Last week, precisely 10 days after USA F-Redux (with its different formulas allowing for provider transparency) passed, Amazon released its first transparency report. In general, the report shows that Amazon either doesn’t retain the data requested or successfully pushes back against a lot of requests. For example, Amazon provided no or only partial information in response to a third of the 813 subpoenas it received last year.
Also of note, in a post accompanying the report, Stephen Schmidt claimed that “Amazon never participated in the NSA’s PRISM program,” which may not be all that surprising given that it has only received 25 non-national security search warrants.
As I’ve already suggested, I find the most interesting detail to be the timing: given that Amazon has gotten crap as the only major company not to release a transparency report before, I suspect either that Amazon had a new application 2 years ago when everyone started reporting, meaning it had to wait until the new collection had aged under the reporting guidelines, or that something about the more granular reporting made the difference for Amazon. Amazon reported in the 0-250 range (including both NSLs and other FISA orders), so it may just have been waiting to be able to report that lower number.
That said, Amazon received 13 non-national security court orders (aside from the one take-down order it treats separately, which I believe has to do with an ISIL site), only 4 of which it responded to fully. I think this category would be where Amazon would count pen registers. And I’d expect Amazon to get pen registers in connection with its hosting services. If any of the 0 to 250 National Security orders are pen registers, it could be fairly intrusive.
Finally, Amazon clarified (sort of) something of particular interest. Amazon makes clear that content stored in a customer’s site is content (self-evident, I know, but there are loopholes for stored content, which is a big part of why Amazon would be of interest, and was when Aaron Swartz was using it as a hosting service):
Non-content. “Non-content” information means subscriber information such as name, address, email address, billing information, date of account creation, and certain purchase history and service usage information.
Content. “Content” information means the content of data files stored in a customer’s account.
But Amazon doesn’t consider “certain purchase history” information to be content.
As the country’s biggest online store, that’s where Amazon might be of the most interest. Indeed, the legal filings pertaining to Usaamah Abdullah Rahim (the claimed ISIL follower whom Boston cops shot and killed on June 2) show that investigators were tracking Rahim’s Amazon purchase of a knife very closely.
If you wanted to do a dragnet of purchase records, you’d include Amazon in there one way or another. And such a dragnet order might represent just one (or four) of the fewer than 250 orders Amazon got in a year.
It’s not surprising they’re treating (“certain”) purchase records as metadata. But it is worth noting.
Update: According to the DOJ IG NSL Report released today, the rise in the number of Section 215 orders stems from some Internet companies refusing to provide certain data via NSL; the FBI has been using Section 215 instead. However the FBI is obtaining that data now, Internet companies, like telephone companies, should not be subject to bulk orders, as they are explicitly exempted.
WaPo’s MonkeysCage blog just posted a response I did to a debate between H.L. Pohlman and Gabe Rottman over whether Patrick Leahy’s USA Freedom includes a big “backdoor” way to get call records. The short version: the bill would prevent bulk — but not bulky — call record collection. But it may do nothing to end existing programs, such as the reported collection of Western Union records.
In the interest of showing my work, here’s a far more detailed version of that post.
Leahy’s Freedom still permits phone record collection under the existing authority
Pohlman argues correctly that the bill specifically permits the government to get phone records under the existing authority. So long as it does so in a manner different from the Call Detail Record newly created in the bill, it can continue to do so under the more lenient business records provision.
To wit: the text “carves out” the government’s authority to obtain telephone metadata from its more general authority to obtain “tangible things” under the PATRIOT Act’s so-called business records provision. This matters because only phone records that fit within the specific language of the “carve out” are subject to the above restrictions on the government’s collection authority. Those restrictions apply only “in the case of an application for the production on a daily basis of call detail records created before, on, or after the date of the application relating to an authorized investigation . . . to protect against international terrorism.”
This means that if the government applies for a production order of phone records on a weekly basis, rather than on a “daily basis,” then it falls outside the restrictions. If the application is for phone records created “before, on, [and] after” (instead of “or after”) the date of the application, ditto. If the investigation is not one of international terrorism, ditto.
However, neither Pohlman nor Rottman mentions the one limitation that got added to USA Freedumber in Leahy’s version, which should prohibit the kind of bulk access to phone records that currently goes on.
Leahy Freedom prohibits the existing program with limits on electronic service providers
The definition of Specific Selection Term “does not include a term that does not narrowly limit the scope of the tangible things … such as–… a term identifying an electronic communication service provider … when not used as part of a specific identifier … unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.”
In other words, the only way the NSA can demand all of Verizon’s call detail records, as they currently do, is if they’re investigating Verizon. They can certainly require Verizon and every other telecom to turn over calls two degrees away from, say, Julian Assange, as part of a counterintelligence investigation. But that language pertaining to electronic communication service provider would seem to prevent the NSA from getting everything from a particular provider, as they currently do.
So I think Rottman’s largely correct, though not for the reasons he lays out, that Leahy’s Freedom has closed the back door to continuing the comprehensive phone dragnet under current language.
But that doesn’t mean it has closed a bunch of other loopholes Rottman claims have been closed.
FISC has already dismissed PCLOB (CNSS) analysis on prospective collection
For example, Rottman points to language in PCLOB’s report on Section 215 stating that the statutory language of Section 215 doesn’t support prospective collection. I happen to agree with PCLOB’s analysis, and made some of the same observations when the phone dragnet order was first released. More importantly, the Center for National Security Studies made the argument in an April amicus brief to the FISC. But in an opinion released with the most recent phone dragnet order, Judge James Zagel dismissed CNSS’ brief (though, in the manner of shitty FISC opinions, without actually engaging the issue).
In other words, while I absolutely agree with Rottman’s and PCLOB’s and CNSS’ point, FISC has already rejected that argument. Nothing about passage of the Leahy Freedom would change that analysis, as nothing in that part of the statute would change. FISC has already ruled that objections to the prospective use of Section 215 fail.
Minimization procedures may not even protect against bulky business collection as well as the status quo
Then Rottman mischaracterizes the limits added to specific selection term in the bill, and suggests the government wouldn’t bother with bulky collection because it would be costly.
The USA Freedom Act would require the government to present a phone number, name, account number or other specific search term before getting the records—an important protection that does not exist under current law. If government attorneys were to try to seek records based on a broader search term—say all Fedex tracking numbers on a given day—the government would have to subsequently go through all of the information collected, piece by piece, and destroy any irrelevant data. The costs imposed by this new process would create an incentive to use Section 215 judiciously.
As I pointed out in this post, those aren’t the terms permitted in Leahy Freedom. Rather, it permits the use of “a person, account, address, or personal device, or another specific identifier.” Not a “name” but a “person,” which, in contradistinction to the language in the CDR provision (which replaces “person” with “individual”), almost certainly is intended to include “corporate persons” among acceptable SSTs for traditional Section 215 production.
Like Fedex. Or Western Union, which several news outlets have reported turns over its records under Section 215 orders.
FISC already imposes minimization procedures on most of its orders
Rottman’s trust that minimization procedures will newly restrain bulky collection is even more misplaced. That’s because, since 2009, FISC has been imposing minimization procedures on Section 215 collection with increasing frequency; the practice grew in tandem with greatly expanded use of Section 215 for uses other than the phone dragnet.
While most of the minimization procedure orders in 2009 were likely known orders fixing the phone dragnet violations, the Attorney General reports covering 2010 and 2011 make it clear that in those years FISC modified increasing percentages of orders by imposing minimization requirements and required a report on compliance with them:
The FISC modified the proposed orders submitted with forty-three such applications in 2010 (primarily requiring the Government to submit reports describing implementation of applicable minimization procedures).
The FISC modified the proposed orders submitted with 176 such applications in 2011 (requiring the Government to submit reports describing implementation of applicable minimization procedures).
Yesterday, privacy researcher Chris Soghoian posted an interesting exchange he had with Aaron Swartz in March 2011.
But then I wondered about Amazon. Amazon not only has a lot of private data on its own, but they host a lot of other websites with personal data. It seems like everyone is using Amazon EC2 these days: Reddit and Netflix and Foursquare and more. Even sites that aren’t hosted on EC2, like 37signals, still use S3 for backup. The “truly paranoid” tarsnap uses both EC2 and S3. (Yes, tarsnap encrypts your data, but it sometimes has bugs and doesn’t protect against traffic analysis.) Hell, even WikiLeaks was hosted there at one point.
What’s disturbing is that this means your personal data isn’t just accessible by the people who operate these sites; it’s also accessible by Amazon. And anyone Amazon decides to hand it to.
What are Amazon’s policies? I’ve had several conversations with them about this, but they refuse to comment on the record. Still, I’m in the rare position of getting to experience them firsthand. A couple years ago the government sent Amazon a subpoena for information about an EC2 instance I’d purchased. Amazon handed it over without stopping to warn me. When I asked them about it specifically, they refused to comment. When I asked them about their general policy, they refused to comment. The only reason I found out about it was because I filed a FOIA request with the Department of Justice. The DOJ was more transparent about this than Amazon.
As best as I can tell, this is Amazon’s policy: When the government asks, turn stuff over. Never tell the people affected. Don’t give them a chance to object.
The exchange ends with Soghoian asking if Swartz will publish his piece, to which Swartz says he cannot.
I thought of that and wish I could, but I can’t put my name on it right now for personal reasons.
The exchange happened, we now know, in between the time the Cambridge police first arrested him for breaking and entering and the time the government indicted him for a slew of computer crimes. It seems likely that those “personal reasons” include negotiations with the Secret Service about the JSTOR downloads (we know Swartz and his lawyer met with the Secret Service that summer and turned over some hard drives).
As Swartz himself pointed out, this exchange also happened in the wake of news that the government had issued orders to Twitter (basically within a day of the time the Secret Service triggered Swartz’ initial arrest) for the communications of people associated with WikiLeaks.
The exchange is notable because of a request Swartz’ lawyer made the following year, at the beginning of the pre-trial discovery process. In addition to asking how the government had obtained a bunch of communication involving Swartz and others, his lawyer asked to see everything returned from grand jury subpoenas and orders served on MIT and JSTOR–which makes sense in this case–but also Twitter, Google, and Amazon.
These paragraphs request information relating to grand jury subpoenas. Paragraph 1 requested that the government provide “[a]ny and all grand jury subpoenas – and any and all information resulting from their service – seeking information from third parties including but not limited to Twitter, MIT, JSTOR, Internet Archive that would constitute a communication from or to Aaron Swartz or any computer associated with him.” Paragraph 4 requested “[a]ny and all SCA applications, orders or subpoenas to MIT, JSTOR, Twitter, Google, Amazon, Internet Archive or any other entity seeking information regarding Aaron Swartz, any account associated with Swartz, or any information regarding communications to and from Swartz and any and all information resulting from their service.” Paragraph 20 requested “[a]ny and all paper, documents, materials, information and data of any kind received by the Government as a result of the service of any grand jury subpoena on any person or entity relating to this investigation.”
Swartz requests this information because some grand jury subpoenas used in this case contained directives to the recipients which Swartz contends were in conflict with Rule 6(e)(2)(A), see United States v. Kramer, 864 F.2d 99, 101 (11th Cir. 1988), and others sought certification of the produced documents so that they could be offered into evidence under Fed. R. Evid. 803(6), 901. Swartz requires the requested materials to determine whether there is a further basis for moving to exclude evidence under the Fourth Amendment (even though the SCA has no independent suppression remedy).
Moreover, defendant believes that the items would not have been subpoenaed by the experienced and respected senior prosecutor, nor would evidentiary certifications have been requested, were the subpoenaed items not material to either the prosecution or the defense. Defendant’s viewing of any undisclosed subpoenaed materials would not be burdensome, and disclosure of the subpoenas would not intrude upon the government’s work product privilege, as the subpoenas were served on third parties, thus waiving any confidentiality or privilege protections. [my emphasis]
Effectively, Swartz’ lawyer was indicating that he had seen subpoenas and orders that requested information from, among others, Amazon, but not all of what these providers had returned in exchange was turned over as evidence in the case. He was trying to see what else the government had. He was also making it clear that the government asked for the information in a form that could be entered as evidence at trial (meaning the government would not have to call an employee from Amazon or another service provider to certify the authenticity of the data, who could then be questioned by the defense).
And he’s suggesting that if the prosecutor asked for these things, then they must be relevant in this case, and therefore discoverable.
I suspect, though, that that last claim is not what the lawyer really thought. I suspect that he believed the grand jury investigating Swartz, during precisely the same period when Swartz was researching how Amazon might respond to a government request for information, had conducted a fishing trip on other issues, and had done so in such a way that any information gleaned could be used both to prosecute the alleged JSTOR download and to prosecute any other crime.
Now I suspect that DOJ’s original request to Amazon, the one Swartz mentioned to Soghoian, dated to Swartz’ efforts to liberate PACER. It shows up in the part of his FBI file that Swartz published on his blog.
Data that was exfiltrated went to one of two Amazon IP addresses.
Investigation has determined that the Amazon IP address used to access the PACER system belongs to Aaron Swartz.
So it’s possible the grand jury was reinvestigating what Aaron had done two years earlier, even though DOJ had earlier declined to press charges, in an effort to criminalize Swartz’ efforts to liberate information generally.
But given the timing and Swartz’ own tie to the WikiLeaks orders, I also wonder whether there was something else there–whether Swartz believed the government had information pertaining to activities entirely unrelated to JSTOR or PACER.
Ultimately, Swartz didn’t get this information. As to the communications, the judge assumed that the government’s assurances that it had neither used a civil administrative subpoena nor “court ordered electronic surveillance” to get his communications closed the issue (given that the government investigated WikiLeaks as an Espionage case, the government might have claimed access to some of this under the PATRIOT Act simply because of Swartz’ ties to the Cambridge hacktivist community). And she refused to turn over the grand jury information on the grounds that the government may use such inquiries to chase down every lead, even if those leads are unrelated.
So it’s not clear Swartz ever learned what the government was looking for in its fishing expedition with Amazon.
Remember the “good” jobs report last week? As Dean Baker explained, many of the new jobs were actually the “couriers” who delivered your holiday presents.
The sharp drop in the unemployment rate over the last four months (from 9.1 percent to 8.5 percent) is not consistent with the job growth reported in the establishment survey. The survey reported 200,000 jobs in December; however, this figure is skewed by the 42,200 job gain reported for couriers. There was a similar gain in this category reported for last December, which was completely reversed the next month. Clearly this is a problem of seasonal adjustment, not an issue of real job growth. Pulling out these jobs, the economy created 158,000 jobs in December, in line with expectations.
Pulling out the courier jobs, growth has averaged 145,000 per month over the last four months. This is somewhat better than the 90,000-100,000 a month needed to keep pace with the growth of the labor force, but certainly not rapid enough to explain a 0.6 percentage point drop in unemployment. At this pace, we would not get back to pre-recession levels of unemployment until 2027. [my emphasis]
Now Baker’s predicted reversal in those jobs has started to appear, with initial jobless claims up 24,000 this week.
More Americans than forecast filed applications for unemployment benefits last week, raising the possibility that a greater-than-usual increase in temporary holiday hiring boosted December payrolls.
Jobless claims climbed by 24,000 to 399,000 in the week ended Jan. 7, Labor Department figures showed today in Washington. The median forecast of 46 economists in a Bloomberg News survey projected 375,000. The number of people on unemployment benefit rolls rose, while those receiving extended payments decreased.
Hiring by package delivery companies and retailers during the holidays to meet demand for gifts may now be giving way to an increase in dismissals.
These words–“couriers” and “package delivery companies”–are very cold. What we’re really talking about are Santa’s Elves, the wondrous people who make your holidays magical, particularly given how they help you avoid crowded malls by allowing you to shop online. In all the cartoon Christmas specials, those elves spend the off-season making more toys for the next Christmas. Not so our “modern” economy. Now, we benefit from their services, enjoy our holidays, and then <<BAM!!>> the Elves are on the street again, looking for work.
Mark Hosenball reports that aside from some pockets of short-term damage, the impact of the Wikileaks leak of diplomatic cables has been embarrassing, but not damaging.
Internal U.S. government reviews have determined that a mass leak of diplomatic cables caused only limited damage to U.S. interests abroad, despite the Obama administration’s public statements to the contrary.
A congressional official briefed on the reviews said the administration felt compelled to say publicly that the revelations had seriously damaged American interests in order to bolster legal efforts to shut down the WikiLeaks website and bring charges against the leakers.
“I think they just want to present the toughest front they can muster,” the official said.
But State Department officials have privately told Congress they expect overall damage to U.S. foreign policy to be containable, said the official, one of two congressional aides familiar with the briefings who spoke to Reuters on condition of anonymity.
“We were told (the impact of WikiLeaks revelations) was embarrassing but not damaging,” said the official, who attended a briefing given in late 2010 by State Department officials.
National security officials familiar with the damage assessments being conducted by defense and intelligence agencies told Reuters the reviews so far have shown “pockets” of short-term damage, some of it potentially harmful. Long-term damage to U.S. intelligence and defense operations, however, is unlikely to be serious, they said. [my emphasis]
More important than yet another indication that the Obama Administration has oversold the damage done by Wikileaks is the reason given by Hosenball’s Congressional source as to why they oversold that damage: to bolster legal efforts to shut down Wikileaks’ website.
The Administration lied, says a congressional official, to make it easier to shut down Wikileaks.
Now that’s important for several reasons. First, all this time the government has been pretending that the series of decisions by private corporations to stop doing business with Wikileaks were made by the businesses on their own. Surprise surprise (not!), it seems that the government was affirmatively trying to shut down Wikileaks.
Just as importantly, Hosenball’s story seems to suggest, the government was going to service providers (the same service providers it routinely goes to in terrorist investigations) and lying to get them to do the government’s bidding. The government was making claims about the damage of the leak to convince service providers to shut down Wikileaks.
And companies like Amazon, Visa, and PayPal complied.
So, to these companies, now tainted with cooperation in government censorship, was it worth it? Was it worth being branded as a collaborator, knowing you were lied to?
And to Philip Crowley, whom Hosenball quotes talking about “substantial” damage: given your critique of Tunisia’s suppression of social media, and given that we now know you lied in the service of similar repression, do you still want to claim there’s no disjunct between claiming to support free speech while squelching that of Wikileaks?