1 2 3 15

The Loopholes in DOJ’s New Stingray Policy

DOJ just announced a new policy on use of Stingrays which requires a warrant and minimization of incidentally-collected data. It’s big news and an important improvement off the status quo.

But there are a few loopholes.

Exigent and emergency uses

First, the policy reserves exigent uses. The exigent uses include most of DOJ Agencies known uses of Stingrays now.

These include the need to protect human life or avert serious injury; the prevention of the imminent destruction of evidence; the hot pursuit of a fleeing felon; or the prevention of escape by a suspect or convicted fugitive from justice.


In addition, in the subset of exigent situations where circumstances necessitate emergency pen register authority pursuant to 18 U.S.C. § 3125 (or the state equivalent), the emergency must be among those listed in Section 3125: immediate danger of death or serious bodily injury to any person; conspiratorial activities characteristic of organized crime; an immediate threat to a national security interest; or an ongoing attack on a protected computer (as defined in 18 U.S.C. § 1030) that constitutes a crime punishable by a term of imprisonment greater than one year.

We know the US Marshals constitute the most frequent users of admitted Stingray use — they’d be covered in prevention of escape by a fugitive. DEA seems to use them a lot (though I think more of that remains hidden). That’d include “conspiratorial activities characteristic of organized crime.” And it’s clear hackers are included here, which includes the first known use, to capture Daniel Rigmaiden.

And I’m not sure whether the exigent/emergency use incorporates the public safety applications mentioned in the non-disclosure agreements localities sign with the FBI, or if that’s included in this oblique passage.

There may also be other circumstances in which, although exigent circumstances do not exist, the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. In such cases, which we expect to be very limited, agents must first obtain approval from executive-level personnel at the agency’s headquarters and the relevant U.S. Attorney, and then from a Criminal Division DAAG. The Criminal Division shall keep track of the number of times the use of a cell-site simulator is approved under this subsection, as well as the circumstances underlying each such use.

In short, many, if not most, known uses are included in exceptions to the new policy.

Notice to defendants

The many known uses of Stingrays where warrants would not be necessary — and where DOJ would therefore just be using a PRTT — are of particular importance given the way new disclosure requirements work. There are, to be sure, admirable new requirements to tell judges what the fuck they’re approving and what it means. But nothing explicitly says defendants will not get noticed. DOJ has said no past or current usage of Stingrays will get noticed to defendants. And all these non-warrant uses of Stingrays will be noticed either, probably. In other words, this returns things to the condition where defendants won’t know — because they would normally expect to see a warrant that wouldn’t exist in these non-warrant uses.

Sharing with localities

The policy doesn’t apply to localities, which increasingly have their own Stingrays they permit federal agencies to use. Curiously, the language applying this policy to federal cooperation with localities would suggest the federal rules only apply if the Feds are supporting localities, not if the reverse (FBI borrowing Buffalo’s Stingray, for example) is the case.

The Department often works closely with its State and Local law enforcement partners and provides technological assistance under a variety of circumstances. This policy applies to all instances in which Department components use cell-site simulators in support of other Federal agencies and/or State and Local law enforcement agencies.

Thus, it may leave a big out for the kind of cooperation we know to exist.

National security uses

Then, of course, the policy only applies in the criminal context, though DOJ claims it will adopt a policy “consistent” with this one on the FISC side.

This policy applies to the use of cell-site simulator technology inside the United States in furtherance of criminal investigations. When acting pursuant to the Foreign Intelligence Surveillance Act, Department of Justice components will make a probable-cause based showing and appropriate disclosures to the court in a manner that is consistent with the guidance set forth in this policy.

BREAKING! FBI has been using Stingrays in national security investigations! (Told ya!)

This language is itself slippery. FISC use of Stingrays probably won’t be consistent on the FISC side (even accounting for the many ways exigent uses could be claimed in national security situations), because we know that FISC already has different rules for PRTT on the FISC side, in that it permits collection of post cut through direct dialed numbers — things like extension numbers — so long as that gets minimized after the fact. The section on minimization here emphasizes the “law enforcement” application as well. So I would assume that not only will national security targets of Stingrays not get noticed on it, but they may use different minimization rules as well (especially given FBI’s 30 year retention for national security investigation data).

Other agencies use of Stingrays for content

DOJ suggests that DOJ never collects content using Stingrays by stating that its Stingrays always get set not to collect content.

Moreover, cell-site simulators used by the Department must be configured as pen registers, and may not be used to collect the contents of any communication, in accordance with 18 U.S.C. § 3127(3). This includes any data contained on the phone itself: the simulator does not remotely capture emails, texts, contact lists, images or any other data from the phone. In addition, Department cell-site simulators do not provide subscriber account information (for example, an account holder’s name, address, or telephone number).

But the rest of the policy makes it clear that department agents will work with other agencies on Stingray use. Some of those — such as JSOC — not only would have Stingrays that get content, but can even partner within the US with FBI.  So DOJ hasn’t actually prohibited its agencies from getting content from a Stingray (domestically — it goes without saying they’re permitted to do so overseas), just that it won’t do so using its own Stingrays.

Funny definitional games

Finally, while not necessarily a loophole (or at least not one I completely understand yet), I’m interested in this definition.

In the context of this policy, the terms “collection” and “retention” are used to address only the unique technical process of identifying dialing, routing, addressing, or signaling information, as described by 18 U.S.C. § 3 I 27(3), emitted by cellular devices. “Collection” means the process by which unique identifier signals are obtained; “retention” refers to the period during which the dialing, routing, addressing, or signaling information is utilized to locate or identify a target device, continuing until tlle point at whic!h such information is deleted.

This definition (which only applies to this policy and therefore perhaps not to national security uses of Stingrays) employs an entirely different definition for collection and retention than other collection that relies on collection then software analysis. Under upstream collection, for example, the government calls this definition of “retention” something closer to “collection.” Don’t get me wrong — this is probably a better definition than that used in other contexts. But I find it funny that FBI employs such different uses of these words in very closely connected contexts.

So, in sum, this is a real victory, especially the bit about actually telling judges what they’re approving when they approve it.

But there are some pretty obvious loopholes here….

Update: ACLU also welcomes this while pointing to some of the limits of the policy.

Update: Here are some of my posts on the FISA uses of PRTT, including (we now know) Stingrays.

I Con the Record: Drop the Lawsuits and We’ll Release the Data Hostages

I Con the Record just announced that the NSA will make the phone dragnet data it has “analytically unavailable” after the new system goes live in November, and unavailable even to techs three months later.

On June 29, 2015, the Foreign Intelligence Surveillance Court approved the Government’s application to resume the Section 215 bulk telephony metadata program pursuant to the USA FREEDOM Act’s 180-day transition provision. As part of our effort to transition to the new authority, we have evaluated whether NSA should maintain access to the historical metadata after the conclusion of that 180-day period.

NSA has determined that analytic access to that historical metadata collected under Section 215 (any data collected before November 29, 2015) will cease on November 29, 2015.  However, solely for data integrity purposes to verify the records produced under the new targeted production authorized by the USA FREEDOM Act, NSA will allow technical personnel to continue to have access to the historical metadata for an additional three months.

Separately, NSA remains under a continuing legal obligation to preserve its bulk 215 telephony metadata collection until civil litigation regarding the program is resolved, or the relevant courts relieve NSA of such obligations. The telephony metadata preserved solely because of preservation obligations in pending civil litigation will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.

As I understand it, whatever data has been found to be two or three degrees of separation from a baddie will remain in NSA’s maw, but the data that has never returned off a search will not.

I’m pleasantly surprised by this, as I suspect it reflects a decision to accept the Second Circuit verdict in ACLU v. Clapper and to move to shut down other lawsuits.

As I noted, two weeks ago, the ACLU moved for an injunction against the dragnet, which not only might have led to the Second Circuit ordering the government to purge ACLU’s data right away (and possibly, to stop collecting all data), but also basically teed up the Second Circuit to remind the FISC it is not an appellate court. I worried that would lead the FISC to ask FISCR to review its dragnet decisions under a provision newly provided under the USA F-ReDux.

Shortly after ACLU filed its request for an injunction, the government asked for an extension to … today, which the court granted.

So I assume we’ll shortly see that filing arguing that, since the government has voluntarily set a purge date for all the dragnet data, ACLU should not get its injunction.

That doesn’t necessarily rule out a FISCR fast track request, but I think it makes it less likely.

The other player here, however, is the EFF.

I believe both ACLU and EFF’s phone dragnet client Council on American Islamic Relations, had not only standing as clients of dragnetted companies, but probably got swept up in the two-degree dragnet. But CAIR probably has an even stronger case, because it is public that FISC approved a traditional FISA order against CAIR founder Nihad Awad. Any traditional FISA target has always been approved as a RAS seed to check the dragnet, and NSA almost certainly used that more back when Awad was tapped, which continued until 2008. In other words, CAIR has very good reason to suspect the entire organization has been swept up in the dragnet and subjected to all of NSA’s other analytical toys.

EFF, remember, is the one NGO that has a preservation order, which got extended from its earlier NSA lawsuits (like Jewel) to the current dragnet suit. So when I Con the Record says it can’t destroy all the data yet, it’s talking EFF, and by extension, CAIR. So this announcement — in addition to preparing whatever they’ll file to get the Second Circuit off its back — is likely an effort to moot that lawsuit, which in my opinion poses by far the biggest threat of real fireworks about the dragnet (not least because it would easily be shown to violate a prior SCOTUS decision prohibiting the mapping of organizations).

We’ll see soon enough. For the moment, though, I’m a bit surprised by the cautious approach this seems to represent.

Update: Timeline on data availability fixed.

Update: Here’s the government’s brief submitted today. I’m rather intrigued by how often the brief claims USA F-ReDux was about bulk “telephony” data when it was supposed to be about all bulk collection. But I guess I can return to that point.

Update: They depart from describing USA F-ReDux as a ban bulk collection of telephony when they describe it as a ban on collection of bulk collection under Section 215, also not what the bill says.

Part of the compromise on which Congress settled, which the President supported, was to add an unequivocal ban on bulk collection under Section 215 specifying that “[n]o order issued under” Section 215(b)(2) “may authorize collection of tangible things without the use of a specific selection term that meets the requirements” of that subsection.

Update: This is key language — and slightly different from what they argued before FISC. I will return to it.

Plaintiffs assert that, by not changing the language of Section 215 authorizing the collection of business records during the transition period, Congress implicitly incorporated into the USA FREEDOM Act this Court’s opinion holding that Section 215 did not authorize bulk collection. See Pls.’ Mot. 7- 8. Plaintiffs rely on language providing that the legislation does not “alter or eliminate the authority of the Government to obtain an order under” Section 215 “as in effect prior to the effective date” of the statute. USA FREEDOM Act § 109, 129 Stat. at 276. That language does not advance plaintiffs’ argument, however, because the statute says nothing expressly about what preexisting authority the government had under Section 215 to obtain telephony metadata in bulk. It is implausible that Congress employed the  word “authority” to signify that the government lacked authority to conduct the Section 215 bulk telephony-metadata program during the 180-day transition period, contrary to the FISC’s repeated orders and the Executive Branch’s longstanding and continuing interpretation and application of the law, and notwithstanding the active litigation of that question in this Court. That is especially so because language in the USA FREEDOM Act providing for the 180-day transition period has long been a proposed feature of the legislation. It is thus much more plausible that the “authority” Congress was referring to was not the understanding of Section 215 reflected in this Court’s recent interpretation of Section 215, but rather the consistent interpretation of Section 215 by 19 different FISC judges: to permit bulk collection of telephony metadata.

Illiberal Hollywood: What’s the Point of a Union if It Doesn’t Represent Members?

BrokenHollywoodThis year continues to be a big one for women in film. Films featuring women as leads and/or directed by women made beaucoup at the box office. Mad Max: Fury Road, Pitch Perfect 2, Insurgent, and Fifty Shades of Grey are among the top ten films out of more than 284 released so far this year. Two of these films were directed by women; all four featured female leads. And two of these films put to lie once again the bullshit claim that ‘women can’t lead action films.’

The immense popularity of these movies — especially with women — demonstrates how much Hollywood underserves the female audience, in spite of repeated studies revealing how much women contribute to box office results. Women want women’s stories, told by women, and they’ve gotten them too rarely.

You’d think that Hollywood would actively court the single largest demographic by catering to its desires — but no. The film production pipeline remains solidly weighted toward men, still chasing the increasingly distracted 18-25 year-old male demographic.

It’s not as if women aren’t available as actors or directors. The Directors Guild of America (DGA) — the labor organization representing directors — counts among its ranks roughly 1200 female directors, reflecting the parity of female students who’ve been through film school or learned on the job in other production roles.

Which makes one wonder why actor/director/producer George Clooney said in a recent interview, “…there’s something like 15 female directors in a town of directors …

If a household name like Clooney doesn’t know more female directors, what exactly is it the DGA is doing for its female membership? It’s clearly not representing them within their own organization, let alone to studios and the public.

The ACLU‘s May 12th letter to the federal Equal Employment Opportunity Commission (EEOC) spelled out DGA’s complicity with Hollywood’s exclusion of female directors, when it asked the EEOC to investigate discriminatory practices. DGA has denied the use of short lists, but apart from preparing regular reports on diversity in hiring, it’s not clear at all what the DGA does to further the hiring of women directors. Continue reading

ACLU’s Poker Face

Thus far, I have not seen a statement from the ACLU on last night’s developments with respect to the PATRIOT Act — the passage of cloture, McConnell’s failure to even ask for an immediate vote, followed by McConnell filing several amendments that would weaken USA F-ReDux. [Correction: here is one. h/t EG]

Indeed, no one even seems to be interested what the ACLU thinks about all this, reporting the key players to include Mitch McConnell and Richard Burr, the White House and Intelligence Agencies, and the House, especially House leadership that would be forced to shepherd any changes to USA F-ReDux back through the House, but not the ACLU.

I’m interested.

Especially with Burr’s amendment to extend the transition period to the new phone records program to a full year. After all, ACLU’s lawsuit just got punted back to the District to see what happens now, but it was punted based on the presumption that Congress was going to fix the illegal dragnet “soon.”

A year is not “soon,” at least not in my book.

If ACLU agrees with me, they can asks the judges to provide some relief “sooner” than a year from now, either by ordering an earlier end to the dragnet or — at the very least — requiring the NSA to pull all of ACLU’s records from their dragnet. Indeed, given the number of active court challenges the ACLU has against the government, they’d be able to argue pretty compellingly they need quicker relief than a year.

In the past, NSA has suggested it would be too onerous to pull the records of one plaintiff from the dragnet. Who knows whether they were just bullshitting judges, but if it is too onerous, that would present other issues.

All of which is my way of saying the ACLU may have a few cards of interest in their hand that no one is much considering. I’m not going to ask them what they’re holding, mind you. I like that they may be deliberating in secret to thwart efforts to extend the dragnet.

I’m just noting that they do appear to still be holding some cards…

Government’s Assassination of Anwar al-Awlaki Used “Significantly Different” EO 12333 Analysis

Jameel Jaffer has a post on the government’s latest crazy-talk in the ongoing ACLU and NYT effort to liberate more drone memos. He describes how — in the government’s response to their appeal of the latest decisions on the Anwar al-Awlaki FOIA — the government claims the Court’s release of an OLC memo does not constitute official release of that memo. (Note, I wouldn’t be surprised if the government is making this claim in anticipation of orders to release torture pictures in ACLU’s torture FOIA suit that’s about to head to the 2nd Circuit.)

But there’s another interesting aspect of that brief. It provides heavily redacted discussion of the things Judge Colleen McMahon permitted the government to withhold. But it makes it clear that one of those things is a March 2002 OLC memo that offers different analysis about the assassination ban than the analysis used to kill Anwar al-Awlaki.

The district court also upheld the withholding of a March 2002 OLC Memorandum analyzing the assassination ban in Executive Order 12,333 (the “March 2002 Memorandum”). (CA 468-70; see CA 315-29). Although the district court noted that the OLC-DOD Memorandum released by this Court contained a “brief mention” of Executive Order 12,333, the district court concluded that the analysis in the March 2002 Memorandum is significantly different from any legal analysis that this Court held has been officially disclosed and for which privilege has been waived.

The statement here is carefully worded, probably for good reason. That’s because the February 19, 2010 memo McMahon permitted the government to almost entirely redact clearly explains EO 123333 and its purported ban on assassinations in more depth than the July 16, 2010 one; the first paragraph ends,

Under the conditions and factual predicates as represented by the CIA and in the materials provided to us from the Intelligence Community, we believed that a decisionmaker, on the basis of such information, could reasonably conclude that the use of lethal force against Aulaqi would not violate the assassination ban in Executive Order 12333 or any application constitutional limitations due to Aulaqi’s United States citizenship.

I pointed out that there must be more assassination analysis here. It almost certainly resembles what Harold Koh said about a month later, for which activists at NYU are now calling into question his suitability as an international law professor.

Fourth and finally, some have argued that our targeting practices violate domestic law, in particular, the long-standing domestic ban on assassinations. But under domestic law, the use of lawful weapons systems—consistent with the applicable laws of war—for precision targeting of specific high-level belligerent leaders when acting in self-defense or during an armed conflict is not unlawful, and hence does not constitute “assassination.”

But the government is claiming that because that didn’t get disclosed in the July 2010 memo, it doesn’t have to be disclosed in the February 2010 memo, and the earlier “significantly different” analysis from OLC doesn’t have to be disclosed either.

At a minimum, ACLU and NYT ought to be able to point to the language in the white paper that addresses assassinations that doesn’t appear in the later memo to show that the government has already disclosed it.

But I’m just as interested that OLC had to change its previous stance on assassinations to be able to kill Awlaki.

Of course, the earlier memo was written during a period when John Yoo and others were pixie dusting EO 12333, basically saying the President didn’t have to abide by EO 12333, but could instead violate it and call that modifying it. Perhaps that’s the difference — that David Barron invented a way to say that killing a high ranking leader (whether or not he’s a citizen) didn’t constitute assassination because of the weapons systems involved, as distinct from saying the President could blow off his own EOs in secret and not tell anyone.

I suggested Dick Cheney had likely pixie dusted EO 12333’s ban on assassinations back in 2009.

But there’s also the possibility the government had to reverse the earlier decision in some other fashion. After all, when Kamal Derwish was killed in a drone strike in Yemen on November 9, 2002, the government claimed Abu Ali al-Harithi was the target, a claim the government made about its December 24, 2009 attempt to kill Anwar al-Awlaki, but one they dropped in all subsequent attempts, coincident with the February 2010 memo. That is, while I think it less likely than the alternative, it is possible that the 2010 analysis is “significantly different” because they had to interpret the assassination ban even more permissively. While I do think it less likely, it might explain why Senators Wyden, Udall, and Heinrich keep pushing for more disclosure on this issue.

One thing is clear, however. The fact that the government can conduct “significantly different” analysis of what EO 12333 means, in secret, anytime it wants to wiretap or kill a US citizen makes clear that it is not a meaningful limit on Executive power.

The FBI PRTT Documents: Combined Orders

As I noted the other day, I’m working through documents submitted in EPIC’s FOIA for PRTT documents (see all of EPIC’s documents on this case here).

In addition to the documents released (the reports to Congress, the extensive reporting on the Internet dragnet), the government submitted descriptions of what appear to be two (possibly three) sets of documents withheld: documents pertaining to orders combining a PRTT and Section 215 order, and documents pertaining to a secret technique, which we’ll call the Paragraph 31 technique. In this post I’ll examine the “combined order” documents.

The Vaughn Index for this FOIA made it clear that a number of the documents Withheld in Full (WIF) pertained to orders combing the Pen Register and Section 215 (Business Record) authorities, as does this list from David Hardy’s second declaration.

Screen Shot 2014-11-30 at 11.46.30 AM

Footnotes 3, 4, and 5 all note that these documents have already been successfully withheld in the EFF’s FOIA for Section 215 documents, and by comparing the page numbers in that Vaughn Index in that case, we can guess with some confidence that these orders are the following documents and dates:

  • Document 16 is EFF 89D, dated  2/17/2006, 17 pages
  • Document 17 is EFF 89K,  dated 2/24/2006, 8 pages

As I’ll show, this correlates with what we can glean from the DOJ IG Reports on Section 215.

I’m less certain about Document 12. Both the EFF and ACLU Vaughn Indices show a 10/31/06 document (it is 82C in the EFF Vaughn) that is the correct length, 4 pages, that is linked with another 10/31/06 document (see 82B and 84, for example). For a variety of reasons, however, I think we can’t rule out Document 89S which appears only in the EFF FOIA (but not the ACLU FOIA), which is dated December 16, 2005 (intriguingly, the day after NYT exposed Stellar Wind), in which case the withheld portion might be the relevant 4 pages of a longer 16 page order.

Continue reading

Fixes for USA Freedom Act

I’m now being accused by USA Freedom Act champions of not providing constructive suggestions on how to improve USAF (even though I have, both via channels they were involved in and channels they are not party to) [oops, try this tweet, which is still active].

Now that it appears people who previously claimed I was making all this up now concede some of my critiques as a valid, here goes: my suggestions for how to fix the problems I identified in this post.

Problem: No one will say how the key phone record provision of the bill will work

Fix: Permit the use of correlations — but provide notice to defendants because this is probably unconstitutional warrantless surveillance

There is one application of connection chaining that I find legitimate, and two that are probably unconstitutional. The legitimate application is the burner phone one: to ask providers to use their algorithms (including new profiles of online use) to find the new phones or online accounts that people adopt after dropping previous ones, which is what AT&T offers under Hemisphere. To permit that, you might alter the connection chaining language to say providers can chain on calls and texts made, as well as ask providers to access their own records to find replacement phones. Note, however, that accuracy on this mapping is only about 94% per Hemisphere documents, so it seems there needs to be some kind of check before using those records.

The two other applications — the ones I’m pretty sure are or should be unconstitutional without a warrant — are 1) the use of cloud data, like address books, calendars, and photos, to establish connections, and 2) the use of phone records like Verizon’s supercookie to establish one-to-one correlations between identities across different platforms. I think these are both squarely unconstitutional under the DC Circuit’s Maynard decision, because both are key functions in linking all these metadata profiles together, and language in Riley would support that too. But who knows? I’m not an appellate judge.

To prevent the government from doing this without really independent judicial review — and more generally to ensure Section 215 is not abused going forward — the best fix is to require notice to defendants if any evidence from Section 215 or anything derived from it, including the use of metadata as an index to identify content, is used in a proceeding against them. Given that Section 215’s secret application is now unclassified, they should even get a fairly robust description of how it was used. After all, if this is just third party doctrine stuff, it can’t be all that secret!

Problem: USAF negotiates from a weak position and likely moots potentially significant court gains

Fix (sort of): Provide notice to defendants under Section 215

I’m frankly of the opinion that ACLU’s Alex Abdo kicked DOJ’s ass so thoroughly in the 2nd Circuit, that unless that decision is mooted, it will provide a better halt to dragnets than any legislation could. But I get that that’s a risk, especially with Larry Klayman botching an even better setup in the DC Circuit.

But I do think the one way to make sure we don’t lose the opportunity for a judicial fix to this is to provide notice to defendants of any use or derivative use of Section 215. The government has insisted (most recently in the Reaz Qadir Khan case, but also did so in the Dzhokhar Tsarnaev and derivative cases, where we know they used the phone dragnet) that it doesn’t have to give such notice. If they get it — with the ability to demonstrate that their prosecution arises out of a warrantless mosaic analysis of their lives which provides the basis for the order providing access to their content — then at least there may be a limited judicial remedy in the future, even if it’s not Abdo fighting for his own organization. FISCR said PAA was legal because of precisely these linking procedures, but if they’re not (or if they require a warrant) then PRISM is not legal either. Defendants must have the ability to argue that in court.

Problem: USAF’s effects in limiting bulk collection are overstated

Fix: Put temporal limits on traditional 215 collection, add flexibility into the emergency provision, but adopt existing emergency provision

USAF prohibits using a communications provider corporate person as a selector, but permits the use of a non-communications corporate person as a selector, meaning it could still get all of Visa’s or Western Union’s records. I understand the government claims it needs to retain the use for corporate person selectors to get things like all the guests at Caesars Palace to see if there are suspected terrorists there. The way to permit this, without at the same time permitting a programmatic dragnet (of, say, all Las Vegas hotels all the time), might be to temporally limit the order — say, limit the use of any non-communications provider order to get a month of records.

But this creates a problem, which is that it currently takes (per the NSL IG Report) 30-40 days to get a Section 215 order. The way to make it possible to get records when you need them, rather than keeping a dragnet, is to permit the use of the emergency provision more broadly. You might permit it to be used with counterintelligence uses as well as the current counterterrorism use (that is, make it available in any case where Section 215 would be available), though you should still limit use of any data collected to the purpose for which it was collected. You might even extend the deadline to submit an application beyond 7 days.

That exacerbates the existing problems with the emergency provision, however, which is that the government gets to keep records if the court finds they misused the statute. To fix this, I’d advise tying the change to the adoption of the existing language from the emergency provision currently in place on the phone dragnet order, specifically permitting FISC to require records be discarded if the government shouldn’t have obtained them. I’d also add a reporting requirement on how many emergency provisions were used (that one would be included in the public reporting) and, in classified form to the intelligence and judiciary committees, fairly precisely what it had been used for. I’d additionally require FBI track this data, so it can easily report what has become of it.

Given that the government may have already abused the emergency provisions, this requires close monitoring. So no loosening of the emergency provision should be put into place without the simultaneous controls.

Problem: USAF would eliminate any pushback from providers

Fix: Put “good faith” language back in the law and provide appeal of demand for proprietary requests

I’d do two things to fix the current overly expansive immunity provisions. First, I’d put the language that exists in other immunity provisions requiring good faith compliance with orders, such that providers can’t be immunized for stuff that they recognize is illegal.

I’d also add language giving them an appeal if the government were obtaining proprietary information. While under current law the government should be able to obtain call records, they shouldn’t be able to require providers also share their algorithms about business records, which is (I suspect) where this going (indeed, the Yahoo documents suggest that’s where it has already gone under PRISM). So make it clear there’s a limit to what is included under third party doctrine, and provide providers with a way to protect their data derived from customer records.

Problem: USAF may have the effect of weakening existing minimization procedures

Fix: Include language permitting FISC approval and review of compliance with traditional 215 minimization procedures and PRTT, adopt emergency provision language currently in place

This should be simple. Just include language letting the court review minimization procedures and review compliance, which is currently what happens and should happen as we get deeper and deeper into mosaic collection (indeed, this might be pitched as a solution to what should be a very urgent constitutional problem for the status quo practice).

Additionally, the bill should integrate the emergency provision currently applicable to the phone dragnet for all Section 215 use, along with reporting on how often and how it is used.

Both of these, importantly, simply codify the current status quo. If the government won’t accept the current status quo, after years of evidence on why it needs this minimal level of oversight from FISC, then that by itself should raise questions about the intelligence community’s intent going forward.

Problem: USAF’s transparency provisions are bullshit

Fix: Require reporting from all providers, give FBI 2 years and a budget to eliminate exemptions, give NSA 2 years to be able to answer all questions

One minimal fix to the transparency provisions is to require reporting not just from all communications providers, but from all providers who have received orders, such that the government would have to report on financial and location dragnets, which are both currently excluded. This would ensure that financial and location dragnets that currently exist and are currently exempted from reporting are included.

As to the other transparency provisions, the biggest problem is that the bill permits both the NSA and FBI to say “omigosh we simply can’t count all this.” I think they’re doing so for different reasons. In my opinion, the NSA is doing so because it is conducting illegal domestic wiretapping, especially to pursue cybersecurity targets. It is doing so because it hasn’t gotten Congress to buy off on using domestic wiretapping to pursue cybertargets. I would impose a 2 year limit on how long ODNI can avoid reporting this number, which should provide plenty of time for Congress to legislate a legal way to pursue cybertargets (along with limits to what kind of cybertargets merit such domestic wiretapping, if any).

I think the FBI refusing to count its collection because it wants to passively collect huge databases of US persons so it can just look up whether people who come under its radar are suspicious. I believe this is unconstitutional — it’s certainly something the government lied to the FISCR in order to beat back Yahoo’s challenge, and arguably the government made a similar lie in Amnesty v. Clapper. If I had my way, I’d require FBI to count how many US persons it was collecting on and back door searching yesterday. But if accommodation must be made, FBI, too, should get just 2 years (and significant funding) to be able to 1) tag all its data (as NSA does, so most of it would come tagged) 2) count it and its back door searches 3) determine whether incoming data is of interest within a short period of time, rather than sitting on it for 30 years. Ideally, FBI would also get 2 years to do the same things with its NSL data.

Again, I think the better option is just to make NSA and FBI count their data, which will show both are violating the Constitution. Apparently, Congress doesn’t want to make them do that. So make them do that over the next 2 years, giving them time to replace unconstitutional programs.

Problem: Other laudable provisions — like the Advocate — will easily be undercut

Fix: Add exemption in the ex parte language on FISA review for the advocate

In this post, I noted that the provision requiring the advocate have all the material she needs to do to do her job conflicts with the provision permitting the government to withhold information on classification or privilege grounds. If there is any way to limit this — perhaps by requiring the advocate be given clearance into any compartments for the surveillance under question (though not necessarily the underlying sources and methods used in an affidavit), as well as mandating that originator controlled (ORCON) documents be required to be shared. This might work like a CIPA provision, that the government must be willing to share something if it wants FISC approval (and with it, the authority to obligate providers).

But since that post, we’ve seen how, in the Yahoo challenge, the government convinced Reggie Walton to apply the ex parte provisions applying to defendants to Yahoo. That precedent would now, in my opinion, apply language on review to any adversary. To fix that, the bill should include conforming language in all the places (such as at 50 USC 1861(c)) that call for ex parte review to make it clear that ex parte review does not apply to an advocate’s review of an order.

I fully expect the IC to find this unacceptable (Clapper has already made it clear he’ll only accept an advocate that is too weak to be effective). But bill reformers should point to the clear language in the President’s speech calling for “a panel of advocates from outside government to provide an independent voice in significant cases before the Foreign Intelligence Surveillance Court.” If the IC refuses to have an advocate that can do the job laid out by statute, they should have to answer to the President, who has called for real advocates (not amici). 

To recap — all this pertains only to the bill on its face, not to the important things the bill is missing, such as a prohibition on back door searches. But these are things that would make USA Freedom Act far better.

I suspect the intelligence community would object to many, if not all of them. But if they do, then it would certainly clarify what their intent really is.

Why DOJ Withheld the Correlations Opinion: The DC Circuit’s Mosaic

On January 9, 2014, the government appealed Judge Richard Leon’s decision finding the phone dragnet in Klayman v. Obama to the DC Circuit.

The DC Circuit, of course, is the court that issued US. v Maynard in 2010, the first big court decision backing a mosaic theory of the Fourth Amendment. And while the panel that ultimately heard the Klayman appeal included two judges who voted to have the entire circuit review Maynard, the circuit precedent in Maynard includes the following statement.

As with the “mosaic theory” often invoked by the Government in cases involving national security information, “What may seem trivial to the uninformed, may appear of great moment to one who has a broad view of the scene.” CIA v. Sims, 471 U.S. 159, 178 (1985) (internal quotation marks deleted); see J. Roderick MacArthur Found. v. F.B.I., 102 F.3d 600, 604 (D.C. Cir. 1996). Prolonged surveillance reveals types of information not revealed by short-term surveillance, such as what a person does repeatedly, what he does not do, and what he does ensemble. These types of information can each reveal more about a person than does any individual trip viewed in isolation. Repeated visits to a church, a gym, a bar, or a bookie tell a story not told by any single visit, as does one‘s not visiting any of these places over the course of a month. The sequence of a person‘s movements can reveal still more; a single trip to a gynecologist‘s office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story.* A person who knows all of another‘s travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups — and not just one such fact about a person, but all such facts.

With that precedent, the DC Circuit is a particularly dangerous court for the Administration to review a dragnet that aspires to collect all Americans’ call records and hold them for 5 years.

On March 31, 2014, the government submitted a motion for summary judgment in EFF’s FOIA for Section 215 documents with an equivalent to the ACLU. One of the only things the government specifically withheld — on the grounds that it described a dragnet analysis technique it was still using — was an August 20, 2008 FISC opinion authorizing the technique in question, which it did not name.

Two days before FISC issued that August 20, 2008 opinion, the NSA was explaining to the court how it made correlations between identifiers to contact chain on all those identifiers. Two days is about what we’ve seen for final applications before the FISC rules on issues, to the extent we’ve seen dates, suggesting the opinion is likely about correlations.

Here’s how the government described correlations, in various documents submitted to the court in 2009.

They define what a correlated address is (and note, this passage, as well as other passages, do not limit correlations to telephone metadata — indeed, the use of “address” suggests correlations include Internet identifiers).

The analysis of SIGINT relies on many techniques to more fully understand the data. One technique commonly used is correlated selectors. A communications address, or selector, is considered correlated with other communications addresses when each additional address is shown to identify the same communicant as the original address.

They describe how the NSA establishes correlations via many means, but primarily through one particular database.

NSA obtained [redacted] correlations from a variety of sources to include Intelligence Community reporting, but the tool that the analysts authorized to query the BR FISA metadata primarily used to make correlations is called [redacted].

[redacted] — a database that holds correlations [redacted] between identifiers of interest, to include results from [redacted] was the primary means by which [redacted] correlated identifiers were used to query the BR FISA metadata.

They make clear that NSA treated all correlated identifiers as RAS approved so long as one identifier from that user was RAS approved.

In other words, if there: was a successful RAS determination made on any one of the selectors in the correlation, all were considered .AS-a. ,)roved for purposes of the query because they were all associated with the same [redacted] account

And they reveal that until February 6, 2009, this tool provided “automated correlation results to BR FISA-authorized analysts.” While the practice was shut down in February 2009, the filings make clear NSA intended to get the automated correlation functions working again,

While it’s unclear whether this screen capture describes the specific database named behind the redactions in the passages above, it appears to describe an at-least related process of identifying all the equivalent identities for a given target (in this case to conduct a hack, but it can be used for many applications).


If I’m right that the August 20, 2008 memo describes this correlations process, it means one of the things the government decided to withhold from EFF and ACLU (who joined Klayman as amici) after deciding to challenge Leon’s decision in a court with a precedent of recognizing a mosaic theory of the Fourth Amendment was a document that shows the government creates a mosaic of all these dragnets.

It’s not just a phone dragnet (and it’s not just US collected phone records). It’s a domestic and internationally-collected phone and Internet and other metadata dragnet, and after that point, if it sucks you into that dragnet, it’s a financial record and other communications dragnet as well (for foreigners, I imagine, you get sucked in first, without an interim stage).

Even though both Janice Rogers Brown and David Sentelle voted to reconsider the mosaic theory in 2010, Sentelle’s questions seemed to reflect a real concern about it. Unsurprisingly, given that he authored a fairly important opinion in US v Quartavious Davis holding that the government needed a warrant to get stored cell site location data while he was out on loan to the 11th Circuit earlier this year, his questions focused on location.

Sentelle: What information if any is gathered about the physical location of wireless callers, if anything? Cell tower type information.

Thomas Byron: So Judge Sentelle, what is not included. Cell tower information is not included in this metadata and that’s made clear in the FISC orders.  The courts have specified that it’s not included.

Note how Byron specified that “cell tower information is not included in this metadata”? Note how he also explains that the FISC has specified that CSLI is not included, without explaining that that’s only been true for 15 months (meaning that there may still be incidentally collected CSLI in the databases). Alternately, if the NSA gets cell location from the FBI’s PRTT program (my well-educated guess is that the FBI’s unexplained dragnet — the data from which it shares with the NSA — is a Stingray program), then that data would get analyzed along with the call records tied to the same phones, though it’s not clear that this location data would be available from the known but dated metadata access, which is known only to include Internet, and EO 12333 and BRFISA phone metadata).

Stephen Williams seemed even more concerned with the Maynard precedent, raising it specifically, and using it to express concern about the government stashing 5 years of phone records.

Williams: Does it make a significant difference that these data are collected for a five year period.

Byron’s response was particularly weak on this point, trying to claim that the government’s 90-day reauthorizations made the 5 years of data that would seem to be clearly unacceptable under Maynard (which found a problem with one week of GPS data) acceptable.

Byron: It’s not clear in the record of this case how much time the telephone companies keep the data but the point is that there’s a 90 day period during which the FISC orders are operative and require the telephone companies to turn over the information from their records to the government for purposes of this program. Now the government may retain it for five years but that’s not the same as asking whether the telephone company must keep it for five years.

Williams: How can we discard the five year period that the government keeps it?

Williams also, later, asked about what kind of identities are involved, which would also go to the heart of the way the government correlates identities (and should warrant questions about whether the government is obtaining Verizon’s supercookie).

Byron expressed incredible (as in, not credible) ignorance about how long the phone companies keep this data; only AT&T keeps its data that long. Meaning the government is hoarding records well beyond what users should have an expectation the third party in question would hoard the data, which ought to eliminate the third party justification by itself.

Janice Rogers Brown mostly seemed to want things to be easy, one bright line that cops could use to determine what they could and could not obtain. Still, she was the only one to raise the other kinds of data the government might obtain.

JRB: Does it matter to whom the record has been conveyed. For instance, medical records? That would be a third party’s record but could you draw the same line.

Byron: Judge Brown, I’m glad you mentioned this because it’s really important to recognize in the context of medical records just as in the context, by the way, of telephone records, wiretap provisions, etcetera, Congress has acted to protect privacy in all of these areas. For example, following the Miller case, Congress passed a statute governing the secrecy of bank records. Following the Smith case, Congress passed a statute governing wiretaps. HIPAA, in your example, Judge Brown, would govern the restrictions, would impose restrictions on the proper use of medical information. So too here, FISA imposes requirements that are then enforced by the Foreign Intelligence Surveillance Court. And those protections are essential to understanding the program and the very limited intrusion on any privacy interest.

While Byron had a number of very misleading answers, this probably aggravated me the most. After all, the protections that Congress created after the Miller case and the Smith case were secretly overridden by the FISC in 2008 and 2010, when it said limitations under FISA extended for NSLs could also be extended for 215 orders. And we have every reason the government could, if not has, obtained medical records if not actual DNA using a Section 215 order; I believe both would fall under a national security exception to HIPAA. Thus, whatever minimization procedures FISC might impose, it has, at the same time blown off precisely the guidelines imposed by Congress.

The point is, all three judges seemed to be thinking — to a greater or lesser extent — of this in light of the Maynard precedent, Williams particularly so. And yet because the government hid the most important useful evidence about how they use correlations (though admittedly the plaintiffs could have submitted the correlations data, especially in this circuit), the legal implications of this dragnet being tied to other phone and Internet dragnets and from there more generalized dragnets never got discussed.

Don’t get me wrong. Larry Klayman likely doomed this appeal in any case. On top of being overly dramatic (which I think the judges would have tolerated), he misstated at least two things. For example, he claimed violations reported at the NSA generally happened in this program alone. He didn’t need to do that. He could have noted that 3,000 people were dragnetted in 2009 without the legally required First Amendment review. He could have noted 3,000 files of phone dragnet data were not destroyed in timely fashion, apparently because techs were using the real data on a research server. The evidence to show this program has been — in the past at least — violative even of the FISC’s minimization requirements is available.

Klayman also claimed the government was collecting location data. He got caught, like a badly prepared school child, scrambling for the reference to location in Ed Felten’s declaration, which talked about trunk location rather than CSLI.

In substantive form, I don’t think those were worse than Byron’s bad evasions … just more painful.

All that said, all these judges — Williams in particular — seemed to want to think of this in terms of how it fit in a mosaic. On that basis, the phone dragnet should be even more unsustainable than it already is. And some of that evidence is in the public record, and should have been submitted into the record here.

Still, what may be the most important part of the record was probably withheld, by DOJ, after DOJ decided it was going to appeal in a circuit where that information would have been centrally important.

The Klayman Hearing: Everyone Can Stand If DOJ Has the Backbone

Update: See this post, which explains that I’m wrong about the timing of Verizon’s different approach to production than AT&T. And that difference precedes Verizon’s withdrawal from the FBI call record program in 2009 — it goes back to 2007.

I’m finally getting around to listening to the Klayman v. Obama hearing from the other day, which you can listen to here. I’ll have more to say on it later. But my impression is that — because of the incomplete reporting of a bunch of NSA beat reporters — Klayman may be improperly thrown out on standing because he is only a Verizon cell customer, not a Verizon landline customer.

Back on June 14, 2013, the WSJ reported that Verizon Wireless and T-Mobile don’t turn over records under the phone dragnet, but that the government obtains those records anyway as they travel across the domestic backbone, largely owned by AT&T and Verizon Business Services.

The National Security Agency’s controversial data program, which seeks to stockpile records on all calls made in the U.S., doesn’t collect information directly from T-Mobile USA and Verizon Wireless, in part because of their foreign ownership ties, people familiar with the matter said.

The blind spot for U.S. intelligence is relatively small, according to a U.S. official. Officials believe they can still capture information, or metadata, on 99% of U.S. phone traffic because nearly all calls eventually travel over networks owned by U.S. companies that work with the NSA.


Much of the U.S.’s telecom backbone is owned by two companies: AT&T and Verizon Business Network Services Inc., a U.S. subsidiary of Verizon Communications that it views as a separate network from its mobile business. It was the Verizon subsidiary that was named in the FISA warrant leaked by NSA contractor Edward Snowden to the Guardian newspaper and revealed last week.

When a T-Mobile or Verizon Wireless call is made, it often must travel over one of these networks, requiring the carrier to pay the cable owner. The information related to that transaction—such as the phone numbers involved and length of call—is recorded and can then be passed to the NSA through its existing relationships.

Then, on February 7, 2014, the WSJ (and 3 other outlets) reported something entirely different — that the phone dragnet only collects around 20% of phone records (others reported the number to be a higher amount).

The National Security Agency’s collection of phone data, at the center of the controversy over U.S. surveillance operations, gathers information from about 20% or less of all U.S. calls—much less than previously thought, according to people familiar with the NSA program.

The program had been described as collecting records on almost every phone call placed in the U.S. But, in fact, it doesn’t collect records for most cellphones, the fastest-growing sector in telephony and an area where the agency has struggled to keep pace, the people said.

Over the course of 8 months, the WSJ’s own claim went from the government collecting 99% of phone data (defined as telephony) to the government collecting 20% (probably defining “call data” broadly to include VOIP), without offering an explanation of what changed. And it was not just its own earlier reporting with which WSJ conflicted; aspects of it also conflicted with a lot of publicly released primary documents about what the program has done in the past. Nevertheless, there was remarkably little interest in explaining the discrepancy.

I’m getting a lot closer to being able to explain the discrepancy in WSJ’s reporting. And if I’m right, then Larry Klayman should have standing (though I’m less certain about Anna Smith, who is appealing a suit in the 9th Circuit).

I’m fairly certain (let me caveat: I think this is the underlying dynamic; the question is the timing) the discrepancy arises from the fact that, for the first time ever, on July 19, 2013 (a month after the WSJ’s first report) the FISA Court explicitly prohibited the collection of Cell Site Location Information.

Furthermore, this Order does not authorize the production of cell site location information (CSLI).

We’ve learned several details since February that puts this in context.

First, the NSL IG Report revealed that one of the three providers who had been part of FBI’s onsite call records access from 2003 to 2006 did not renew the contract for that program in 2009.

Company A, Company B, and Company C are the three telephone carriers described in our Exigent Letters Report that provided telephone records to the TCAU in response to exigent letters and other informal requests between 2003 and 2006. As described in our Exigent Letters Report, the FBI entered into contracts with these carriers in 2003 and 2004, which required that the communication service providers place their employees in the TCAU’s office space and give these employees access to their companies’ databases so they could immediately service FBI requests for telephone records. Exigent Letters Report, 20. As described in the next chapter, TCAU no longer shares office space with the telephone providers. Companies A and C continue to serve FBI requests for telephone records and provide the records electronically to the TCAU. Company B did not renew its contract with the FBI in 2009 and is no longer providing telephone records directly to the TCAU. Company B continues to provide telephone records in response to NSL requests issued directly by the field without TCAU’s assistance.

The original WSJ, in retrospect, makes it fairly clear that Company B is Verizon (though I believe it provides the wrong explanation otherwise for Verizon’s inability to provide records, that it was partly foreign owned–though admittedly it only claims to be providing part of the explanation).

Unlike Sprint and AT&T, [Verizon Wireless and T-Mobile] also don’t perform classified work for the government. Such contracts require secure facilities that make cooperating with NSA programs simpler, people familiar with the matter said.

Verizon Associate General Counsel Michael Woods’ response to questions at a hearing earlier this year made it even more clear. He said that Verizon does not keep call detail records — as distinct from billing records — long at all (and they only keep billing records on the landline side for 18 months).

The contract with TCAU, the NSL IG Report (and the earlier Exigent Letters report) makes clear, would require providers to keep records for longer to facilitate some bells and whistles. That’s a big part of what the “make cooperating with NSA programs simpler” is likely about. Therefore, Verizon must be the provider that stopped retaining records in 2009 for the purpose of the government (It also just so happens to be the provider that doesn’t need the government cash as part of its business model). I suspect that TCAU remains closely related to Hemisphere, which may be why when I asked FBI about its participation in that unclassified project, FBI refused to comment at all.

If all that’s right, then AT&T and Sprint retain their call detail records because they have signed a contract with the government to do so. Verizon does not.

That means, at least since 2009, Verizon has been relying on actual call detail records to fulfill its obligations under Section 215, not a database that makes it easier to pull out precisely what the government wants (indeed, I suspect the end of the contract created the problems where Verizon was providing entirely foreign calls along with its domestic calls starting with the May 29, 2009 order).  The business records that Verizon had on hand was a CDR that, in the case of cell phones, necessarily included CSLI.

Verizon is still (the Verizon-specific language remains in the dragnet orders, and they challenged the first order after Leon’s decision in this case) providing records of landline calls that traverse its backbone.

But when FISC made it a violation — rather than just overproduction they otherwise would have and have, in both this and other programs, approved — to provide CSLI, and made that public, it gave Verizon the opportunity to say it had no way to provide the cell data legally.

That’s sort of what the later WSJ report says, though it doesn’t explain why this would be limited in time or why NSA would have a problem when it collects CDRs internationally with CSLI with no problem.

Moreover, the NSA has been stymied by how to remove location data—which it isn’t allowed to collect without getting additional court approval—from U.S. cellphone records collected in bulk, a U.S. official said.

I’m not sure whether it’s the case that Verizon couldn’t very easily pull that CSLI off or not. But I do suspect — particularly for a program that offers no compensation — that Verizon no longer had a legal obligation to. (This probably answers, by the way, how AT&T and Sprint are getting paid here: they’re being paid to keep their CDRs under the old TCAU contracts with the FBI.)

The government repeats over and over that they’re only getting business records the companies already have. Verizon has made it clear it doesn’t have cell call detail records without the location attached. And therefore, I suspect, the government lost its ability to make Verizon comply. That is also why, I suspect, the President claims he needs new legislation to make this happen: because he needs language forcing the providers to provide the CDRs in the form the government wants it in.

If I’m right, though — that the government had 99% coverage of telephony until Claire Eagan specifically excluded cell location — then Klayman should have standing. That’s because Richard Leon’s injunction not only prohibited the government from collecting any new records from Klayman, he also required the government to “destroy any such metadata in its possession that was collected through the bulk collection program.”

Assuming Verizon just stopped providing cell data in 2013 pursuant to Eagan’s order, then there would still be over 3 years of call records in the government’s possession available for search. Which would mean he would still be exposed to the government’s improper querying of his records.

It is certainly possible that Verizon stopped providing cell data once it ended its TCAU contact in 2009. If that’s the case, the government’s hasty destruction of call records in March would probably have eliminated the last of the data it had on Klayman (though not on ACLU, since ACLU is a landline customer as well as a wireless customer).

But if Verizon just stopped handing over cell records in 2013 after Claire Eagan made it impossible for the government to force Verizon to comply with such orders, then Klayman — and everyone else whose records transited Verizon’s backbone — should still have standing.

Update: I provided this further explanation to someone via email.

I should have said this more clearly in the post. But the only way everyone is correct: including WSJ in June, Claire Eagan’s invocation of “substantially all” in July, the PRG’s claims they weren’t getting as much as thought in December, and WSJ’s claims they weren’t much at all in February, is if Verizon shut down cell collection sometime during that period. The July order and the aftermath would explain that.

I suspect the number is now closer to 50-60% of US based telephony records within the US (remember, on almost all international traffic, there should be near duplication, because they’re collecting that at scale offshore), but there’s also VOIP and other forms of “calls” and texts that they’re not getting, which is how you get down to the intentionally alarmist 20%. One reason I think Comey’s going after Apple is because iMessage is being carved out, and Verizon is already pissed, so he needs to find a way to ensure that Apple doesn’t get a competitive advantage over Verizon by going through WiFi that may not be available to Verizon because it is itself the backbone. But if you lose both Verizon’s cell traffic AND any cell traffic they carry, you lose a ton of traffic.
That gets you to the import of the FBI contract. It is a current business purpose of AT&T and Sprint to create a database that they can charge the FBI to use to do additional searching, including location data and burner phones and the like. AT&T’s version of this is probably Hemisphere right now (thus, in FBI-speak, TCAU would be Hemisphere), meaning they also get DEA and other agencies to pay for it. In that business purpose, the FBI is a customer of AT&T and Sprint’s business decision to create its own version of the NSA’s database, including all its calls as well as things like location data the FBI can get so on individualized basis.
Verizon used to choose to pursue this business (this is the significance, I think, of the government partially relying on a claim to voluntary production, per Kris). In 2009, they changed their business approach and stopped doing that. So they no longer have a business need to create and keep a database of all its phone records.
What they do still have are SS7 routing records of all traffic on their backbone, which they need to route calls through their networks (which is what AT&T uses to build their database). That’s the business record they use to respond to their daily obligations.
But there seem to be two likely reasons why the FISC can’t force Verizon to alter those SS7 records, stripping the CSLI before delivering it to the government. First, there is no means to compensate the providers under Section 215. That clearly indicates Congress had no plan to ask providers to provide all their records on a daily basis. But without compensation, you can’t ask the providers to do a lot of tweaking.
The other problem is if you’re asking the providers to create a record, then you’re getting away from the Third Party doctrine, aren’t you? In any case, the government and judges have repeated over and over, they can only get existing business records the providers already have. Asking Verizon to do a bunch to tweak those records turns it into a database that Verizon has created not for its own business purpose, but to fulfill the government’s spying demands.
I think this is the underlying point of Woods’ testimony where he made it clear Verizon had no intent of playing Intelligence agent for the government. Verizon seems to have made it very clear they will challenge any order to go back into the spying for the government business (all the more so after losing some German business because of too-close ties to the USG). And since Verizon is presumably now doing this for relatively free (since 2009, as opposed to AT&T and Sprint, who are still getting paid via their FBI contract), the government has far less ability to make demands.
This is also where I think the cost from getting complete coverage comes from. You have to pay provider sufficiently such that they are really doing the database-keeping voluntarily, which presumably gets it well beyond reasonable cost compensation.
Update: One final point (and it’s a point William Ockham made a billion years ago). The foreign data problem Verizon had starting in 2009 would be completely consistent with a shift from database production to SS7 production, because SS7 records are going to have everything that transits the circuit.

Hospital Hero Jack Goldsmith, the Destroyer of the Internet Dragnet, Authorized the Internet Dragnet

As I noted earlier, I think the re-release of Jack Goldsmith’s May 6, 2004 OLC memo authorizing Stellar Wind is meant to warn Congress that the Executive does not believe it needs any Congressional authorization to spy on every American — just in time for the USA Freedom Act debate in the Senate. This is exactly parallel to similar provocations during the Protect America Act debate. In the past, such provocations led Congress to capitulate to Executive branch demands to tailor the program to their wishes.

That earlier post, however, implied that this warning pertains primarily to the phone dragnet.

It doesn’t. The warning also applies to the Internet dragnet (and I suspect that stories about the heroic hospital heroes shutting down the Internet dragnet have been dramatically overblown).

One of the very few things — aside from the name STELLAR WIND, over and over, as well as references to content collection that could have been released after President Bush admitted to that part of the program in 2005, and the title Secretary of Defense — that has been newly revealed is this bit of the Table of Contents (here’s the previous release for comparison).

Screen Shot 2014-09-06 at 1.05.11 PM


It shows that the memo discusses content, discusses telephony metadata, discusses something else, then concludes that content and metadata are both kosher under the Fourth Amendment. That already makes it clear that part IV is about metadata. The last sentence of the first full paragraph on page 19 does, too. Page 7 makes it clear that Fourth Amendment analysis applies to “both telephony and e-mail.” Much later in the memo, it becomes clear this section — pages 96 to 100 — deals with Internet metadata.

In fact, the only substantive newly unredacted parts of the memo appear on 101 (PDF 69) and then from 106 to 108.

All of this new information makes it clear that Goldsmith asserted that Smith v. Maryland applied for metadata — and applied to both phone and Internet metadata. Remarkably, in that analysis, the government keeps at least one paragraph addressing phone metadata hidden, but reveals the analysis at 106-7 (PDF 74-75) that applies to Internet. (Goldsmith’s claim that Internet users can get providers to turn off spam, at the bottom of 107, is particularly nice.)

In perhaps the most interesting newly released passage (out of the roughly 5 pages that got newly released!), Goldsmith absolves himself of examining what procedures the government was using in its “metadata” collection.

As for meta data collection, as explained below, we conclude that under the Supreme Court’s decision in Smith v. Maryland, 442 U.S. 735 (1979), the interception of the routing information for both telephone calls and e-mails does not implicate any Fourth Amendment interests.85

85 Although this memorandum evaluates the STELLAR WIND program under the Fourth Amendment, we do not here analyze the specific procedures followed by the NSA in implementing the program.  (101/PDF 69)

I find this utterly damning, given that we know that, for the following 5 years, the government would lie to FISC about whether their “metadata” contained content. Even the OLC opinion built in the Executive’s ability to collect content in the guise of metadata!

In any case, what is clear — again, just in time to impact the debate over USA Freedom, for which prospective call record collection might or might not be limited to telephone content — is that rather than legally shutting down the Internet dragnet in 2004, Jack Goldsmith authorized it.

And that authorization remains in place, telling the Executive it can collect Internet (and phone) “metadata” whether or not FISC or Congress rubberstamps it doing so. Not only that, but telling the Executive this analysis holds regardless of how inadequate their procedures are in implementing this program to ensure that no content gets swept up in the guise of metadata (which of course is precisely what occurred).

So the Administration, in releasing this “newly unredacted” memo did one thing. Tell Congress it will continue to collect phone and Internet “metadata” on its own terms, regardless of what Congress does.

Only one thing could alter this analysis of course: if the Courts decide that Smith v. Maryland doesn’t actually permit the government to collect all metadata, plus some content-as-metadata, in the country, if they say the Executive can’t actually collect “everything there is to know about everybody and have it all in one big government cloud,” as 2nd Circuit Judge Gerard Lynch described the implications of what we now know to be Goldsmith’s logic on Tuesday. But the courts are going to stop analyzing this question as soon as Congress passes USA Freedom Act. Moreover, the last check on the program — the unwillingness of providers to break the law — will be removed by the broad immunity provision included in the bill.

Not only didn’t Jack Goldsmith heroically legally shut down the Internet dragnet in 2004 (clearly President Bush did make several modifications; we just still don’t know what those are). But he provided a tool that is likely proving remarkably valuable as the Executive gets Congress and privacy NGOs to finish signing off on their broad authority.

The hospital heroes may have temporarily halted the conduct of the Internet dragnet — even while telling Colleen Kollar-Kotelly she had to rubber stamp ignoring the letter of the law because Congress couldn’t know about the dragnet — but they didn’t shut it down. Here it is, legally still operating, just in time to use as a cudgel with Congress.

Update: One other thing other reporting on this is missing — and not for the first time — is that whatever change they made to the Internet dragnet, it was by no means the only change after the hospital confrontation. They also took Iraqi targeting out (in some way). And there was a later April 2 modification that appears to have nothing to do with NSA at all (I have my theories about this, but they’re still theories). So it is too simple to say the hospital confrontation was exclusively about the Internet dragnet — the public record already makes clear that’s not the case.

1 2 3 15
Emptywheel Twitterverse
bmaz This is a seriously awesome article by @ggreenwald
emptywheel @jrmithdobbs Sorry for delay. Here's livestream.
emptywheel Or, in the case of David Petraeus, 2 years of probation and one speaking fee.
emptywheel @B_D_Silver Also, probably not employed bc their record is not being liberated. @culturejedi
emptywheel .@culturejedi "What happens to the decarcerated people? Are they wearing ankle bracelets?"
emptywheel @jrmithdobbs Checking. Here's the website but don't see a link.
bmaz Yes, I'm certain that is what Lynch, Biden and Obama are working fastidiously on in their WH meeting today.
bmaz @BlanksSlate I know!
bmaz @BlanksSlate "Lost"
emptywheel @jrmithdobbs #CFP2015 It is being streamed, assume recorded. @culturejedi
emptywheel .@culturejedi "We need a new Civil Rights Act for the era of Big Data." #CFP2015
October 2015
« Sep