US Official Position Says Hacking Is Permissible?

According to LAT’s Ken Dilanian, it is the “official position” of the US government that some kinds of hacking are “permissible.”

The official U.S. position — that governments hacking governments for military and other official secrets is permissible, but governments hacking businesses for trade secrets is not — is a tougher sell these days.

He makes the claim in an article that originally claimed Edward Snowden’s leaks have set back cybersecurity efforts, but then had to issue a correction acknowledging CISPA probably wasn’t going to happen anyway.

An article in the Feb. 2 Section A on the effects of Edward Snowden’s leaks of National Security Agency secrets said the White House backed the Cyber Intelligence Sharing and Protection Act, a cybersecurity measure. The White House threatened to veto the proposed bill in April.

I take from this correction that Dilanian was fairly uncritically repeating the claims of NSA boosters — as other reporters have credulously repeated claims about the way Snowden’s leaks will affect cybersecurity initiatives.

Which is why I find his description of this “official position” so interesting.

I’m not aware of the US endorsing any official (public) policy on the kinds of hacks NSA (and CyberCommand) are permitted. Congress has tried to put some limits on it — or at least get briefed on it. And Keith Alexander successfully fought for a lot more autonomy over the hacks he could do.

The Executive does, however, have an official policy on SIGINT: President Obama’s recent Presidential Policy Directive. But a SIGINT official position and a hacking policy are not necessarily the same thing. While hacking is one way we collect SIGINT (though I don’t think NSA has admitted to that), we also conduct hacking for offensive purposes.

Even assuming they were the same thing, Dilanian’s characterization would be a misstatement of the policy in any case.

The actual policy permits the collection of SIGINT for broadly defined foreign intelligence purposes.

Thus, “foreign intelligence” means “information relating to the capabilities, intentions, or activities of foreign governments or elements thereof, foreign organizations, foreign persons, or international terrorists,

Of course, corporations are, under US law, both “organizations” and “persons,” so this definition permits spying on foreign corporations (other intelligence documents lay this out explicitly).

And the PPD does permit the collection of foreign private commercial information to protect US and allies’ national security.

The collection of foreign private commercial information or trade secrets is authorized only to protect the national security of the United States or its partners and allies. It is not an authorized foreign intelligence or counterintelligence purpose to collect such information to afford a competitive advantage to U.S. companies and U.S. business sectors commercially.

This is, frankly, where our hypocrisy on hacking (and SIGINT) begins to fall apart, given that China would maintain that stealing our military (and energy and tech) secrets is a matter of national security, and the fact that our government maintains more nominal separation from the companies that develop such things than China does should not shield those companies from spying.

And then, finally, the limits on data collection don’t apply when the NSA is working to develop SIGINT capabilities.

it shall not apply to signals intelligence activities undertaken to test or develop signals intelligence capabilities.

Given that some of our alleged hacking seems to support efforts to develop new hacking capabilities, this exception could prove infinitely recursive, especially given the rules on information collection in the name of cyberdefense and attacks. And of course, when we exploited Siemens’ SCADA industrial control systems to attack Iran, we used a corporate competitor’s trade secrets in the name of national security.

That is, even ignoring how America’s self-interested standard simply defines our national security in terms that legitimize our own hacking, when you get into the interaction of our intelligence to hack which serves to collect intelligence, the rules on SIGINT basically fall apart.

But hey. If the US says hacking of official government secrets is “permissible,” then maybe DOJ will withdraw the charges against Edward Snowden?

For the Purposes of Analytical Efficiency, Making Copies of the Dragnet

In 2008, NSA started copying the dragnet (or started telling the FISA Court it was doing so).

Starting with the January docket BR 08-01 (the date is illegible but it should be around January 4, 2008), the orders added a footnote saying,

5 The Court understands that for the purposes of analytical efficiency a copy of meta data obtained pursuant to the Court’s Orders in this matter will be stored in the same database with data obtained pursuant to other NSA authorities and data provided to NSA from other sources. Access to such records shall be strictly limited in accordance with the procedures set forth in paragraphs A – G.

The footnote would appear in four more orders that year: BR 08-04 4/3/08; BR 08-07 6/26/08; BR 08-08 9/19/08?. Then it disappeared in the December 11, 2008 docket, BR 08-13 12/11/08. It did not appear in any other orders, though starting with the October 29, 2010 docket BR 10-70, a different footnote noted that “NSA will maintain the BR metadata in recovery back-up systems.”

The change almost certainly relates to the federated query system, in which all the data from EO 12333 collection (and, given the reference to “data provided to NSA from other sources,” probably GCHQ collection) was and, at least until 2011, remained accessible from one interface.

The footnote almost certainly does reflect a change in the way NSA handled the data (that is, in this case NSA informed FISC in timely fashion), because by April of that year, 31 “newly trained” NSA analysts were caught querying domestic phone data using 2,373 identifiers without knowing they were doing so, which seems to indicate the “newly trained” analysts just kept querying metadata as they would have using EO 12333 collected data. Though NSA didn’t tell FISC about that until 6 months later. In the interim (in August 2008), NSA also told FISC about how it correlated numbers — which we know works across data sources, not exclusively within the domestic data collection.

In other words, NSA was slowly integrating the phone dragnet in with its larger metadata collection, and informing — perhaps even more slowly — FISC what that meant.

In spite of the disappearance of the footnote in the first orders dealing with the dragnet problems in 2009, the NSA did not segregate the data from the federated interface. That’s clear from a memorandum of understanding NSA issued sometime after March 18, 2009 indicating that access to one metadata repository had been shut down, but four were still accessible:

  • SIGINT dating back to 1998
  • [redacted — which could be STELLAR WIND data or could be foreign-supplied data]
  • BRFISA dating back to May 2006
  • PR/TT dating back to a redacted date that public records show to be July 2004

Given the previous inclusion of 3,000 US persons in with other queries, it’s possible the newly excluded collection consisted of GCHQ collected data that included significant US person data.

I raise all this to point out one of the inherent dangers with the dragnet. A program that was billed as a simple collection designed to serve FBI needs got integrated within 2 years of inception, creating a great deal of problems, without reconsideration of whether the stated purpose of the dragnet still matched what the by-then clearly different intent was. And this from a program that was supposed to be closely minimized.

Oh by the way, NSA told the FISC, we made an extra copy of the database of all phone-based relationships in the United States. Because it’s more efficient to have two databases.

Michael Hayden: Bulk Collection Is Better for Privacy than Particularized Collection

Michael Hayden’s wisdom:

Frankly, metadata is one way that you arrive at those specific targeting conclusions in a way that certainly, from the American perspective, does not squeeze privacy very much because it is bulk collection, not particularized collection.

According to the former Director of NSA, bulk metadata collection is more privacy protective than particularized collection is.

I get what he’s trying to say: because the government works at the level of metadata, NSA only looks at communications from a structural perspective, rather than listening in to find what to listen to, until it has reason to be interested. That ignores everything you see from that network structure, and the degree to which it infringes on perfectly innocent associations.

More importantly, that Hayden doesn’t understand that the statement itself is nonsensical is a testament to how far down the rabbit hole he has gone.

Goldilocks Porridge of NSA Reform

Since Obama’s speech on the dragnet, I’ve been skeptical the promise to obtain court review before conducting phone dragnet searches means anything. There’s nothing — not a thing — in the actual speech or the White House fact sheet accompanying it that distinguishes the allegedly new court review from the review that already exists.

The President has directed the Attorney General to work with the Foreign Intelligence Surveillance Court so that during this transition period, the database can be queried only after a judicial finding, or in a true emergency.

After all, the FISC quarterly approves which terror (and Iranian) groups NSA can target in the dragnet. That’s a judicial finding! Without more specificity, there’s no reason to believe this is any further review than already occurs.

In an off-the-record briefing before the speech (I didn’t listen in but saw a transcript), anonymous Senior Administration Officials did insist this meant an individualized review of each identifier to be queried (though there were no details about whether the court had to approve each query using that identifier; also, the SAOs indicated no limits would be put on using Section 215 to engage in bulk collection or querying of other items). Though one reason Executive Branch officials like to do off the record briefings is so their credibility can’t be challenged if their secret assurances prove to be hollow. And how would anyone prove these claims to be hollow, in any case, given that all of these reviews are secret?

That background is one reason I’m intrigued by Siobhan Gorman’s tick-tock of how the White House included this review as a very last minute sop to the Review Group, in response to pushback in a January 15 meeting.

Top White House officials, including National Security Adviser Susan Rice, met the afternoon of Jan. 15 with the members of the NSA review panel, which had issued an influential report a month earlier calling for an overhaul of key surveillance programs. The meeting turned tense, though not combative.

The panel had proposed a restructuring that would store telephone data outside the U.S. government and require NSA to obtain approval from the secret Foreign Intelligence Surveillance Court to conduct a search of the database. Currently, NSA searches are governed by an internal process.

White House officials told panel members at the meeting that they were inclined to move the phone data out of the NSA’s hands. But they didn’t mention judicial review of the searches.

The panel’s response was “that’s half” of their recommendation, according to a person close to the review panel. Some panel members interpreted the White House officials’ failure to mention judicial review as a sign that the recommendation wouldn’t be adopted, said several people familiar with the talks.

Appealing to the White House officials, panel members said that without judicial approval, “there’s no way you can restore trust” from the public, said a person familiar with the talks.

[snip]

White House officials appeared “rattled” by the pushback, the person said. “It caused them to regroup.”

The next day—the day before Mr. Obama’s speech—White House officials inserted a new section into the speech that required judicial approval of a search from the secret court, which oversees many of NSA’s surveillance programs.

But even that evening, White House officials were struggling with whether the president could singlehandedly impose such requirements on another branch of government. They sought late-night advice from the Justice Department on how to structure the rule, trying to make it more collaborative than compulsory, a U.S. official said.

Which is how, Gorman goes on, they came up with language that on its face doesn’t impose any new review.

But there are several things that don’t make sense with this story.

First, the NSA Review Group didn’t recommend this kind of individualized review for Section 215, though they did say the intent of the law was to permit the government to query providers on individual orders after getting FISC authorization, suggesting such review is implicit.

As originally envisioned when section 215 was enacted, the government can query the information directly from the relevant service providers after obtaining an order from the FISC.

They did recommend judicial review for National Security Letters (and Gorman’s story makes it clear this discussion was wrapped up in a discussion of the Review Group’s recommendations for NSLs). But the Review Group’s recommendations focused on ending bulk collection and moving whatever remained out of government hands. Obama outright rejected the first recommendation and punted the second to a Congress that won’t adopt it.

PCLOB, on the other hand, did recommend something much closer to individualized review for the transition period (though they recommended it come after queries were made).

(c) submit the NSA’s “reasonable articulable suspicion” determinations to the FISC for review after they have been approved by NSA and used to query the database;

Though their last meeting with the White House was on January 8, well before this last-minute addition.

In any case, this last minute change is pitched — by someone described as a “person familiar with the intelligence-agency discussions” — as central to a Goldilocks “just right” solution that left both privacy advocates and the intelligence community placated.

The White House strategy appears to have muted major criticism, both from privacy advocates and intelligence officials.

While privacy advocates said they had wanted Mr. Obama to require more privacy safeguards, their primary message has been that the true effect of the overhauls can’t be known until they are implemented.

Among the spy agencies, there’s relief that Mr. Obama’s speech didn’t criticize the surveillance operations.

“Nobody lost, nobody won,” said one person familiar with the intelligence-agency discussions. “That’s the nature of our government.”

Except the privacy advocate view portrayed here (with no source) doesn’t resemble the view I’m hearing from privacy advocates, who are focusing on Congress and on more pressure. That is, at least the Goldilocks conclusion, that this represents a happy middle, seems to be IC propaganda, perhaps designed to hide how little has actually changed (and unless we can trust Administration officials who would not speak on the record, this last minute solution is useless). It takes a story that claims the Review Group recommendation was to provide judicial review — not to end bulk collection — and declares the Review Group got what they wanted.

They didn’t.

All of this in an article published in the news hole of a Friday night.

When Judge Reggie Walton Disappeared the FBI Director: The Tell that FISC Wasn’t Following the Law

SEN. MIKULSKI: General Clapper, there are 36 different legal opinions.

DIR. CLAPPER: I realize that.

SEN. MIKULSKI: Thirty-six say the program’s constitutional. Judge Leon said it’s not.

Thirty-six “legal opinions” have deemed the dragnet legal and constitutional, its defenders say defensively, over and over again.

But that’s not right — not by a long shot, as ACLU’s Brett Max Kaufman pointed out in a post yesterday. In its report, PCLOB confirmed what I first guessed 4 months ago: the FISA Court never got around to writing an opinion considering the legality or constitutionality of the dragnet until August 29, 2013.

FISC judges, on 33 occasions before then, signed off on the dragnet without bothering to give it comprehensive legal review.

Sure, after the program had been reauthorized 11 times, Reggie Walton considered the more narrow question of whether the program violates the Stored Communications Act (I suspect, but cannot yet prove, that the government presented that question because of concerns raised by DOJ IG Glenn Fine). But until Claire Eagan’s “strange” opinion in August, no judge considered in systematic fashion whether the dragnet was legal or constitutional.

And the thing is, I think FISC judge — now Presiding Judge — Reggie Walton realized around about 2009 what they had done. I think he realized the program didn’t fit the statute.

Consider a key problem with the dragnet — another one I discussed before PCLOB (though I was not the first or only one to do so). The wrong agency is using it.

Section 215 does not authorize the NSA to acquire anything at all. Instead, it permits the FBI to obtain records for use in its own investigations. If our surveillance programs are to be governed by law, this clear congressional determination about which federal agency should obtain these records must be followed.

Section 215 expressly allows only the FBI to acquire records and other tangible things that are relevant to its foreign intelligence and counterterrorism investigations. Its text makes unmistakably clear the connection between this limitation and the overall design of the statute. Applications to the FISA court must be made by the director of the FBI or a subordinate. The records sought must be relevant to an authorized FBI investigation. Records produced in response to an order are to be “made available to,” “obtained” by, and “received by” the FBI. The Attorney General is directed to adopt minimization procedures governing the FBI’s retention and dissemination of the records it obtains pursuant to an order. Before granting a Section 215 application, the FISA court must find that the application enumerates the minimization procedures that the FBI will follow in handling the records it obtains. [my emphasis, footnotes removed]

The Executive convinced the FISA Court, over and over and over, to approve collection for NSA’s use using a law authorizing collection only by FBI.

Which is why I wanted to point out something else Walton cleaned up in 2009, along with watchlists of 3,000 Americans who had not received First Amendment Review. Judge Reggie Walton disappeared the FBI Director.

>>>Poof!<<<

Gone.

All the dragnet orders released so far (save Eagan’s opinion) follow a similar general structure:

  • An (unnumbered, unlettered) preamble paragraph describing that the FBI Director made a request
  • 3-4 paragraphs measuring the request against the statute, followed by some “wherefore” language
  • A number of paragraphs describing the order, consisting of the description of the phone records required, followed by 2 minimization paragraphs, the first pertaining to FBI and,
  • The second paragraph introducing minimization procedures for NSA, followed by a larger number of lettered paragraphs describing the treatment of the records and queries (this section got quite long during the 2009 period when Walton was trying to clean up the dragnet and remains longer to this day because of the DOJ oversight Walton required)

Here’s how the first three paragraphs looked in the first order and (best as I can tell) the next 11 orders, including Walton’s first order in December 2008:

An application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (the Act), Title 50, United States Code (U.S.C.), § 1861, as amended, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, the Court finds that:

1. The Director of the FBI is authorized to make an application for an order requiring the production of any tangible thing for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the First Amendment to the Constitution of the United States. [50 U.S.C. § 1861 (c)(1)]

2. The tangible things to be produced are all call-detail records or “telephone metadata” created by [the telecoms]. Telephone metadata includes …

[snip]

3. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12,333 to protect against international terrorism, … [my emphasis]

Here’s how the next order and all (released) following orders start [save the bracketed language, which is unique to this order]:

An verified application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (FISA), as amended, 50 U.S.C. § 1861, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, [as well as the government’s filings in Docket Number BR 08-13 (the prior renewal of the above-captioned matter),] the Court finds that:

1. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12333 to protect against international terrorism, …

That is, Walton took out the paragraph — which he indicated in his opinion 3 months earlier derived from the statutory language at 50 U.S.C. § 1861 (c)(1) — pertaining to the FBI Director. The paragraph always fudged the issue anyway, as it doesn’t discuss the FBI Director’s authority to obtain this for the NSA. Nevertheless, Walton seems to have found that discussion unnecessary or unhelpful.

Walton’s March 5, 2009 order and all others since have just 3 statutory paragraphs, which basically say:

  1. The tangible things are relevant to authorized FBI investigations conducted under EO 12333 — Walton cites 50 USC 1861 (c)(1) here
  2. The tangible things could be obtained by a subpoena duces tecum (50 USC 1861 (c)(2)(D))
  3. The application includes an enumeration of minimization procedures — Walton doesn’t cite statute in this May 5, 2009 order, but later orders would cite 50 USC 1861 (c)(1) again

Here’s what 50 USC 1861 (c)(1), in its entirety, says:

(1) Upon an application made pursuant to this section, if the judge finds that the application meets the requirements of subsections (a) and (b), the judge shall enter an ex parte order as requested, or as modified, approving the release of tangible things. Such order shall direct that minimization procedures adopted pursuant to subsection (g) be followed.

And here are two key parts of subsections (a) and (b) — in addition to “relevant” language that has always been included in the dragnet orders.

(a) Application for order; conduct of investigation generally

(1) Subject to paragraph (3), the Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things

[snip]

(2) shall include—

[snip]

(B) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.

FBI … FBI … FBI.

The language incorporated in 50 USC 1861 (c)(1) that has always been cited as the standard judges must follow emphasizes the FBI repeatedly (PCLOB laid out that fact at length in their analysis of the program). And even Reggie Walton once admitted that fact.

And then, following his lead, FISC stopped mentioning that in its statutory analysis altogether.

Eagan didn’t even consider that language in her “strange” opinion, not even when citing the passages (here, pertaining to minimization) of Section 215 that directly mention the FBI.

Section 215 of the USA PATRIOT Act created a statutory framework, the various parts of which are designed to ensure not only that the government has access to the information it needs for authorized investigations, but also that there are protections and prohibitions in place to safeguard U.S. person information. It requires the government to demonstrate, among other things, that there is “an investigation to obtain foreign intelligence information … to [in this case] protect against international terrorism,” 50 U.S.C. § 1861(a)(1); that investigations of U.S. persons are “not conducted solely upon the basis of activities protected by the first amendment to the Constitution,” id.; that the investigation is “conducted under guidelines approved by the Attorney General under Executive Order 12333,” id. § 1861(a)(2); that there is “a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant” to the investigation, id. § 1861(b)(2)(A);14 that there are adequate minimization procedures “applicable to the retention and dissemination” of the information requested, id. § 1861(b)(2)(B); and, that only the production of such things that could be “obtained with a subpoena duces tecum” or “any other order issued by a court of the United States directing the production of records” may be ordered, id. § 1861(c)(2)(D), see infra Part III.a. (discussing Section 2703(d) of the Stored Communications Act). If the Court determines that the government has met the requirements of Section 215, it shall enter an ex parte order compelling production.

This Court must verify that each statutory provision is satisfied before issuing the requested Orders. For example, even if the Court finds that the records requested are relevant to an investigation, it may not authorize the production if the minimization procedures are insufficient. Under Section 215, minimization procedures are “specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” Id. § 1861(g)(2)(A)

Reggie Walton disappeared the FBI Director as a statutory requirement (he retained that preamble paragraph, the nod to authorized FBI investigations, and the perfunctory paragraph on minimization of data provided from NSA to FBI) on March 5, 2009, and he has never been heard from in discussions of the FISC again.

Now I can imagine someone like Steven Bradbury making an argument that so long as the FBI Director actually signed the application, and so long as the FBI had minimization procedures for the as few as 16 tips they receive from the program in a given year, it was all good to use an FBI statute to let the NSA collect a dragnet potentially incorporating all the phone records of all Americans. I can imagine Bradbury pointing to the passive construction of that “things to be made available” language and suggesting that so long as there were minimization procedures about FBI receipt somewhere, the fact that the order underlying that passive voice was directed at the telecoms didn’t matter. That would be a patently dishonest argument, but not one I’d put beyond a hack like Bradbury.

The thing is, no one has made it. Not Malcolm Howard in the first order authorizing the dragnet, not DOJ in its request for that order (indeed, as PCLOB pointed out, the application relied heavily on Keith Alexander’s declaration about how the data would be used). The closest anyone has come is the white paper written last year that emphasizes the relevance to FBI investigations.

But no one I know of has affirmatively argued that it’s cool to use an FBI statute for the NSA. In the face of all the evidence that the dragnet has not helped the FBI thwart a single plot — maybe hasn’t even helped the FBI catch one Somali-American donating less than $10,000 to al-Shabaab, as they’ve been crowing for months — FBI Director Jim Comey has stated to Congress that the dragnet is useful to the FBI primarily for agility (though the record doesn’t back Comey’s claim).

Which leaves us with the only conclusion that makes sense given the Executive’s failure to prove it is useful at all: it’s not the FBI that uses it, it’s NSA. They don’t want to tell us how the NSA uses it, in part, because we’ll realize all their reassurances about protections for Americans fall flat for the millions of Americans who are 3 degrees away from a potential suspect.

But they also don’t want to admit that it’s the NSA that uses it, because then it’ll become far more clear how patently illegal this program has been from the start.

Better to just disappear the FBI Director and hope no one starts investigating the disappearance.

The 5-Eyes Tippecanoe — Er, Tipping & Cueing

CBC has a scathing report about a pilot project their SIGINT agency, CSEC, did in 2012, tracking the free WiFi in Canadian airports. The article — with lots of quotes from furious people describing how illegal this is under Canadian law — is here, and the backup document is here.

The PowerPoint is just as interesting for the methodological details as it is for the fact that CSEC is collecting off of airport (and hotel and other public) WiFi sites and doing so to hunt imagined kidnappers, not to find terrorists.

It shows how a joint 5-Eyes “Tipping and Cueing Task Force” is working on ways to track IP-based identities across many sites. (As a reminder, “5-Eyes” refers to the UK, US, Canadian, Australian, New Zealand intelligence partnership.)

Tipping and Cueing Task Force (TCTF)

  • a 5-Eyes effort to enable the SIGINT system to provide real-time alerts of events of interest
  • alert to: target country location changes, webmail logins with time-limited cookies etc.

I’m particularly interested in the name: “Tipping and Cueing.”

I’m interested in it for one more reason. We’ve heard the term “tipper” before — it’s what NSA calls query results that get sent to FBI from the phone dragnet. The term implies that data analysis shows something new, which then gets shared with other intelligence agencies and law enforcement.

But this presentation makes it clear that, unsurprisingly, it’s a two way street. This dragnet process serves not only to identify new leads, but also as a panopticon tracking identified “targets.”

I raise this for one more reason. At least as early as February 25, 2010, the language used to describe the information shared with FBI from the dragnet changed.

Previously, it had used the term “tipped” (and when this whole Snowden process started, that’s what NSA defenders used to describe the information — tippers).


The dragnet orders started referring to the information shared more generically: “any information the FBI receives as a result of this Order.”


Again, none of this is surprising. The existence of the “alert” list that caused all the troubles in 2009 made it clear this functions as part of a panopticon as much as it does a lead generation tool.

But it’s worth noting that the 5-Eyes are actually fighting a losing battle against “the Natives”* that is far more intrusive than all that.

Update: I noted above CSEC ran this test on an imagined kidnapper, not a terrorist. The Globe and Mail reports that the number of Mountie requests for help from CSEC is going up, and it may be a way to bypass warrant requirements.

* [Update] This was meant to be a joke that both the Battle of Tippecanoe and the 5-Eyes’ Tipping and Cueing target “natives” by deeming us foreign to our own land. Given joanneleon’s comment I realize I was being too subtle.


Jim Comey: For FBI, Section 215 Only Provides Agility

In yesterday’s Threat Hearing, James Clapper and John Brennan provided so much news early, I suspect many didn’t stick around to hear the question Angus King posed to Jim Comey. He asked about the significance of the phone dragnet.

SEN. KING: Director Comey, do you have views on the significance of 215? You understand this is not easy for this committee. The public is very skeptical and in order for us to continue to maintain it, we have to be convinced that it is in fact effective and not just something that the intelligence community thinks is something nice to have in their toolkit.

DIR. COMEY: Yeah, I totally understand people’s concerns and questions about them. They’re reasonable questions. I believe it’s a useful tool. For the FBI, its primary value is agility. That is, it allows us to do in minutes what would otherwise take us in hours. And I’ll explain what I mean by that. If a terrorist is identified in the United States or something blows up in the United States, we want to understand, OK, is there a network that we’re facing here?

And we take any telephone numbers connected to that terrorist, to that attack. And what I would do in the absence of 215 is use the legal process that we use every day, either grand jury subpoenas or national security letters, and by subpoenaing each of the telephone companies I would assemble a picture of whether there’s a network connected to that terrorist. That would take hours.

What this tool allows us to do is do that in minutes. Now, in most circumstances, the difference between hours and minutes isn’t going to be material except when it matters most. And so it’s a useful tool to me because of the agility it offers. [my emphasis]

Comey prefaced his entire answer by making it clear he was only addressing the way the FBI uses the dragnet. That suggests he was bracketing off his answer from possible other uses, notably by NSA.

If the FBI Director brackets off such an answer after 7 months of NSA pointing to FBI’s efforts to thwart plots, to suggest his Agency’s use may not be the most important use of the dragnet, can we stop talking about plots thwarted and get an explanation of what role the dragnet really plays?

That said, it’s worth comparing Comey’s answer to what the PCLOB said about FBI’s use of the dragnet. Because in the 5 cases the government cited claiming the dragnet found particular leads (the exception is Basaaly Moalin, which PCLOB said might have been found via active investigations FBI already had going), FBI found the same leads via other means (and the implication for some of these is that FBI found those other leads first).

Operation WiFi: Those numbers simply mirrored information about telephone connections that the FBI developed independently using other authorities.

[snip]

David Headley: Those numbers, however, only corroborated data about telephone calls that the FBI obtained independently through other authorities.

[snip]

3 other cases: But in all three cases, that information simply mirrored or corroborated intelligence that the FBI obtained independently through other means.

That is, usually the dragnet isn’t even a matter of agility. It’s a matter of redundancy.

It seems Jim Comey, sharing the dais with several colleagues who’ve already torched their credibility, had no interest in pretending the dragnet is primarily about the investigations of his Agency.

Perhaps the rest of us can dispense with that myth too now?


Adel Daoud Wins Review of FISA Application

As I’ve written before, Adel Daoud is a 20-year-old American citizen from the Chicago suburbs busted in 2012 for attempting to bomb a nightclub. Since Dianne Feinstein mentioned Daoud’s case during the 2012 FAA reauthorization fight, his lawyers have been trying to figure out how the government obtained all the evidence against him. There are hints they may have used a back door search to collect emails dating to 2011 (before the FBI allegedly started tracking him). There are reasons to think the government may have conducted upstream collection on him. Either would be particularly interesting, as this surveillance dates to the same weeks when John Bates wrote an opinion addressing both practices.

In addition, the revelation that NSA collects YouTube comments is of particular interest, as Daoud’s YouTube comments serve as part of the evidence against him. (Remember, they could also collect YouTube comments in bulk, and then conduct backdoor searches of that material.)

The judge in his case has just done what no judge has ever done before — grant his lawyers a review of the FISA application against him. As Charlie Savage first noted, Judge Sharon Coleman granted the defense the ability to review the FISA Application against Daoud.

While this Court is mindful of the fact that no court has ever allowed disclosure of FISA materials to the defense, in this case, the Court finds that the disclosure may be necessary. This finding is not made lightly, and follows a thorough and careful review of the FISA application and related materials. The Court finds however that an accurate determination of the legality of the surveillance is best made in this case as part of an adversarial proceeding. The adversarial process is the bedrock of effective assistance of counsel protected by the Sixth Amendment. Anders v. California, 386 U.S. 738, 743 (1967). Indeed, though this Court is capable of making such a determination, the adversarial process is integral to safeguarding the rights of all citizens, including those charged with a crime. “The right to the effective assistance of counsel is thus the right of the accused to require the prosecution’s case to survive the crucible of meaningful adversarial testing.” United States v. Cronic, 466 U.S. 648, 656 (1984).

In sum, this Court grants disclosure to cleared defense counsel of the FISA application materials and such disclosure will be made under an appropriate protective order.

Her mention of the necessity for adversarial review suggests the suspicions about the basis for FBI’s interest in Daoud may be well-grounded.

We’ll never learn what’s in that application, but we may get a better sense of whether one federal judge thinks it’s legal to use certain kinds of collection as a basis for a FISA warrant.

Update: Spencer Ackerman alerted me that I was cited in the response motion that won this review (see page 3). Yeah me!


Jello Jay Rockefeller: Associational Database Is “Core Governmental Function”

I’m watching the Senate Intelligence Committee hearing on global threats, and will have more to say about the Snowden fear-mongering later.

But I wanted to point to Jello Jay Rockefeller’s remarkable campaign in favor of the status quo for the dragnet.

He argued against the telecoms taking the data, because their interest is not in protecting privacy (yet they’re playing with our data all the time).

He then said the phone dragnet — a database of all the phone-based relationships in the US in the last 5 years — was a “core governmental function.”

There you have it. Having an associational database of the entire US is a core governmental function, the oversight people think.


Clapper and Holder Remind Us “Disclosure” Mostly Pertains to Targets

I want to thank James Clapper and Eric Holder who, in their statement on yesterday’s “disclosure” agreement emphasized the word “target.”

As indicated in the Justice Department’s filing with the Foreign Intelligence Surveillance Court, the administration is acting to allow more detailed disclosures about the number of national security orders and requests issued to communications providers, the number of customer accounts targeted under those orders and requests, and the underlying legal authorities.

I should have given this more emphasis yesterday. All “transparency” numbers provided by the tech companies will describe the number of accounts or “selectors” “targeted,” with the exception of National Security Letter reporting using Option One. So if thousands of other Google accounts are getting sucked into requests for content or metadata, we’ll never know that.
