Hate to Tell SSCI I Told Them So, John Brennan Lying and Spying Edition

The morning of John Brennan’s confirmation hearing, I posted what I deemed the 5 most important questions to ask him. Three were: Will you stop lying, how much of Dick Cheney’s illegal wiretap program did you run, and will you permit CIA to spy on Americans.

1) Do you plan to continue lying to Americans?

You have made a number of demonstrable lies to the American people, particularly regarding the drone program and the Osama bin Laden raid. Most egregiously in 2011, you claimed “there hasn’t been a single collateral death” in almost a year from drone strikes; when challenged, you revised that by saying, “the U.S. government has not found credible evidence of collateral deaths,” even in spite of a particularly egregious case of civilian deaths just months earlier. On what basis did you make these assertions? What definition of civilian were you using in each assertion? (More background)

In addition, in a speech purportedly offering transparency on the drone program, you falsely suggested we know the identities of all people targeted by drones. Why did you choose to misrepresent the kind of intelligence we use in some strikes?

[snip]

4) What role did you have in Bush’s illegal wiretap program?

The joint Inspector General report on the illegal wiretap program reported that entities you directed — the Terrorist Threat Integration Center in 2003 and 2004, and the National Counterterrorism Center in 2004 and 2005 — conducted the threat assessments for the program.

What role did you have, as the head of these entities, in the illegal wiretapping of Americans? To what extent did you know the program violated FISA? What role did you have in counseling Obama to give telecoms and other contractors immunity under the program? What influence did you have in DOJ decisions regarding suits about the illegal program, in particular the al-Haramain case that was thrown out even after the charity had proved it had been illegally wiretapped? Did you play any role in decisions to investigate and prosecute whistleblowers about this and other programs, notably Thomas Drake? (More background)

5) Did you help CIA bypass prohibitions on spying domestically with the NYPD intelligence (and other) programs?

In your additional prehearing questions, you admit to knowing about CIA’s role in setting up an intelligence program that profiled Muslims in New York City. What was your role in setting up the program? As someone with key oversight over personnel matters at the time, did you arrange Larry Sanchez’ temporary duty at the NYPD or CIA training for NYPD detectives?

Have you been involved in any similar effort to use CIA resources to conduct domestic spying on communities of faith? You said the CIA provides (among other things) expertise to local groups spying on Americans. How is this not a violation of the prohibition on CIA spying on Americans? (More background)

As it turns out, all three questions are directly pertinent for the latest dust-up between SSCI and the CIA Director.

Tensions between the CIA and its congressional overseers erupted anew this week when CIA Director John Brennan refused to tell lawmakers who authorized intrusions into computers used by the Senate Intelligence Committee to compile a damning report on the spy agency’s interrogation program.

The confrontation, which took place during a closed-door meeting on Tuesday, came as the sides continue to spar over the report’s public release, providing further proof of the unprecedented deterioration in relations between the CIA and Capitol Hill.

After the meeting, several senators were so incensed at Brennan that they confirmed the row and all but accused the nation’s top spy of defying Congress.

“I’m concerned there’s disrespect towards the Congress,” Sen. Carl Levin, D-Mich., who also serves as chairman of the Senate Armed Services Committee, told McClatchy. “I think it’s arrogant, I think it’s unacceptable.”

And you know what, Senator Levin? Brennan doesn’t actually care what you think. This Committee confirmed him last year, at a point where it was already clear he would lie and spy if he thought it would help the CIA. That was the moment to win respect from Brennan.

But at this point — especially because it seems Brennan has confidence his boss won’t fire him — he knows he can get away with this.


“Linking” Procedures in the Yahoo Opinion

As I mentioned earlier, Yahoo is finally releasing the documents pertaining to its challenge of Protect America Act directives in 2008. The LAT has loaded the Yahoo documents in an easy to access page.

This post will look primarily at the FISCR opinion.

As you’ll recall, this opinion was previously released in 2009 (and in fact, the previous list has names of some of the DOJ people who are redacted with this release unredacted).

The four main new disclosures I noted are:

  • A discussion of differences between the definition of foreign power in EO 12333 and FISA
  • Concerns Yahoo raised about how inaccurate the first directives it had received were (the Court appears to have misunderstood the seriousness of the inaccuracies)
  • Discussion of a parting shot — this supplemental brief makes it clear the largely redacted discussion pertains to US person data collected overseas; I’ll probably return to this, but it appears Yahoo’s concerns were borne out and led to the addition of Sections 703-5 in FISA Amendments Act.
  • Reference to “linking” procedures which were part of what FISCR used to deem the collection constitutional

That last item — the “linking” procedures — is what was redacted in this post I did when the memo was first released. As I noted then, the procedures were what the FISCR used to meet particularity requirements.

The following passage starts on page 23:

The linking procedures — procedures that show that the [redacted] designated for surveillance are linked to persons reasonably believed to be overseas and otherwise appropriate targets — involve the application of “foreign intelligence factors.” These factors are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. As attested by affidavits of the Director of the National Security Agency (NSA), the government identifies [redacted] surveillance for national security purposes on information indicating that, for instance, [big redaction] Although the FAA itself does not mandate a showing of particularity, see 50 U.S.C. § 1805(b), this pre-surveillance procedure strikes us as analogous to and in conformity with the particularity showing contemplated by Sealed Case.

I’ll need to look more closely to find this brief — if it was released. But I suspect that this shows more closely how the metadata dragnets and the content collection are linked. They collect the metadata to mine for “proof” of meaningful connection, then use that to unlock the content. That’s not surprising — it’s what I had been speculating since days after Risen first broke this — but it’s important to flesh out. Because, of course, all this not-a-search metadata really is, because it leads directly to the content.

As I noted in my post in 2009, Russ Feingold released a statement with the release of the opinion, basically arguing that Yahoo could have won this if they had had access to the procedures related to the program (Mark Zwillinger made the same point when he testified to PCLOB).

The decision placed the burden of proof on the company to identify problems related to the implementation of the law, information to which the company did not have access. The court upheld the constitutionality of the PAA, as applied, without the benefit of an effective adversarial process. The court concluded that “[t]he record supports the government. Notwithstanding the parade of horribles trotted out by the petitioner, it has presented no evidence of any actual harm, any egregious risk of error, or any broad potential for abuse in the circumstances of the instant case.” However, the company did not have access to all relevant information, including problems related to the implementation of the PAA. Senator Feingold, who has repeatedly raised concerns about the implementation of the PAA and its successor, the FISA Amendments Act (“FAA”), in classified communications with the Director of National Intelligence and the Attorney General, has stated that the court’s analysis would have been fundamentally altered had the company had access to this information and been able to bring it before the court.

There’s no reason to believe the “linking” procedures are what Feingold was referring to. After all, there still are details of the minimization and targeting procedures that raise big constitutional issues. Plus, we know foreign collection has always been a big concern of Feingold’s. But I am wondering whether part of the problem was that their contact chaining was not very good, and therefore they were collecting people who really weren’t linked to the targets in question.

Which might explain why Yahoo was experiencing so many dud directives in the first months of its operation.


Remember Joseph Nacchio?

Yahoo just announced that it will shortly be releasing the docket from its 2008 effort to challenge a Protect America Act order.

In a report on the release, WaPo notes that the government threatened Yahoo with a $250,000 a day fine for not complying with the Protect America Act order (appreciate the irony of that law’s name!).

The U.S. government threatened to fine Yahoo $250,000 a day in 2008 if it failed to comply with a broad demand to hand over user data that the company believed was unconstitutional, according to court documents unsealed Thursday that illuminate how federal officials forced American tech companies to participate in the NSA’s controversial PRISM program.

Umph. That kind of fine would add up quickly.

Which got me thinking about Joseph Nacchio, the Qwest CEO who claims the real source of his insider trading scandal arose from government retaliation when he refused to do something — in January 2001, before NineElevenChangedEverything — that he considered illegal.

According to Nacchio, his troubles can be traced back to a meeting at the NSA’s Fort Meade, Md., headquarters on Feb. 27, 2001. The agency asked that Qwest participate in a surveillance program, but Nacchio considered the proposed action to be illegal.

Nacchio was unable to explain the exact nature of the request, which remains classified. However, contrary to news reports, he said discussions with the NSA at the February 2001 meeting didn’t involve turning over telephone records.

“I found that request to be peculiar. I didn’t think it was legal. I asked for legal justification. We never got it, and therefore we never did it,” said Nacchio, who completed his prison sentence in September. “That was the moment things turned down for me.”

The former AT&T (T) executive resigned from his post at Qwest in 2002 after the Securities and Exchange Commission launched an insider-trading investigation. In 2007, he was charged with 42 counts of insider trading.

Nacchio was ultimately convicted on 19 counts for selling stock between April and May 2001, leading to the forfeiture of $44.6 million and a $19 million fine. He was sentenced to six years in jail, but his time was reduced to 70 months.

Obviously, the size of Yahoo’s fine — for a congressionally authorized, even if unconstitutional program — lends far more credibility to the claim that the government retaliated by setting Nacchio up for an insider trading prosecution. (See also this post which tracks some interesting discrepancies in the stories, which is one of a number of reasons I believe the NSA IG report on the illegal dragnet is itself incorrect.)

It also makes me wonder about two other companies — an Internet company, and what is probably something like Cisco — that refused to cooperate with the illegal dragnet.

There really isn’t a lot of rule of law surrounding the government’s spying.


Every Senator Who Supports USA Freedom May Be Affirmatively Ratifying a Financial Dragnet

Now that I’ve finally got around to reading the so-called transparency provisions in Patrick Leahy’s USA Freedom Act, I understand that one purpose of the bill, from James Clapper’s perspective, is to get Congress to ratify some kind of financial dragnet conducted under Section 215.

As I’ve laid out in detail before, there’s absolutely no reason to believe USA Freedom Act does anything to affect non-communications collection programs.

That’s because the definition of “specific selection term” permits (corporate) persons to be used as a selector, so long as they aren’t communications companies. So Visa, Western Union, and Bank of America could all be used as the selector; Amazon could be for anything not cloud or communications-related. Even if the government obtained all the records from these companies — as reports say it does with Western Union, at least — that would not be considered “bulk” because the government defines “bulk” as collection without a selector. Here, the selector would be the company.

And as I just figured out yesterday, the bill requires absolutely no individualized reporting on traditional Section 215 orders that don’t obtain communications. Here’s what the bill requires DNI to report on traditional 215 collection.

(D) the total number of orders issued pursuant to applications made under section 501(b)(2)(B) and a good faith estimate of—
(i) the number of targets of such orders;
(ii) the number of individuals whose communications were collected pursuant to such orders; and
(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

The bill defines “individuals whose communications were collected” this way:

(3) INDIVIDUAL WHOSE COMMUNICATIONS WERE COLLECTED.—The term ‘individual whose communications were collected’ means any individual—
(A) who was a party to an electronic communication or a wire communication the contents or noncontents of which was collected; or
(B)(i) who was a subscriber or customer of an electronic communication service or remote computing service; and
(ii) whose records, as described in subparagraph (A), (B), (D), (E), or (F) of section 2703(c)(2) of title 18, United States Code, were collected.

Thus, the 215 reporting only requires the DNI to provide individualized reporting on communications related orders. It requires no individualized reporting at all on actual tangible things (in the tangible things provision!). A dragnet order collecting every American’s Visa bill would be reported as 1 order targeting the 4 or so terrorist groups specifically named in the primary order. It would not show that the order produced the records of 310 million Americans.

I’m guessing this is not a mistake, which is why I’m so certain there’s a financial dragnet the government is trying to hide.

Under the bill, of course, Visa and Western Union could decide they wanted to issue a privacy report. But I’m guessing if it would show 310 million to 310,000,500 of its customers’ privacy was being compromised, they would be unlikely to do that.

So the bill would permit the collection of all of Visa’s records (assuming the government could or has convinced the FISC to rubber stamp that, of course), and it would hide the extent of that collection because DNI is not required to report individualized collection numbers.

But it’s not just the language in the bill that amounts to ratification of such a dragnet.

As the government has argued over and over and over, every time Congress passes Section 215’s “relevant to” language unchanged, it serves as a ratification of the FISA Court’s crazy interpretation of it to mean “all.” That argument was pretty dodgy for reauthorizations that happened before Edward Snowden came along (though its dodginess did not prevent Clare Eagan, Mary McLaughlin, and William Pauley from buying it). But it is not dodgy now: Senators need to know that after they pass this bill, the government will argue to courts that it ratifies the legal interpretations publicly known about the program.

While the bill changes a great deal of language in Section 215, it still includes the “relevant to” language that now means “all.” So every Senator who votes for USAF will make it clear to judges that it is the intent of Congress for “relevant to” to mean “all.”

And it’s not just that! In voting for USAF, Senators would be ratifying all the other legal interpretations about dragnets that have been publicly released since Snowden’s leaks started.

That includes the horrible John Bates opinion from February 19, 2013 that authorized the government to use Section 215 to investigate Americans for their First Amendment protected activities so long as the larger investigation is targeted at people whose activities aren’t protected under the First Amendment. So Senators would be making it clear to judges their intent is to allow the government to conduct investigations into Americans for their speech or politics or religion in some cases (which cases those are is not entirely clear).

That also includes the John Bates opinion from November 23, 2010 that concluded that, “the Right to Financial Privacy Act, … does not preclude the issuance of an order requiring the production of financial records to the Federal Bureau of Investigation (FBI) pursuant to the FISA business records provision.” Given that Senators know (or should — and certainly have the ability to — know) about this before they support USAF, judges would be correct in concluding that it was the intent of Congress to permit the government to collect financial records under Section 215.

So Senators supporting this bill must realize that supporting the bill means they are supporting the following:

  • The interpretation of “relevant to” to permit the government to collect all of a given kind of record in the name of a standing FBI terrorism investigation.
  • The use of non-communication company corporate person names, like Visa or Western Union, as the selector “limiting” collection.
  • The use of Section 215 to collect financial records.
  • Not requiring the government to report how many Americans get sucked up in any financial (or any non-communications) dragnet.

That is, Senators supporting this bill are not only supporting a possible financial dragnet, but they are helping the government hide the existence of it.

I can’t tell you what the dragnet entails. Perhaps it’s “only” the Western Union tracking reported by both the NYT and WSJ. Perhaps James Cole’s two discussions of being able to collect credit card records under this provision means they are. Though when Leahy asked him if they could collect credit card records to track fertilizer purchases, Cole suggested they might not need everyone’s credit cards to do that.

Leahy: But if our phone records are relevant, why wouldn’t our credit card records? Wouldn’t you like to know if somebody’s buying, um, what is the fertilizer used in bombs?

Cole: I may not need to collect everybody’s credit card records in order to do that.

[snip]

If somebody’s buying things that could be used to make bombs of course we would like to know that but we may not need to do it in this fashion.

We don’t know what the financial dragnet is. But we know that it is permitted — and deliberately hidden — under this bill.

Below the rule I’ve put the names of the 18 Senators who have thus far co-sponsored this bill. If one happens to be your Senator, it might be a good time to urge them to reconsider that support.


Patrick Leahy (202) 224-4242

Mike Lee (202) 224-5444

Dick Durbin (202) 224-2152

Dean Heller (202) 224-6244

Al Franken (202) 224-5641

Ted Cruz (202) 224-5922

Richard Blumenthal (202) 224-2823

Tom Udall (202) 224-6621

Chris Coons (202) 224-5042

Martin Heinrich (202) 224-5521

Ed Markey (202) 224-2742

Mazie Hirono (202) 224-6361

Amy Klobuchar (202) 224-3244

Sheldon Whitehouse (202) 224-2921

Chuck Schumer (202) 224-6542

Bernie Sanders (202) 224-5141

Cory Booker (202) 224-3224

Bob Menendez (202) 224-4744

Sherrod Brown (202) 224-2315

USA Freedom Act’s So-Called “Transparency” Provisions Enable Illegal Domestic Surveillance

I regret that I am only now taking a close look at the “transparency” provisions in Patrick Leahy’s version of USA Freedom Act. They are actually designed not to provide “transparency,” but to give a very misleading picture of how much spying is going on. They are also designed to permit the government to continue not knowing how much content it collects domestically under upstream and pen register orders, which is handy, because John Bates told them if they didn’t know it was domestic then collecting domestic isn’t illegal.

In this post, I’ve laid out the section of the bill that mandates reporting from ODNI, with my comments interspersed along with what the “transparency” report Clapper did this year showed.

(b) MANDATORY REPORTING BY DIRECTOR OF NATIONAL INTELLIGENCE.—

(1) IN GENERAL.—Except as provided in subsection (e), the Director of National Intelligence shall annually make publicly available on an Internet Web site a report that identifies, for the preceding 12-month period—

This language basically requires the DNI to post a report on I Con the Record every year. But subsection (e) provides a number of outs.

Individual US Person FISA Orders

(A) the total number of orders issued pursuant to titles I and III and sections 703 and 704 and a good faith estimate of the number of targets of such orders;

This language requires DNI to describe, in bulk, how many individual US persons are targeted in a given year (there were 1,767 orders and 1,144 estimated targets last year). But it only requires DNI to give a “good faith estimate” of these numbers (and that’s what they’re listed as in ODNI’s report from last year)! If there’s one thing DNI should be able to give a rock-solid number for, it’s individual USP targets. But … apparently that’s not the case.


Section 702 Orders

(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—

(i) the number of targets of such orders;

(ii) the number of individuals whose communications were collected pursuant to such orders;

(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

This language requires DNI to provide an estimate of the number of targets of Section 702 which includes both upstream and PRISM production. Last year, this was one order (ODNI doesn’t tell us, but there were at least 3 certificates — Counterterrorism, Counterproliferation, and Foreign Government) affecting 89,138 targets.


The new reporting requires the government to come up with some estimate of how many communications are collected, as well as how many are located inside the US.

Except DNI is permitted to issue a certification saying that there are operational reasons why he can’t provide that last bit — how many are in the US. Thus, 4 years after refusing to tell John Bates how many Americans’ communications NSA was sucking up in upstream collection, Clapper is now getting the right to continue to refuse to provide that ratified by Congress. And remember — Bates also said that if the government didn’t know it was collecting that content domestically, then it wasn’t really in violation of 50 USC 1809(a). So by ensuring that it doesn’t have to count this, Clapper is ensuring that he can continue to conduct illegal domestic surveillance.

Don’t worry though. The bill includes language that says, even though this provision permits the government to continue conducting illegal domestic collection, “Nothing in this section affects the lawfulness or unlawfulness of any government surveillance activities described herein.”

Back Door Searches

(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and

(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;

This language counts back door searches.

But later in the bill, the FBI — which we know does the bulk of these back door searches — is exempted from all of this reporting. As I noted in this post, effectively the Senate is saying it’s no big deal if FBI doesn’t track how many warrantless searches of US person content it does, even of people against whom the FBI has no evidence of wrongdoing.

In addition, note that odd limit to (v). DNI only has to report metadata searches “initiated by an officer, employee, or agent” of the United States. That would seem to exempt any back door metadata searches by foreign governments (it might also exempt contractors, but they should be included as “agents” of the US). Which, given that CIA doesn’t currently count its metadata searches, and given that CIA conducts a bunch of metadata searches on behalf of other entities, leads me to suspect that CIA may be doing metadata searches “initiated” by foreign governments. But that’s a guess. One way or another, though, this clause was written to not count some of these metadata searches. [Update: On reflection, that language may be designed to avoid counting automated processes as searches — if they’re initiated by a robot rather than an employee they’re not counted!]

Pen Register Orders

(C) the total number of orders issued pursuant to title IV and a good faith estimate of—

(i) the number of targets of such orders;

(ii) the number of individuals whose communications were collected pursuant to such orders; and

(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

This language counts how many Pen Register orders the government obtains, how many individuals get sucked up, and how many are in the US, both of which are additions on what ODNI reported this year.


But that last bit — counting people in the US — is again a permissible exemption under the bill. Which is, as you’ll recall, the other way NSA has been known to engage in illegal domestic content collection. The only known bulk pen register is currently run by FBI, but in any case, the exemption has the same effect, of permitting the government to avoid ever having to admit that it is breaking the law.

Traditional Section 215 Collection

(D) the total number of orders issued pursuant to applications made under section 501(b)(2)(B) and a good faith estimate of—

(i) the number of targets of such orders;

(ii) the number of individuals whose communications were collected pursuant to such orders; and

(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

This requires DNI to report on traditional Section 215 orders, but the entire requirement is a joke on two counts.


First, note that, for a reporting requirement for a law permitting the government to collect “tangible things,” it only requires individualized reporting for “communications.” “Individuals whose communications were collected” are specifically defined as only involving phone calls and electronic communications.

So this “transparency” bill will not count how many individuals have their financial records, beauty supply purchases, gun purchases, pressure cooker purchases, medical records, money transfers, or other things sucked up, much of which we know to be done under this bill. And this is particularly important, because the law still permits bulk collection of these things. Thus, this “transparency” report creates the illusion that far less collection is done under Section 215 than actually is; it creates the illusion that bulk collection is not going on when it is.

But it gets worse!


Tech Companies: Hurry Up and Give Us Immunity and Compensation

The tech industry has issued a letter urging the Senate to hurry up and give them immunity and compensation pass USA Freedom Act.

The letter is actually pretty funny. The letter claims:

The revelations about the U.S. government’s surveillance programs that began in June of 2013 have led to an erosion of public trust in the U.S. government and the U.S. technology sector. In an effort to begin restoring that trust, the USA FREEDOM Act will prevent the bulk collection of Internet metadata, call detail records, and other tangible things in a manner that both enhances privacy and protects national security.

I mean, it’s not funny that the NSA has fucked with the tech companies’ business model. The funny part is the bill doesn’t do what the tech companies say it does!

It only limits the bulk collection of Internet metadata — to the extent it does do that — via the use of Pen Register or Section 215 authorities. It doesn’t do anything about the bulky collection of Internet metadata (and content) through PRISM. And it definitely doesn’t do anything to end the biggest part of bulk Internet metadata collection, which happens overseas. Hell, this doesn’t even give the Internet companies any more assurances they won’t have their data stolen overseas (though some at least are making that more difficult by encrypting their data).

Then the letter makes this claim.

As a result of the surveillance program revelations, U.S. technology companies have experienced negative economic implications in overseas markets. In addition, other countries are considering proposals that would limit data flows between countries, which would have a negative impact on the efficiencies upon which the borderless Internet relies. The transparency measures in the USA FREEDOM Act are designed to alleviate some of the concerns behind such actions by allowing companies to be more transparent about the orders they receive from the government to its surveillance authorities.

Now, it is true that the law tweaks the agreement the government previously made with the Internet companies so they can show more about what they do. That’s a good thing.

But the “transparency” provisions in the bill are actually designed to obscure key details about surveillance. They hide how many Americans will be exposed to most Section 215 orders (though will reveal the total people exposed) because FBI, which will get most of the orders, is exempted from that reporting. They hide the FBI’s use of “back door searches” of Internet metadata collected under PRISM. And it may (though I’m less sure about this) hide requests for PRISM metadata searches executed by the CIA for foreign governments.

All hidden right there in the “transparency” procedures.

Finally, I’m not sure why the tech companies think their foreign customers will be impressed with deceptive “transparency” provisions that leave the bulk (in all senses of the word) of the collection the US is doing against foreigners still hidden.

But hey! I can imagine why the tech companies want their absurdly broad immunity and compensation for spying, which this bill does give them.

Oddly, the letter doesn’t emphasize that part of it.


James Clapper’s Letter DIDN’T Endorse S 2685; It Endorsed HR 3361

I’m sorry to return to James Clapper’s letter that has been grossly misreported as endorsing Patrick Leahy’s USA Freedom Act.

In this post I pointed out what Clapper’s letter really said. In this one, I described why it is so inexcusable that Clapper emphasized FBI’s exemption from reporting requirements (I will have a follow-up soon about why that earlier post just scratches the surface). And this post lays out some — but not all — of the ways Clapper’s letter said he would gut the Advocate provision.

But I think there’s a far better way of understanding Clapper’s letter. He didn’t endorse Leahy’s USAF, S 2685. He endorsed USA Freedumber, HR 3361.

Below the rule I’ve put a summary of changes from USA Freedumber to Leahy USA Freedom, HR 3361 to S 2685. I did it a very long time ago, and there are things I’d emphasize differently now, but it will have to do for now (it may also be helpful to review this summary of how USA Freedumber made USA Freedumb worse). Basically, S 2685 improved on HR 3361 by,

  • Tightening the definition of “specific selection term”
  • Adding transparency (though, with exemptions for FBI reporting)
  • Improving the advocate
  • Limiting prospective CDR collection (but not retention and therefore probably dissemination) to counterterrorism

This closely matches what the coalition that signed onto S 2685 laid out as the improvements from HR 3361 to S 2685.

[T]he new version of the bill:

  • Strengthens and clarifies the ban on “bulk” collection of records, including by tightening definitions to ensure that the government can’t collect records for everyone in a particular geographic area or using a particular communication service, and by adding new post-collection minimization procedures;
  • Allows much more detailed transparency reporting by companies—and requires much more detailed transparency reporting by the government—about the NSA’s surveillance activities; and
  • Provides stronger reforms to the secret Foreign Intelligence Surveillance Court’s processes, by creating new Special Advocates whose duty is to advocate to the court in favor of privacy and civil liberties, and by strengthening requirements that the government release redacted copies or summaries of the court’s significant decisions.

Though as I explained here, there is no public evidence the minimization procedures required by the bill are even as stringent as what the FISC currently imposes on most orders, so the minimization procedures of S 2685 might — like the emergency procedures do — actually weaken the status quo.

Here are three of the key passages from Clapper’s letter that I believe would address the intent of the bill as written.

  • “Recognizing that the terms [laid out in the definition of specific selection term] enumerated in the statute may not always meet operational needs, the bill permits the use of other terms.”
  • “The transparency provisions in this bill … recognize the technical limitations on our ability to report certain types of information.”
  • “The appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Office of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address those concerns.”

In other words, the limiting language in Clapper’s letter very clearly maps the changes from HR 3361 to S 2685.

He clearly says he doesn’t have to follow the new limits on specific selection terms. He signals he will use his authority to make classification and privilege determinations to keep information away from the amicus (or retain ex parte procedures via some other means). And by endorsing John Bates’ letter, he revealed his intention to take out requirements that the amicus advocate in favor of privacy and civil liberties. In addition — this is the part of Bates’ letter I missed in my previous analysis — he thereby endorsed Bates’ recommendation to “delet[e] this provision [specifying that the Court must release at least a summary], leaving in place the provision that significant FISA court decision would continue to be released, whenever feasible, in redacted form.”

Plus, as I mentioned, his use of “metadata” rather than “Call Detail Record” suggests he may play with that laudable limit in the bill as well.

I think Clapper’s read on the exemption for FBI is totally a fair reading of the bill; I just happen to think the Senate is doing a great deal of affirmative damage by accepting it. (Again, I hope to explain more why that is the case in the next day or so.)

Voila! Clapper’s “endorsement” of the bill managed to carve out almost all the improvements from HR 3361 to S 2685 (as well as emphasize Congress’ ratification for the FBI exemption, the huge reservation on the one improvement he left untouched). The only other improvement Clapper left in place was the limit on collection of prospective phone records to counterterrorism purposes.

That’s it. If Clapper’s views hold sway, that’s all this bill is: USA Freedumber with the retention of the status quo counterterrorism application for CDR collection.


Supporters of USA Freedom Ignore the Courts

The National Journal reports that Leahy’s USA Freedom Act probably won’t move until after the election, if not next year.

A bill that would curtail the government’s broad surveillance authority is unlikely to earn a vote in Congress before the November midterms, and it might not even get a vote during the postelection lame-duck session.

The inaction amounts to another stinging setback for reform advocates, who have been agitating for legislation that would rein in the National Security Agency ever since Edward Snowden’s leaks surfaced last summer. It also deflates a sudden surge in pressure on Congress to pass the USA Freedom Act, which scored a stunning endorsement from Director of National Intelligence James Clapper last week.

Of course, contrary to what the NJ keeps reporting, that letter is not a stunning endorsement. On the contrary, it’s a signal James Clapper would change — at a minimum — the FISA Advocate position, and probably the Call Detail Record provision as well.

And even while the story suggests timing is the problem, further down the story suggests the bill doesn’t have the votes.

But beyond the calendar squeeze and geopolitical tensions, the Freedom Act has never had a clear path forward. It was not embraced by defense hawks such as Senate Intelligence Committee Chairwoman Dianne Feinstein or Sens. Ron Wyden and Mark Udall, who have become icons of the surveillance-reform movement. The two Democrats said they wanted to strengthen the bill to require warrants for “backdoor” searches of Americans’ Internet data that can be incidentally collected during foreign surveillance hauls. Sources indicated that their support for the Freedom Act remains a bridge too far.

“We were told to go after Republicans,” one industry said.

Wyden and Udall’s reticence to publicly back Leahy’s bill may stem from a conviction that they can get a better deal next Congress, with Section 215 of the USA Patriot Act—the legal underpinning for the NSA’s phone-records collection—due to expire on June 1, 2015.

Without the left flank of the Senate, this wasn’t going to pass. But so long as this bill endorsed warrantless back door searches of Americans at the assessment stage, it wasn’t going to get those votes.

The story ends with a solitary quote purportedly representing the voices of “many” people.

But many see an NSA reform debate that rolls into next year as no sure bet, regardless of what party holds control of the Senate.

“If the USA Freedom Act is not passed this Congress, we are really in uncharted territory, and the process has to start all over again,” said Harley Geiger, senior counsel at the Center for Democracy & Technology, a pro-reform group. “All the elements for reform are in place now, but it just happens that we don’t have much time.”

Geiger is the same person mis-reading Clapper’s letter as a complete endorsement of the bill.

Note what doesn’t get mentioned in any of this, though?

The Courts.

Last we heard from the 2nd Circuit, it sounded very very skeptical that it was constitutional to, “collect everything there is to know about everybody and have it all in one big government cloud.” And while SCOTUS was happy to reverse precisely this court in Section 702, both ACLU’s standing and the details of the program are much clearer this time. Had Congress legislated quickly, it likely would moot this and several other challenges to this dragnet. 

This way, at least, the courts will be forced to determine whether it is actually legal for the government to compile dossiers on every American and store them on a cloud.


Hospital Hero Jack Goldsmith, the Destroyer of the Internet Dragnet, Authorized the Internet Dragnet

As I noted earlier, I think the re-release of Jack Goldsmith’s May 6, 2004 OLC memo authorizing Stellar Wind is meant to warn Congress that the Executive does not believe it needs any Congressional authorization to spy on every American — just in time for the USA Freedom Act debate in the Senate. This is exactly parallel to similar provocations during the Protect America Act debate. In the past, such provocations led Congress to capitulate to Executive branch demands to tailor the program to their wishes.

That earlier post, however, implied that this warning pertains primarily to the phone dragnet.

It doesn’t. The warning also applies to the Internet dragnet (and I suspect that stories about the heroic hospital heroes shutting down the Internet dragnet have been dramatically overblown).

One of the very few things — aside from the name STELLAR WIND, over and over, as well as references to content collection that could have been released after President Bush admitted to that part of the program in 2005, and the title Secretary of Defense — that has been newly revealed is this bit of the Table of Contents (here’s the previous release for comparison).

[Screenshot: Table of Contents of the memo]

It shows that the memo discusses content, discusses telephony metadata, discusses something else, then concludes that content and metadata are both kosher under the Fourth Amendment. That already makes it clear that part IV is about metadata. The last sentence of the first full paragraph on page 19 does, too. Page 7 makes it clear that Fourth Amendment analysis applies to “both telephony and e-mail.” Much later in the memo, it becomes clear this section — pages 96 to 100 — deals with Internet metadata.

In fact, the only substantive newly unredacted parts of the memo appear on 101 (PDF 69) and then from 106 to 108.

All of this new information makes it clear that Goldsmith asserted that Smith v. Maryland applied for metadata — and applied to both phone and Internet metadata. Remarkably, in that analysis, the government keeps at least one paragraph addressing phone metadata hidden, but reveals the analysis at 106-7 (PDF 74-75) that applies to Internet. (Goldsmith’s claim that Internet users can get providers to turn off spam, at the bottom of 107, is particularly nice.)

In perhaps the most interesting newly released passage (out of the roughly 5 pages that got newly released!), Goldsmith absolves himself of examining what procedures the government was using in its “metadata” collection.

As for meta data collection, as explained below, we conclude that under the Supreme Court’s decision in Smith v. Maryland, 442 U.S. 735 (1979), the interception of the routing information for both telephone calls and e-mails does not implicate any Fourth Amendment interests.85

85 Although this memorandum evaluates the STELLAR WIND program under the Fourth Amendment, we do not here analyze the specific procedures followed by the NSA in implementing the program.  (101/PDF 69)

I find this utterly damning, given that we know that, for the following 5 years, the government would lie to FISC about whether their “metadata” contained content. Even the OLC opinion built in the Executive’s ability to collect content in the guise of metadata!

In any case, what is clear — again, just in time to impact the debate over USA Freedom, for which prospective call record collection might or might not be limited to telephone content — is that rather than legally shutting down the Internet dragnet in 2004, Jack Goldsmith authorized it.

And that authorization remains in place, telling the Executive it can collect Internet (and phone) “metadata” whether or not FISC or Congress rubberstamps it doing so. Not only that, but telling the Executive this analysis holds regardless of how inadequate their procedures are in implementing this program to ensure that no content gets swept up in the guise of metadata (which of course is precisely what occurred).

So the Administration, in releasing this “newly unredacted” memo, did one thing: tell Congress it will continue to collect phone and Internet “metadata” on its own terms, regardless of what Congress does.

Only one thing could alter this analysis of course: if the Courts decide that Smith v. Maryland doesn’t actually permit the government to collect all metadata, plus some content-as-metadata, in the country, if they say the Executive can’t actually collect “everything there is to know about everybody and have it all in one big government cloud,” as 2nd Circuit Judge Gerard Lynch described the implications of what we now know to be Goldsmith’s logic on Tuesday. But the courts are going to stop analyzing this question as soon as Congress passes USA Freedom Act. Moreover, the last check on the program — the unwillingness of providers to break the law — will be removed by the broad immunity provision included in the bill.

Not only didn’t Jack Goldsmith heroically legally shut down the Internet dragnet in 2004 (clearly President Bush did make several modifications; we just still don’t know what those are). But he provided a tool that is likely proving remarkably valuable as the Executive gets Congress and privacy NGOs to finish signing off on their broad authority.

The hospital heroes may have temporarily halted the conduct of the Internet dragnet — even while telling Colleen Kollar-Kotelly she had to rubber stamp ignoring the letter of the law because Congress couldn’t know about the dragnet — but they didn’t shut it down. Here it is, legally still operating, just in time to use as a cudgel with Congress.

Update: One other thing other reporting on this is missing — and not for the first time — is that whatever change they made to the Internet dragnet, it was by no means the only change after the hospital confrontation. They also took Iraqi targeting out (in some way). And there was a later April 2 modification that appears to have nothing to do with NSA at all (I have my theories about this, but they’re still theories). So it is too simple to say the hospital confrontation was exclusively about the Internet dragnet — the public record already makes clear that’s not the case.


Executive Still Hiding Its Phone Dragnet Self-Authorization, While Making Sure We Know It Has It


Back in February, Ron Wyden got then acting OLC head Caroline Krass to admit that Jack Goldsmith’s May 6, 2004 Stellar Wind authorization remained active. Although they could rely on it at any time, Krass suggested they weren’t, because FISA currently authorizes the very same phone dragnet that OLC authorized a decade ago.

In the follow-up questions for CIA General Counsel nominee Caroline Krass, Ron Wyden asked a series of his signature loaded questions. With it, he pointed to the existence of still-active OLC advice — Jack Goldsmith’s May 6, 2004 memo on Bush’s illegal wiretap program — supporting the conduct of a phone (but not Internet) dragnet based solely on Presidential authorization.

He started by asking “Did any of the redacted portions of the May 2004 OLC opinion address bulk telephony metadata collection?”

Krass largely dodged the question — but did say that “it would be appropriate for the May 6, 2004 OLC opinion to be reviewed to determine whether additional portions of the opinion can be declassified.”

In other words, the answer is (it always is when Wyden asks these questions) “yes.”

This is obvious in any case, because Goldsmith discusses shutting down the Internet dragnet program, and spends lots of time discussing locating suspects.

Wyden then asked if the opinion relied on something besides FISA to conduct the dragnet.

[D]id the OLC rely at that time on a statutory basis other than the Foreign Intelligence Surveillance Act for the authority to conduct bulk telephony metadata collection?

Krass dodged by noting the declassification had not happened so she couldn’t answer.

[snip]

Finally, Wyden asks the kicker: “Has the OLC taken any action to withdraw this opinion?”

Krass makes it clear the memo is still active, but assures us it’s not being used.

OLC generally does not reconsider the status of its prior opinions in the absence of a practical need by an element of the Executive Branch to know whether it can rely upon the advice in connection with its ongoing operations. My understanding is that any continuing NSA collection activities addressed in the May 6, 2004 opinion are being conducted pursuant to authorization by the Foreign Intelligence Surveillance Court, and thus do not rely on the advice of the opinion.

Last night, the government finally released a new version of that memo, reflecting all the things that have been declassified thanks to Edward Snowden’s leaks.

And it shows that a 15-page section of the memo authorize(s) the phone dragnet.

Only, that section is entirely redacted.

Even after the phone dragnet has been declassified for 15 months, the Executive refuses to show its claim that it can engage in that dragnet with or without Congressional authorization.

Understand what this amounts to: The Executive just waved its dick around in advance of Congressional action that may or may not reauthorize this program. It said, to Congress and to us, that it will continue operating its phone dragnet with or without Congressional authorization.

For what it’s worth, I think that’s a bluff. I believe Verizon would refuse to cooperate without explicit authorization from Congress and legal mandates it can show. But the Executive is, at least, trying to send a message that it doesn’t believe it needs anything so piddly as Congressional approval to spy on every single American.
