legislative mandates.” See NSA Minimization Procedures at 1; CIA Minimization Procedures at 4-5. These provisions were not included in the draft procedures that were submitted to the Court in June 2015, but appear to have been added by the government thereafter. They are not discussed in the July 15, 2015 Memorandum.

So basically, NSA and CIA just slipped in language suggesting that they can blow off minimization procedures mandated by Congress, without prior explanation (which is highly unusual in FISA process). The language reminds me of the language NSA used in Intelligence Oversight Board reports to cover up for Stellar Wind. Or the language John Yoo used in his letter to Colleen Kollar-Kotelly saying that FISC couldn’t bind the President.

Thomas Hogan was, to some degree, suitably shocked by this. After laying out how much detail goes into minimization procedures, he said,

A provision that would allow the NSA and CIA to deviate from any of these restrictions based un unspecified “mandates” could undermine the Court’s ability to find the procedures satisfy the above-described statutory requirement.

Ya think?!?!

Hogan then went on to suggest — based on what evidence, he doesn’t say — that the NSA and CIA will only use this language sparingly because the NCTC, which apparently has similar language in their minimization procedures, claimed they’d only use it sparingly.

It appears, however, that the government does not intend to apply these provisions as broadly as their language would arguably permit. In 2012, the government proposed a similar provision as part of minimization procedures to be applied by NCTC in handling certain unminimized terrorism-related information acquired by FBI pursuant to other provisions of FISA. In requesting approval of a provision that would allow NCTC personnel to deviate from other requirements of its minimization procedures when “reasonably necessary to comply with specific constitutional, judicial, or legislative mandates,” the government asserted that “Executive Branch orders or directives will not trigger this provision, nor will general Congressional directives that are not specific to information NCTC receives pursuant to this motion. [citation removed] The Court approved the NCTC minimization procedures with the understanding that this provision would be applied sparingly.The Court described the provision as permitting NCTC personnel to “retain, process or disseminate information when reasonably necessary to fulfill specific legal requirements” and compared it to a more narrowly-drafted provision of separate procedures that permits CIA to retain or disseminate information that is “required by law to be retained or disseminated.”

This language, which if I’m counting correctly, is now in everyone’s minimization procedures but FBI’s, is alarming enough in the NCTC context, which will only get counterterrorism information and that only via FBI.

But CIA and NSA get raw data. Shit-tons of it. Which makes the scale of such language pretty damned alarming.

Having thus assumed the NCTC example is decent precedent for the NSA and CIA adoption, Hogan then does something else amazing. He relies on “informal communications.”

The Court understands based on informal communications between Court staff and attorneys for the government that NSA and CIA intend to apply the similar provisions at issue here in the same narrow manner. In any case, to avoid a deficiency under the above-described definition of “minimization procedures” the Court must construe the phrase “specific constitutional, judicial, or legislative mandates” to include only those mandates containing language that clearly and specifically requires action in contravention of an otherwise-applicable provision of the requirement of the minimization procedures. Such clear and specific language, for instance, might be found in a court order requiring the government to preserve a particular target’s communications beyond the date when they would otherwise be subject to age-off under the minimization procedures. On the other hand, these provisions should not be interpreted as permitting an otherwise prohibited retention or use of information simply because that retention of use could assist the government in complying with a general statutory requirement, such as those stated at 50 U.S.C. § 1881a(b).

This is batshit insane! The court has for years, fought, often unsuccessfully, to keep NSA within the scope of the law as interpreted in minimization procedures. The government slipped in a provision basically saying, if we decide we don’t have to follow minimization procedures mandated by law, we won’t. And Hogan hasn’t required written explanation for why the agencies need this?!?!?!

Hogan does it again in a footnote suggesting the government “may” use this provision to share data with Congress.

The Court understands that the government may have added these new provisions to clarify that information acquired under Section 702 may be shared with Members of Congress or Congressional committees in connection with Congressional oversight of the program. If so, the Court would urge the government to consider replacing these broadly-worded provisions with language that is narrowly tailored to that purpose.

Hey Judge Hogan? The law requiring you approve these minimization procedures and NSA follow them? That law comes from Congress. If Congress needs NSA to start sharing raw data with it (!!!!), then it can change the law. At the very least, don’t you owe your independent branch of government — and the American people — more certainty than that this may explain this alarming provision?

But no. Hogan required nothing in writing. He did require reporting on how NSA and CIA use it. I’m not sure how that’ll be effective when President Trump decides he can pass an Executive Order requiring NSA to keep all the US person data it collects but not tell FISC about it, because the order they report on this to him is part of the minimization procedures they say they can blow off.

And note this is not one of the two areas that Hogan asked amicus Amy Jeffress to weigh in on. Apparently this is either not a “novel or significant interpretation of the law” requiring amicus review or Hogan didn’t include it because it didn’t get included in the June draft, which is when he decided this should have amicus review.

There’s a lot that’s troubling in this opinion. But the most troubling is that the presiding Judge of the FISC court just rubber-stamped NSA and CIA blowing off entirely the minimization procedures that are the core of the FISC’s leverage over the government.

Share this entry

SS7 and NSA’s Redundant Spying

/9 Comments/in , , /by

SS7 countermeasuresOn Sunday, 60 Minutes brought attention to an issue first exposed by researchers some years back: the ease with which people can use the SS7 system that facilitates global mobile phone interoperability to spy on you.

Sharyn Alfonsi: If you just have somebody’s phone number, what could you do?

Karsten Nohl: Track their whereabouts, know where they go for work, which other people they meet when– You can spy on whom they call and what they say over the phone. And you can read their texts.

60 Minutes was smart in that they got Congressman Ted Lieu to agree to be targeted.

Congressman Lieu didn’t have to do anything to get attacked.

All Karsten Nohl’s team in Berlin needed to get into the congressman’s phone was the number. Remember SS7 –that little-known global phone network we told you about earlier?

Karsten Nohl: I’ve been tracking the congressman.

[snip]Sharyn Alfonsi: Are you able to track his movements even if he moves the location services and turns that off?

Karsten Nohl: Yes. The mobile network independent from the little GPS chip in your phone, knows where you are. So any choices that a congressman could’ve made, choosing a phone, choosing a pin number, installing or not installing certain apps, have no influence over what we are showing because this is targeting the mobile network. That of course, is not controlled by any one customer.

[snip]

Sharyn Alfonsi: What is your reaction to knowing that they were listening to all of your calls?

Rep. Ted Lieu: I have two. First, it’s really creepy. And second, it makes me angry.

Sharyn Alfonsi: Makes you angry, why?

Rep. Ted Lieu: They could hear any call of pretty much anyone who has a smartphone. It could be stock trades you want someone to execute. It could be calls with a bank.

Karsten Nohl’s team automatically logged the number of every phone that called Congressman Lieu — which means there’s a lot more damage that could be done than just intercepting that one phone call.

So now Lieu is furious — and pushing House Oversight Committee to conduct an investigation into SS7’s vulnerabilities.

Of course, it’s probably best to think of SS7’s vulnerabilities not as a “flaw,” as 60 Minutes describes it, but a feature. The countries that collectively aren’t demanding change are also using this vulnerability to spy on their subjects and adversaries.

But the fact that Lieu — who really is one of the smartest Members of Congress on surveillance issues — is only now copping onto the vulnerabilities with SS7 suggests how stunted our debate over dragnet surveillance was and is. For two years, we debated how to shut down the Section 215 dragnet, which collected a set of phone records that was significantly redundant with what we collected “overseas” — though in fact the telecoms’ production of such records was mixed together until 2009, suggesting for years Section 215 probably served primarily as legal cover, not the actual authorization for the collection method used. We had very credulous journalists talking about what a big gap in cell phone records NSA faced, in part because FISC frowned on letting NSA collect location data domestically. Yet all the while (as some smarter commenters here have said), NSA was surely exploiting SS7 to collect all the cell phone records it needed, including the location data. Members of Congress like Lieu — on neither the House Intelligence (which presumably has been briefed) or the House Judiciary Committees — would probably not get briefed on the degree to which our intelligence community thrives on using SS7’s vulnerabilities.

What I find perhaps most interesting about this new flurry of attention on SS7 is that the researchers behind it were hired by some “international telecoms” to find ways to improve security sometime in advance of December 2014 (when they first presented their work). The original CCC presentation on this vulnerability (see after 40:00) included a general discussion of what cell phone providers could do to increase the security of their users (see above). 60 Minutes noted that some US providers were doing more than others.

The NSA presumably could and did use entirely SS7 collection for cell phones — especially US based ones — until such time as domestic providers started making them less accessible (and once they were unaccessible overseas, then subject to legal process, though even some of the countermeasures would still leave a US user exposed to other US providers). That needs to be understood (should have been, before the passage of USA Freedom) to really understand the degree to which Congress has any influence over the NSA.

Share this entry

Apple’s Spiking National Security Requests Could Reflect USA Freedom Compliance

/2 Comments/in /by

A number of outlets are pointing to an alarming spike in Apple’s national security requests, as reflected in its privacy numbers (though I think they are exaggerating the number). Here’s what the numbers look like since it began reporting national security requests. [I’ll put this in a table later, but I’m trying to get this done in the last window I’ll have for a while.]

Orders received, accounts affected

1H 2013: 0-249, 0-249

2H 2013: 0-249, 0-249

1H 2014: 0-249, 0-249

2H 2014: 250-499, 0-249

1H 2015: 750-999, 250-499

2H 2015: 1250-1499, 1000-1249

As you can see, Apple’s numbers were already rising from a baseline of 0-249 for both categories in the second half of 2014 (not incidentally when encryption became default), though really started to grow the first half of last year. Where the request-to-number-of-accounts affected ratio has differed, it shows more requests received than accounts affected, suggesting either that Apple is getting serial requests (first iMessage metadata, then content), or that the authorities are renewing requests — say, after a 90-day 215 order expires (though Apple reiterates in this report that they have never received a bulk order, so they are presumably, but not definitely, not the additional bulk provider that appears to have shown up in the June 29 order last year. The number of requests may have doubled or even nearly tripled in the reporting reflecting the first half of last year, and may have almost doubled again, but it appears that Apple continues to get multiple orders affecting the same account.

In other words, this appears to be a spike in the number of accounts affected, accompanied by a more gradual spike in the orders received, but it follows on what could be a straight doubling of both categories from the prior period.

It appears Apple is reporting under paragraph 3 reporting, described as follows.

(3) A semiannual report that aggregates the number of orders, directives, or national security letters with which the
person was required to comply in the into separate categories of–

(A) the total number of all national security process received, including all national security letters, and orders or directives under this Act, combined, reported in bands of 250 starting with 0-249;
and

(B) the total number of customer selectors targeted under all national security process received, including all national security letters, and orders or directives under this Act, combined, reported in bands of 250 starting with 0-249.

[snip]

(2) A report described in paragraph (3) of subsection (a) shall include only information relating to the previous 180 days.

That should work out to the same reporting method they were using, provided there was no 2-year delay in reporting of a new kind of production, which doesn’t appear to have happened.

One possible explanation of what’s partly behind the increase is that the more recent number reflects USA Freedom Act collection. USAF became law on June 2, with the new 2-hop production going into effect on November 29. Marco Rubio made it clear last year that USAF extended the 2-hop collection to “a large number of companies.” The Intelligence Authorization made it clear a fair number of companies would be covered by it as well. In its discussion of what kind of responses it gave to San Bernardino requests Apple said they got legal process.

Especially given that Apple is a “phone company,” it seems highly likely the government included iMessage data in its roll out of the expanded program (which, multiple witnesses have made clear, was functioning properly in time for the December 2 San Bernardino attack). So it’s quite possible what look to be 500 first-time requests are USAF’s new reporting, though that would seem to be a very high number of requests for the first month of the program.

Probably, the bulk of the increase is from something else, perhaps PRISM production, because iMessage is an increasing part of online communication. Apple’s numbers are still far below Google’s (though Yahoo’s had a big drop off in this reporting period). But it would make sense as more people use iMessage, it will increase Apple’s PRISM requests.

Update: This post has been updated to better reflect my understanding of how this reporting and the new production work.

Share this entry

The Obama Administration Almost Doubled Down on Yoo’s Illegality

/4 Comments/in , /by

Over at JustSecurity the other day, ACLU’s Patrick Toomey argued that the Administration’s current interpretation of FISA — especially its embrace of upstream surveillance — means the Obama Administration has gone beyond John Yoo’s thinking on surveillance as exhibited in his May 17, 2002 letter to FISC judge Colleen Kollar-Kotelly.

Perhaps most remarkably, however, the Obama Justice Department has pressed legal theories even more expansive and extreme than Yoo himself was willing to embrace. Yoo rounded out his Stellar Wind memo with an effort to reassure Judge Kollar-Kotelly that the government’s legal interpretation had limits, saying: “Just to be clear in conclusion. We are not claiming that the government has an unrestricted right to examine the contents of all international letters and other forms of communication.” But that is essentially the power the NSA claims today when it conducts Upstream surveillance of Americans’ Internet communications. The NSA has installed surveillance equipment at numerous chokepoints on the Internet backbone, and it is using that equipment to search the contents of communications entering or leaving the country in bulk. As the ACLU recently explained in Wikimedia v. NSA, this surveillance is the digital analogue of having a government agent open every letter that comes through a mail processing center to read its contents before determining which letters to keep. In other words, today the Obama administration is defending surveillance that was a bridge too far for even John Yoo.

I’m not sure I’m convinced. After all, the Administration claims it is not examining the contents of all international letters, but rather only looking at those where selected identifiers show up in data packets. Yeah, I know it’s a bullshit argument, but they pretend that’s not searching the contents, really. Moreover we have substantial reason to believe they were doing (some) of this anyway.

But there is a curious relationship between a claim Yoo made in his letter and the Obama Administration’s views on FISA.

In the letter, Yoo writes,

FISA purports to be the exclusive means for conducting electronic surveillance for foreign intelligence, … FISA establishes criminal and civil sanctions for anyone who engages in electronic surveillance, under color of law, except as authorized by statute, warrant, or court order. 50 U.S.C. § 1809-10. It might be thought, therefore, that a warrantless surveillance program, even if undertaken to protect the national security, would violate FISA’s criminal and civil liability provisions.

Such a reading of FISA would be an unconstitutional infringement on the President’s Article II authorities. FISA can regulate foreign intelligence surveillance only to the extent permitted by the Constitution’s enumeration of congressional authority and the separation of powers.

[snip]

[A]s we explained to Congress during the passage of the Patriot Act, the ultimate test of whether the government may engage in foreign surveillance is whether the government’s conduct is consistent with the Fourth Amendment, not whether it meets FISA.

This is especially the case where, as here, the executive branch possess [sic] the inherent constitutional power to conduct warrantless searches for national security purposes.

Effectively, Yoo is saying that even if they blow off FISA, they will be immune from the penalties under 50 USC §1809-10 so long as what they were doing fulfilled the Fourth Amendment, including an expansive reading of special needs that Yoo lays out in his memo. (Note, this was explained in the DOJ Stellar Wind IG Report — starting at PDF 47 — but this letter makes it more clear.)

As a reminder, on two occasions, John Bates disagreed with that interpretation, first in 2010 when he ruled NSA couldn’t continue to access the five years of data it overcollected under the PRTT Internet dragnet, and then again in 2011 when he said the government couldn’t disseminate the illegally collected upstream data (and Vaughn Walker disagreed in a series of rulings in the Al Haramain case in 2010, though the 9th Circuit partially overturned that in 2012). We know, thanks to Snowden, that the government considered appealing the order. And in his summary of the resolution of this issue, Bates made it clear that the government’s first response was to say that limits on illegally collected data don’t apply.

However, issues remained with respect to the past upstream collection residing in NSA’s databases. Because NSA’s upstream collection almost certainly included at least some acquisitions constituting “electronic surveillance” within the meaning of 50 U.S.C. § 1801 (f), any overcollection resulting from the government’s misrepresentation of the scope of that collection implicates 50 U.S.C. § 1809(a)(2). Section 1809(a)(2) makes it a crime to “disclose[] or use[] information obtained under color of law by electronic surveillance, knowing or having reason to know that the information was obtained through electronic surveillance not authorized” by statute. The Court therefore directed the government to make a written submission addressing the applicability of Section 1809(a), which the government did on November 22, 2011. See [redacted — probably a reference to Bates’ July 2010 opinion], Oct. 13, 2011 Briefing Order, and Government’s Response to the Court’s Briefing Order of Oct. 13, 2011 (arguing that Section 1809(a)(2) does not apply).

Ultimately, though, the government not only (said it) destroyed the illegal upstream data, but claims to have destroyed all its PRTT data in a big rush (so big a rush it didn’t have time to let NSA’s IG certify the intake collection of data).

And it replaced that PRTT program by searching data under SPCMA it claimed to have collected legally … somewhere.

I don’t pretend to understand precisely went on in those few weeks in 2011, though it’s clear that Obama’s Administration at least considered standing by the spirit of Yoo’s claim, even though the opinion itself had been withdrawn.

But I do know that at least through 2009, the government treated all its PRTT and Section 215 data as EO 12333 data, and in fact the providers appear not to have distinguished it either (more on this in upcoming days, hopefully). That is, it was collecting data with FISC sanction that it treated as data it collected outside of FISC sanction (that is, under EO 12333), and it was ignoring the rules FISC imposed.

Which leads me to wonder whether the government still doesn’t believe it remains immune from penalties laid out in FISA.

Share this entry

John Yoo’s Two Justifications for Stellar Wind

/7 Comments/in , /by

Because I’m a hopeless geek, I want to compare the what we can discern of the November 2, 2001 memo John Yoo wrote to authorized Stellar Wind with the letter he showed FISA Presiding Judge Colleen Kollar-Kotelly on May 17, 2002. The former is almost entirely redacted. But as I’ll show, the two appear to be substantially the same except for small variations within paragraphs (which possibly may reflect no more than citations). The biggest difference is that Yoo’s memo appears to have two pages of content not present in the letter to Kollar-Kotelly.

What follows is a comparison of every unredacted passage in the Yoo memo, every one of which appear in exactly the same form in the letter he wrote to Kollar-Kotelly.

The first unredacted line in Yoo’s memo — distinguishing between “electronic surveillance” covered by FISA and “warrantless searches” the President can authorize — appears in this paragraph in the letter.

FISA Safe Harbor

The line appears on page 7 of Yoo’s memo, but page 5 of his letter (which also includes some foofy introductory language for Kollar-Kotelly). That says there’s already 2 pages of information in Yoo’s memo that doesn’t appear in the letter. Yoo’s description of the surveillance program in the letter to Kollar-Kotelly is actually fairly short (and written entirely in the conditional voice), so there may be more of that in the actual memo. Also, anything that didn’t involve electronic surveillance — such as the collection of financial data — would not necessarily be relevant to FISC. But as I argue below, it’s also possible Yoo made claims about executive power in those two paragraphs that he rewrote as a two-page addition to for Kollar-Kotelly’s benefit.

The next unredacted passage in the memo consists of the first sentences of these two paragraphs.

Screen Shot 2016-04-05 at 5.34.32 PM

They appear on page 9 of Yoo’s memo and page 7 of the letter, and it appears that the space in between the two is consistent — suggesting that the interim content remains the same.

The next unredacted passage appears on page 12 of Yoo’s memo, page 10 of the letter.

FISA Restrict

While the general pagination still seems to be roughly tracking (again, suggesting the interim content is at least similar), the spacing of this paragraph is clearly different (note how the sentence begins in a different place in the column), suggesting Yoo may have made an even stronger defense of inherent authority in his memo, or perhaps that OLC has precedents for such a claim that Yoo thought inappropriate to share with the FISC. It’s possible this and later paragraph spacing differences arise from classification marks at the beginning of each paragraph, except the passages from the beginning of paragraphs seem to match up more closely than those from the middle of them.

Screen Shot 2016-04-05 at 7.30.51 PM

The next unredacted passage, on page 17 of Yoo’s memo and 15 of the letter, extend the claim that Congress can’t limit the President’s use of pen registers used to defend the nation. That’s followed closely by Yoo’s shift to arguing that intelligence gathering “in direct support” of military operations does not trigger the Fourth Amendment.

Intel Military Ops

Read more

Share this entry

DOJ Claims the Cybersecurity Related OLC Memo Is Also A Stellar Wind Memo

/1 Comment/in , , /by

I’ve written a bunch of times about an OLC memo Ron Wyden keeps pointing to, suggesting it should be declassified so we all can know what outrageous claims DOJ made about common commercial service agreements. Here’s my most complete summary from Caroline Krass’ confirmation process:

Ron Wyden raised a problematic OLC opinion he has mentioned in unclassified settings at least twice in the last year (he also wrote a letter to Eric Holder about it in summer 2012): once in a letter to John Brennan, where he described it as “an opinion that interprets common commercial service agreements [that] has direct relevance to ongoing congressional debates regarding cybersecurity legislation.” And then again in Questions for the Record in September.

Having been ignored by Eric Holder for at least a year and a half (probably closer to 3 years) on this front and apparently concerned about the memo as we continue to discuss legislation that pertains to cybersecurity, he used Krass’ confirmation hearing to get more details on why DOJ won’t withdraw the memo and what it would take to be withdrawn.

Wyden: The other matter I want to ask you about dealt with this matter of the OLC opinion, and we talked about this in the office as well. This is a particularly opinion in the Office of Legal Counsel I’ve been concerned about — I think the reasoning is inconsistent with the public’s understanding of the law and as I indicated I believe it needs to be withdrawn. As we talked about, you were familiar with it. And my first question — as I indicated I would ask — as a senior government attorney, would you rely on the legal reasoning contained in this opinion?

Krass: Senator, at your request I did review that opinion from 2003, and based on the age of the opinion and the fact that it addressed at the time what it described as an issue of first impression, as well as the evolving technology that that opinion was discussing, as well as the evolution of case law, I would not rely on that opinion if I were–

Wyden: I appreciate that, and again your candor is helpful, because we talked about this. So that’s encouraging. But I want to make sure nobody else ever relies on that particular opinion and I’m concerned that a different attorney could take a different view and argue that the opinion is still legally valid because it’s not been withdrawn. Now, we have tried to get Attorney General Holder to withdraw it, and I’m trying to figure out — he has not answered our letters — who at the Justice Department has the authority to withdraw the opinion. Do you currently have the authority to withdraw the opinion?

Krass: No I do not currently have that authority.

Wyden: Okay. Who does, at the Justice Department?

Krass: Well, for an OLC opinion to be withdrawn, on OLC’s own initiative or on the initiative of the Attorney General would be extremely unusual. That happens only in extraordinary circumstances. Normally what happens is if there is an opinion which has been given to a particular agency for example, if that agency would like OLC to reconsider the opinion or if another component of the executive branch who has been affected by the advice would like OLC to reconsider the opinion they will  come to OLC and say, look, this is why we think you were wrong and why we believe the opinion should be corrected. And they will be doing that when they have a practical need for the opinion because of particular operational activities that they would like to conduct. I have been thinking about your question because I understand your serious concerns about this opinion, and one approach that seems possible to me is that you could ask for an assurance from the relevant elements of the Intelligence Community that they would not rely on the opinion. I can give you my assurance that if I were confirmed I would not rely on the opinion at the CIA.

Wyden: I appreciate that and you were very straightforward in saying that. What concerns me is unless the opinion is withdrawn, at some point somebody else might be tempted to reach the opposite conclusion. So, again, I appreciate the way you’ve handled a sensitive matter and I’m going to continue to prosecute the case for getting this opinion withdrawn.

The big piece of news here — from Krass, not Wyden — is that the opinion dates to 2003, which dates it to the transition period bridging Jay Bybee/John Yoo and Jack Goldsmith’s tenure at OLC, and also the period when the Bush Administration was running its illegal wiretap program under a series of dodgy OLC opinions. She also notes that it was a memo on first impression — something there was purportedly no law or prior opinion on — on new technology.

Back in November, ACLU sued to get that memo. The government recently moved for summary judgment based on the claim that a judge in DC rejected another ACLU effort to FOIA the document, which is a referral to ACLU’s 2006 FOIA lawsuit for documents underlying what was then called the “Terrorist Surveillance Program” and which we now know as Stellar Wind. Here’s the key passage of that argument.

The judgment in EPIC precludes the ACLU’s claim here. First, EPIC was an adjudication on the merits that involved the district court’s reviewing in camera the same document that is at issue in this litigation, and granting summary judgment to the government after finding that the government had properly asserted Exemptions One, Three, and Five – the same exemptions asserted here – to withhold the document. See Colborn Decl. ¶ 13; EPIC, 2014 WL 1279280, at *1. Second, the ACLU was a plaintiff in EPIC. Id. Finally, the claims asserted in this action were, or could have been, asserted in EPIC. The FOIA claim at issue in EPIC arose from a series of requests that effectively sought all OLC memoranda concerning surveillance by Executive Branch agencies directed at communications to or from U.S. citizens.2at See id.  Even if the ACLU did not know that this specific memorandum was included among the documents reviewed in camera by the EPIC court, the ACLU had a full and fair opportunity to make any and all arguments in seeking disclosure of that document. Indeed, in EPIC, the government’s assertion of exemptions received the highest level of scrutiny available to a plaintiff in FOIA litigation—the district court issued its decision after reviewing the document in camera and determining that the government’s assertions of Exemptions One, Three, and Five were proper. Colborn Decl. ¶ 13. The ACLU’s claim in this lawsuit is therefore barred by claim preclusion.

2 One of the FOIA requests at issue in EPIC sought “[a]ll memoranda, legal opinions, directives or instructions from [DOJ departments] issued between September 11, 2001, and December 21, 2005, regarding the government’s legal authority for surveillance activity, wiretapping, eavesdropping, and other signals intelligence operations directed communications to or from U.S. citizens.” Elec. Privacy Information Ctr. v. Dep’t of Justice, 511 F. Supp. 2d 56, 63 (D.D.C. 2007).

Wyden just sent a letter to Loretta Lynch disputing some claim made in DOJ’s memorandum of law.

I encourage you to direct DOJ officials to comply with the pending FOIA request.

Additionally, I am greatly concerned that the DOJ’s March 7, 2016 memorandum of law contains a key assertion which is inaccurate. This assertion appears to be central to the DOJ’s legal arguments, and I would urge you to take action to ensure that this error is corrected.

I am enclosing a classified attachment which discusses this inaccurate assertion in more detail.

Here are some thoughts about what the key inaccurate assertion might be:

ACLU never had a chance to argue for this document as a cybersecurity document

Even the section I’ve included here pulls a bit of a fast one. It points to EPIC’s FOIA request (these requests got consolidated), which asked for OLC memos in generalized fashion, as proof that the plaintiffs in the earlier suit had had a chance to argue for this document.

But ACLU did not. They asked for “legal reviews of [TSP] and its legal rationale.” In other words, back in 2006 and back in 2014, ACLU was focused on Stellar Wind, not on cybersecurity spying (which Wyden has strongly suggested this memo implicates). So they should be able to make a bid for this OLC memo as something affecting domestic spying for a cybersecurity purpose.

DOJ claimed only Wyden had commented publicly about the document, not Caroline Krass

DOJ makes a preemptive effort to discount the possibility that Ron Wyden’s repeated efforts to draw attention to this document might constitute new facts for the ACLU to point to to claim they should get the document.

Nor is there any evidence the memorandum has been expressly adopted as agency policy or publicly disclosed. Colborn Decl. ¶¶ 23-24. Although the ACLU’s complaint points to statements about the document by Senator Wyden, he is not an Executive Branch official, and his statements cannot effect any adoption or waiver

[snip]

The ACLU may argue that statements made by Senator Ron Wyden regarding the document, including in letters to the Attorney General, constitute new facts or changed circumstances. See Compl. ¶ 2 (“In letters sent to then–Attorney General Eric Holder, Senator Wyden suggested that the executive branch has relied on the Opinion in the past and cautioned that the OLC’s secret interpretation could be relied on in the future as a basis for policy.”). But such statements do not constitute new facts or changed circumstances material to the ACLU’s FOIA claim because they do not evince any change of the Executive Branch’s position vis-à-vis the document or otherwise affect its status under FOIA. See Drake, 291 F.3d at 66; Am. Civil Liberties Union, 321 F. Supp. 2d at 34. As the Senator is not an Executive Branch official, his statements about the document do not reflect the policy or position of any Executive Branch agency. See Brennan Center v. DOJ, 697 F.3d 184, 195, 206 (2d Cir. 2012); Nat’l Council of La Raza v. DOJ, 411 F.3d 350, 356-59 (2d Cir. 2005); infra at 11-12. Senator Wyden’s statements are simply not relevant to whether the document has been properly withheld under Exemptions One, Three, and Five, and do not undermine the applicability of any of those exemptions. Additionally, the Senator has made similar statements regarding the document at issue in letters sent during at least the last four years. Compl. ¶ 2. Thus, the Senator’s statements regarding the document are not new facts since they were available to Plaintiffs well before the district court ruled in EPIC.

That’s all well and good. But the entire discussion ignores that then Acting OLC head and current CIA General Counsel Caroline Krass commented more extensively on the memo than anyone ever has on December 17, 2013 (see my transcript above). This is a still-active memo, but the then acting OLC head said this about the memo in particular.

I have been thinking about your question because I understand your serious concerns about this opinion, and one approach that seems possible to me is that you could ask for an assurance from the relevant elements of the Intelligence Community that they would not rely on the opinion. I can give you my assurance that if I were confirmed I would not rely on the opinion at the CIA.

That seems to be new information from the Executive branch (albeit before the March 31, 2014, final judgment in that other suit).

I’d say this detail is the most likely possibility for DOJ’s inaccuracy, except that Krass’ comments are in the public domain, and have been been written about by other outlets. It wouldn’t seem that Wyden would need to identify this detail in secret.

(I think it’s possible some of the newly declassified language in Stellar Wind materials may be relevant to, but I will have to return to that.)

The document may be a different document

DOJ’s memo and the Paul Colborn declaration describe this as a March 30, 2003 memo written by John Yoo.

The withheld document is a 19-page OLC legal advice memorandum to the General Counsel of an executive branch agency, drafted at the request of the General Counsel, dated March 30, 2003 and signed by OLC Deputy Assistant Attorney General John Yoo. The memorandum was written in response to confidential communications from an executive branch client soliciting legal advice from OLC attorneys. As with all such OLC legal advice memoranda, the document contains confidential client communications made for the purpose of seeking legal advice and predecisional legal advice from OLC attorneys transmitted to an executive branch client as part of government deliberative processes. In light of the fact that the document’s general subject matter is publicly known, the identity of the recipient agency is itself confidential client information protected by the attorney-client privilege.

But their claim that ACLU has already been denied this document under FOIA is based on the claim that this document is the same document as one identified in a Steven Bradbury declaration submitted in the Stellar Wind suit. Here’s how he described the document.

DAG 42 is a 19-page memorandum, dated May 30, 2003, from a Deputy Assistant Attorney General in OLC to the General Counsel of another Executive Branch agency. This document is withheld under FOIA Exemptions One, Three, and Five.

This may be an error (if so, Bradbury is probably correct, as March 30, 2003 was a Sunday), but a document dated March 30, 2003 cannot be the same document as one dated May 30, 2003. If it’s not a simple error in dates, it may suggest that the document the DC court reviewed was a later revision, perhaps one making less outrageous claims. Moreover, as I’ll show in my post on newly learned Stellar Wind information, the change in date (as well as the confirmation that Yoo wrote the memo) make the circumstances surrounding this memo far more interesting.

Update: In Ron Wyden’s amicus in this case, he made it clear the correct date is May 30, 2003.

The document may not have been properly classified

As noted, this is a March 2003 OLC memo written by John Yoo. That’s important not just because Yoo was freelancing on certain memos at the time. But more importantly, because a memo he completed just 16 days earlier violated all guidelines on classification. Here’s what former ISOO head Bill Leonard had to say about John Yoo’s March 14, 2003 torture memo.

The March 14, 2003, memorandum on interrogation of enemy combatants was written by DoJ’s Office of Legal Counsel (OLC) to the General Counsel of the DoD. By virtue of the memorandum’s classification markings, the American people were initially denied access to it. Only after the document was declassified were my fellow citizens and I able to review it for the first time. Upon doing so, I was profoundly disappointed because this memorandum represents one of the worst abuses of the classification process that I had seen during my career, including the past five years when I had the authority to access more classified information than almost any other person in the Executive branch. The memorandum is purely a legal analysis – it is not operational in nature. Its author was quoted as describing it as “near boilerplate.”! To learn that such a document was classified had the same effect on me as waking up one morning and learning that after all these years, there is a “secret” Article to the Constitution that the American people do not even know about.

[snip]

In this instance, the OLC memo did not contain the identity of the official who designated this information as classified in the first instance, even though this is a fundamental requirement of the President’s classification system. In addition, the memo contained neither declassification instructions nor a concise reason for classification, likewise basic requirements. Equally disturbing, the official who designated this memo as classified did not fulfill the clear requirement to indicate which portions are classified and which portions are unclassified, leading the reader to question whether this official truly believes a discussion of patently unclassified issues such as the President’s Commander-in-Chief authorities or a discussion of the applicability to enemy combatants of the Fifth or Eighth Amendment would cause identifiable harm to our national security. Furthermore, it is exceedingly irregular that this memorandum was declassified by DoD even though it was written, and presumably classified, by DoJ.

Given that Yoo broke all the rules of classification on March 14, it seems appropriate to question whether he broke all rules of classification on March 30, 16 days later, especially given some squirrelly language in the current declarations about the memo.

Here’s what Colborn has to say about the classification of this memo (which I find to be curious language), after having made a far more extensive withholding argument on a deliberative process basis.

OLC does not have original classification authority, but when it receives or makes use of classified information provided to it by its clients, OLC is required to mark and treat that information as derivatively classified to the same extent as its clients have identified such information as classified. Accordingly, all classified information in OLC’s possession or incorporated into its products has been classified by another agency or component with original classifying authority.

The document at issue in this case is marked as classified because it contains information OLC received from another agency that was marked as classified. OLC has also been informed by the relevant agency that information contained in the document is protected from disclosure under FOIA by statute.

As far as the memo of law, it relegates the discussion of the classified nature of this memo to a classified declaration by someone whose identity remains secret.

As explained in the classified declaration submitted for the Court’s ex parte, in camera review,1 this information is also classified and protected from disclosure by statute.

Remember, this memo is about some secret interpretation of common commercial service agreements.  Wyden believes it should be “declassified and released to the public, so that anyone who is a party to one of these agreements can consider whether their agreement should be revised or modified.”

If this is something that affects average citizens relationships with service providers, it seems remarkable that it can, at the same time, be that secret (and remain in force). While Wyden certainly seems to treat the memo as classified, I’d really love to see whether it was, indeed, properly classified, or whether Yoo was just making stuff up again during a period when he is known to have secretly made stuff up.

In any case, given DOJ’s continued efforts to either withdraw or disclose this memo, I’d safe it’s safe to assume they’re still using it.

Share this entry

On the Coming Showdown over Promiscuous Sharing of EO 12333 Data

/2 Comments/in , /by

A number of outlets are reporting that Ted Lieu and Blake Farenthold have written a letter to NSA Director Mike Rogers urging him not to implement the new data sharing effort reported by Charlie Savage back in February. While I’m happy they wrote the letter, they use a dubious strategy in it: they suggest their authority to intervene comes from Congress having “granted” NSA authority to conduct warrantless collection of data.

Congress granted the NSA extraordinary authority to conduct warrantless collection of communications and other data.2

2 See Foreign Intelligence Surveillance Act and the Patriot Act.

As an initial matter, they’ve sent this letter to a guy who’s not in the chain of approval for the change. Defense Secretary Ash Carter and Attorney General Loretta Lynch will have to sign off on the procedures developed by Director of National Intelligence James Clapper; they might consult with Rogers (if he isn’t the one driving the change), but he’s out of the loop in terms of implementing the decision.

Furthermore, the Congressionally granted authority to conduct warrantless surveillance under FISA has nothing to do with the authority under which NSA collects this data, EO 12333. In his story, Savage makes clear that the change relies on the [what he called “little-noticed,” which is how he often describes stuff reported here years earlier] changes Bush implemented in the wake of passage of FISA Amendments Act. As I noted in 2014,

Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.

The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,

In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.

In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.

Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.

In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.

What Bush did just as he finished moving most of Stellar Wind over to FISA authorities, was to make it permissible to share EO 12333 data with other intelligence agencies under the same kind of DNI/AG/DOD approval process already in place for surveillance. They’ve already been using this change (though as I note, in some ways the new version of EO 12333 made FAA sharing even more permissive than EO 12333 sharing). And Savage’s article describes that they’ve intended to roll out this further expansion since Obama’s first term.

Obama administration has been quietly developing a framework for how to carry it out since taking office in 2009.

[snip]

Intelligence officials began working in 2009 on how the technical system and rules would work, Mr. Litt said, eventually consulting the Defense and Justice Departments. This month, the administration briefed the Privacy and Civil Liberties Oversight Board, an independent five-member watchdog panel, seeking input. Before they go into effect, they must be approved by James R. Clapper, the intelligence director; Loretta E. Lynch, the attorney general; and Ashton B. Carter, the defense secretary.

“We would like it to be completed sooner rather than later,” Mr. Litt said. “Our expectation is months rather than weeks or years.”

All of which is to say that if Lieu and Farenthold want to stop this, they’re going to have to buckle down and prepare for a fight over separation of powers, because Congress has had limited success (the most notable successes being imposition of FAA 703-705 and Section 309 of last year’s intelligence authorization) in imposing limits on EO 12333 collection. Indeed, Section 309 is the weak protection Dianne Feinstein and Mark Udall were able to get for activities they thought should be covered under FAA.

Two more points. First, I suspect such expanded sharing is already going on between NSA and DEA. I’ve heard RUMINT that DEA has actually been getting far more data since shutting down their own dragnets in 2013. The sharing of “international” narcotics trade data has been baked into EO 12333 from the very start. So it would be unsurprising to have DEA replicate its dragnet using SPCMA. There’s no sign, yet, that DEA has been included under FAA certifications (and there’s not, as far as we know, an FAA narcotics certificate). But EO 12333 sharing with DEA would be easier to implement on the sly than FAA sharing. And once you’ve shared with DEA, you might as well share with everyone else.

Finally, this imminent change is why I was so insistent that SPCMA should have been in the Brennan Center’s report on privacy implications of EO 12333 collection. What the government was doing, explicitly, in 2007 when they rolled that out was making the US person participants in internationally collected data visible. We’ve seen inklings of how NSA coaches analysts to target foreigners to get at that US person content. The implications of basing targeting off of SPCMA enabled analysis under PRISM (which we know they do because DOJ turned over the SPCMA document, but not the backup, to FISC during the Yahoo challenge), currently, are that US person data can get selected because US persons are involved and then handed over to FBI with no limits on its access. Doing so under EO 12333 will only expand the amount of data available — and because of the structure of the Internet, a great deal of it is available.

Probably, the best way to combat this change is to vastly expand the language of FAA 703-705 to over US person data collected incidentally overseas during next year’s FAA reauthorization. But it will take language like that, because simply pointing to FISA will not change the Executive’s ability to change EO 12333 — even secretly! — at will.

Share this entry