If One Judge Gives FISA Review, and Another Judge Gives FISA Review, All Hell Will Break Loose!

There have been a couple of developments on the government’s effort to continue its practice of shielding its dragnet from adversarial legal review behind the screen of FISA.

First, the 7th Circuit appears to want to punt on the question of whether or not Adel Daoud’s lawyer should be able to review the FISA materials used against him.

It claims (incorrectly, I suspect) it may not have the authority to review Sharon Coleman’s decision to give Daoud review.

A preliminary review of the short record indicates that the order appealed from may not be an appealable order.

Section 3731 of Title 18, United States Code, permits the United States to appeal certain rulings in a criminal case. The district court’s order of January 29, 2014, compelling disclosure of Foreign Intelligence Surveillance Act application materials to defense counsel having the necessary clearance, does not appear to fit within the statute’s list of orders that the government can appeal.

Meanwhile, in Oregon, the government has submitted its response to Mohamed Osman Mohamud’s discovery request for details of why the government didn’t tell him it had used FISA Section 702 to identify him before his trial. (h/t to Mike Scarcella on both documents)

I’ll come back to the substance of that response, as I think it shows the strategy the government will attempt to use to dig out of its discovery obligation hole in Section 702 cases.

But I wanted to point out footnote 19:

A district court order requiring the disclosure of FISA materials is a final order for purposes of appeal. See 50 U.S.C. § 1806(h). In the unlikely event that the Court concludes that disclosure of the classified FAA-related information that defendant requests may be required, given the significant national security consequences that would result from such disclosure, the government would expect to pursue an appeal. Accordingly, the government respectfully requests that the Court indicate its intent to do so before issuing any order, or that any such order be issued in such a manner that the United States has sufficient notice to file an appeal prior to any actual disclosure.

The government is pointing to what will surely be the core of the debate in the 7th Circuit, whether 50 USC 1806(h)’s mention of Appeals Court review of disclosure decisions trumps criminal code.

But it’s also revealing something else: with its suggestion that a judge might rule in favor of discovery and start handing over FISA warrant applications willy nilly, and therefore it should get warning before any judge rules against it, it betrays a concern that if judges actually so rule (even assuming they can appeal), it will harm their case.

The government seems to be admitting that one of the only things preventing judges from granting such review is the long history DOJ can point to when no judge has granted such review (which is a line they always use when defendants try to get such review).

It’s the taboo, the unquestioning deference courts have granted every time the Attorney General has claimed such review would harm national security without actually explaining why, that prevents defendants from getting review.

Not any real risk to national security.

And DOJ seems anxious to maintain the power of that taboo at all costs.

One more bit of ironic arrogance in this footnote: the government is suggesting it should get advance review on a ruling about the consequences they might suffer for failing to give a defendant advance review.

Update: I just noticed that Mohamud’s lawyer gave notice of the Daoud ruling and indicated that like Daoud’s lawyer, he also has TS/SCI clearance.

Update: Whoo boy. DOJ is panicking, I think. They’ve suggested that if either of two statutes they cite don’t give the 7th Circuit jurisdiction they should issue a writ of mandamus.

Finally, if the two statutory bases for appellate jurisdiction set forth above were not available, this Court would still have jurisdiction to issue a writ of mandamus to reverse the district court’s order pursuant to 28 U.S.C. § 1651.


Obama’s New Phone Dragnet Pre-Review Policy Supports Dragnet-as-Index Understanding

As I noted, yesterday the FISA Court released the motion and approval reflecting the changes to accessing the dragnet reflecting Obama’s promises from last month.

Effective immediately, we will only pursue phone calls that are two steps removed from a number associated with a terrorist organization instead of three. And I have directed the Attorney General to work with the Foreign Intelligence Surveillance Court so that during this transition period, the database can be queried only after a judicial finding, or in a true emergency.

These promises have been taken to limit all queries to two hops (which was NSA’s practice in any case) and, except in an emergency, to require FISC to approve the Reasonable Articulable Suspicion determination for an identifier before it is used to query the database.

That’s not exactly how the modification implements the change. Rather, it lays out 3 ways to access the database:

  • With prior FISC review, by motion, of the RAS determination
  • With an assertion of emergency from the Acting Director of NSA or DIRNSA, in which case FISC reviews it after the fact
  • Using an identifier for which FISC has already found probable cause under traditional FISA

Access under the terms of the last bullet, which has actually been part of dragnet orders since the second order, is accomplished in the supplement with this language:

For any selection term that is subject to ongoing Court-authorized electronic surveillance, pursuant to 50 U.S.C. § 1805, based on this Court’s finding of probable cause to believe that the selection term is being used or is about to be used by [redacted–describes a tie to a foreign terrorist organization], including those used by U.S. persons, the government may use such selection terms as “seeds” during any period of ongoing Court-authorized electronic surveillance without first seeking authorization from this Court as described herein. Except in the case of emergency, NSA will first notify the Department of Justice, National Security Division of its proposed use as a seed any selection term subject to Court-authorized electronic surveillance.

Now, with one minor caveat, I actually have no problem with this. As I said in this post, it makes sense that NSA should have access to the metadata of calls it already has access to content of. And this third access still complies with the language of Obama’s promise: rather than a judicial finding regarding RAS, such queries would have been justified by a judicial finding regarding probable cause, a much higher standard.

I’m mostly interested in this detail for what it might suggest about the way the NSA is currently using the dragnet. I have repeatedly focused on Theresa Shea’s description of how NSA uses the dragnet to prioritize which content they read.

Section 215 bulk telephony metadata complements other counterterrorist-related collection sources by serving as a significant enabler for NSA intelligence analysis. It assists the NSA in applying limited linguistic resources available to the counterterrorism mission against links that have the highest probability of connection to terrorist targets. Put another way, while Section 215 does not contain content, analysis of the Section 215 metadata can help the NSA prioritize for content analysis communications of non-U.S. persons which it acquires under other authorities. Such persons are of heightened interest if they are in a communication network with persons located in the U.S. Thus, Section 215 metadata can provide the means for steering and applying content analysis so that the U.S. Government gains the best possible understanding of terrorist target actions and intentions.

If this is primarily how the dragnet is currently being used — to tell NSA which call content that it has collected it should listen to or translate first — then it would explain why the FISC didn’t complain about having to approve a bunch of new query identifiers: because it wouldn’t really have to do much pre-approval beyond the traditional FISC warrant review it has already done.

And given that NSA ran queries on 288 identifiers in 2012, a year when FISC approved 1,788 FISA warrants (though some were for physical searches), it is feasible that many or even most of the dragnet queries were tied to FISC warrant targets.

If that’s right, it suggests the dragnet no longer serves primarily as the alert function it has been sold as, but instead serves an indexing function (which is, after all, what James Clapper said months ago).

So here’s my one caveat to my assertion that I have no problem with this.

In making this modification, DOJ actually changed the way they refer to what FISC-approved targets automatically qualify as RAS-approved. In the order itself, it describes it this way:

Selection terms that are currently the subject of electronic surveillance authorized by the Foreign Intelligence Surveillance Court (FISC) based on the FISC’s finding of probable cause to believe that they are used by [redacted description of tie to terrorism] including those used by U.S. persons, may be deemed approved for querying for the period of FISC-authorized electronic surveillance without review and approval by a designated approving official. The preceding sentence shall not apply to selection terms under surveillance pursuant to any certification of the Director of National Intelligence and the Attorney General pursuant to Section 702 of FISA, as added by the FISA Amendments Act of 2008, or pursuant to an Order of the FISC issued under Section 703 or Section 704 of FISA, as added by the FISA Amendments Act of 2008.

I think this works out to be a distinction without a difference, or even an improvement. The language of the order says targets of FISA orders — except those targeted under Section 702 (bulk collection targeted at foreigners outside the US), Sections 703 and 704 (US person target outside the US) — are pre-approved as dragnet identifiers. The language of the modification says targets only of traditional FISA orders (authorizing electronic surveillance of either US persons or foreign individuals in the US) are pre-approved for dragnet identifiers. If anything, the modification language is more narrow, as it would also exclude those against whom FISC has approved physical search warrants from automatic RAS approval. If this reading is correct, it would seem to support my supposition that the dragnet is increasingly serving primarily as an index to already-collected content.

But given the way they’ve expanded the intent of traditional FISA in the past, I do wonder whether something else is going on.

All that said, I mostly intend with this post to point to yet more evidence suggesting that the dragnet increasingly serves as an index rather than the early warning system it gets billed as.


Congress Currently Has Access to the Phone Dragnet Query Results

When Bernie Sanders asked the NSA whether it spied on Members of Congress, Keith Alexander responded, in part,

Among those protections is the condition that NSA can query the metadata only based on phone numbers reasonably suspected to be associated with specific foreign terrorist groups. For that reason, NSA cannot lawfully search to determine if any records NSA has received under the program have included metadata of the phone calls of any member of Congress, other American elected officials, or any other American without that predicate.

Alexander’s response was dated January 10, 2014, one week after the current dragnet order was signed.

It’s an interesting response, because one of the changes made to the dragnet access rules with the January 3 order was to provide Congress access to the data for oversight reasons. Paragraph 3D reads, in part,

Notwithstanding the above requirements, NSA may share the results from intelligence analysis queries of the BR metadata, including United States person information, with Legislative Branch personnel to facilitate lawful oversight functions.

This doesn’t actually mean Sanders (and Darrell Issa, Jerrold Nadler, and Jim Sensenbrenner, who sent a letter on just this issue yesterday) can just query up the database to find out if their records are in there. The legislature can only get query results — it can’t perform queries. And as of last week, all query identifiers have to be approved by the FISC.

Still, they might legitimately ask to see what is in the corporate store, the database including some or all past query results, which may include hundreds of millions of Americans’ call records. And Nadler and Sensenbrenner — as members of the Judiciary Committee — can legitimately claim to play an oversight role over the dragnet.

So why don’t they just ask to shop the corporate store, complete with all the US person data, as permitted by this dragnet order? While they’re at it, why not check to see if the 6 McClatchy journalists whose FOIA NSA just rejected have been dumped into the corporate store? (No, I don’t think giving Congress this access is wise, but since they have it, why not use it?)

Incidentally, this access for legislative personnel is not unprecedented. Starting on February 25, 2010 and lasting through 3 orders (so until October 29, 2010, though someone should check my work on this point) the dragnet orders included even broader language.

Notwithstanding the above requirements, NSA may share certain information, as appropriate, derived from the BR metadata, including U.S. person identifying information, with Executive Branch and Legislative Branch personnel in order to enable them to fulfill their lawful oversight functions…

Of course at that point, most of Congress had no real understanding of what the dragnet is.

Now that they do, Nadler and Sensenbrenner should use the clear provision of the dragnet order as an opportunity to develop a better understanding of what happens to query results and how broadly they implicate average Americans’ privacy.

Update: Added short explanation of corporate store.


Is Hemisphere Creating Problems for the Phone Dragnet?

You are all probably bored with my repeated posts about why the claim that NSA only collects 30% of US data is probably only narrowly true.

So I won’t discuss how absurd it would be to argue that the terrorist dragnet drawing on the records of at least 3 phone companies was less comprehensive than Hemisphere, the similar AT&T-specific database it makes available to hunt drug crime.

I just want to raise a methodological issue.

In her declaration submitted in support of the suits challenging the Section 215 dragnet, Theresa Shea emphasized something implicit in the Business Records order: the telecoms are only turning over records they already have.

[P]ursuant to the FISC’s orders, telecommunications service providers turn over to the NSA business records that the companies already generate and maintain for their own pre-existing business purposes (such as billing and fraud prevention).

Presumably, AT&T provides precisely this same data to the NSA for its master phone dragnet. That is, to the extent that AT&T compiles this data in particular form, that may well be the form it hands onto NSA.

And that’s interesting for several reasons.

Hemisphere includes not just AT&T call records. It includes records from “CDRs for any telephone carrier that uses an AT&T switch to process a telephone call.” It gets 4 billion call records a day, including international ones and cell ones. As Scott Shane explained,

AT&T operates what are called switches, through which telephone calls travel all around the country. And what AT&T does in this program is it collects all the—what are called the CDRs, the call data records, the so-called metadata from the calls that we’ve heard about in the NSA context. This is the phone number—phone numbers involved in a call, its time, its duration, and in this case it’s also the location. Some are cellphone calls; some are land line calls. Anything that travels through an AT&T switch, even if it’s not made by an AT&T customer—for example, if you’re using your T-Mobile cellphone but your call travels through an AT&T switch somewhere in the country, it will be picked up by this project and dumped into this database.

Which supports the report from last summer that the government can get T-Mobile calls off AT&T’s records. These are the pre-existing records that NSA can come get and they include T-Mobile calls.

There’s another interesting part of that. As I noted the first two phone dragnet orders provided for compensation to the providers, even though the statute doesn’t envision that. That would bring you to November 2006; Hemisphere started in 2007, with funding from ONDCP, the White House Drug Czar. Remember, too, that FBI had the equivalent of Hemisphere onsite until late 2007-2008. That is, one thing Hemisphere does is pay for one provider to store what serves as a good baseline dragnet that can then be handed over to the NSA. That’s significant especially given Geoffrey Stone’s claims that the dragnet is not comprehensive because of the cost involved: there should be no cost, but somehow it’s driving decisions.

In any case, as luck would have it, Hemisphere got exposed at the same time as the dragnet.

Hemisphere operates with different legal problems than the NSA phone dragnet. At least with the phone dragnet, after all, AT&T has been compelled to turn over records; with Hemisphere they’re effectively retaining them voluntarily to turn surveillance into a profit center (though they do get compelled on an order-by-order basis). Moreover, AT&T’s far more exposed by the publication on Hemisphere than it is on the NSA dragnet (or perhaps, than even Verizon is under the phone dragnet). The exposure of Hemisphere might make AT&T more hesitant to “voluntarily” retain this data.

Finally, as the amicus challenge EFF and ACLU submitted in a criminal case in Northern California notes, Hemisphere includes precisely the data the NSA is struggling with: cell location data.

Hemisphere goes even further than the NSA’s mass call-tracking program, as the CDRs stored in the Hemisphere database contain location information about callers (see Hemisphere Slide Deck at 3, 13), thus implicating the specific concerns raised by five Justices in Jones. See 132 S. Ct. at 955 (Sotomayor, J., concurring) (“wealth of detail about [a person’s] familial, political, professional, religious, and sexual associations” revealed through “trips to the psychiatrist, the plastic surgeon, the abortion clinic,” etc.) (internal quotation marks, citation omitted); id. at 964 (Alito, J., concurring).

The FISC has created all sorts of problems for NSA to store cell location data, most explicitly with Claire Eagan’s order in July specifically prohibiting it.

But here AT&T is, creating the opportunity for the perfect challenge to use Jones to challenge location in a dragnet specifically.

Which is all a way of saying that the tensions with the phone dragnet may not be entirely unrelated to the fact that Hemisphere also got challenged.


Omaha! Omaha! The Alert that Won’t Alert

The FISA Court just released the January 3, 2014 phone dragnet order, DOJ’s motion to amend it to meet Obama’s new dragnet terms, and the approval for that.

But those changes are of the least interest in these documents. I’ll explain the loophole to the changes tomorrow.

For now, consider that the NSA reportedly can’t get its automated chaining program to work. In the motion to amend, footnote 12 — which modifies part of some entirely redacted paragraphs describing its new automated alert approved back in 2012 — reads:

The Court understands that to date NSA has not implemented, and for the duration of this authorization will not as a technical matter be in a position to implement, the automated query process authorized by prior orders of this Court for analytical purposes. Accordingly, this amendment to the Primary Order authorizes the use of this automated query process for development and testing purposes only. No query results from such testing shall be made available for analytic purposes. Use of this automated query process for analytical purposes requires further order of this Court.

PCLOB describes this automated alert this way.

In 2012, the FISA court approved a new and automated method of performing queries, one that is associated with a new infrastructure implemented by the NSA to process its calling records. The essence of this new process is that, instead of waiting for individual analysts to perform manual queries of particular selection terms that have been RAS approved, the NSA’s database periodically performs queries on all RAS-approved seed terms, up to three hops away from the approved seeds. The database places the results of these queries together in a repository called the “corporate store.”

It has been 15 months since FISC approved this alert, but NSA still can’t get it working.

I suspect this is the root of the stories claiming NSA can only access 30% of US phone records.

And I think it probably does have to do with cell data and what they get from other programs — just not in the way the reports said it did.

I’ll explain that in a follow-up.


PCLOB Chair David Medine on the 30% Claims

As Ken Dilanian pointed out in his story on the claim that NSA only collects 30% of phone records, in his testimony before the House Judiciary Committee, David Medine suggested “virtually all telephone records of every American” are collected — and he suggests these records are collected under Section 215.

Yet his references are more ambiguous than that. He admits that only some telecoms receive Section 215 orders.

The FISC order authorizes the NSA to collect nearly all call detail records generated by certain telephone companies in the United States, and specifies detailed rules for the use and retention of these records.

But then he makes 3 further references to some form of comprehensive collection.

And while eliminating a U.S. nexus to foreign plots can help the intelligence community focus its limited investigatory resources in time-sensitive situations by channeling efforts where they are needed most, our report questions whether the American public should accept the government’s routine collection of all of its telephone records because it helps in cases where there is no threat to the United States.

[snip]

Moreover, when the government collects all of a person’s telephone records, storing them for five years in a government database that is subject to high-speed digital searching and analysis, the privacy implications go far beyond what can be revealed by the metadata of a single telephone call.

[snip]

But while those rules offer many valuable safeguards designed to curb the intrusiveness of the program, in the Board’s view they cannot fully ameliorate the implications for privacy, speech, and association that follow from the government’s ongoing collection of virtually all telephone records of every American. [my emphasis]

With that in mind, I wanted to consider Medine’s answer to Richard Blumenthal’s questions about the 30% claims.

He starts by suggesting that if the claim were true it would not change PCLOB’s analysis.

Blumenthal: Would the apparent revelation that perhaps only a proportion of this telephone data was collected change in any way the conclusions of your report?

Medine: I don’t think we can address in public session the pros and cons of that conclusion but we’d be happy to meet with the committee in private session. But even if the reports are true it still means that hundreds of millions of telephone records are being collected and so, at least it’s my view, that it would not change the recommendations of the board.

The implication from this passage is that PCLOB did not know the collection was partial when they made their recommendations.

Medine’s dodges are more interesting in response to Blumenthal’s suggestion the Government has made false representations to Courts about obtaining all records (though note my comments on the ambiguity of that language here).

Blumenthal: Would it undercut the accuracy of the representations made by the United States Government to the Courts to justify this program?

Medine: Again, I don’t want to comment on that because some of this matter still remains classified and I think there’s more to be said on that but I don’t think it can be said in public session.

It seems that Medine suggests the Government’s claims are more complex than they might appear (though I may be reading into his answer my observation that the claims actually are ambiguous about how the government obtains its complete haystack).

Finally, Medine dodges again wholesale.

Blumenthal: Well, let me put it differently, wouldn’t you agree with me that the United States government has misled the Courts, whether purposefully or inadvertently in justifying this program on the basis that all telephone records are collected?

Medine: Again, I’m not prepared to confirm any of the reports that have been made and so I don’t want to draw any conclusions about representations that were made in court proceedings.

This answer may support the 30% claims more than earlier ones: it suggests Medine might be able to confirm such a claim.

Nevertheless, if the government has misrepresented the program, then so has Medine.

The one explanation that would address all this ambiguity, of course, is if the few providers that do receive orders provide the call records their backbones treat, not just the call records their own customers generate.


NSA’s Single Section 215 Success Would Probably Be Impossible If NSA’s Latest Claims Were True

It looks increasingly like the sole Section 215 success the FBI has had would be impossible under the claims about limits to dragnet collection NSA leaked last week.

Last week, four journalists reported that the NSA doesn’t collect cell phone data in its phone dragnet program (they presumably meant, but did not specify, just the Section 215-authorized phone dragnet, which is just a small part of the phone dragnet). (WSJ, WaPo, LAT, NYT) As a result — these reporters claimed — as more and more Americans rely on cell phones, the NSA’s phone dragnet has come to cover just 20 to 30% of the phone data in the US.

As I noted, the claim was particularly curious given that all the major examples in which the NSA has used the phone dragnet involved cell phone users.

Still, even in those cases, it was possible that NSA got the phone records via interim hops. That is, if a land line user whose calls were picked up in the dragnet called two cell phones, those numbers would be identified, though their calls to other cell users would not (again, this is if these recent claims are correct).

All that said, the sole case where the dragnet found someone with ties to terrorism they otherwise would not have identified, San Diego taxi driver Basaaly Moalin, increasingly looks to have been impossible under the terms now claimed by NSA leakers.

That’s because Moalin and his known US-based interlocutor through whom the government says he communicated with Somali warlord Aden Ayro, hawala operator Mohamed Ahmed, both used cell phones, both from T-Mobile, according to Moalin’s attorney Joshua Dratel. The government has said it identified Moalin on at least the second hop. If that interim hop was Ahmed, Ahmed’s calls to Moalin would not have been collected, if the NSA’s current claims are true.

Assuming Ahmed was that interim hop, then, the dragnet could not have identified Moalin, at least not under the limits currently claimed by the NSA and the public claims made about the investigation into Moalin.

There are several possible explanations for why the phone dragnet did find him.

First, it’s possible the claims are entirely false, and that the NSA includes T-Mobile in its Section 215 collection. I think that’s unlikely; for a variety of reasons I believe just 3 providers — AT&T, Verizon, and Sprint — get Secondary Orders under the phone dragnet.

It’s possible that an earlier WSJ story (cited by several of these reporters) correctly described how T-Mobile data gets included in the dragnet: via the backbone provider of the networks T-Mobile uses (which, if claims Verizon doesn’t provide cell data are true, would mean AT&T provided it).

The National Security Agency’s controversial data program, which seeks to stockpile records on all calls made in the U.S., doesn’t collect information directly from T-Mobile USA and Verizon Wireless, in part because of their foreign ownership ties, people familiar with the matter said.

The blind spot for U.S. intelligence is relatively small, according to a U.S. official. Officials believe they can still capture information, or metadata, on 99% of U.S. phone traffic because nearly all calls eventually travel over networks owned by U.S. companies that work with the NSA.

[snip]

When a T-Mobile or Verizon Wireless call is made, it often must travel over one of these networks, requiring the carrier to pay the cable owner. The information related to that transaction—such as the phone numbers involved and length of call—is recorded and can then be passed to the NSA through its existing relationships. Additionally, T-Mobile relies on other wireless companies to fill holes in its infrastructure. That shared equipment could allow the government to collect the data.

If that’s the case, however, it means the only way the current claims about the Section 215 dragnet are true is if this collection happens offshore, counting as EO 12333 collection. Which would further mean that even with 20% coverage from domestic production, the NSA still gets most calls in the US.

Finally, it’s possible the dragnet identified Moalin via collection entirely collected overseas. Which would mean the claims he was identified under Section 215 — made repeatedly to Congress (though not, curiously, in declarations in the lawsuits against the dragnet) — would be false. It would also mean his prosecution was based on the foreign collection of US person data under no more than an Executive Order.

Here’s the remarkable thing about those two last possibilities. At least as late as March 2009, the NSA could not distinguish the data source for its dragnet query results. A query result from October 2007, when Moalin was first identified, might not distinguish between EO 12333 and Section 215 in the results — though at least according to FISC orders, the Section 215 data may not have gotten mixed in with the EO 12333 data yet. (By 2011, results came back tagged with XML tags to identify not only what authority the data was collected under, but which SIGAD collection point it had been collected from, though some data points get collected under more than one authority and collection point.)  That means, unless NSA knows for a fact how it collected T-Mobile data back in 2007, it may not know how it found Moalin. And if it found Moalin off an EO 12333 search, NSA would not have needed even Reasonable Articulable Suspicion to search for connections. It is possible that if NSA initiated the search on any Somali but Aden Ayro (Ayro had ties with Al Qaeda beyond just his al-Shabaab membership and therefore would meet RAS guidelines), they would not have had Reasonable Articulable Suspicion that the identifier had ties to Al Qaeda.

In any case, as I laid out, there are a number of ready explanations for how the dragnet identified Moalin even though he and one likely intermediary were using phones purportedly not collected under the dragnet. But those explanations either mean the recent claims about the extent of the dragnet collection are false, or there are many more questions about how Moalin got targeted.


On the Day Ron Wyden Asked Whether NSA Complied with US v. Jones, It Collected 4 Billion Cell Location Records

As part of my new focus on leaked claims that the NSA can’t collect call data because of problems stripping out cell location data, I want to look at the two exchanges Ron Wyden and James Clapper have had about cell location data.

First, at the Global Threats Hearing 2 years ago just after the US v. Jones decision ruled GPS tracking a search (watching Ron Wyden discomfit Clapper at Threat Hearings used to be my exclusive beat, you know), they had this exchange.

Wyden: Director Clapper, as you know the Supreme Court ruled last week that it was unconstitutional for federal agents to attach a GPS tracking device to an individual’s car and monitor their movements 24/7 without a warrant. Because the Chair was being very gracious, I want to do this briefly. Can you tell me as of now what you believe this means for the intelligence community, number 1, and 2, would you be willing to commit this morning to giving me an unclassified response with respect to what you believe the law authorizes. This goes to the point that you and I have talked, Sir, about in the past, the question of secret law, I strongly feel that the laws and their interpretations must be public. And then of course the important work that all of you’re doing we very often have to keep that classified in order to protect secrets and the well-being of your capable staff. So just two parts, 1, what you think the law means as of now, and will you commit to giving me an unclassified answer on the point of what you believe the law actually authorizes.

Clapper: Sir, the judgment rendered was, as you stated, was in a law enforcement context. We are now examining, and the lawyers are, what are the potential implications for intelligence, you know, foreign or domestic. So, that reading is of great interest to us. And I’m sure we can share it with you. [looks around for confirmation] One more point I need to make, though. In all of this, we will–we have and will continue to abide by the Fourth Amendment. [my emphasis]

We now have proof (as if Wyden’s hints weren’t enough of a tell, given his track record) that NSA was collecting cell location at the time of Wyden’s question. While the exchange took place after (according to NSA’s public claims) NSA’s domestic experiments with cell data under Section 215 ended, it suggests the actual NSA collection took place outside of Section 215.

As it happens, NSA’s own slide shows that on the day Wyden asked the question — January 31, 2012 — it collected around 4 billion cell location records (it was a slow day that day — NSA had been collecting closer to 5 billion records a day in 2012). That collection presumably would have been conducted under EO 12333.

Given that we know NSA collected around 4 billion cell location records that day, I’m particularly struck by Clapper’s emphasis on two things: First his suggestion that the legal analysis might be different for an intelligence use than for a law enforcement use. Given his claim the IC abided by the Fourth Amendment, I assume he imagines they have a Special Need to suck up all this cell location data that makes such searches “reasonable.”

Also note his reference to “foreign or domestic.” I’m guessing the IC was also busy arguing that, in spite of the US person cell locations they were ingesting, because they were doing so in a foreign location, it didn’t violate the Fourth Amendment.

With all that in mind, consider Wyden’s question to Keith Alexander on September 26, just before Alexander admitted to the past Section 215 experiments as some kind of limited hangout.


Section 215 FISC Orders Specifically Included Mobile Phone IDs Starting in 2008

I’ve been obsessing on when and whether telecoms turn over cell phone data under Section 215 and EO 12333 for the last several days. So I want to point out a change in the FISC orders for the Section 215 phone dragnet starting in 2008.

Here’s how the April 3, 2008 Section 215 FISC order describes the metadata to be turned over to NSA:

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, communications device identifier, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

Here’s how the August 19, 2008 order and (I believe) all subsequent orders describe the metadata to be turned over to the NSA.

Telephony meta data includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) numbers, International Mobile Station Equipment Identity (IMEI) etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony meta data does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. [my emphasis]

In both cases, these paragraphs end with a footnote that starts, “The Court understands that the,” followed by redacted language that would probably be very instructive in explaining where and how the telecoms got their data.

The IMSI is a subscriber’s account number — basically the number tied to the SIM card. The IMEI is a phone handset’s ID number. Drone targeting may track both numbers.

Amid claims the NSA doesn’t collect cell phone data, I find it notable that NSA started asking for cell phone identifiers back in 2008. (I find it equally notable that they started asking for IMSI and IMEI on the second docket after NSA put a copy of the Section 215 data onto the same server as the EO 12333 data). That was also the year that Tempora — under which GCHQ accessed huge amounts of Internet and phone data off Transatlantic cables, including from Verizon — was first piloted.

I don’t think that proves definitively that NSA was collecting cell phone data (though the WSJ reported last June that it was collecting cell data directly from AT&T and Sprint, with T-Mobile and Verizon data coming from another source). Depending on where providers got the data (on a daily basis, remember) to provide to NSA, they would have the IMSI and IMEI data on phones in contact with their land lines.

But the NSA has been collecting data about cell phones at least since 2008.

Which raises real questions about claims they don’t know how to integrate cell phone data into their database.

Update: To answer Dr. Pitchfork’s question, 4 national journalists reported on Friday that the NSA only “gets” 20 to 30% of US phone data because they don’t get cell data. Even ignoring details like the explicit mention of cell data in the 215 orders, their story doesn’t make any sense. I think the real problem may arise from a recent FISC order and Verizon’s split from Vodafone.


Is There a 702 Certificate for Transnational Crime Organizations?

Update, 9/8/15: We’ve subsequently learned, in 2015, that the third certificate in 2011 was a vaguely defined “foreign government” one, which has been used very broadly (and lied about by the government on multiple occasions). NSA was contemplating a cyber certificate in 2012, but Bates’ 2011 decision may have made the terms of that difficult.

I joked yesterday that James Clapper did no more than cut and paste to accomplish President Obama’s order of providing a list of acceptable bulk collection. But I’d like to note something about the list of permissible uses of bulk collection.

  1. Espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;
  2. Threats to the United States and its interests from terrorism;
  3. Threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;
  4. Cybersecurity threats;
  5. Threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and
  6. Transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named above.

For months, I have been noting hints that the use of Section 702 — which is one of several kinds of domestic bulk collection — is limited by the number of certifications approved by FISC, which might be limited by FISC’s assessment of whether such certifications establish a certain level of “special need.”

In 2011, it seems clear from John Bates’ opinion on the government’s Section 702 applications, there were 3 certifications.

[Image: Screen shot 2013-12-19 at 7.10.00 AM]

If there are just 3 certifications, then it seems clear they cover counterterrorism, counterproliferation, and cybersecurity (which is consistent with both ODNI’s public descriptions of Section 702 and the Presidential Review Group’s limits on it), 3 of 6 of the permitted uses of bulk collection.

Furthermore, there’s some history (you’ll have to take my word for this for now, but the evidence derives in part from reports on the use of National Security Letters) of lumping in Counterintelligence and Cybersecurity, because the most useful CI application of bulk collection would target technical exploits used for spying. So if that happens with 702 collection, then 4 of the 6 permissible applications would be covered by existing known certifications.

Threats against Armed Forces would, for the most part, be overseas, suggesting the bulk collection on it would be too. (Though it appears Bush’s illegal program used the excuse of force protection to spy on Iraqi-related targets, potentially even in the US, until the hospital confrontation stopped it.)

Which leaves just transnational crime threats — against which President Obama rolled out a parallel sanctions regime to terrorism in 2011 (though there had long been a regime against drug traffickers) — as the sole bulk collection that might apply in the US that doesn’t have certifications we know about.

Given that at least drug cartels have a far more viable — and deadly — operation in the United States than al Qaeda, I can’t think of any reason why the Administration wouldn’t have applied for a certification targeting TCOs, too (one of Treasury’s designated TCO targets — Russian and East European mobs — would have some overlap with the cyber function, and one — Yakuza — just doesn’t seem like a big threat to the US at all).

And last year’s Semiannual Compliance Assessment may support the argument that there are more than 3 certificates. In its description of the review process for 702 compliance, the report lays out review dates by certifications. Here’s the NSA review schedule:

[Image: Screen Shot 2014-02-11 at 9.49.59 AM]

This seems to show 4 lines of certifications, one each in August and December, but two in October. Perhaps they re-review one of the certifications (counterterrorism, most likely). But if not, it would seem to suggest there’s now a 4th certification.

Here’s the FBI review schedule (which apparently requires a lot more manual review).

[Image: Screen Shot 2014-02-11 at 12.30.28 PM]

Given that this requires manual review, I wouldn’t be surprised if they repeated the counterterrorism certifications review (and we don’t know whether all the NSA certifications would be used by FBI). But the redactions would at least allow for the possibility that there is a 4th certification, in addition to the 3 we know about.

Perhaps Obama rolled out TCOs as a 4th certification as he rolled out his new Treasury initiative on it (which would be after the applications laid out by Bates).

Of course, we don’t know. But I think two things are safe to say. First, the use of 702 is tied to certifications by topic. Second, the public statement about permissible use of bulk collection would seem to envision the possibility of a 4th certification covering TCOs, and with it, drug cartels.
