USA F-ReDux Is Non-Exclusive, but the Second Circuit Might Be

I’m still trying to figure out WTF Mitch McConnell is doing with his Senate machinations over USA F-ReDux. Currently, he has both his short-term reauthorization and USA F-ReDux prepped for a vote, which probably means he’ll bring USA F-ReDux up for cloture or a vote, show that it doesn’t have enough support, and then use that to scaremonger the short-term reauthorization through as a way to wring more concessions out of the House.

Still, given what a dead-ender he is on a bill, USA F-ReDux, that gives the Intelligence Community so many goodies, I can’t help but wonder if there’s another explanation for his intransigence. I can think of one other possibility.

The House Judiciary Committee made it clear USA F-ReDux would be the exclusive means to obtain prospective Call Detail Records under Section 215:

This new mechanism is the only circumstance in which Congress contemplates the prospective, ongoing use of Section 501 of FISA in this manner.

But it made it equally clear it is not the exclusive means to obtain Call Detail Records. That’s because the report envisions conducting federated queries including “metadata [the government] already lawfully possess.”

The government may require the production of up to two “hops”—i.e., the call detail records associated with the initial seed telephone number and call detail records (CDRs) associated with the CDRs identified in an initial “hop.” Subparagraph (F)(iii) provides that the government can obtain the first set of CDRs using the specific selection term approved by the FISC. In addition, the government can use the FISC-approved specific selection term to identify CDRs from metadata it already lawfully possesses. Together, the CDRs produced by the phone companies and those identified independently by the government constitute the first “hop.”

I suggested here that that other “lawfully possessed metadata” probably consisted of data collected under EO 12333 (and permissible for chaining on US persons under SPCMA) and PRISM metadata.

But maybe that’s not all it includes. Maybe, the government has devised a way by which AT&T (or some other backbone provider) will still provide phone records in bulk on a daily basis? Maybe — as Richard Burr claimed before he later unclaimed — the government secretly maintains an IP dragnet under some other authority?

If that was the plan (though keep in mind, USA F-ReDux passed the House after the Second Circuit decision), then the Second Circuit may have ruined that effort. The ruling should limit all collection under a “relevant to” standard, not just that conducted under Section 215. And, as Faiza Patel argued, the decision should also affect collection where the government has dodged Fourth Amendment issues by focusing on “searches” rather than “seizures.”

[A]s Jennifer Daskal explained last Friday, “collection matters.” The Second Circuit rejected the government’s contention that there was no cognizable injury until plaintiffs’ phone records were actually analyzed and reviewed. It ruled that collection is properly analyzed as “seizure,” which if unlawful constitutes a separate injury from the “search” that takes place when records are analyzed either by a human being or a computer.

As the Supreme Court has recognized, in Fourth Amendment cases the analysis of standing is intertwined with the merits question of whether there has been an invasion of a protected privacy interest. Thus, the Second Circuit’s position on collection could have serious implications for other government programs beyond the standing question.

I’ve already suggested the decision might create problems for the virgin birth DOJ secretly gave to EO 12333 data used in SPCMA.

But who knows what else it applies to?

After all, USA F-ReDux was written so as to allow other dragnets (which is what EO 12333 is, after all). But the Second Circuit may pose problems for such dragnets that USA F-ReDux did not.

Going back to Richard Burr’s odd colloquy — which his office’s excuses simply cannot rationally explain — I think it (very remotely) possible the government is dragnetting IP addresses (perhaps for cybersecurity rather than counterterrorism purposes), but worries it has lost authority to do so with the Second Circuit decision. If so, it might be using this fight over counterterrorism data collection to lay congressional support for broader dragnet collection, to be able to sustain whatever other dragnets it has in place.


Fifty Shades of Fake University Degrees

On Sunday, Declan Walsh delivered a blockbuster report on the vast network of fake universities, diplomas for purchase and high-pressure upsales of “validation” credentials for fraudulently purchased diplomas. Remarkably, the company in which these activities were housed, Axact, with headquarters in Karachi and offices throughout Pakistan, had enjoyed a role as a prominent software company billing itself as Pakistan’s biggest software success story. Despite the massive amount of evidence compiled by Walsh and the Times, Axact initially pushed back hard, trying to threaten the Times with legal action and even going after a local Pakistani blog that merely accumulated amusing Tweets relating to the story.

Today, authorities in Pakistan took decisive action, with as many as 45 Axact employees arrested and the seizure of computer equipment and files:

According to Express News, employees were evacuated from the software company’s head office in Islamabad. Further, around 45 employees were rounded up, including HR and PR managers, to be taken to FIA headquarters.

The arrested Axact employees were shifted to FIA’s cyber-crime wing office.

The seven-member FIA team also seized hard disks, computers, other electronic equipment and documents belonging to the IT firm. The bags and mobile phones of department heads in Islamabad have also been seized.

/snip/

The FIA also raided Axact’s call center in Rawalpindi and seized voice call and other devices. Axact’s regional director Colonel (retd) Jamil has been taken into custody.

With “university” names like Columbiana and Barkley, the cynicism of Axact’s scam is breathtaking. But once I started thinking about it, I realized that the new world of online degrees is a very cutthroat place with questionable marketing practices everywhere. Just right here in Gainesville, the University of Florida has raised many eyebrows with its decision this year to admit an extra 3000 students who would not otherwise be admitted and then inform them that they have to complete the first year of studies toward their degree online. But don’t worry, poor little online second class students, because at UF, even if you complete your entire degree online, your diploma won’t reflect that fact. Here’s the very first entry on the FAQ’s for UF online:

[Image: first entry of the UF Online FAQ]

It’s a highly competitive world for those online degrees, whether they come from fake diploma mills, for-profit “universities” or traditional universities being forced by backwards legislators to come up with online competition.

Call me old-fashioned, but my concept of a university education involves an actual university with libraries housing real books, laboratories where real experiments can take place, lecture halls where students and professors actually interact face to face and a shared site where a community moves about freely. Sure, fake diplomas from legitimate universities do get penned now and then, but the market for fakery has been enabled greatly by the rapid expansion of online “learning”.


Michael Hayden’s Masturbatory Claims of Dragnet Efficacy

In a bid to extend a dragnet that has proven useless in the function the Intelligence Community claims it serves, Mitch McConnell is claiming there are secret reasons we need to keep the dragnet.

It’s possible this is just a tactic, to gain leverage to make USA F-ReDux even worse.

It’s possible that McConnell just wants to retain the dragnet to identify people to coerce into becoming informants, the use the FBI has claimed for the dragnet that never got included in its more public assessments of value.

It’s possible McConnell wants to retain a dragnet — and finally expand it to include most Internet metadata — because he can (and all of our Five Eyes allies have done so in the wake of Snowden’s leaks).

But I want to submit another possibility, based on the Stellar Wind IG Report.

In its assessment of the Stellar Wind dragnet — the same section that notes that 1.2% of all tips made a “significant” contribution to finding terrorists (and that measure included deporting suspected terrorists and identifying potential informants, not just identifying actual terrorists) and Internet dragnet tips had made no contribution — the report explained Michael Hayden’s justification.

Hayden also observed that the enemy may not have been as embedded in the United States as much as feared but said that he believes Stellar Wind helped determine this.

[snip]

Other witnesses, such as General Hayden, said that the value of the program may lie in its ability to help the Intelligence Community determine that the terrorist threat embedded within the country is not as great as once feared. (PDF 647, 664)

Now, remember, to justify operating this program in defiance of the law (and to justify getting FISC to rubber stamp it in 2004 in defiance of common sense), John Brennan and his colleagues would routinely write a “scary memo” to establish that the threat of a terrorist attack on the US was so big that the government needed the program. Probably, they used Khalid Sheikh Mohammed’s claim that he had gotten a Briton to recruit non-existent black Muslims in Montana to start forest fires for the 3 months of 2003 that CIA believed that ruse. We know in 2004, the CIA drummed up fear of an election year plot — seeded by a fabricator and sustained through CIA’s use of torture — to sustain the initial Internet dragnet order.

The point is, for the entire life of the dragnet, the government justified it by talking about scary terrorists embedded in the US.

And then, when challenged in 2009 to explain the value of the dragnet, Hayden explained that it was useful because it proved those claims of scary terrorists embedded in the US turned out to be overblown.

The best Hayden can offer — after years of overseeing a dragnet — is that it proved the IC’s overblown claims in the first place were overblown.

Behind all this dragnettery, then, lies a great deal of masturbatory fear-mongering.

Mike Morell’s Performance of “Intelligence”

Given that Bill Harlow co-wrote George Tenet and Jose Rodriguez’ autobiographical novels, it’s fairly clear he continues to propagandize for the CIA years after he left the Agency as Public Affairs officer. Still, his past autobiographical novels were perhaps more convincing than the roll out of Mike Morell’s autobiographical novel, The Great War of Our Time, which Harlow also co-wrote. That’s pretty remarkable given that Morell had more retained credibility than either of the other two. This propaganda tour actually seems to be eroding Morell’s credibility.

Part of the problem is interviews like this, where Morell says both that we should be “all in” with Saudi Arabia (an asinine judgement, in my opinion, perhaps betraying CIA’s close ties to the Saudis) and that we should support secular Bashar al-Assad, which is totally inconsistent with his first stance.

And he makes those two claims in an interview where he also claims that numbers on collateral damage tied to drone strikes are “propaganda.”

“The other thing I’ll say is that this is the most precise weapon in the U.S. arsenal.  Collateral damage is not zero — and gosh, I wish it were zero, but it’s not — but it’s very close to zero.

“Number three, the numbers that you see about huge numbers of collateral damage just aren’t true.  They are put out there as propaganda by people who want this program to go away, and al-Qaida is one of those groups.”

It’s a great display of Morell’s approach to lying.

First, most people don’t claim there are huge numbers of collateral damage. TBIJ — which is one of the more partisan voices against drone strikes but which also does some of the most meticulous work tracking drone killing over years — shows that civilians account for around 14% of those killed (a lower number than some more hawkish counts). The number itself is not, as Morell depicts it, “huge.” But it is, nevertheless, a relatively large amount, one that brings with it a lot of blowback. And the numbers — which again, are similar to those tracked by multiple independent sources — are much higher than CIA publicly claims.

It is CIA, and not drone killing trackers, engaged in propaganda here.

Yet by refuting something his opponents hadn’t asserted, Morell gets to claim to have debunked it.

While I have no idea what parts of Sy Hersh’s story on Osama bin Laden are true, Morell’s use of the same method to debunk Hersh suggests he’s engaged — at least partly — in non-denial denial.

Jeff Stein deals with one problem with Morell’s debunking. CIA’s former Deputy Director claims that if we had tipped the Pakistanis (who are dealt with as a monolith in Morell’s story) they would have told Osama bin Laden. Wouldn’t that require knowledge of where he was, and some ongoing interest in protecting him? If so, that actually confirms a key premise of Hersh’s (and other reporters’) stories.

Then there’s Morell’s debunking of the walk-in story.

He claims that we learned of bin Laden’s location not from following the courier and from excellent intelligence analysis, but from a Pakistani intelligence officer who walked into the U.S. Embassy and gave us bin Laden’s whereabouts in exchange for “much of the $25 million reward offered by the U.S.” The truth is that while walk-ins have long been useful in providing intelligence to us world-wide, none of the information that led to finding the location where bin Laden was came from walk-ins.

NBC has already confirmed that there was a walk-in — just that he wasn’t key to identifying OBL’s location.

Editor’s Note: This story has been updated since it was first published. The original version of this story said that a Pakistani asset told the U.S. where bin Laden was hiding. Sources say that while the asset provided information vital to the hunt for bin Laden, he was not the source of his whereabouts.

Morell’s statement is utterly consistent with NBC’s reporting.

Morell claims to debunk Hersh’s claim that CIA obtained DNA from OBL.

bin Laden was very ill, and that early on in his confinement at Abbottabad, the ISI had ordered Amir Aziz, a doctor and a major in the Pakistani army, to move nearby to provide treatment.

[snip]

The planners turned for help to Kayani and Pasha, who asked Aziz to obtain the specimens. Soon after the raid the press found out that Aziz had been living in a house near the bin Laden compound: local reporters discovered his name in Urdu on a plate on the door. Pakistani officials denied that Aziz had any connection to bin Laden, but the retired official told me that Aziz had been rewarded with a share of the $25 million reward the US had put up because the DNA sample had showed conclusively that it was bin Laden in Abbottabad.

But Morell focuses on obtaining DNA from the compound and from OBL’s children, not from OBL himself.

Mr. Hersh says we obtained DNA samples from people in the bin Laden compound before the assault was launched. Wrong again. We would have liked to have obtained samples from the children in the compound to confirm that they were bin Laden’s children, but we did not. [my emphasis]

And Morell claims Hersh’s claim that SEALs couldn’t have thrown OBL body parts out the helicopter over the Hindu Kush …

The remains, including his head, which had only a few bullet holes in it, were thrown into a body bag and, during the helicopter flight back to Jalalabad, some body parts were tossed out over the Hindu Kush mountains – or so the Seals claimed.

… Because he received a burial at sea.

Finally—and most absurdly perhaps—Mr. Hersh cites his sources as telling him that SEALs threw bin Laden body parts off their helicopter over the Hindu Kush and suggests that the burial at sea from the USS Carl Vinson never happened. Bin Laden’s body received a proper Muslim burial at sea. How do I know? I heard the president give the order, and I saw photographs and video of the burial at sea.

Now, to be fair, this is one claim from Hersh I’m most skeptical of (though I realize now the SEALs might have thrown some body parts out the helicopter to leave DNA evidence that OBL was killed there, which was the purported cover story). But Morell’s debunking is no such thing, because it is perfectly possible a shrouded corpse could be buried at sea even if it were missing some body parts. (I’ll also note that JSOC hid what I believe to be trophy photos after this story started breaking, which suggests the SEALs did something with the corpse that would cause problems if it were publicized, though I always assumed they just hammed it up.)

In other words, as Morell does for his drone propaganda, he usually doesn’t debunk what Hersh wrote, but instead something else.

Which is a suggestion that he’s engaged in another cover story.


About those Brennan Lies about Working with Iran and Those Who Commit Atrocities

During the whole flap over Seymour Hersh’s reporting questioning the Osama bin Laden raid, I kept pointing to Ron Wyden’s comments to John Brennan about lies he told in March, probably at his Council on Foreign Relations speech.

I guessed that Brennan’s likely lies had to do with whether we partner with anyone who commits atrocities and whether Brennan has worked directly with Iranian Republican Guard leader Qasem Soleimani. And after Hersh’s report that we still have a dark site on Diego Garcia, I added Brennan’s claim we outsource all our interrogation to partners.

Keep those potential lies in mind as you read Moon of Alabama’s guesses about why the Syrians announced this raid before the Americans did.


Joel Brenner Reveals David Addington’s Sources and Methods

Several people (including Dan Froomkin) have pointed to the speech former NSA Inspector General Joel Brenner gave at NSA today for the confirmation of what was pretty clear from the joint IG Report on Stellar Wind — that David Addington ran the program out of OVP.

The seed of the problem was planted shortly after 9/11, when the White House determined to undertake certain collection outside the FISA regime under a highly classified, but now mostly declassified, program called STELLAR WIND. That program was not SAP’ed, because the creation of a new special access program requires Congressional notification, but it was run directly by the Office of the Vice President and put under the direct personal control of the Vice President’s counsel, David Addington.

But there’s another detail I find more interesting (aside from Brenner’s note that parts of the program remain classified, which people often forget).

Stellar Wind was not SAP’ed, says Joel Brenner (who was, at least according to the IG Report, not read in himself until far later than he makes out in his speech).

Because if it were SAP’ed — if it were made a Special Access Program — then Congress would have had to be notified.

I’m interested in that for two reasons.

First (and most prosaically), the Executive was messing around with the classification of Stellar Wind at least until January 2009, when they appear to have been making last minute adjustments to gain advantage in the al-Haramain suit.

More interestingly, because the Executive claims Congress was notified (even in that IG Report, though interestingly enough, some accountings of Congressional briefings got redacted in the underlying reports). Joel Brenner is here suggesting that they weren’t, really. Which is consistent with the fact that the briefing Congress got on March 10, 2004 was different in substance than what they had gotten before then.

Finally, because there are questions about when and who made the torture program a SAP. It appears not to have happened until early 2003 (and some of CIA’s own briefing records suggest that’s when the first torture briefings were, notwithstanding the September 2002 briefings for the Gang of Four).

Brenner’s suggestion makes it likely (as if it weren’t already) that that decision, too, was driven by Addington.


How the Second Circuit, FISC, and the Telecoms Might Respond to McConnell’s USA F-ReDux Gambit

Update: Jennifer Granick (who unlike me, is a lawyer) says telecoms will be subject to suit if they continue to comply with dragnet orders. 

Any company that breaches confidentiality except as required by law is liable for damages and attorneys’ fees under 47 U.S.C. 206. And there is a private right of action under 47 U.S.C. 207.

Note that there’s no good faith exception in the statute, no immunity for acting pursuant to court order. Rather, the company is liable unless it was required by law to disclose. So Verizon could face a FISC 215 dragnet order on one side and an order from the Southern District of New York enjoining the dragnet on the other. Is Verizon required by law to disclose in those circumstances? If not, the company could be liable. And did I mention the statute provides for attorneys’ fees?

Everything is different now than it was last week. Reauthorization won’t protect the telecoms from civil liability. It won’t enable the dragnet. As of last Thursday, the dragnet is dead, unless a phone company decides to put its shareholders’ money on the line to maintain its relationships with the intelligence community.

Last night, Mitch McConnell introduced a bill for a 2-month straight reauthorization of the expiring PATRIOT provisions as well as USA F-ReDux under a rule that bypasses Committee structure, meaning he will be able to bring that long-term straight reauthorization, that short term one, or USA F-ReDux to the floor next week.

Given that a short term reauthorization would present a scenario not envisioned in Gerard Lynch’s opinion ruling the Section 215 dragnet unlawful, it has elicited a lot of discussion about how the Second Circuit, FISC, and the telecoms might respond in case of a short term reauthorization. But these discussions are almost entirely divorced from some evidence at hand. So I’m going to lay out what we know about both past telecom and FISA Court behavior.

Because of the details I lay out below, I predict that so long as Congress looks like it is moving towards an alternative, both the telecoms and the FISC will continue the phone dragnet in the short term, and the Second Circuit won’t weigh in either.

The phone dragnet will continue for another six months even under USA F-ReDux

As I pointed out here, even if USA F-ReDux passed tomorrow, the phone dragnet would continue for another 6 months. That’s because the bill gives the government 180 days — two dragnet periods — to set up the new system.

(a) IN GENERAL.—The amendments made by sections 101 through 103 shall take effect on the date that is 180 days after the date of the enactment of this Act.

(b) RULE OF CONSTRUCTION.—Nothing in this Act shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) as in effect prior to the effective date described in subsection (a) during the period ending on such effective date.

The Second Circuit took note of USA F-ReDux specifically in its order, so it would be hard to argue that it doesn’t agree Congress has the authority to provide time to put an alternative in place. Which probably means (even though I oppose Mitch’s short-term reauth in most scenarios) that the Second Circuit isn’t going to balk — short of the ACLU making a big stink — at a short term reauth for the purported purpose of better crafting a bill that reflects the intent of Congress. (Though the Second Circuit likely won’t look all that kindly on Mitch’s secret hearing the other day, which violates the standards of debate the Second Circuit laid out.)

Heck, the Second Circuit waited 8 months — and one failed reform effort — to lay out its concerns about the phone dragnet’s legality that were, in large part, fully formed opinions at least September’s hearing. The Second Circuit wants Congress to deal with this and they’re probably okay with Congress taking a few more months to do so.

FISC has already asked for briefing on any reauthorization

A number of commentators have also suggested that the Administration could just use the grandfather clause in the existing sunset to continue collection or might blow off the Appeals Court decision entirely.

But the FISC is not sitting dumbly by, oblivious to the debate before Congress and the Courts. As I laid out here, in his February dragnet order, James Boasberg required timely briefing from the government in each of 3 scenarios:

  • A ruling from an Appellate Court
  • Passage of USA F-ReDux introduces new issues of law that must be considered
  • A plan to continue production under the grandfather clause

And to be clear, the FISC has not issued such an order in any of the publicly released dragnet orders leading up to past reauthorizations, not even in advance of the 2009-2010 reauthorizations, which happened at a much more fraught time from the FISC’s perspective (because FISC had had to closely monitor the phone dragnet production for 6 months and actually shut down the Internet dragnet in fall 2009). The FISC clearly regards this PATRIOT sunset differently than past ones and plans to at least make a show of considering the legal implications of it deliberately.

FISC does take notice of other courts

Of course, all that raises questions about whether FISC feels bound by the Second Circuit decision — because, of course, it has its very own appellate court (FISCR) which would be where any binding precedent would come from.

There was an interesting conversation on that topic last week between (in part) Office of Director of National Intelligence General Counsel Bob Litt and ACLU’s Patrick Toomey (who was part of the team that won the Second Circuit decision). That conversation largely concluded that FISC would probably not be bound by the Second Circuit, but Litt’s boss, James Clapper (one of the defendants in the suit) would be if the Second Circuit ever issued an injunction.

Sunlight Foundation’s Sean Vitka: Bob, I have like a jurisdictional question that I honestly don’t know the answer to. The Court of Appeals for the Second Circuit. They say that this is unlawful. Obviously there’s the opportunity to appeal to the Supreme Court. But, the FISA Court of Review is also an Appeals Court. Does the FISC have to listen to that opinion if it stands?

Bob Litt: Um, I’m probably not the right person to ask that. I think the answer is no. I don’t think the Second Circuit Court of Appeals has direct authority over the FISA Court. I don’t think it’s any different than a District Court in Idaho wouldn’t have to listen to the Second Circuit’s opinion. It would be something they would take into account. But I don’t think it’s binding upon them.

Vitka: Is there — Does that change at all given that the harms that the Second Circuit acknowledged are felt in that jurisdiction?

Litt: Again, I’m not an expert in appellate jurisdiction. I don’t think that’s relevant to the question of whether the Second Circuit has binding authority over a court that is not within the Second Circuit. I don’t know Patrick if you have a different view on that?

Third Way’s Mieke Eoyang: But the injunction would be, right? If they got to a point where they issued an injunction that would be binding…

Litt: It wouldn’t be binding on the FISA Court. It would be binding on the persons who received the —

Eoyang: On the program itself.

Patrick Toomey: The defendants in the case are the agency officials. And so an injunction issued by the Second Circuit would be directed at those officials.

But there is reason to believe — even beyond FISC’s request for briefing on this topic — that FISC will take notice of the Second Circuit’s decision, if not abide by any injunction it eventually issues.

That’s because, twice before, it has even taken notice of magistrate judge decisions.

The first known example came in the weeks before the March 2006 reauthorization of the PATRIOT Act would go into effect. During 2005, several magistrate judges had ruled that the government could not add a 2703(d) order to a pen register to obtain prospective cell site data along with other phone data. By all appearances, the government was doing the same with the equivalent FISA orders (this application of a “combined” Business Record and Pen Register order is redacted in the 2008 DOJ IG Report on Section 215, but contextually it’s fairly clear this is close to what happened). Those magistrate decisions became a problem when, in 2005, Congress limited Section 215 order production to that which could be obtained with a grand jury subpoena. Effectively, the magistrates had said you couldn’t get prospective cell site location with just a subpoena, which therefore would limit whether FBI could get cell site location with a Section 215 order.

While it is clear that FISC required briefing on this point, it’s not entirely clear what FISC’s response was. For a variety of reasons, it appears FISC stopped these combined applications sometime in 2006 — the reauthorization went into effect in March 2006 — though not immediately (which suggests, in the interim, DOJ just found a new shell to put its location data collection under).

The other time FISC took notice of magistrate opinions pertained to Post Cut Through Dialed Digits (those are the things like pin and extension numbers you dial after your call or Internet connection has been established). From 2006 through 2009, some of the same magistrates ruled the government must set its pen register collection to avoid collecting PCTDD. By that point, FISC appears to have already ruled the government could collect that data, but would have to deal with it through minimization. But the FISC appears to have twice required the government to explain whether and how its minimization of PCTDD did not constitute the collection of content, though it appears that in each case, FISC permitted the government to go on collecting PCTDD under FISA pen registers. (Note, this is another ruling that may be affected by the Second Circuit’s focus on the seizure, not access, of data.)

In other words, even on issues not treating FISC decisions specifically, the FISC has historically taken notice of decisions made in courts that have no jurisdiction over its decisions (and in one case, FISC appears to have limited government production as a result). So it would be a pretty remarkable deviation from that past practice for FISC to completely blow off the Second Circuit decision, even if it may not feel bound by it.

Verizon responds to court orders, but in half-assed fashion

Finally, there’s the question of how the telecoms will react to the Second Circuit decision. And even there, we have some basis for prediction.

In January 2014, after receiving the Secondary Order issued in the wake of Judge Richard Leon’s decision in Klayman v. Obama that the dragnet was unconstitutional, Verizon made a somewhat half-assed challenge to the order.

Leon issued his decision December 16. Verizon did not ask the FISC for guidance (which makes sense because they are only permitted to challenge orders).

Verizon got a new Secondary Order after the January 3 reauthorization. It did not immediately challenge the order.

It only got around to doing so on January 22 (interestingly, a few days after ODNI exposed Verizon’s role in the phone dragnet a second time), and didn’t do several things — like asking for a hearing or challenging the legality of the dragnet under 50 USC 1861 as applied — that might reflect real concern about anything but the public appearance of legality. (Note, that timing is of particular interest, given that the very next day, on January 23, PCLOB would issue its report finding the dragnet did not adhere to Section 215 generally.)

Indeed, this challenge might not have generated a separate opinion if the government weren’t so boneheaded about secrecy.

Verizon’s petition is less a challenge of the program than an inquiry whether the FISC has considered Leon’s opinion.

It may well be the case that this Court, in issuing the January 3, 2014 production order, has already considered and rejected the analysis contained in the Memorandum Order. [redacted] has not been provided with the Court’s underlying legal analysis, however, nor [redacted] been allowed access to such analysis previously, and the order [redacted] does not refer to any consideration given to Judge Leon’s Memorandum Opinion. In light of Judge Leon’s Opinion, it is appropriate [redacted] inquire directly of the Court into the legal basis for the January 3, 2014 production order,

As it turns out, Judge Thomas Hogan (who will take over the thankless presiding judge position from Reggie Walton next month) did consider Leon’s opinion in his January 3 order, as he noted in a footnote.

And that’s about all the government said in its response to the petition (see paragraph 3): that Hogan considered it so the FISC should just affirm it.

Verizon didn’t know that Hogan had considered the opinion, of course, because it never gets Primary Orders (as it makes clear in its petition) and so is not permitted to know the legal logic behind the dragnet unless it asks nicely, which is all this amounted to at first.

Ultimately, Verizon asked to see proof that FISC had considered Leon’s decision. But it did not do any of the things people think might happen here — it did not immediately cease production, it did not itself challenge the legality of the dragnet, and it did not even ask for a hearing.

Verizon just wanted to make sure it was covered; it did not, apparently, show much concern about continued participation in it.

And this is somewhat consistent with the request for more information Sprint made in 2009.

So that’s what Verizon would do if it received another Secondary Order in the next few weeks. Until such time as the Second Circuit issues an injunction, I suspect Verizon would likely continue producing records, even though it might ask to see evidence that FISC had considered the Second Circuit ruling before issuing any new orders.

Some Thoughts on USA F-ReDux

There’s a funny line in the House Judiciary Committee’s report on USA F-ReDux. Amid the discussion of the new Call Detail Record function, it explains the government will be doing CDR chaining on “metadata it already lawfully possesses,” even as providers will be chaining on metadata in their possession.

In addition, the government can use the FISC-approved specific selection term to identify CDRs from metadata it already lawfully possesses.

The line should not be surprising. As I reported in 2013, the NSA does what are called “federated” queries, metadata chaining across data collected from a variety of sources. This line, then, simply acknowledges that the government will continue to conduct what amounts to federated queries even under the new system.

But the line ought to raise the question, “where does this lawfully possessed data come from?”

The data almost certainly comes from at least 3 sources: metadata taken from PRISM collection in databases that get copied wholesale (so Internet metadata within a hop of a foreign target), records of international phone calls, and records from Internet data collected overseas.

The latter two, of course, would be collected in bulk.

So within the report on a bill many claim ends bulk collection of Americans’ phone records is a tacit admission that the bulk collection continues (not to mention that the government has broad access to data collected under PRISM).

After yesterday’s 338 – 88 vote in the House in favor of USA F-ReDux, a number of people asked me to explain my view on the bill.

First, the good news. As I noted, while the language on CDR chaining in the actual bill is muddled, the House report includes language that would prohibit most of the egregious provider-based chaining I can imagine. So long as nothing counters that, one of my big concerns dating back to last year has been addressed.

I also opposed USAF last fall because I expected the Second Circuit would weigh in in a way that was far more constructive than that bill, and I didn’t want a crappy bill to moot the Second Circuit. While there are many things that might yet negate the Second Circuit ruling (such as conflicting decisions from the DC or 9th Circuits or a reversal by SCOTUS), the Second Circuit’s decision was even more useful than I imagined.

But that’s part of why I’m particularly unhappy that Specific Selection Term has not been changed to require the government to more narrowly target its searches. Indeed, I think the bill report’s language on this is particularly flaccid.

Section 501(b)(2)(A) of FISA will continue to require the government to make ‘‘a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation….’’50 Section 103 requires the government to make an additional showing, beyond relevance, of a specific selection term as the basis for the production of the tangible things sought, thus ensuring that the government cannot collect tangible things based on the assertion that the requested collection ‘‘is thus relevant, because the success of [an] investigative tool depends on bulk collection.’’ 51 Congress’ decision to leave in place the ‘‘relevance’’ standard for Section 501 orders should not be construed as Congress’ intent to ratify the FISA Court’s interpretation of that term. These changes restore meaningful limits to the ‘‘relevance’’ requirement of Section 501, consistent with the opinion of the U.S. Court of Appeals for the Second Circuit in ACLU v. Clapper.

Meaningful limits on “relevant to” would be specific guidelines for the court on what is reasonable and what is not. Instead, USA F-ReDux still subjects the narrowness of an SST to a “greatest extent reasonably practicable” standard, which in the past we’ve seen amount to prioritization of the practicability of spying over privacy interests. While people can respectfully disagree on this front, I believe USA F-ReDux still permits both bulk collection of non-communications records and bulky collection of communications records (including FBI’s Internet collection). In the wake of the Second Circuit opinion, I find that especially inexcusable.

I also am not convinced USA F-ReDux is an across-the-board privacy win. I argued last year that USAF swaps a well-guarded unexploded nuclear bomb for many more exploding IEDs striking at privacy. By that, I mean that the new CDR function will probably not result in any less privacy impact, in practice (that is, assuming NSA follows its own minimization rules, which it hasn’t always), than the prior dragnet. That’s true because:

  • We have every reason to believe the CDR function covers all “calls,” whether telephony or Internet, unlike the existing dragnet. Thus, for better and worse, far more people will be exposed to chaining than under the existing dragnet. It will catch more potential terrorists, but also more innocent people. As a result, far more people will be sucked into the NSA’s maw, indefinitely, for exploitation under all its analytical functions. This raises the chances that an innocent person will get targeted as a false positive.
  • The data collected under the new CDR function will be circulated far more broadly than status quo. Existing dragnet orders limit access to the results of queries to those with special training unless one of four named individuals certifies that the query result relates to counterterrorism. But USA F-ReDux (and the current minimization procedures for Section 702 data; USA F-ReDux will likely use the PRISM infrastructure and processing) makes it clear that FBI will get access to raw query results. That almost certainly means the data will be dumped in with FBI’s PRISM and FISA data and subjected to back door searches at even the assessment level, even for investigations that have nothing to do with terrorism. As on the NSA side, this increases the risk that someone will have their lives turned upside down for what amounts to being a false positive. It also increases the number of people who, because of something in their metadata that has nothing to do with a crime, can be coerced into becoming an informant. And, of course, they’ll still never get notice that that’s where this all came from, so they will have a difficult time suing for recourse.

One other significant concern I’ve got about the existing bill — which I also had last year — is that the emergency provision serves as a loophole for Section 215 collection; if the FISC deems emergency collections illegal, the government still gets to keep — and parallel construct — the data. I find this especially concerning given how much Internet data FBI collects using this authority.

I have — as I had last year — mixed feelings about the “improvements” in it. I believe the amicus, like initial efforts to establish PCLOB, will create an initially ineffective function that might, after about 9 years, someday become effective. I believe the government will dodge the most important FISC opinion reporting, as they currently do on FOIAs. And, in spite of a real effort from those who negotiated the transparency provisions, I believe that the resulting reporting will result in such a thoroughly and affirmatively misleading picture of surveillance that it may well be counterproductive, especially in light of the widespread agreement the back door searches of Section 702 data must be closed (while there are a few improvements on reporting to Congress in this year’s bill, the public reporting is even further gutted than it was last year).

And now there’s new gunk added in.

One change no one has really examined is a change extending “foreign power” status from those proliferating WMDs to those “conspiring” or “abetting” efforts to do so. I already have reasons to believe the WMD spying under (for example) PRISM is among the more constitutionally problematic. And this extends that in a way no one really understands.

Even more troublesome is the extension of Material Support maximum sentences from 15 to 20 years. Remember, under Holder v. HLP, a person can be convicted of material support for First Amendment protected activities. Thus, USA F-ReDux effectively embraces a 20 year sentence for what could be (though isn’t always) thought crimes. And no one has explained why it is necessary! I suspect this is an effort to use harsh sentences to coerce people to turn informant. If so, then this is an effort to recruit fodder for infiltrators into ISIS. But if all that’s correct, it parallels similar efforts under the Drug War to use excessive sentences to recruit informants, who — it turns out in practice — often lead to false convictions and more corruption. In other words, at a moment when there is bipartisan support for sentencing reform for non-violent crimes (for which many cases of Material Support qualify), USA F-ReDux goes in the opposite direction for terrorism, all at a time when the government claims it should be putting more emphasis on countering extremism, including diversion.

So while I see some advantages to the new regime under USA F-ReDux (ironically, one of the most important is that what surveillance the government does will be less ineffective!), I am not willing to support a bill that has so many bad things in it, even setting aside the unconstitutional surveillance it doesn’t address and refuses to count in transparency provisions. I think there need to be privacy advocates who live to fight another day (and with both ACLU and EFF withdrawing their affirmative support for the bill, we at least have litigators who can sue if and when we find the government violating the law under this new scheme — I can already identify an area of the bill that is certainly illegal).

That said, it passed with big numbers yesterday. If it passes, it passes, and a bunch of authoritarians will strut their purported support for liberty.

At this point, however, the priority needs to be on preventing the bill from getting worse (especially since a lot of bill boosters seem not to have considered at what point they would withdraw their support because the bill had gotten too corrupted). Similarly, while I’m glad bill sponsors Jim Sensenbrenner and Jerry Nadler say they won’t support any short-term extension, that may tie their own hands if what comes back is far worse than status quo.

There’s some good news there, too. The no votes on yesterday’s House vote were almost exclusively from supporters of privacy who believe the bill doesn’t go far enough, from Justin Amash to Jared Polis to Tom Massie to Donna Edwards to Ted Poe to rising star Ted Lieu and — most interestingly — Jan Schakowsky (who voted for the crappier House bill when she was on HPSCI last year). Hopefully, if and when Mitch McConnell throws in more turdballs, those who opposed the bill yesterday can whip efforts to defeat it.

Stay tuned.

USA F-ReDux: The Risks Ahead

Sometime after 2 today, the House will pass USA F-ReDux by a large margin. Last night the Rules Committee rejected all amendments, including two (a version of the Massie-Lofgren amendment prohibiting back doors and a Kevin Yoder amendment that would have improved ECPA protections) that have majority support in the House.

After the bill passes the House today it will go to the Senate where Mitch McConnell will have his way with it.

What happens in the Senate is anyone’s guess.

One reason no one knows what Mitch has planned is because most people haven’t figured out what Mitch really wants. I think there are 3 possibilities:

  • He actually wants USA F-ReDux with some tweaks (about which more below) and the threat of a straight reauthorization is just a tactic to push through those tweaks; this makes the most sense because USA F-ReDux actually gives the IC things they want and need that they don’t currently have
  • There is something the government is doing — a bulk IP program, for example — that Mitch and Burr plan to provide Congressional sanction for even while basically adopting USA F-ReDux as a limit on Section 215 (but not other authorities); the problem with this plan is that secret briefings like the Administration offered the Senate, but not the House, last night don’t seem to meet the terms of ratification described by the Second Circuit
  • The Second Circuit decision threatens another program, such as SPCMA (one basis for Internet chaining involving US persons right now), that the Senate believes it needs to authorize explicitly and that’s what the straight reauthorization is about
  • [Update] I’m reminded by Harley Geiger that Mitch might just be playing to let 215 sunset so he can create a panic that will let him push through a worse bill. That’s possible, but the last time such an atmosphere of panic reigned, after Congress failed to replace Protect America Act in 2008, it worked to reformers’ advantage, to the extent that any cosmetic reform can be claimed to be a win.

I think — though am not certain — that it’s the first bullet, though Burr’s so-called misstatement the other day makes me wonder. If so, Mitch’s procedural move is likely to consist of starting with his straight reauthorization but permitting amendments, Patrick Leahy introducing USA F-ReDux as an amendment, Ron Wyden and Rand Paul unsuccessfully pushing some amendments to improve the bill, and Richard Burr adding tweaks to USA F-ReDux that will make it worse. After that, it’s not clear how the House will respond.

Which brings me to what I think Burr would want to add.

As I’ve said before, I think hawks in the Senate would like to have data mandates, rather than the data handshake that Dianne Feinstein keeps talking about. While last year bill supporters — including corporate backers — suggested that would kill the bill, I wonder whether everyone has grown inured to the idea of data retention, given that they’ve been silent about the data handshake since November.

I also suspect the IC would like to extend the CDR authority to non-terrorism functions, even including drug targets (because they probably were already using it as such).

The Senate may try to tweak the Specific Selection Term language to broaden it, but it’s already very very permissive.

I’m also wondering if the Senate will introduce language undermining the limiting language HJC put in its report.

Those are the predictable additions Burr might want. There are surely a slew more (and there will be very little time to review it to figure out the intent behind what they add).

The two big questions there are 1) are any of those things significant enough to get the House to kill it if and when it gets the bill back and 2) will the House get that chance at all?

Did the Government Comply with FISC Requirement of Notice on Appellate Decision

I’m prepping a post on how all the various deadlines over the next several weeks will work together. So I’ve been reviewing the instructions James Boasberg laid out in the most recent dragnet order, which he signed on February 26.

First, Boasberg reminded the government — which had turned in its homework late in February — that FISC gets a week to consider any application. That means they need the next application by May 22.

Remember, the House breaks for Memorial Day on May 21 (that is, they’re not scheduled to be in session on May 22) and the Senate breaks on May 22.

The government will almost certainly have to submit a new dragnet order by May 22. That’s because USA F-ReDux allows bulk collection to continue for 6 months as it sets up PRISM-lite for provider compliance. But as I understand it, the new dragnet order has to happen under USA F-ReDux, not PATRIOT.

That may shave one day off the legislative schedule.

More interesting is Boasberg’s order that if any of the three appellate courts reviewing the dragnet issues an opinion “prior to the expiration of this Order, the government is directed to inform the Court promptly if the government’s implementation of this Order has changed as a result of such opinion(s).”

Now, in actuality, the government might only have to send a short note saying, “the Second Circuit ruled, told us this is unlawful, but also did not issue an injunction because Congress is about to act on it.” But they have to send some kind of notice, per this order.

Did they?
