Section 702 Used for Cybersecurity: You Read It Here First

/3 Comments/in /by

I have been reporting for years that the government uses Section 702 for cybersecurity purposes, including its upstream application.

ProPublica and NYT have now confirmed and finally liberated related Snowden documents on the practice. They show that DOJ tried to formalize the process in 2012 (though I have reasons to doubt that the NSA documents released tell all of the story, as I hope to show in upcoming posts).

Without public notice or debate, the Obama administration has expanded the National Security Agency’s warrantless surveillance of Americans’ international Internet traffic to search for evidence of malicious computer hacking, according to classified NSA documents.

In mid-2012, Justice Department lawyers wrote two secret memos permitting the spy agency to begin hunting on Internet cables, without a warrant and on American soil, for data linked to computer intrusions originating abroad — including traffic that flows to suspicious Internet addresses or contains malware, the documents show.

The Justice Department allowed the agency to monitor only addresses and “cybersignatures” — patterns associated with computer intrusions — that it could tie to foreign governments. But the documents also note that the NSA sought to target hackers even when it could not establish any links to foreign powers.

The disclosures, based on documents provided by Edward J. Snowden, the former NSA contractor, and shared with the New York Times and ProPublica, come at a time of unprecedented cyberattacks on American financial institutions, businesses and government agencies, but also of greater scrutiny of secret legal justifications for broader government surveillance.

Jonathan Mayer, whom ProPublica and NYT cite in the article, has his own worthwhile take on what the documents say.

Stay tuned!

Share this entry

On Carrots, Sticks, and Rand Paul

/8 Comments/in /by

Now that USA F-ReDux has become USA FreeDone, I wanted to look at Steve Vladeck’s two bizarre posts attacking Rand Paul’s opposition to USA F-ReDux as a way of doing a post-mortem on the process.

I say bizarre because Vladeck complains that Paul “seize[d] the national spotlight in order to focus everyone’s attention on a hyper-specific question” — that of the Section 215 dragnet — when Vladeck has, at this late date, joined those of us who have long been pushing a focus on broader issues, specifically EO 12333 and Section 702. To support his claim that Paul is singularly focused on Section 215, Vladeck links to a second-hand report of a sentence in Paul’s campaign announcement, rather than to the announcement itself which (while more muddled than in other statements where Paul has named EO 12333 directly) invokes surveillance authorized by Executive Order, not the PATRIOT Act.

The president created this vast dragnet by executive order. And as president on day one, I will immediately end this unconstitutional surveillance.

Contrary to Vladeck’s miscitation, in this and other comments, Paul seized the national spotlight, in significant part, to talk about the broader issues, specifically EO 12333 and Section 702, that those pushing USA F-ReDux had set aside for future fights. Indeed, big parts of Paul’s filibuster speech — including his 10 and Ron Wyden’s 2 references to EO 12333 and his 18 and Wyden’s 3 references to 702 — sounds a lot like Vladeck’s series of posts worrying that this will be the only shot at reform and therefore regretting that we didn’t talk about the bigger issues as part of it.

Another deficiency of the USA FREEDOM Act is that it does not address bulk collection under Executive Order 12333. The bill also fails to address bulk collection under section 702 of the FISA Amendments Act.

One could say: What are you complaining about? You are getting some improvement. You still have problems, but you are getting some improvement.

I guess my point is that we are having this debate, and we don’t have it very often. We are having the debate every 3 years, and some people have tried to make this permanent, where we would never have any debate. Even though we are only having it every3 years, it is still uncertain whether I will be granted any amendments to this bill.

So, yes, I would like to address everything while we can. I think we ought to address section 702. I think we ought to–for goodness’ sake, why won’t we have some hearings on Executive Order 12333? I think they may be having them in secret, but I go back to what Senator Wyden said earlier. I think the principles of the law could be discussed in public. We don’t have to reveal how we do stuff. Do we think anybody in the world thinks we are not looking at their stuff? Why don’t we
explore the legality and the law of how we are doing it as opposed to leaving it unsaid and unknown in secret?

In other words, unlike the drone filibuster Vladeck points to as proof of “libertarian hijacking” — where Paul definitely defined his terms narrowly (but in a later iteration did succeed in getting more response from Jim Comey than Ron Wyden making demands) — Paul was arguing for precisely what Vladeck said we should be arguing about. He just has cooties, I guess is the substance of Vladeck’s argument, so Vladeck doesn’t want him as an ally.

Equally bizarre is Vladeck’s claim that, “it was the very same Senator Paul who all-but-singlehandedly torpedoed the Leahy bill back in November, helping to force the entirely unnecessary political and legal brinkmanship of the past week.” That’s bizarre because, as a matter of fact, Paul did not “singlehandedly” torpedo the bill; Bill Nelson played an equal role (and that’s even assuming the bill had enough votes to pass, which given that I know of 1 pro-cloture vote who was a no vote on passage and a significant number who weren’t committed to vote for it without improving amendment, was never a foregone conclusion). It’s easy to blame Paul because it absolves whoever it was that whipped a bill but didn’t even count all the Democratic votes on it, but Paul was in no way singlehandedly responsible.

But the view all the more bizarre, coming from Vladeck, because if Paul singlehandedly torpedoed the bill (he didn’t) he also singlehandedly made the 2nd Circuit ruling for ACLU possible (he didn’t, but that is Vladeck’s logic). And unlike most USA F-ReDux champions, Vladeck has been very attentive– if, at times, arguably mistaken in his understanding of it — to the interaction of USA F-ReDux legislation and the courts. While USA F-ReDux is — important additional Congressional reporting requirements on PRTT and bulky 215 collection notwithstanding — definitely a worse bill than its predecessor, that’s not the measure. So long as the 2nd Circuit decision ruling against “relevant to” and finding a Fourth Amendment interest at the moment of collection rather than review stands (the government still has a few weeks to challenge it), the measure is USA F-ReDux plusthe 2nd Circuit decision as compared to USAF without the additional leverage of an appellate court ruling. There are very important things the 2nd Circuit decision may add to USA F-ReDux. Every commenter is entitled to weigh that measure themselves, but if you’re going to hold Paul responsible for torpedoing the legislation last fall you also have to credit him with buying time so the 2nd Circuit could weigh in.

Which brings me to leverage.

I was not a fan of any version of USAF because all left every key provision save the CDR function (and even some of that was left dangerously open to interpretation until HJC wrote its final bill report) subject to the whim of the Executive and/or the FISC, and the bill itself jettisoned necessary leverage over the Executive (Vladeck has written about the gutting of the FISC advocate, and a parallel gutting has happened on transparency provisions from the start). That is, rather than exercise some kind of authority over the Executive, Congress basically wrote down what the Executive wanted and passed it in a way that the Executive still had a lot of leeway to decide what it wanted to do.

I get why that happened and I don’t mean to diminish the work of those who pushed for more: the votes and leadership buy-in simply isn’t there yet to actually start limiting what Article II will do in secret.

But that means none of the other things Vladeck wants will be possible until we get more leverage. And while the outcome of the bill may be the same and/or worse, what is different about the passage of USA F-ReDux is that leadership in both house of Congress barely kept it together.

And Rand Paul, whether he has cooties or not, was key to that process.

That’s true, in large part, because Mitch McConnell was aiming to set up an urgent crisis as a way to scare people into making the bill worse. He succeeded in doing so by delaying consideration of the bill until the last minute, but when Paul — and Ron Wyden and Martin Heinrich — prevented him from getting a short-term extension to do so without lapsing the dragnet, that changed the calculus of the crisis. It meant those who had bought into the idea you need a dragnet to keep the country safe could be pressured to vote against McConnell’s efforts to weaken USA F-ReDux. (Note, there are some who have claimed that Paul objected to immediately considering USA F-ReDux Sunday night, giving McConnell his opportunity to amend the bill, but the congressional record doesn’t support that; McConnell didn’t call for immediate consideration of the bill itself until he had already filled the tree with amendments.)

And while I don’t want to minimize the utterly crucial efforts of Mike Lee to actually whip the vote, that effort was made easier by the very real threat that if the bill had to go back to the House it would die, resulting in a more permanent lapse to Section 215 and the other expired authorities. Leahy and others used that threat repeatedly, in fact, to argue that surveillance hawks needed to support an amended bill. And the threat was heightened because John Boehner had real worries that if he tried something funny, his own leadership would be at risk.

Last year, the privacy community was mostly fighting with carrots against an Executive branch that was dictating what it was willing to give up. Now, it’s fighting with carrots and sticks. We haven’t gotten the Executive branch to give up anything it didn’t already want to give up yet. But having dealt McConnell a big defeat and having the threat to do so with Boehner might make that possible going forward.

Having someone like Rand Paul, who is not afraid to be accused of having cooties, to make that possible is a critical part of that process. That doesn’t negate the efforts of anyone else (again, I’m really encouraged by Mike Lee’s role in all this). But it does mean people holding carrots but demanding things that will only be obtained with some sticks, too, ought not to dismiss the efforts to make the threat of a stick real.

 

Share this entry

Did FBI Stall an IG Review of Innocent Americans Sucked Up in the Dragnet?

/6 Comments/in /by

I mentioned earlier that the FBI withheld information on the Bureau’s use of phone dragnet tippers from DOJ’s Inspector General long enough to make any review unusable for Congress’ consideration before it passed USA F-ReDux.

That’s important because of this passage from the Stellar Wind IG Report.

Another consequence of the Stellar Wind program and the FBI’s approach to assigning leads was that many threat assessments were conducted on individuals located in the United States, including U.S. persons, who were determined not to have any nexus to terrorism or represent a threat to national security.402 These assessments also caused the FBI to collect and retain a significant amount of personal identification about the users of tipped telephone numbers and e-mail addresses. In addition to an individual’s name and home address, such information could include where the person worked, records of foreign travel, and the identity of family members. The results of these threat assessments and the information that was collected generally were reported in communications to FBI Headquarters and uploaded into FBI databases.

The FBI’s collection of U.S. person information in this manner is ongoing under the NSA’s FISA-authorized bulk metadata collection. To the extent leads derived from this program generate results similar to those under Stellar Wind, the FBI will continue to collect and retain a significant amount of information about individuals in the United States, including U.S. persons, that do not have a nexus to terrorism or represent a threat to national security.

We recommend that as part of the [redacted] project, the Justice Department’s National Security Division (NSD), working with the FBI, should collect addresses disseminated to FBI field offices that are assigned as Action leads and that require offices to conduct threat assessments. The information compiled should include whether individuals identified in threat assessments are U.S. or non-U.S. persons and whether the threat assessments led to the opening of preliminary or full national security investigations. With respect to threat assessments that conclude that users of tipped telephone numbers or e-mail addresses are not involved in terrorism and are not threats to national security, the Justice Department should take steps to track the quantity and nature of U.S. person information collected and how the FBI retains and utilizes this information. This will enable the Justice Department and entities with oversight responsibilities, including the OIG and congressional committees, to assess the impact this intelligence program has on the privacy interests of U.S. persons and to consider whether, and for how long, such information should be retained. (PDF 666-7/329-330)

After a preceding section talking about how many of the tippers to FBI — which, after all, may be two hops away from someone of interest — weren’t all that useful, DOJ’s IG (the current IG, Michael Horowitz’s predecessor, Glenn Fine) noted how many Americans with no nexus to terrorism nevertheless have their names, home addresses, workplace, travel records, and family members’ identities collected and stored in an FBI database, potentially for decades. And, we now know, those assessments would include a search for any previously-collected content, which the FBI could read without a warrant.

Fine recommended that FBI begin to track what happens with the Americans sucked up in PATRIOT-authorized dragnets.

But we can be virtually certain FBI chose not to heed that recommendation, because it hasn’t heeded similar recommendations with NSLs, and because FBI refuses to track any of their other FISA-related activities.

And Horowitz has been very disciplined in following up on previous IG recommendations in reports that follow up on like topics, so that is likely one of the things he planned to investigate with his focus on the “receiving, processing, and disseminating [of] leads” from the phone dragnet.

The review will examine the FBI’s procedures for receiving, processing, and disseminating leads the NSA develops from the metadata, as well as any changes that have been made to these procedures over time. The review will also examine how FBI field offices respond to leads and the scope and type of information field offices collect as a result of any investigative activity that is initiated. In addition, the review will examine the role the leads have had in FBI counterterrorism efforts

Frankly, because NSA had to curtail so much of what they were doing with the phone dragnet in 2009, there should be fewer Americans sucked up in the dragnet now then there was when Fine did his Stellar Wind review in 2008-09. Though if FBI continued to require an assessment of every new identifier, it would still result in a lot of innocent Americans having their lives unpacked and stored for 30 years by the FBI.

But those numbers will likely be higher — potentially significantly higher — under USA F-ReDux, because any given query will draw off of more kinds of information. More importantly, FBI is exempted from counting the queries it does on any database of call detail records obtained under the new CDR function.

(C) the number of search terms that included information concerning a United States person that were used to query any database of call detail records obtained through the use of such orders;

[snip]

(A) FEDERAL BUREAU OF INVESTIGATION.—Paragraphs (2)(A), (2)(B), and (5)(C) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

This strongly suggests the data will come in through the FBI, be treated under FBI’s far more permissive (than NSA’s) minimization procedures, and searched regularly. Which likely means the privacy implications of innocent Americans sucked up into the dragnet will be far worse. And all that’s before any of the analysis NSA will do on these query results.

There was no public consideration of the privacy impact of the innocent Americans sucked in under the CDR function during the USA F-ReDux debate (though I wrote about it repeatedly).

But if DOJ’s IG intended to include past recommendations in its review of what FBI does with the phone dragnet data — which would be utterly consistent with past practice — that’s one of the things this review, the review FBI stalled beyond the point when it could be useful, would have focused on.

 

Share this entry

FBI Successfully Runs Out the Clock on DOJ’s Inspector General Review of Use of Phone Metadata

/9 Comments/in /by

While everyone was focused on USA F-ReDux last week, DOJ’s Inspector General submitted its semiannual report. In it, Michael Horowitz reiterated his complaint that FBI was stonewalling on document production. He listed 4 requests made after Congress defunded such stonewalling on which FBI was still stonewalling at the end of March.

The OIG has sent four letters to Congress to report that the FBI has failed to comply with Section 218 by refusing to provide the OIG, for reasons unrelated to any express limitation in Section 6(a) of the IG Act, with timely access to certain records in ongoing OIG reviews. Those reviews are:

  • Two FBI whistleblower retaliation investigations, letter dated February 3, 2015, which is available here;
  • The FBI documents related to review of the DEA’s use of administrative subpoenas, letter dated February 19, 2015, which is available here;
  • The FBI’s use of information derived from collection of telephony metadata under Section 215 of the Patriot Act, letter dated February 25, 2015, which is available here; and
  • The FBI’s security clearance adjudication process, letter dated March 4, 2015, which is available here.

As of March 31, 2015, the OIG document requests were outstanding in every one of the reviews and investigations that were the subject of the letters above. The OIG is approaching the 1 year anniversary of the Deputy Attorney General’s request in May 2014 to the Office of Legal Counsel for an opinion on these matters, yet that opinion remains outstanding and the OIG has been given no timeline for the issuance of the completed opinion. Although the OIG has been told the opinion is a priority for the Department, the length of time that has now passed suggests otherwise. Instead, the status quo continues, with the FBI repeatedly ignoring the mandate of Section 218 and the Department failing to issue an opinion that would resolve the matter. The result is that the OIG continues to be prevented from getting complete and timely access to records in the Department’s possession. The OIG’s ability to conduct effective and rigorous oversight is being undercut every day that goes by without a resolution of this dispute.

Of particular note, as of March 31, FBI was still stonewalling an October 10, 2014 request (and January 2015 deadline) connected with DOJ IG’s review of how FBI has been using metadata from phone dragnets.

The OIG requested these records in connection with its pending review of the FBI’s use of information derived from the National Security Agency’s collection of telephony metadata obtained from certain telecommunications service providers under Section 215 of the Patriot Act. The timeliness of production is particularly important given that Section 215 of the Patriot Act is set to expire in June of this year.

FBI was also still stonewalling records of how it used DEA’s dragnet, but in the case of phone metadata, Horowitz specifically tied the investigation to the upcoming sunset of Section 215 authority.

DOJ’s IG wanted to review what was happening with the 2-hop dragnet data that got turned over to FBI before Congress reauthorized Section 215. And FBI successfully stalled that effort until after Congress passed a bill that will almost certainly result in far more phone metadata being turned over to FBI, and under far more permissive rules than they had been under.

I’ll explain why that was probably important in a follow-up post. But for the moment, as pundits declare winners and losers on yesterday’s passage of USA F-ReDux (I’ll do my own version of that too, shortly!), it’s worth noting that FBI successfully ran out the clock on its own IG, preventing us from learning about the privacy impact of one little-considered aspect of the dragnet.

Share this entry

ACLU’s Poker Face

/6 Comments/in /by

Thus far, I have not seen a statement from the ACLU on last night’s developments with respect to the PATRIOT Act — the passage of cloture, McConnell’s failure to even ask for an immediate vote, followed by McConnell filing several amendments that would weaken USA F-ReDux. [Correction: here is one. h/t EG]

Indeed, no one even seems to be interested what the ACLU thinks about all this, reporting the key players to include Mitch McConnell and Richard Burr, the White House and Intelligence Agencies, and the House, especially House leadership that would be forced to shepherd any changes to USA F-ReDux back through the House, but not the ACLU.

I’m interested.

Especially with Burr’s amendment to extend the transition period to the new phone records program to a full year. After all, ACLU’s lawsuit just got punted back to the District to see what happens now, but it was punted based on the presumption that Congress was going to fix the illegal dragnet “soon.”

A year is not “soon,” at least not in my book.

If ACLU agrees with me, they can asks the judges to provide some relief “sooner” than a year from now, either by ordering an earlier end to the dragnet or — at the very least — requiring the NSA to pull all of ACLU’s records from their dragnet. Indeed, given the number of active court challenges the ACLU has against the government, they’d be able to argue pretty compellingly they need quicker relief than a year.

In the past, NSA has suggested it would be too onerous to pull the records of one plaintiff from the dragnet. Who knows whether they were just bullshitting judges, but if it is too onerous, that would present other issues.

All of which is my way of saying the ACLU may have a few cards of interest in their hand that no one is much considering. I’m not going to ask them what they’re holding, mind you. I like that they may be deliberating in secret to thwart efforts to extend the dragnet.

I’m just noting that they do appear to still be holding some cards…

Share this entry

Mitch McConnell Just Made the Country Less Safe in Bid to Ensure FISC Continues to Be Rubber Stamp

/5 Comments/in /by

I predicted back in April that Mitch McConnell would use the threat of straight reauthorization of a program that doesn’t do what the Intelligence Community wants to demand changes to USA F-ReDux.

And a data retention mandate — presented in the guise of a requirement that providers give notice if they plan not to retain data at least 18 months — is one the things McConnell will try to push through today.

(k) PROSPECTIVE CHANGES TO EXISTING PRACTICES RELATED TO CALL DETAIL RECORDS.—

(1) IN GENERAL.—Consistent with subsection (c)(2)(F), an electronic communication service provider that has been issued an order to produce call detail records pursuant to an order under subsection (c) shall notify the Attorney General if that service provider intends to retain its call detail records for a period less than 18 months.

(2) TIMING OF NOTICE.—A notification under paragraph (1) shall be made not less than 180 days prior to the date such electronic communications service provider intends to implement a policy to retain such records for a period less than 18 months.’’.

McConnell repeated his justification for a retention mandate last night by pointing to a provider that refused to agree to keep documents for a call record program, as he did last week. Why is Mitch worried about document retention for a call record program?

Remarkably, McConnell’s data mandate is for a shorter period of time than the 2 year data handshake the major telecoms have agreed to, according to Dianne Feinstein.

McConnell also submitted standalone amendments, the first requiring certification from James Clapper that the dragnet works before existing dragnet authorities expire, with the second one extending the expiration of the dragnet to a year.

McConnell submitted an amicus provision that simply codifies the status quo, which already permits a court to name an amicus. Significantly, McConnell’s amicus provision eliminates the reporting to Congress that Richard Burr’s bill at least had. But McConnell’s bill does include FISCR fast-track review, which I believe may actually be counterproductive. So McConnell’s amicus amendment permits the FISC to go on making shit up without any notice that’s what they’re doing.

Finally, there’s one other provision in one of two substitute bills Mitch put forward this month: an elimination of the reporting requirement of any significant FISC decisions (Section 402 is removed entirely).

Now, frankly, even in the existing USA F-ReDux, the reporting requirement permits the Executive too much discretion about what kind of details they’ll release. Even in FOIA suits, where a judge gets to weigh in, the government has been able to withhold even information that is almost certainly in the public record. Their summaries of important decisions would surely look like useless Vaughn Index summaries.

But that’s too much for Mitch McConnell — and the Intelligence Community folks whose demands he is serving. And, of course, elimination of this weak reporting requirement eliminates the only check against ongoing bulk or bulky collection, because the language surrounding Specific Selection Term includes big potential loopholes.

So consider what this means.

Over the last two weeks, Mitch McConnell has pursued policies that have led to a lapse in the phone (and CIA money transfer) dragnets. He didn’t even try to bring USA F-ReDux for an immediate vote last night; he only tried to bring up Lone Wolf and Roving Wiretap.

And his goal, for letting the dragnet expire, is to ensure the FISA Court continues to be dysfunctional.

Mitch McConnell has — according to his claims, not mine — made the country less safe with this lapse in the dragnet. All in a bid to ensure the FISC continues to operate as a rubber stamp.

Share this entry

FBI Doesn’t Want You To Know It Uses NSLs to “Correlate” All the Identities You Use Online

/2 Comments/in /by

Back in March, I parsed the declaration Nicholas Merrill submitted in his bid to reveal the contents of what he was asked to turn over via an NSL back in 2004. As a reminder, here’s what FBI permitted Merrill to reveal at the beginning of this suit.

Screen Shot 2015-03-29 at 8.36.05 AM

And here’s Merrill’s description of what kind of records his ISP, Calyx, might have had on customers.

Calyx Internet Access, like most ISPs, collected a wide array of information about its clients. For a given client, we may have collected their [1] name, [2] address and [3] telephone number; [4] other addresses associated with the account; [5] email addresses associated with the account; [6] IP addresses associated with the account; [7] Uniform Resource Locator (URL) addresses assigned to the account; [8] activity logs for the account; [9] logs tracking visitors to the client’s website; [10] the content of a client’s electronic communications; [11] data files residing on Calyx’s server; [12] the client’s customer list; [13] the client’s bank account and [14] credit card numbers; [15] records relating to merchandise bought and sold; and the [16] date the account was opened or closed. [numbers 1 through 16 added]

FBI has submitted a counter-declaration (posted by Cryptome) that — even in its excessively redacted form — includes a number of interesting details.

FBI’s limited new admission

The FBI now concedes that it had publicly confirmed some aspects of what it asked for from Merrill. It specifically admits that “screen names or other online names associated with the account” and “all email addresses associated with the account” may be disclosed, as well as that the request involved an “account number” from an “Internet service provider” (though in the sections that must describe these requests, those phrases remain redacted).

In addition, this paragraph appears without redaction:

The NSA issued to [Merrill’s ISP] Calyx requested “the names, addresses, lengths of service and electronic communication transaction records, to include existing transaction/activity logs and all e-mail header information (not to include message content and/or subject fields)” for the email account [email protected].

FBI disses Merrill for interacting with his ISP client

Part of — potentially a big part of — the declaration seems to insinuate that Merrill’s lawsuit should be distrusted because he had a personal relationship with the target of the NSL. It describes,

Merrill stated that he previously “engaged in ongoing communications with [redacted] on a variety of issues,” including “topics related to politics and current events.”

Interestingly, the declaration makes clear the NSL — which was almost certainly authorized as a terrorism investigation — was authorized in Pittsburgh. I raise that because Pittsburgh’s FBI office was investigating a number of anti-war targets as terrorists in the 2004-timeframe. So I do wonder whether Merrill thought the investigation improper for that reason.

FBI mentions just one kind of Internet production as having moved to Section 215 orders

As I’ve noted, we know some production obtained until 2009 using NSLs has moved under Section 215. This paragraph seems to acknowledge that, even while saying the FBI may ignore what the Office of Legal Counsel has told it ECPA permits FBI to obtain using an NSL.

Merrill NSL to 215 paragraph

Curiously, this pertains only to the second bullet of the request (above), of 17 categories of information, suggesting just one kind of production moved to Section 215 orders.

FBI doesn’t want you to know how much of your activities it can correlate by going to your ISP

The FBI has a separate paragraph addressing why it cannot reveal the other 15 categories of information it requested from Merrill 11 years ago. The paragraphs are worth reading, because they’re each somewhat different. Some say not just counterterrorism and counterintelligence investigations might be affected with the release of the information, some claim greater use than others, some warn that potential criminals might avoid turning over certain kinds of information (perhaps an alternate email or phone number?) if they knew it could be obtained via an NSL.

All seem to pretend that a lot of this isn’t already available from exhibits submitted in other cases.

As I noted in this post, for example, here’s what the government obtains from Google subpoenaing a Google voice account and then the underlying Google account as a whole.

[T]he two reports Google provided in response to administrative subpoenas for information on Shantia Hassanshahi, the guy caught using the DEA phone dragnet (these were subpoenas almost certainly used to parallel construct data obtained from the DEA phone dragnet and PRISM targeted at the Iranian, “Sheikhi,” they found him through), included:

  • a primary gmail account
  • two secondary gmail accounts
  • a second name tied to one of those gmail accounts
  • a backup email (Yahoo) address
  • a backup phone (unknown provider) account
  • Google phone number
  • Google SMS number
  • a primary login IP
  • 4 other IP logins they were tracking
  • 3 credit card accounts
  • Respectively 40, 5, and 11 Google services tied to the primary and two secondary Google accounts, much of which would be treated as separate, correlated identifiers

There’s surely a significant overlap between this list and the things FBI says Merrill can’t reveal because if he did, it would tip off intelligence and criminal targets that the FBI can obtain them (though as Merrill made clear in his description of what Calyx had to turn over, they had more details about the websites run under an account).

Ultimately, though, the FBI seems to want to prevent anyone from realizing how much information your Internet providers have — and can be forced to turn over — that correlate all your multiple identities online.

FBI’s false transparency going forward

There’s one more really funny part of this declaration. It notes that Office of Director of National Intelligence released a report in February claiming that “the FBI will now presumptively terminate National Security Letter nondisclosure orders at the earlier of three years after the opening of a fully predicated investigation or the investigations close.”

But it says it won’t have to comply with that policy for this NSL because “the investigation at issue here was closed prior to the implementation of the policy.”

One would think that they would reveal all these categories of information going forward if they were really going to comply with ODNI’s order.

Unless the FBI has already started to change the way they write NSLs (or perhaps plan on leaving more to verbal communications with Agents or some other means of communicating the list without including these descriptions) so as to get all the information without stating that they’re demanding all that information.

Share this entry

Richard Burr Wants to Label People Who Make Threats and Carry Guns “Terrorists”

/14 Comments/in /by

The bill Senate Intelligence Chair Richard Burr released last Friday is bad enough for the way it expanded the existing illegal dragnet. I argued here Burr’s bill would give the Intelligence Community everything they lost in 2009 and 2011.

But there’s something just as troubling in Burr’s stack of additional goodies for the IC. As USA F-ReDux does, Burr’s bill extends maximum sentences for material support for terrorism. Both bills increase the maximum sentence under 18 USC 2339B, which prohibits material support for a terrorist group formally designated as such by the government. Burr would also increase the maximum sentence under 18 USC 2339A, which prohibits material support for people who may not be formally designated as terrorists, but who violate one of a bunch of other laws that are deemed terrorist acts. (Burr also tweaks the penalty for getting military training from terrorists in ways that might actually lower the punishment.)

The shocking move came in Burr’s proposal to add 18 USC 924(c) — which prohibits the “use, carrying, or possession of fire arms” during the commission of a crime of violence — among those crimes listed in 18 USC 2332b that make someone a terrorist.

Let me be clear: I’m in favor of doing whatever we can to keep guns out of the hands of terrorists and dangerous people, so much so my libertarian and gun activist friends surely consider me squishy on the Constitution.

But there are a number of reasons why making the possession of gun while committing a crime of violence, “a terrorist act,” is a dangerous idea.

It starts from the fact that the term “crime of violence” is horribly vague (so much so that SCOTUS is reviewing a similar designation right now). It “has as an element the use, attempted use, or threatened use of physical force against the person or property of another.” That is, the “violence” may all stem from that perceived threat of physical force, which in turn may stem from someone’s possession of a gun (or, as often happens in our still very racially charged society, the possession of a gun by a particular kind of someone).

Then, to meet the terms of 18 USC 2332b that makes something a terrorist act, it may only involve a threat to “conspir[e] to destroy or damage any structure, conveyance, or other real or personal property within the United States.” As with the crime of violence, it may be the perceived threat of a crime, rather than a committed crime. And one way to qualify under this provision, the act would be “calculate[] to influence or affect the conduct of government by intimidation or coercion, or to retaliate against government conduct.”

Altogether, Burr’s proposed change could — if the Federal Government pushed far enough — get people labeled as a terrorist for posing a threat or risk to the government while carrying a gun. The required element — beyond being or making a threat — is that gun, which, of course, is protected under the Constitution. The rest is just the risk to property in a way to influence politics. But ordinary dissidents and protestors intend to influence politics and have, at times, been called a threat to property, and looters who definitely (and indefensibly) destroy property have, throughout history, often been described as a “risk to the government” (and especially, a risk to law enforcement). Certainly dissidents should not be deemed terrorists because they carry guns and sit in the wrong park. And while looting is wrong, it’s not terrorism.

This might seem far-fetched, but one of the rare instances where non-Muslims have been charged as terrorists under a related provision — which deems even FBI-supplied bombs “Weapons of Mass Destruction” and therefore terrorist weapons — were three guys tied to Occupy Cleveland who were caught in an FBI-crafted sting.

As with that case, the effect of labeling someone’s threat of violence a terrorist crime would involve expanding the potential sentences significantly, not to mention labeling someone a terrorist as they contemplated a jury trial. Since 9/11, jurors have been very credulous of evidence involving alleged terrorists, meaning it would become a lot easier for the government to win convictions even with dodgy evidence or (as in the Cleveland case) a plot invented by the FBI.

It probably, also, involves lots of extra investigative tools.

There are so many other ways to designate people who are really conspiring under the direction of actual terrorists as terrorists that this seems like dangerous overkill. It would invite Feds to label looters who happen to be armed or dissidents who mouth off and train with guns as terrorists — and thereby all their associates as material supporters of terrorism.

Richard Burr’s bill is horrible, as it is, for how it would expand the dragnet. But that he is, at the same time, envisioning dangerously expanding the definition of “terrorist” in a way that could be badly abused is another reason to distrust Burr’s effort to capitalize on fear-mongering around the PATRIOT reauthorization to expand the security state.

Share this entry

Administration Feeds Journalists Hints of More Secret Law … Journalists Instead Parrot “Russian Roulette” Line

/17 Comments/in , /by

Back in January, Charlie Savage revealed that in 2007 the FISC approved a secret interpretation of the Roving Wiretap provision, one of the provisions due to sunset Sunday night. To support a domestic content collection order targeting al Qaeda targets overseas, Judge Roger Vinson rubber-stamped DOJ’s argument that — because Congress had let it wiretap individual targets without naming each of the phones they were using, that also meant it could target al Qaeda as a target — without naming each of the phones and email addresses it was targeting until after tasking them [this sentence updated for accuracy].

Judge Vinson ruled that this procedure was a legitimate interpretation of FISA because of a provision Congress had added to the surveillance law in the Patriot Act. The provision created so-called roving wiretap authority, which allows the F.B.I. to get orders to swiftly follow targets who switch phones, telling the court about the new numbers later.

Public discussion of the purpose and meaning of roving wiretap authority has focused on targeting individual terrorists or spies who seek to evade detection. But Judge Vinson accepted a Justice Department proposition that the target could be Al Qaeda in general, so if the N.S.A. learned of a new Qaeda suspect, it could immediately collect his communications and get after-the-fact approval.

The government stopped using this particular application as it transitioned to Protect America Act (though it even grandfathered some of the existing targets tasked under the prior argument). But the premise — that DOJ can target entire communication nodes based on the argument that a specific target is using unknown accounts passing through that node — surely remains on the books.

This secret interpretation of the law may not be as outrageous as FISC’s redefinition of the word “relevant” to mean “all,” but it is nevertheless a fairly breathtaking argument, with potentially dangerous ongoing implications.

Yet, in spite of the fact that a top journalist (not some dirty hippie like me!) revealed this secret interpretation, the journalists who transcribed Administration claims that sunsetting PATRIOT would amount to playing “national security Russian roulette” have also transcribed Administration claims that they’re only using Roving Wiretaps individually.

A second tool is the “roving wiretap,” which enables the FBI to use one warrant to wiretap a spy or terrorist suspect who is constantly switching cellphones. Those two in particular are of “tremendous value,” the first official said.

We don’t know they’re using Roving Wiretaps to tap entire circuits anymore. But we know they can. That detail should be included in any description before a journalist parrots the Administration claim this is an “uncontroversial” authority. If it’s not controversial, it should be.

Ditto the Lone Wolf provision.

Reporters are reporting something that — 11 years after passage of the Lone Wolf provision — ought to raise serious questions (note: Lone Wolf was actually not part of the PATRIOT Act; it was passed in 2004 as part of the Intelligence Reform and Terrorism Prevention Act).

A third tool allows the FBI to surveil a “lone wolf” suspect who cannot be tied to a foreign terrorist group such as al-Qaeda. It has never been used, but officials said it is a valuable authority they do not want to lose.

That provision has been on the book for 11 years, and the FBI still says they have never used it but even though they have never used it is a valuable authority. It was not used in cases — such as that of Khalid Ali-M Aldawsari — that solidly fit the definition of a Lone Wolf. Even if the FBI found someone who they thought was an international terrorist but didn’t know to what group he belonged, they could get an emergency wiretap to help them find evidence.

So what “value” does the Lone Wolf provision have, if it’s not to authorize the wiretapping of Lone Wolves?

I think there’s increasing reason to ask whether this, like the Roving Wiretap, serves to justify some other secret law, allowing the government to spy on people against whom it has no evidence of ties to al Qaeda or any other terrorist group, but on whom it nevertheless wants to use its terrorist authorities against.

We’re on the fifth or so reauthorization debate where FBI has said “we don’t use this thing but we find it very valuable anyway.” At some point, we need to start assuming that when they say they haven’t “used” it, they only mean in the literal sense, and they’re using it to support some secret, unintended purpose.

Rather than parroting Administration claims of “Russian roulette,” shouldn’t journalists be asking why, after 11 years, their claims of necessity make no sense?

Share this entry

DOJ IG Issues Yet Another Classified Report that Should Be Public Before Congress Votes on PATRIOT Act

/in , /by

DOJ’s Inspector General just announced it completed its draft report on the use of Pen Register/Trap and Trace between 2007 and 2009 15 months ago, but the Intelligence Community only finished its classification review last month. It has now issued a classified version of that report to the Judiciary and Intelligence Committees.

Department of Justice Inspector General Michael E. Horowitz today issued a classified report entitled, The Federal Bureau of Investigation’s Use of Pen Register and Trap and Trace Devices under the Foreign Intelligence Surveillance Act in 2007 through 2009. The Department of Justice (DOJ) Office of the Inspector General (OIG) completed a draft of this report in February 2014. At that time, we provided the draft report to DOJ, the Federal Bureau of Investigation (FBI), and the Intelligence Community to conduct factual accuracy and classification reviews. In May 2014, we circulated an updated draft report that reflected minor revisions made in response to the factual accuracy comments we received. We did not receive the final results of the classification reviews until April 30, 2015.

We are providing today’s classified report to the relevant Congressional oversight and intelligence committees, as well as to DOJ leadership offices. We recently submitted a short unclassified Executive Summary of the report to DOJ, the FBI, and the Intelligence Community for review. We will publicly release the Executive Summary as soon as that review is completed.

This is another report that should have been released long before the current debate on the PATRIOT Act. While PRTT is not among the authorities that sunsets on Sunday, the issues surrounding the shut-down of the bulk Internet program in (around) October 2009 are central to the debate about the dragnet going forward, because “call” records are increasingly Internet records.

Moreover, the USA F-ReDux calls for “privacy guidelines” that I believe are still inadequate to protect US persons’ privacy in the ways the IC is likely using PRTT today. Plus, PRTT is likely used for applications — such as tower dumps and Stingrays — that affect the privacy of many people not otherwise targeted. Congress should have details about that before they legislate.

In addition, Richard Burr’s bill actually adopts a definition of “content” — excluding Dialing, Routing, Addressing, and Signaling data from the definition of content — that responds directly to the issues behind the Internet dragnet shutdown in 2009.

Last week, much of DC discovered for the first time — because of the delayed release of DOJ IG’s report on Section 215 — what I had been reporting for months: that the bulk of Section 215 orders actually collect bulky Internet data. That report also disclosed that, at least as used up until 2009 (that is, as FBI just started using 215 for that Internet collection), Section 215 wasn’t all that useful.

It is highly likely that the 15-month old PRTT report DOJ’s IG just released would have information that is equally important to this debate.

But the public is not going to have access to it.

Share this entry