Posts

Plus-Delta Analysis: CNN’s New Political Hire Isgur Flores

[NB: Check the byline. /~Rayne]

Let’s make like a cable news management team and assess CNN’s hiring of former GOP operative Sarah Isgur Flores as a Political Editor ahead of the 2020 election using a plus-delta analysis.

Plus:

Education background includes history, political science, and law; she has a JD from Harvard. History and law degree may be very important should the current administration face mounting investigations and the possibility of impeachment.

With a decade of experience in political campaigns, Flores should understand well how media works campaign cycle from a campaign’s perspective.

Her hiring provides assurance to conservatives that CNN will not exercise a liberal bias covering 2020 campaigns.

Flores’ presence as an openly pro-GOP editor may discourage further attacks on CNN after this past year’s bomb threats.

A woman editor may offer some diversity in perspective as 2020’s field of candidates already includes more women than ever.

Delta:

Flores has zero journalism experience yet bypasses political analyst position for political editor.

Worked exclusively for Republican Party candidates, revealing a partiality toward a particular political ideology.

She has been extremely open about her conservative ideology which may be off-putting to a moderate audience, ex. her strident anti-choice beliefs, evident in her Twitter feed, may offend women.

Worked for the Trump administration as Jeff Sessions’ spokesperson, revealing a willingness to work for problematic Republicans.

Made a show of loyalty before accepting roll with DOJ by visiting Trump to assure him she was “on board with his agenda and would be honored to serve him.” Not clear when this loyalty and service ends.

It’s not clear whether a non-disclosure agreement was signed by Flores muzzling her from speaking about the Trump administration.

It’s not clear if her loyalties and ideology pose a threat to confidential and anonymous sources CNN’s reporters have relied upon while covering the Trump administration.

MSNBC had also been approached by Flores; she tried to sell them on her inside knowledge of the Special Counsel’s investigation. CNN says she won’t use this knowledge in her role but it’s difficult to see how she can be firewalled off from matters related to the investigation if they affect Republicans in Congress or running in 2020.

Her ambitions may both outstrip her current role before 2020, stepping on her immediate boss’s toes (David Chalian) and they may interfere with CNN’s intentions:

…“She had a detailed idea of what she wanted to do,” someone with knowledge of the discussions told me. “She wanted to do something on-air combined with some sort of quasi-management, behind-the-scenes planning kind of work. I think she looked at Dave Chalian and said, I wanna do that.”…(source)

CNN staff are not happy with this move (though Brian Stelter puts an awfully good face on it).

While Flores’ hiring could be likened to CNN’s hiring of Corey Lewandowski and Jeffrey Lord in terms of balance, the leap to an editorial position combined with strong ideology makes CNN look partisan — lacking neutrality in the public’s perception.

One more critically important factor gives pause about Flores’ new gig: CNN is owned by Warner Media LLC, which in turn is owned by AT&T. Is hiring Flores an attempt to shape policy to benefit ultimate parent AT&T, heading off pressure from the public for Net Neutrality and any changes in regulations affecting telecommunications and internet service providers?

This just doesn’t look good to me, especially after so many good, seasoned news media people without baggage like Flores’ were cut by outlets over the last two weeks.

This is an open thread.

Twitter Asked to Tell Reality Winner the FBI Had Obtained Her Social Media Activity

Last week, the Augusta Chronicle reported that the government had unsealed notice that it had obtained access to Reality Winner’s phone and social media metadata. Altogether, the government obtained metadata from her AT&T cell phone, two Google accounts, her Facebook and Instagram accounts, and her Twitter account. Of those providers, it appears that only Twitter asked to tell Winner the government had obtained that information. The government obtained the 2703(d) order on June 13. On June 26, Twitter asked the FBI to rescind the non-disclosure order. In response, FBI got a 180-day deadline on lifting the gag; then on August 31, the FBI asked the court to unseal the order for Twitter, as well as the other providers.

The applications all include this language on Winner’s use of Tor, and more details about using a thumb drive with a computer last November.

During the search of her home, agents found spiral-bound notebooks in which the defendant had written information about setting up a single-use “burner” email account, downloading the TOR darkweb browser at its highest security setting, and unlocking a cell phone to enable the removal and replacement of its SIM card. Agents also learned, and the defendant admitted, that the defendant had inserted a thumb drive into a classified computer in November 2016, while on active duty with the U.S. Air Force and holding a Top Secret/SCI clearance. The defendant claimed to have thrown the thumb drive away in November 2016, and agents have not located the thumb drive.

Given that the FBI applied for and eventually unsealed the orders in all these cases, it provides a good way to compare what the FBI asks for from each provider — which gives you a sense of how the FBI actually uses these metadata requests to get a comprehensive picture of all the aliases, including IP addresses, someone might use. The MAC and IP addresses, in particular, would be very valuable to identify any of her otherwise unidentified device and Internet usage. Note, too, that AT&T gets asked to share all details of wire communications sent using the phone — so any information, including cell tower location, an app shares with AT&T would be included in that. AT&T, of course, tends to interpret surveillance requests broadly.

Though note: the prosecutor here pretty obviously cut and paste from the Google request for the social media companies, given that she copied over the Google language on cookies in her Twitter request.

AT&T

AT&T Corporation is required to disclose the following records and other information, if available, to the United States for each Account listed in Part I of this Attachment, for the time period beginning June 1, 2016, through and including June 7, 2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses. Electronic Serial Numbers (“ESN”), Mobile Electronic Identity Numbers (“MEIN”), Mobile Equipment Identifier (“MEID”), Mobile Identification Numbers (“MIN”), Subscriber Identity Modules (“SIM”), Mobile Subscriber Integrated Services Digital Network Number (“MSISDN”), International Mobile Subscriber Identifiers (“IMSl”), or International Mobile Equipment Identities (“IMEI”));
7. Other subscriber numbers or identities (including the registration Internet Protocol (“IP”) address); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to wire and electronic communications sent from or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers), and including information regarding the cell towers and sectors through which the communications were sent or received.

Records of any accounts registered with the same email address, phone number(s), or method(s) of payment as the account listed in Part I.

Google

Google is required to disclose the following records and other information, if available, to the United States for each account or identifier listed in Part 1 of this Attachment (“Account”), for the time period beginning June 1, 2016, through and including June 7,2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Internet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Internet Protocol addresses;
2. Information about each communication sent or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers);
3. Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address as either of the accounts listed in Part 1; and Records of any accounts that are linked to either of the accounts listed in Part 1 by machine cookies (meaning all Google user IDs that logged into any Google account by the same machine as either of the accounts in Part

Facebook/Instagram

Facebook, Inc. is required to disclose tbe following records and other information, if available, to the United States for each account or identifier listed in Part 1 of this Attachment (“Account”),
for the time period beginning June 1, 2016, through and including June 7, 2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Intemet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Intemet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Intemet Protocol addresses;
2. Information about each communication sent or received by tbe Account, including tbe date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers). Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address as either of the accounts listed in Part I; and
3. Records of any accounts that are linked to either of the accounts listed in Part I by machine cookies (meaning all Facebook/Instagram user IDs that logged into any Facebook/Instagram account by the same machine as either of the accounts in Part I).

Twitter

Twitter, Inc. is required to disclose the following records and other information, if available, to the United States for each account or identifier listed in Part 1 of this Attachment (“Account”), for the time period beginning June 1,2016, through and including June 7,2017:

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Internet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Internet Protocol addresses;
2. Information about each communication sent or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers).
3. Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address the account listed in Part I; and
4. Records of any accounts that are linked to the account listed in Part I by machine cookies (meaning all Google [sic] user IDs that logged into any Google [sic] account by the same machine as the account in Part I).

Hemisphere 2.0

As I note in an update to this post, Charlie Savage is very cross I did some math. On top of making a hilariously bad misreading of my original post — claiming I said a number was implausible even though I said it was plausible on at least five occasions, including the headline — and making a number of other errors about how the phone dragnet works, he bitches that I go through the effort of laying out what the 151 million call event might actually mean. (As always, Charlie doesn’t hold himself to the standards of correction he demands I do, either in the NYT or on posts like this.)

The reason you do that is to lay out assumptions.

And I’ve realized two things about how we’re counting numbers. First, one source of redundancy no one has considered is a SIM/handset redundancy.

One thing phone dragnets are designed to do is correlate identities: track the various identities a suspect and his associates are using, so as to ensure you’re tracking all their possible communications. With cell phones, one thing you want to track is whether someone is swapping out SIM cards. This collection starts with identifiers from EO 12333 collection, which we know is stored logically by IMEI/IMSI. It is possible that providers get both those identifiers as separate identifiers and provide two separate streams of data, especially if they don’t coincide.

If that were the standard practice, it would mean there’d often be a dual set of identical call records.

The more interesting issue is telecom retention. As I Con the Record notes, a request will return historical, current, and prospective call records. We’ve talked a lot about minimum retention (and the two year data handshake that Verizon and T-Mobile agreed to). But we haven’t talked about maximal retention.

As I noted, AT&T has call records going back decades, collected on any call that crossed its lines. We know that under the Hemisphere program, it usually could come up with call records for phones, whether or not they were AT&T customers. That means that the government could always submit requests to AT&T (again, whether or not the target used AT&T as a provider, because the target would surely have used AT&T’s backbone), and get years of records for the handset and SIM, if they existed, as well as for the two hops. This data would effectively create a mini-Hemisphere for the cluster around a given target, including call records for far more than the five years NSA used to be able to obtain data (though they might only retain that decades old data for 5 years).

I’m not saying I think they’re doing that — I don’t. In public testimony, NSA and other agency officials have conceded that data really is most valuable in the first two years, so obtaining 20 years of data would just load down NSA with false positives.

But it is a possibility — one that I hope Congress considers.

NSA Conducts FISA Section 704 Collection Using Transit Collection

Please consider donating to support this work. It’s going to be a long four years. 

The Intercept has a fascinating new story confirming what many people already intuited: AT&T’s spooky building at 33 Thomas Street is a key NSA collection point, and the NSA has equipment inside the building (it’s almost certainly not just NSA; this is probably also where AT&T collects much of their Hemisphere database and it likely includes AT&T’s special service center for FBI NSLs).

The Intercept released a bunch of documents with the story, including this one on FAIRVIEW.

It shows that FISA Section 704/705a are among the authorities used with FAIRVIEW, ostensibly collected under “Transit” authority, but with the collection done at TITANPOINT (which is the code name for 33 Thomas Street).

screen-shot-2016-11-16-at-3-05-47-pm

As I explain in this post, there are three authorities in the FISA Amendments Act that are supposed to cover US persons: 703 (spying with the help of domestic partners on Americans who are overseas), 704 (spying on Americans who are overseas, using methods for which they would have an expectation of privacy), and 705, which is a hybrid.

But Snowden documents — and this IG Report — make it clear only 704 and 705b are used.

Screen Shot 2016-05-13 at 3.38.08 AM

Unsurprisingly, the disclosure standards are higher for 703 — the authority they don’t use — than they are for 704. In other words, they’re using the authority to spy on Americans overseas that is weaker. Go figure.

But here’s the other problem. 704/705b are two different authorities and — as reflected in Intelligence Oversight Board reports — they are treated as such. Which means they are using 704 to spy on targets that are overseas, not just defaulting to 705b hybrid orders (which would require the person to be in the US some of the time).

But they are doing it within the US, using the fiction that the collection is only “transiting” the US (that is, transiting from one foreign country to another). This seems to indicate the NSA is conducting electronic surveillance on US persons located overseas — which seems clearly to fall under 703 — but doing it under 704 by claiming traffic transiting the US isn’t really collection in the US. Correction: Because the person is located overseas, it doesn’t count as electronic surveillance. In any case, this seems to be effectively a way around the intent of 703.

Wednesday: Feliz Dia de los Muertos — Happy Day of the Dead!

In this Day of the Dead roundup: World Series Game 7, Rule 41, AT&T and net neutrality, Google spanks Microsoft, Slack smacks.

Happy All Saints’ Day Two — the second day of observation through Latin America as el Dia de los Muertos.

Was thinking of death and dying when I saw a post about one of my favorite movie soundtracks by one of my favorite contemporary composers. The Fountain, composed by Clint Mansell, was released today on vinyl. The 2006 film directed by Darren Aronofsky may not be everybody’s cup of tea, but the score surely must have wider appeal. The score features collaborative work of the contemporary classical chamber group Kronos Quartet and post-rock quartet Mogwai. The former provides most of the string work and the latter most of the rhythm, melding into some truly haunting music.

I think The Fountain is some of Mansell’s finest work; it was nominated for multiple awards including a Golden Globe. But do check out some of Mansell’s other film work, including that for Requiem for a Dream (especially the cut Lux Aeterna) and Black Swan. Stoker did not receive the recognition it should have; its presence is another character in the film. Granted, Mansell’s score for Stoker was only part of a soundtrack featuring other artists’ compositions.

World Series – Great Lakes Edition
So Game 7 is underway. I’d rather see Chicago Cubs up against Detroit Tigers, but the summer kitties let me down. I’m hoping for a Cubs win just because. What about you?

Cyber-y stuff

  • Less than a month before Rule 41 deadline (ZDNet) — Congress has diddled around after the Supreme Court created a potentially awful opportunity for law enforcement overreach. I can’t even imagine the foreign policy snafus this could create, let alone the fuckups which could happen from searching machines with spoofed identities and locations. I can think of a case where a political entity plopped on an IP address belonging to a major corporation — now imagine some huckleberry charging into that situation. FIX THIS, CONGRESS.
  • That’s not the airport, that’s the Kremlin! (MoscowTimes) — Speaking of spoofed identities, apparently the Kremlin’s location has been masked by a beacon emitting the GPS and GLONASS geolocation coordinates for the Vnokovo airport to prevent drones from snooping. An interesting bit, this…I wonder where/when else geolocation coordinates have been spoofed?
  • AT&T ‘zero-rating’ on DirecTV content should be reviewed (WSJ) — Favoring DirecTV — owned by AT&T — by lifting data caps on its content isn’t net neutrality when content streamed from other providers like Netflix does count against data limits.
  • AT&T already in the hot seat with USDOJ on Dodgers’ games (Bloomberg) — USDOJ sued AT&T and DirecTV for colluding with competitors to influence negotiations for Los Angeles Dodgers’ ball games. Imagine what this network will do if it owns content? Definitely not net neutrality — a perfect example of the conflict of interest between ISPs/network carriers and content creators.
  • Google takes Microsoft to the woodshed in full view of public (Threatpost) — I think Google is fed up with Microsoft’s buggy software and slow response which causes Google a mess of heartburn to plug on their end. Google told Microsoft of a new major zero-day vulnerability being actively exploited and then told the public 10 days after they told Microsoft. Apparently, MSFT hadn’t gotten a grip on a fix yet nor issued an advisory to warn users. By the way, guess when the next Patch Tuesday is? Election Day in the U.S. Uh-huh.
  • Slack takes out a full-page ad to welcome/razz Microsoft (WinBeta) — Microsoft is currently working on a competing group communication tool called Team, aimed at Slack’s market share. Slack welcomed the competition and gave MSFT some free pointers. Based on my experience, these pointers will go right over the head of MSFT’s management as they don’t mesh with their corporate culture.

That all for now, off to finish watching the Cubs who are giving it to Cleveland in a really fast-paced game that won’t last much longer at this rate. Must be all that Great Lakes water.

Friday Morning: Nasty Habits

I got nasty habits; I take tea at three.
— Mick Jagger

Hah. Just be careful what water you use to make that tea, Mick. Could be an entirely different realm of nasty.

Late start here, too much to read this morning. I’ll keep updating this as I write. Start your day off, though, by reading Marcy’s post from last night. The claws are coming out, the life boats are getting punctured.

Many WordPress-powered sites infected with ransomware
Your next assignment this morning: check and update applications as out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer are most prone to this new wave of ransomware affecting WordPress sites. Back up all your data files to offline media in case you are hit with ransomware, and make it a habit to back up data files more frequently.

Planes inbound to the UK from regions with Zika virus may be sprayed
Take one tightly-closed oversized can, spray interior with insecticide, then insert humans before sealing for several hours. This sounds like a spectacularly bad idea to me. What about you? Yet this is what the UK is poised to do with planes flying in from areas with frequent Zika infections.

Comcast a possible smartphone service provider
NO. I don’t even have Comcast, yet I think this company is one of the worst suited to offering smartphones and service to their users. The company has expressed interest in bidding on spectrum for wireless, however. Comcast has struggled for years with one of — if not THE — worst reps for customer service. How do they think they will manage to expand their service offering without pissing off more customers?

AT&T obstructing muni broadband
No surprise here that AT&T is lobbying hard against more broadband, especially that offered by communities. The public knows there’s a problem with marketplace competition when they don’t have multiple choices for broadband, and they want solutions even if they have to build it themselves. When AT&T annoys a Republican lawmaker while squelching competition, they’ve gone too far. Keep an eye on this one as it may shape muni broadband everywhere.

Volkswagen roundup
VW delayed both its earnings report scheduled March 10th and its annual meeting scheduled April 21. The car maker says it needs more time to assess impact of the emissions control scandal on its books. New dates for the report and meeting have not been announced.

Volkswagen Financial Services, the banking arm of VW’s holding company structure which finances auto sales and leases, suffers from the ongoing scandal. Ratings firms have downgraded both the bank and parent firm. Not mentioned in the article: potential negative impact of emissions control scandal on VW’s captive reinsurer, Volkswagen Insurance Company Ltd (VICO).

Both the Justice Department and the Environmental Protection Agency filed a civil suit against VW in Detroit this week. Separate criminal charges are still possible.

That’s a wrap, I’m all caught up on my usual read-feed. Get nasty as you want come 5:00 p.m. because it’s Friday!

FBI’s Open NSL Requests

DOJ’s Inspector General just released a report of all the recommendations it made prior to September 15, 2015 that are not yet closed. As it explained in the release, the IG compiled the report in response to a congressional request, but they’ve posted (and will continue to post, every 6 months) the report for our benefit as well.

Specifically, we have posted a report listing all recommendations from OIG audits, evaluations, and reviews that we had not closed as of September 30, 2015.  As you will see, most of the recommendations show a status of “resolved,” which indicates that the Department of Justice has agreed with our recommendation, but we have not yet concluded that they have fully implemented it.

As that release made clear, most of the recommendations that have not yet been closed are not open, but resolved, which means DOJ has agreed with the IG’s recommendation but has not fully implemented a fix for that recommendation.

Which leaves the “open” recommendations, which might include recommendations DOJ hasn’t agreed to address or hasn’t told the IG how they’ll address. There are 20 open recommendations in the report, most of which date to 2014. That’s largely because every single one of the 10 recommendations made in the 2014 report on National Security Letters remains open. Here are some of my posts on that report (one, two, three, four, five), but the recommendations pertain to not ingesting out-of-scope information, counting the NSL’s accurately, and maintaining paperwork so as to be able to track NSLs. [Update: as the update below notes, the FBI response to the released report claimed it was responding, in whole or in part, to all 10 recommendations, which means the “open” category here means that FBI has not had time to go back and certify that FBI has done what it said.]

Three of the other still-open recommendations pertain to hiring; they pertain to nepotism, applicants for the civil rights division wanting to enforce civil rights laws (!), and the use of political tests for positions hiring career attorneys (this was the Monica Goodling report). Another still open recommendation suggests DOJ should document why US Attorneys book hotels that are outside cost limits (this pertains, ironically, to Chris Christie’s travel while US Attorney).

The remaining 2 recommendations, both of which date to 2010, are of particular interest.

1/19/2010: A Review of the Federal Bureau of Investigation’s Use of Exigent Letters and Other Informal Requests for Telephone Records

The OIG recommends that the FBI should issue guidance specifically directing FBI personnel that they may not use the practices known as hot number [classified and redacted] to obtain calling activity information from electronic communications service providers.

The first pertains to the IG Report on exigent letters. The report described (starting on PDF 94) how FBI contracted with two providers for “hot number” services that would let them alert the FBI when certain numbers were being used. FBI first contracted for the service with MCI or Verizon, not AT&T (as happened with most tech novelties in this program). The newly released version of the report make it clear that redactions are redacted for b1 (classification), b4 (trade secrets), b7A (enforcement proceedings), and b7E (law enforcement technique). At one point, then General Counsel now lifetime appointed judge Valerie Caproni said the practice did not require Pen Registers.

I find this practice — and FBI’s longstanding unwillingness to forswear it — interesting for two reasons. First, most references to the practice follow “hot number” by a short redaction.

Screen Shot 2016-01-21 at 2.02.30 PM

That suggests “hot number” may just be a partial name. Given that this section makes it clear this was often used with fugitives — just as Stingrays are often most often used — I wonder whether this involved “number” and “site.” That’s especially true since Company C (again, MCI or Verizon) also tracked whether calls were being made from a particular area code or [redacted], suggesting some location tracking function.

I’m also interested in this because “hot numbers” tracks the unauthorized “alert” function the NSA was using with the phone dragnet up until 2009. As you recall, NSA analysts would get an alert if any of thousands of phone numbers got used in a given day, none of which it counted as a contact-chaining session.

In other words, this practice might be related to one or both of these things. And 6 years later, the FBI doesn’t want to forswear the practice.

9/20/2010, A Review of the FBI’s Investigations of Certain Domestic Advocacy Groups

The OIG recommends that the FBI seek to ensure that it is able to identify and document the source of facts provided to Congress through testimony and correspondence, and to the public.

This report (see one of my posts on it) reviewed why the FBI had investigated a bunch of peace and other advocacy groups as international terrorist groups dating back to 2004. ACLU had FOIAed some documents on investigations into Pittsburgh’s peace community. In response, Patrick Leahy started asking for answers, which led to obvious obfuscation from the FBI. And as I noted, even the normally respectable Glenn Fine produced a report that was obviously scoped not to find what it was looking for.

Nevertheless, a key part of the report pertained to FBI’s inability (or unwillingess) to respond to Leahy’s inquiries about what had started this investigation or to explain where the sources of information for their responses came from. (See PDF 56) The FBI, to this day, has apparently refused to agree to commit to be able to document where the information it responds to Congress comes from.

I will have more to say on this now, but I believe this is tantamount to retaining the ability to parallel construct answers for Congress. I’m quite confident that’s what happened here, and it seems that FBI has spent 6 years refusing to give up the ability to do that.

Update:

I didn’t read it when I originally reported in the NSL IG report, but it, like most IG reports, has a response from FBI, which in this case is quite detailed. The FBI claims that it had fulfilled most recommendations well before the report was released.

The response to the open exigent letter recommendation is at PDF 224. It’s not very compelling; it only promised to consider issuing a statement to say “hot number [redacted]” was prohibited.

The response to the 2014 report recommendations start on PDF 226. Of those, the FBI didn’t say they agreed with one part of one recommendations:

  • That the NSL subsystem generate reminders if an agent hasn’t verified return data for manual NSLs (which are sensitive)

In addition, with respect to the data requested with NSLs, FBI has taken out expansive language from manual models for NSLs (this includes an attachment the other discussion of which is redacted), but had not yet from the automated system.

AT&T Says Its Voluntary Sharing of Customer Data Is Classified

Back in October, I wondered whether companies would be able to claim they had chosen not to participate in CISA’s voluntary data sharing in their transparency reports. While CISA prohibits the involuntary disclosure of such participation, I don’t know that anything prohibits the voluntary disclosure, particularly of non-participation.

A related question is playing out right now over a shareholder resolution filed by Arjuna Capital asking AT&T to reveal its voluntary sharing with law enforcement and intelligence agencies.

The resolution asks only for a report on sharing that is not legally mandated, and exempts any information that is legally protected.

Resolved, shareholders request that the Company issue a report, at reasonable
expense and excluding proprietary or legally protected information, clarifying the
Company’s policies regarding providing information to law enforcement and
intelligence agencies, domestically and internationally, above and beyond what is legally required by court order or other legally mandated process, whether and how
the policies have changed since 2013, and assessing risks to the Company’s finances
and operations arising from current and past policies and practices.

AT&T has asked the SEC for permission to ignore this resolution based, in part, on the claim that its voluntary cooperation would be a state secret that requires AT&T to effectively Glomar its own shareholders.

Screen Shot 2016-01-14 at 10.08.35 AM

The Sidley Austin opinion cites the Espionage Act for its claim that this information is a state secret. It also pretends this is all about the NSA, when FBI and DEA play a critical role in some of the surveillance AT&T is believed to willingly participate in.

The resolution doesn’t seem to include any question specifically addressing OmniCISA participation, though it was written before final passage of OmniCISA last month.

The response from AT&T raises interesting questions about whether a telecom (or other electronic communications service provider) can be obligated for voluntary activity.

What We Know about the Section 215 Phone Dragnet and Location Data

Last month’s squabble between Marco Rubio and Ted Cruz about USA Freedom Act led a number of USAF boosters to belatedly understand what I’ve been writing for years: that USAF expanded the universe of people whose records would be collected under the program, and would therefore expose more completely innocent people, along with more potential suspects, to the full analytical tradecraft of the NSA, indefinitely.

In an attempt to explain why that might be so, Julian Sanchez wrote this post, focusing on the limits on location data collection that restricted cell phone collection. Sanchez ignores two other likely factors — the probable inclusion of Internet phone calls and the ability to do certain kinds of connection chaining — that mark key new functionalities in the program which would have posed difficulties prior to USAF. But he also misses a lot of the public facts about location collection and cell phones under the Section 215 dragnet.  This post will lay those out.

The short version is this: the FISC appears to have imposed some limits on prospective cell location collection under Section 215 even as the phone dragnet moved over to it, and it was not until August 2011 that NSA started collecting cell phone records — stripped of location — from AT&T under Section 215 collection rules. The NSA was clearly getting “domestic” records from cell phones prior to that point, though it’s possible they weren’t coming from Section 215 data. Indeed, the only known “successes” of the phone dragnet — Basaaly Moalin and Adis Medunjanin — identified cell phones. It’s not clear whether those came from EO 12333, secondary database information that didn’t include location, or something else.

Here’s the more detailed explanation, along with a timeline of key dates:

There is significant circumstantial evidence that by February 17, 2006 — two months before the FISA Court approved the use of Section 215 of the PATRIOT Act to aspire to collect all Americans’ phone records — the FISA Court required briefing on the use of “hybrid” requests to get real-time location data from targets using a FISA Pen Register together with a Section 215 order. The move appears to have been a reaction to a series of magistrates’ rulings against a parallel practice in criminal cases. The briefing order came in advance of the 2006 PATRIOT Act reauthorization going into effect, which newly limited Section 215 requests to things that could be obtained with a grand jury subpoena. Because some courts had required more than a subpoena to obtain location, it appears, FISC reviewed the practice in the FISC — and, given the BR/PR numbers reported in IG Reports, ended, sometime before the end of 2006 though not immediately.

The FISC taking notice of criminal rulings and restricting FISC-authorized collection accordingly would be consistent with information provided in response to a January 2014 Ron Wyden query about what standards the FBI uses for obtaining location data under FISA. To get historic data (at least according to the letter), FBI used a 215 order at that point. But because some district courts (this was written in 2014, before some states and circuits had weighed in on prospective location collection, not to mention the 11th circuit ruling on historical location data under US v. Davis) require a warrant, “the FBI elects to seek prospective CSLI pursuant to a full content FISA order, thus matching the higher standard imposed in some U.S. districts.” In other words, as soon as some criminal courts started requiring a warrant, FISC apparently adopted that standard. If FISC continued to adopt criminal precedents, then at least after the first US v. Davis ruling, it would have and might still require a warrant (that is, an individualized FISA order) even for historical cell location data (though Davis did not apply to Stingrays).

FISC doesn’t always adopt the criminal court standard; at least until 2009 and by all appearances still, for example, FISC permits the collection, then minimization, of Post Cut Through Dialed Digits collected using FISA Pen Registers, whereas in the criminal context FBI does not collect PCTDD. But the FISC does take notice of, and respond to — even imposing a higher national security standard than what exists at some district levels — criminal court decisions. So the developments affecting location collection in magistrate, district, and circuit courts would be one limit on the government’s ability to collect location under FISA.

That wouldn’t necessarily prevent NSA from collecting cell records using a Section 215 order, at least until the Davis decision. After all, does that count as historic (a daily collection of records each day) or prospective (the approval to collect data going forward in 90 day approvals)? Plus, given the PCTDD and some other later FISA decisions, it’s possible FISC would have permitted the government to collect but minimize location data. But the decisions in criminal courts likely gave FISC pause, especially considering the magnitude of the production.

Then there’s the chaos of the program up to 2009.

At least between January 2008 and March 2009, and to some degree for the entire period preceding the 2009 clean-up of the phone and Internet dragnets, the NSA was applying EO 12333 standards to FISC-authorized metadata collection. In January 2008, NSA co-mingled 215 and EO 12333 data in either a repository or interface, and when the shit started hitting the fan the next year, analysts were instructed to distinguish the two authorities by date (which would have been useless to do). Not long after this data was co-mingled in 2008, FISC first approved IMEI and IMSI as identifiers for use in Section 215 chaining. In other words, any restrictions on cell collection in this period may have been meaningless, because NSA wasn’t heeding FISC’s restrictions on PATRIOT authorized collection, nor could it distinguish between the data it got under EO 12333 and Section 215.

Few people seem to get this point, but at least during 2008, and probably during the entire period leading up to 2009, there was no appreciable analytical border between where the EO 12333 phone dragnet ended and the Section 215 one began.

There’s no unredacted evidence (aside from the IMEI/IMSI permission) the NSA was collecting cell phone records under Section 215 before the 2009 process, though in 2009, both Sprint and Verizon (even AT&T, though to a much less significant level) had to separate out their entirely foreign collection from their domestic, meaning they were turning over data subject to EO 12333 and Section 215 together for years. That’s also roughly the point when NSA moved toward XML coding of data on intake, clearly identifying where and under what authority it obtained the data. Thus, it’s only from that point forward where (at least according to what we know) the data collected under Section 215 would clearly have adhered to any restrictions imposed on location.

In 2010, the NSA first started experimenting with smaller collections of records including location data at a time when Verizon Wireless was named on primary orders. And we have two separate documents describing what NSA considered its first collection of cell data under Section 215 on August 29, 2011. But it did so only after AT&T had stripped the location data from the records.

It appears Verizon never did the same (indeed, Verizon objected to any request to do so in testimony leading up to USAF’s passage). The telecoms used different methods of delivering call records under the program. In fact, in August 2, 2012, NSA’s IG described the orders as requiring telecoms to produce “certain call detail records (CDRs) or telephony metadata,” which may differentiate records that (which may just be AT&T) got processed before turning over. Also in 2009, part of Verizon ended its contract with the FBI to provide special compliance with NSLs. Both things may have affected Verizon’s ability or willingness to custom what it was delivering to NSA, as compared to AT&T.

All of which suggests that at least Verizon could not or chose not to do what AT&T did: strip location data from its call records. Section 215, before USAF, could only require providers to turn over records they kept, it could not require, as USAF may, provision of records under the form required by the government. Additionally, under Section 215, providers did not get compensated after the first two dragnet orders.

All that said, the dragnet has identified cell phones! In fact, the only known “successes” under Section 215 — the discovery of Basaaly Moalin’s T-Mobile cell phone and the discovery of Adis Medunjanin’s unknown, but believed to be Verizon, cell phone — did, and they are cell phones from companies that didn’t turn over records. In addition, there’s another case, cited in a 2009 Robert Mueller declaration preceding the Medunjanin discovery, that found a US-based cell phone.

There are several possible explanations for that. The first is that these phones were identified based off calls from landlines and/or off backbone records (so the phone number would be identified, but not the cell information). But note that, in the Moalin case, there are no known land lines involved in the presumed chain from Ayro to Moalin.

Another possibility — a very real possibility with some of these — is that the underlying records weren’t collected under Section 215 at all, but were instead collected under EO 12333 (though Moalin’s phone was identified before Michael Mukasey signed off on procedures permitting the chaining through US person records). That’s all the more likely given that all the known hits were collected before the point in 2009 when the FISC started requiring providers to separate out foreign (EO 12333) collection from domestic and international (Section 215) collection. In other words, the Section 215 phone dragnet may have been working swimmingly up until 2009 because NSA was breaking the rules, but as soon as it started abiding by the rules — and adhering to FISC’s increasingly strict limits on cell location data — it all of a sudden became virtually useless given the likelihood that potential terrorism targets would use exclusively cell and/or Internet calls just as they came to bypass telephony lines. Though as that happened, the permissions on tracking US persons via records collected under EO 12333, including doing location analysis, grew far more permissive.

In any case, at least in recent years, it’s clear that by giving notice and adjusting policy to match districts, the FISC and FBI made it very difficult to collect prospective location records under FISA, and therefore absent some means of forcing telecoms to strip their records before turning them over, to collect cell data.

Read more

Marco Rubio Leaks that the Phone Dragnet Has Expanded to “A Large Number of Companies”

Last night, Marco Rubio went on Fox News to try to fear-monger over the phone dragnet again.

He repeated the claim that the AP also idiotically parroted uncritically — that the government can only get three years of records for the culprits in the San Bernardino attack.

In the case of these individuals that conducted this attack, we cannot see any phone records for the first three years in which — you can only see them up to three years. You’ll not be able to see the full five-year picture.

Again, he’s ignoring the AT&T backbone records that cover virtually all of Syed Rizwan Farook’s 28-year life that are available, that 215 phone dragnet could never have covered Tashfeen Malik’s time in Pakistan and Saudi Arabia, and that EO 12333 collection not only would cover Malik’s time before she came to the US, but would also include Farook’s international calls going back well over 5 years.

So he’s either an idiot or he’s lying on that point.

I’m more interested in what he said before that, because he appears to have leaked a classified detail about the ongoing USA Freedom dragnet: that they’ve been issuing orders to a “large and significant number of companies” under the new dragnet.

There are large and significant number of companies that either said, we are not going to collect records at all, we’re not going to have any records if you come asking for them, or we’re only going to keep them on average of 18 months. When the intelligence community or law enforcement comes knocking and subpoenas those records, in many cases there won’t be any records because some of these companies already said they’re not going to hold these records. And the result is that we will not be able in many cases to put together the full puzzle, the full picture of some of these individuals.

Let me clear: I’m certain this fact, that the IC has been asking for records from “a large number of companies,” is classified. For a guy trying to run for President as an uber-hawk, leaking such details (especially in appearance where he calls cleared people who leak like Edward Snowden “traitors”) ought to be entirely disqualifying.

But that detail is not news to emptywheel readers. As I noted in my analysis of the Intelligence Authorization the House just passed, James Clapper would be required to do a report 30 days after the authorization passes telling Congress which “telecoms” aren’t holding your call records for 18 months.

Section 307: Requires DNI to report if telecoms aren’t hoarding your call records

This adds language doing what some versions of USA Freedom tried to requiring DNI to report on which “electronic communications service providers” aren’t hoarding your call records for at least 18 months. He will have to do a report after 30 days listing all that don’t (bizarrely, the bill doesn’t specify what size company this covers, which given the extent of ECSPs in this country could be daunting), and also report to Congress within 15 days if any of them stop hoarding your records.

That there would be so many companies included Clapper would need a list surprised me, a bit. When I analyzed the House Report on the bill, I predicted USAF would pull in anything that might be described as a “call.”

We have every reason to believe the CDR function covers all “calls,” whether telephony or Internet, unlike the existing dragnet. Thus, for better and worse, far more people will be exposed to chaining than under the existing dragnet. It will catch more potential terrorists, but also more innocent people. As a result, far more people will be sucked into the NSA’s maw, indefinitely, for exploitation under all its analytical functions. This raises the chances that an innocent person will get targeted as a false positive.

At the same time, I thought that the report’s usage of “phone company” might limit collection to the providers that had been included — AT&T, Verizon, and Sprint — plus whatever providers cell companies aren’t already using their backbone, as well as the big tech companies that by dint of being handset manufacturers, that is, “phone” companies, could be obligated to turn over messaging records — things like iMessage and Skype metadata.

Nope. According to uber-hawk who believes leakers are traitors Marco Rubio, a “large number” of companies are getting requests.

From that I assume that the IC is sending requests to the entire universe of providers laid out by Verizon Associate General Counsel Michael Woods in his testimony to SSCI in 2014:

Screen Shot 2015-12-08 at 1.17.27 AM

Woods describes Skype (as the application that carried 34% of international minutes in 2012), as well as applications like iMessage and smaller outlets of particular interest like Signal as well as conferencing apps.

So it appears the intelligence committees, because they’re morons who don’t understand technology (and ignored Woods) got themselves in a pickle, because they didn’t realize that if you want full coverage from all “phone” communication, you’re going to have to go well beyond even AT&T, Verizon, Sprint, Apple, Microsoft, and Google (all of which have compliance departments and the infrastructure to keep such records). They are going to try to obtain all the call records, from every little provider, whether or not they actually have the means with which to keep and comply with such requests. Some — Signal might be among them — simply aren’t going to keep records, which is what Rubio is complaining about.

That’s a daunting task — and I can see why Rubio, if he believes that’s what needs to happen, is flustered by it. But, of course, it has nothing to do with the end of the old gap-filled dragnet. Indeed, that daunting problem arises because the new program aspires to be more comprehensive.

In any case, I’m grateful Rubio has done us the favor of laying out precisely what gaps the IC is currently trying to fill, but hawks like Rubio will likely call him a traitor for doing so.