I’m still trying to figure out WTF Mitch McConnell is doing with his Senate machinations over USA F-ReDux. Currently, he has both his short-term reauthorization and USA F-ReDux prepped for a vote, which probably means he’ll bring USA F-ReDux up for cloture or a vote, show that it doesn’t have enough support, and then use that to scaremonger the short-term reauthorization through as a way to wring more concessions out of the House.
Still, given what a dead-ender he is on a bill, USA F-ReDux, that gives the Intelligence Community so many goodies, I can’t help but wonder if there’s another explanation for his intransigence. I can think of one other possibility.
The House Judiciary Committee made it clear USA F-ReDux would be the exclusive means to obtain prospective Call Detail Records under Section 215:
This new mechanism is the only circumstance in which Congress contemplates the prospective, ongoing use of Section 501 of FISA in this manner.
But it made it equally clear it is not the exclusive means to obtain Call Detail Records. That’s because the report envisions conducting federated queries including “metadata [the government] already lawfully possess.”
The government may require the production of up to two ‘‘hops’’—i.e., the call detail records associated with the initial seed telephone number and call detail records (CDRs) associated with the CDRs identified in an initial ‘‘hop.’’ Subparagraph (F)(iii) provides that the government can obtain the first set of CDRs using the specific selection term approved by the FISC. In addition, the government can use the FISC-approved specific selection term to identify CDRs from metadata it already lawfully possesses. Together, the CDRs produced by the phone companies and those identified independently by the government constitute the first ‘‘hop.’’
But maybe that’s not all it includes. Maybe, the government has devise a way by which AT&T (or some other backbone provider) will still provide phone records in bulk on a daily basis? Maybe — as Richard Burr claimed before he later unclaimed — the government secretly maintains an IP dragnet under some other authority?
If that was the plan (though keep in mind, USA F-ReDux passed the House after the Second Circuit decision), then the Second Circuit may have ruined that effort. The ruling should limit all collection under a “relevant to” standard, not just that conducted under Section 215. And, as Faiza Patel argued, the decision should also affect collection where the government has dodged Fourth Amendment issues by focusing on “searches” rather than “seizures.”
[A]s Jennifer Daskal explained last Friday, “collection matters.” The Second Circuit rejected the government’s contention that there was no cognizable injury until plaintiffs’ phone records were actually analyzed and reviewed. It ruled that collection is properly analyzed as “seizure,” which if unlawful constitutes a separate injury from the “search” that takes place when records are analyzed either by a human being or a computer.
As the Supreme Court has recognized, in Fourth Amendment cases the analysis of standing is intertwined with the merits question of whether there has been an invasion of a protected privacy interest. Thus, the Second Circuit’s position on collection could have serious implications for other government programs beyond the standing question.
I’ve already suggested the decision might create problems for the virgin birth DOJ secretly gave to EO 12333 data used in SPCMA.
But who knows what else it applies to?
After all, USA F-ReDux was written so as to allow other dragnets (which is what EO 12333 is, after all). But the Second Circuit may pose problems for such dragnets that USA F-ReDux did not.
Going back to Richard Burr’s odd colloquy — which his office’s excuses simply cannot rationally explain — I think it (very remotely) possible the government is dragnetting IP addresses (perhaps for cybersecurity rather than counterterrorism purposes), but worries it has lost authority to do so with the Second Circuit decision. If so, it might be using this fight over counterterrorism data collection to lay congressional support for broader dragnet collection, to be able to sustain whatever other dragnets it has in place.
I’m going to make an unpopular argument.
Most observers of USA F-ReDux point to weakened transparency provisions as one of the biggest drawbacks of the latest version of the bill. They’re not wrong: transparency procedures are worse, remarkably so.
But given that I already thought they were not only inadequate but dangerously misleading,* I’m actually grateful to have had the Intelligence Community do another version of transparency provisions, which shows what they’re most intent on hiding and/or hints at what they will really be doing behind the carefully scripted words they’re getting Congress to rubber-stamp.
The most remarkable of the changes in the transparency provision is that they basically took out this language requiring a top level count of Section 702 targets and persons whose communications were affected — this language.
(i) the number of targets of such orders;
(ii) the number of individuals whose communications were collected pursuant to such orders; [sub 500 range]
(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection; [sub 500 range]
This leaves — in addition to the “number of 702 orders” requirement — just this reporting requirement for back door content and metadata searches which (like the Leahy bill) exempts the gross majority of the back door searches, because they are done by the FBI.
(A) the number of search terms concerning a known United States person used to retrieve the unminimized contents of electronic communications or wire communications obtained through acquisitions authorized under such section, excluding the number of search terms used to prevent the return of information concerning a United States person; and [FBI Exemption]
(B) the number of queries concerning a known United States person of unminimized noncontents information relating to electronic communications or wire communications obtained through acquisitions authorized under such section, excluding the number of queries containing information used to prevent the return of information concerning a United States person; [FBI Exemption]
In other words, ODNI was happy to tell us that the number of FISA 702 targets went up by 4% between 2013 and 2014, but not how much those numbers of targets will go up in 2015, when they presumably begin to roll out the new call chaining provision.
I suspect — and these are well educated but nevertheless wildarseguesses — there are several reasons.
First, the reporting provisions as a whole move from tracking “individuals whose communications were collected” to “unique identifiers used to communicate information.” They probably did that because they don’t really have a handle on which of the identifiers all represent the same natural person (and some aren’t natural persons), and don’t plan on ever getting a handle on that number. Under last year’s bill, ONDI could certify to Congress that he couldn’t count that number (and then as an interim measure I understand they were going to let them do that, but require a deadline on when they would be able to count it). Now, they’ve eliminated such certification for all but 702 metadata back door searches (that certification will apply exclusively to CIA, since FBI is exempted). In other words, part of this is just an admission that ODNI does not know and does not planning on knowing how many of the identifiers they target actually fit together to individual targets.
But since they’re breaking things out into identifiers now, I suspect they’re unwilling to give that number because for each of the 93,000 targets they’re currently collecting on, they’re probably collecting on at least 10 unique identifiers and probably usually far, far more.
Just as an example (this is an inapt case because Hassanshahi, as a US person, could not be a PRISM target, but it does show the bare minimum of what a PRISM target would get), the two reports Google provided in response to administrative subpoenas for information on Shantia Hassanshahi, the guy caught using the DEA phone dragnet (these were subpoenas almost certainly used to parallel construct data obtained from the DEA phone dragnet and PRISM targeted at the Iranian, “Sheikhi,” they found him through), included:
So just for this person who might be targeted under the new phone dragnet (though they’d have to play the same game of treating Iran as a terrorist organization that they currently do, but I assume they will), you’d have upwards of 15 unique identifiers obtained just from Google. And that doesn’t include a single cookie, which I’ve seen other subpoenas to Google return.
In other words, one likely reason the IC has decided, now that they’re going to report in terms of unique identifiers, they can’t report the number of identifiers targeted under PRISM is because it would make it clear that those 93,000 targets represent, very conservatively, over a million identifiers — and once you add in cookies, maybe a billion identifiers — targeted. And reporting that would make it clear what kind of identifier soup the IC is swimming in.
There is another reason I think they’ve grown reluctant to show much transparency under 702. Implementing the USA F-ReDux system — in which each provider sets up facilities they can use to chain on non-call detail record session identifying information — means more providers (smaller phone companies, and some new Internet providers, for example) will have what amount to PRISM-lite portals that can also be used for PRISM production. If you build it they will come!
In addition, Verizon and Sprint may be providing more PRISM smart phone materials in addition to upstream collection (AT&T likely already provides a lot of this because that’s how they roll).
So I suspect that, whereas now there’s a gap between the cumulative numbers providers report in their own transparency reports and what we see from ODNI, that number will grow notably, which would lead to questions about where the additional 702 production was coming from. (Until Amazon starts producing transparency reports, though, I’ll just assume they’re providing it all).
Finally, I think that once USA F-ReDux rolls out, the government (read, FBI, where this data will first be sucked in) will have difficulty distinguishing between the 702 and 215 production from a number of providers — probably AT&T, Verizon, Apple, Google, and Microsoft, but that’s just a guess.
Going back to the case of Hassanshahi, for example (and assuming, as I do, that the government has been parallel constructing the fact that they also targeted the Iranian Sheikhi identifier under PRISM, which would have immediately led them to his GMail account, as they very very easily could), the Tehran phone to Google call between Sheikhi and Hassanshahi would likely come in via at least 3 sources: Sheihki PRISM collection, Google USA F-ReDux returns on the Sheikhi number, and AT&T backbone USA F-ReDux returns on the Sheikhi number. And all that’s before you’ve taken a single hop into Hassanshahi’s accounts.
In other words, what you’re actually getting with USA F-ReDux is a way to get to the metadata of US persons identified via incidental collection under PRISM (again, this should just before for targets of a somewhat loosey goosey definition of terrorism targets). It’s basically a way to get a metadata “hop” off of all the Americans already “incidentally” collected under PRISM (note, permission to do this for targets identified under a probable cause warrant is already written into every phone dragnet order; this just extends that, with FISC review, to PRISM targets). And for the big providers that have anything that might be considered “call” service, the portals from which that will derive will likely be very very closely related.
As I noted in this post, the government insists that it did not engage in parallel construction in the case of Shantia Hassanshahi, the Iranian-American busted for sanctions violations using evidence derivative of a search of what the government now claims was a DEA dragnet. “While it would not be improper for a law enforcement agency to take steps to protect the confidentiality of a law enforcement sensitive investigative technique, this case raises no such issue.”
The claim is almost certainly bullshit, true in only the narrowest sense.
Indeed, the changing story the government has offered about how they IDed Hassanshahi based off a single call he had with a phone belonging to a person of interest, “Sheikhi,” in Iran, is instructive not just against the background of the slow reveal of multiple dragnets over the same period. But also for the technological capabilities included in those claims. Basically, the government appears to be claiming they got a VOIP call from a telephony database.
As I lay out below, the story told by the government in various affidavits and declarations (curiously, the version of the first one that appears in the docket is not signed) changed in multiple ways. While there were other changes, the changes I’m most interested in pertain to:
As you can see from the excerpts below, Akronowitz at first claimed to have searched “HSI-accessible law enforcement databases,” plural, and suggested he searched them himself. In July 2014, in response to a motion to suppress (and after Edward Snowden had disclosed the NSA’s phone dragnet), Akronowitz changed that story and said he sent a research request to a single database, implying someone else did a search of just one database. Akronowitz told the same story in yet another revised affidavit submitted last October. In the declaration submitted in December but unsealed in January, DEA Assistant Special Agent Robert Patterson stuck with the single database story and used the passive voice to hide who did the database query.
While Akronowitz’ story didn’t change regarding how he discovered that Hassanshahi’s phone was a Google number, it did get more detailed in the July 2014 affidavit, which explained that he had first checked with another VOIP provider before being referred to Google.
Perhaps most interestingly, the government’s story changed regarding how many calls of interest there were, and between what numbers. In January 2013, Akronowitz said “a number of telephone calls between ‘Sheikhi’s’ known business telephone number and telephone number 818-971-9512 had occurred within a relatively narrow time frame” (though he doesn’t tell us what that time frame was). He also says that his Google subpoena showed “numerous calls to the same Iranian-based telephone number during a relatively finite period of time.” He neither explained that this number was not Sheikhi’s number — it was a different Iranian number — nor what he means by “a relatively finite period of time.” His July and October affidavits said his research showed a contact, “on one occasion, that is, on July 4, 2011,” with Sheikhi’s number. The July affidavit maintained the claim that there were multiple calls between Hassanshahi’s number and an Iranian one: “numerous phone calls between Hassanshahi’s ‘818’ number and one Iranian phone number.” But by October, Akronowitz conceded that the Google records showed only “that Hassanshahi’s ‘818’ number made contact with an Iranian phone number (982144406457) only once, on October 5, 2011″ (as well as a “22932293” number that he bizarrely claimed was a call to Iran). Note, Akronowitz’ currently operative story would mean the government never checked whether there were any calls between Hassanshahi and Sheikhi between August 24 and September 6 (or after October 6), which would be rather remarkable. Patterson’s December affidavit provided no details about the date of the single call discovered using what he identified as DEA’s database, but did specify that the call was made by Hassanshahi’s phone, outbound to Iran. (Patterson didn’t address the later Google production, as that was pursuant to a subpoena.)
To sum up, before Edward Snowden’s leaks alerted us to the scope of NSA’s domestic and international dragnet, Akronowitz claimed he personally had searched multiple databases and found evidence of multiple calls between Hassanshahi’s phone number and Sheikhi’s number, as well as (after getting a month of call records from Google) multiple calls to another Iranian number over unspecified periods of time. After Snowden’s leaks alerted us to the dragnet, after Dianne Feinstein made it clear the NSA can search on Iranian targets in the Section 215 database, which somehow counts as a terrorist purpose, and after Eric Holder decided to shut down just the DEA dragnet, Akronowitz changed his story to claim he had found just one call between Hassanshahi and Shiekhi, and — after a few more months — just one call from another Iranian number to Hassanshahi. Then, two months later, the government claimed that the only database that ever got searched was the DEA one (the one that had already been shut down) which — Patterson told us — was based on records obtained from “United States telecommunications service providers” via a subpoena.
Before I go on, consider that the government currently claims it used just a single phone call of interest — and the absence of any additional calls in a later months’s worth of call records collected that fall — to conduct a warrantless search of a laptop in a state (CA) where such searches require warrants, after having previously claimed there was a potentially more interesting set of call records to base that search on.
Aside from the government’s currently operative claim that it would conduct border searches based on the metadata tied to a single phone call, I find all this interesting for two reasons.
First, the government’s story about how many databases got searched and how many calls got found changed in such a way that the only admission of an unconstitutional search to the judge, in December 2014, involved a database that had allegedly been shut down 15 months earlier.
Maybe they’re telling the truth. Or maybe Akronowitz searched or had searched multiple databases — as he first claimed — and found the multiple calls he originally claimed, but then revised his story to match what could have been found in the DEA database. We don’t know, for example, if the DEA database permits “hops,” but he might have found a more interesting call pattern had he been able to examine hops (for example, it might explain his interest in the other phone number in Iran, which otherwise would reflect no more than an immigrant receiving a call from his home country).
All of this is made more interesting because of my second point: the US side of the call in question was an Internet call, a Google call, not a telephony call. Indeed, at least according to Patterson’s declaration (records of this call weren’t turned over in discovery, as far as I can tell), Hassanshahi placed the call, not Sheikhi.
I have no idea how Google calls get routed, but given that Hassanshahi placed the call, there’s a high likelihood that it didn’t cross a telecom provider’s backbone in this country (and god only knows how DEA or NSA would collect Iranian telephony provider records), which is who Patterson suggests the calls came from (though there’s some room for ambiguity in his use of the term “telecommunications service providers”).
USAT’s story on this dragnet suggests the data all comes from telephone companies.
It allowed agents to link the call records its agents gathered domestically with calling data the DEA and intelligence agencies had acquired outside the USA. (In some cases, officials said the DEA paid employees of foreign telecom firms for copies of call logs and subscriber lists.)
Instead of simply asking phone companies for records about calls made by people suspected of drug crimes, the Justice Department began ordering telephone companies to turn over lists of all phone calls from the USA to countries where the government determined drug traffickers operated, current and former officials said.
Former officials said the operation included records from AT&T and other telecom companies.
But if this call really was placed from a Google number, it’s not clear it would come up under such production, even under production of calls that pass through telephone companies’ backbones. That may reflect — if the claims in this case are remotely honest — that the DEA dragnet, at least, gathered call records not just from telecom companies, but also from Internet companies (remember, too, that DOJ’s Inspector General has suggested DEA had or has more than one dragnet, so it may also have been collecting Internet toll records).
And that — coupled with the government’s evolving claims about how many databases got checked and how many calls that research reflected — may suggest something else. Given that the redactions on the providers obliged under the Section 215 phone dragnet orders haven’t changed going back to 2009, when it was fairly clear there were just 3 providers (AT&T, Sprint, and Verizon), it may be safe to assume that’s still all NSA collects from. A never-ending series of leaks have pointed out that the 215 phone dragnet increasingly has gaps in coverage. And this Google call would be precisely the kind of call we would expect it to miss (indeed, that’s consistent with what Verizon Associate General Counsel — and former DOJ National Security Division and FBI Counsel — Michael Woods testified to before the SSCI last year, strongly suggesting the 215 dragnet missed VOIP). So while FISC has approved use of the “terrorist” Section 215 database for the terrorist group, “Iran,” (meaning NSA might actually have been able to query on Sheikhi), we should expect that this call would not be in that database. Mind you, we should also expect NSA’s EO 12333 dragnet — which permits contact chaining on US persons under SPCMA — to include VOIP calls, even with Iran. But depending on what databases someone consulted, we would expect gaps in precisely the places where the government’s story has changed since it decided it had searched only the now-defunct DEA database.
Finally, note that if the government was sufficiently interested in Sheikhi, it could easily have targeted him under PRISM (he did have a GMail account), which would have made any metadata tied to any of his Google identities broadly shareable within the government (though DHS Inspectors would likely have to go through another agency, quite possibly the CIA). PRISM production should return any Internet phone calls (though there’s nothing in the public record to indicate Sheikhi had an Internet phone number). Indeed, the way the NSA’s larger dragnets work, a search on Sheikhi would chain on all his correlated identifiers, including any communications via another number or Internet identifier, and so would chain on whatever collection they had from his GMail address and any other Google services he used (and the USAT described the DEA dragnet as using similarly automated techniques). In other words, when Akronowitz originally said there had been multiple “telephone calls,” he may have instead meant that Sheikhi and Hassanshahi had communicated, via a variety of different identifiers, multiple times as reflected in his search (and given what we know about DEA’s phone dragnet and my suspicion they also had an Internet dragnet, that might have come up just on the DEA dragnets alone).
The point is that each of these dragnets will have slightly different strengths and weaknesses. Given Akronowitz’ original claims, it sounds like he may have consulted dragnets with slightly better coverage than just the DEA phone dragnet — either including a correlated DEA Internet dragnet or a more extensive NSA one — but the government now claims that it only consulted the DEA dragnet and consequently claims it only found one call, a call it should have almost no reason to have an interest in.
Given the details in yesterday’s USAT story on DEA’s dragnet, I wanted to re-examine the DEA declaration revealing details of the phone dragnet in the Shantia Hassanshahi case which I wrote about here. As I noted then, there’s a footnote modifying the claim that the database in question “was suspended in September 2013″ that is entirely redacted. And the declaration only states that “information is no longer being collected in bulk pursuant to 21 U.S.C. §876,” not that it is no longer being collected.
According to the USAT, DEA moved this collection to more targeted subpoenas that may number in the thousands.
The DEA asked the Justice Department to restart the surveillance program in December 2013. It withdrew that request when agents came up with a new solution. Every day, the agency assembles a list of the telephone numbers its agents suspect may be tied to drug trafficking. Each day, it sends electronic subpoenas — sometimes listing more than a thousand numbers — to telephone companies seeking logs of international telephone calls linked to those numbers, two official familiar with the program said.
The data collection that results is more targeted but slower and more expensive. Agents said it takes a day or more to pull together communication profiles that used to take minutes.
We should expect this move occurred either in the second half of 2013 (after the dragnet first got shut down) or the first half of 2014 (after DEA backed off its request to restart the draget). And we should expect these numbers to show in the telecoms transparency reports.
But they don’t — or don’t appear to.
Both AT&T and Verizon reported their 2013 numbers for the entire year. They both broke out their 2014 numbers semiannually. (Verizon; AT&T 2013; AT&T 2014; h/t Matt Cagle, who first got me looking at these numbers)
Here are the numbers for all subpoenas (see correction below):
Both companies show a decrease in overall criminal subpoenas from 2013 to 2014. And while Verizon shows a continued decline, AT&T’s subpoena numbers went back up in the second half of 2014, but still lower than half of 2013’s numbers.
In any case, both companies report at least 15% fewer subpoenas in 2014, at a time when — according to what USAT got told — they should have been getting thousands of extra subpoenas a day.
It is possible what we’re seeing is just the decreased utility of phone records. As the USAT notes, criminals are increasingly using messaging platforms that use the Internet rather than telecoms.
But it’s possible the DEA’s dragnet went somewhere else entirely.
Though USAT doesn’t mention it (comparing instead with the Section 215 dragnet, which is not a comparable program because it, like Hemisphere as far as we know, focuses solely on domestic records), the NSA has an even bigger phone and Internet dragnet that collects on drug targets. Indeed, President Obama included “transnational criminal threats” among the uses permitted for data collected in bulk under PPD-28, which he issued January 17, 2014. So literally weeks after DEA supposedly moved to subpoena-based collection in December 2013, the President reiterated support for using NSA (or, indeed, any part of the Intelligence Community) bulk collections to pursue transnational crime, of which drug cartels are the most threatening.
There is no technical reason to need to collect this data in the US. Indeed, given the value of location data, the government is better off collecting it overseas to avoid coverage under US v. Jones. Moreover, as absolutely crummy as DOJ is about disclosing these kinds of subpoenas, it has disclosed them, whereas it continues to refuse to disclose any collection under EO 12333.
Perhaps it is the case that DEA really replaced its dragnet with targeted collection. Or perhaps it simply moved it under a new shell, EO 12333 collection, where it will remain better hidden.
Update: I realized I had used criminal subpoenas for AT&T, but not for Verizon (which doesn’t break out criminal and civil). Moreover, it’s not clear whether the telecoms would consider these criminal or civil subpoenas.
I also realized one other possible explanation why these don’t show up in the numbers. USAT reports that DEA uses subpoenas including thousands of numbers, whereas they used to use a subpoena to get all the records. That is, the telecoms may count each of these subpoenas as just one subpoena, regardless of whether it obtains 200 million or 1,000 numbers. Which would have truly horrifying implications for “Transparency.”
Update: There would be limitations to relying on the NSA’s database (though DEA could create its own for countries of particular interest). First, DEA could not search for US person identifiers without Attorney General approval (though under SPMCA, it could conduct chaining it knew to include US persons). Also, as of August 2014, at least, NSA wasn’t sharing raw EO 12333 data with other agencies, per this Charlie Savage story.
The N.S.A. is also permitted to search the 12333 storehouse using keywords likely to bring up Americans’ messages. Such searches must have “foreign intelligence” purposes, so analysts cannot hunt for ordinary criminal activity.
For now, the N.S.A. does not share raw 12333 intercepts with other agencies, like the F.B.I. or the C.I.A., to search for their own purposes. But the administration is drafting new internal guidelines that could permit such sharing, officials said.
Now that the Section 215 Sunset draws nearer, the debate over what reformers should do has shifted away from whether USA Freedom Act is adequate reform to whether it is wise to push for Section 215 to sunset.
That debate, repeatedly, has focused almost entirely on the phone dragnet that Section 215 authorizes. It seems most of the people engaging in this debate or reporting on it are unaware or uninterested in what the other roughly 175 Section 215 orders authorized last year did (just 5 orders authorized the phone dragnet).
But if Section 215 sunsets in June, those other 175 orders will be affected too (though thus far it looks like FISC is approving fewer 215 orders than they did last year). Yet the government won’t tell us what those 175 orders do.
We know — or suspect — some of what these other orders do. NYT and WSJ reported on a Western Union dragnet that would probably amount to 4-5 orders a year (and would have been unaffected and hidden in transparency reporting under USA Freedom Act).
The FBI has previously confirmed that it used Section 215 to collect records of explosives precursors — things like large quantities of acetone, hydrogen peroxide, fertilizer, and (probably now) pressure cookers; given that the Presidential Review Group consulted with ATF on its review of Section 215, it’s likely these are programmatic collection. (If the government told us it was, we might then be able to ask why these materials couldn’t be handled the same way Sudafed is handled, too, which might force the government to tie it more closely to actual threats.) This too would have been unaffected by USAF.
The government also probably uses Section 215 to collect hotel records (which is what it was originally designed for, though not in the bulk it is probably accomplished). This use of Section 215 will likely be reinforced if and when SCOTUS affirms the collection of hotel records in Los Angeles v. Patel.
But the majority of those 175 Section 215 orders, we now know, are for some kind of Internet records that may or may not relate to cyber investigations, depending on whether you think FBI talks out of its arse when trying to keep authorities, but which they almost certainly collect in sufficient bulk that FISC imposed minimization procedures on FBI.
Which brings me to my argument that reauthorizing Section 215 will forestall any ECPA reform.
We know most Section 215 orders are for Internet records because someone reliable — DOJ’s Inspector General in last year’s report on National Security Letters — told us that a collection of Internet companies successfully challenged FBI’s use of NSLs to collect this stuff after DOJ published an opinion on ECPA in 2008.
The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.
Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).
That report went on to explain that FBI considered fixing this problem by amending the definition for toll records in Section 2709, but then bagged that plan and just moved all this collection to Section 215, which takes longer.
In the absence of a legislative amendment to Section 2709, [2.5 lines redacted]. [Deputy General Counsel of FBI’s National Security Law Branch] Siegel told us that the process of generating and approving a Section 215 application is similar to the NSL process for the agents and supervisors in the field, but then the applications undergo a review process in NSLB and the Department’s National Security Division, which submits the application to the Foreign Intelligence Surveillance Court (FISA Court). According to Siegel, a request that at one time could be accomplished with an NSL in a matter of hours if necessary, now takes about 30-40 days to accomplish with a standard Section 215 application.
In addition to increasing the time it takes to obtain transactional records, Section 215 requests, unlike NSL requests, require the involvement of FBI Headquarters, NSD, and the FISA Court. Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.
The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.
The government is, according to the report, going through all sorts of hoop-jumping on these records rather than working with Congress to pass ECPA reform.
That’s not all the Report told us. Even earlier than that problem, in 2007, the IG identified other uncertainties about what the FBI should be obtaining with an NSL, and FBI actually put together a proposal to Congress. The proposed definition included both financial information and what could be construed as location data in toll records. That bill has never been passed.
But while Internet companies have shown reluctance to let the FBI secretly expand the meaning of toll record, two telecoms have not (a third, which I suspect is Verizon, backed out of closer cooperation on NSLs in 2009, and presumably a fourth, which probably is T-Mobile, was never a part of it).
And here’s what happened to the kinds of records FBI has been obtaining (almost certainly from AT&T) in the interim:
FBI is collecting 7 kinds of things from (probably) AT&T that the Inspector General doesn’t think fits under ECPA.
Now, I’m not sure precisely why ECPA reform has gone nowhere in the last 8 years, but all this redaction suggests one reason is the government doesn’t want to be bound by a traditional definition of toll record, so much so it’s willing to put up with the aggravation of getting Section 215 orders for (what may be the same kind of) information from Internet companies in order to not be bound by limits on its telecom (or at least AT&T) NSLs.
Don’t get me wrong. I’d rather have the Internet stuff be under Section 215 orders, where it will be treated with some kind of minimization (the FBI is still completely ignoring the 2006 language in Section 215 requiring it to adopt minimization procedures for that section, but FISC has stepped into the void and imposed some itself).
But ultimately what’s going on — in addition to the adoption of a dragnet approach for phone records (that might have been deemed a violation of 18 USC 2302-3 if litigated with an adversary) and financial records (that might have been deemed a violation of 12 USC 3401-3422 if litigated with an adversary), is that the government is also, apparently, far exceeding the common understanding of NSLs without going back to Congress to get them to amend the law (and this goes well beyond communities of interest — two or maybe three hop collection under an NSL — which isn’t entirely redacted in this report).
It may be moot anyway. I actually wonder whether Internet companies will use the immunity of CISA, if and when it passes, to turn whatever they’re turning over without a Section 215 order.
And it’s not like Pat Leahy and Mike Lee have been successful in their efforts to get ECPA reform that protects electronic communications passed. ECPA isn’t happening anyway.
But maybe it might, if Section 215 were to lapse and the government were forced to stop kluging all the programs that have never really been approved by Congress in the first place into Section 215.
In this post, I argued that a likely explanation for the NSA’s limits on collecting domestic cell phone data stem from a decision Verizon made in 2009 to stop participating in an FBI call records program. I’m not sure if I’m right about the cause (I know I’m not right about the timing), but I based part of my argument on how the FISA Court resolved a problem with telecoms turning over foreign data in 2009. And that resolution definitely indicates there’s something different about the way Verizon produces dragnet data from how AT&T does (Sprint is probably a third case, but not as important for these purposes).
Let me be clear: Verizon was not the only telecom to have the problem. It affected at least one other telecom; I believe it may have affected all of them. But the FISC resolved it differently with Verizon, which I believe shows that Verizon complies with the Section 215 orders in different fashion than AT&T and Sprint.
The problem was first identified when, in May 2009, Verizon informed the NSA it had been including foreign-to-foreign records in the data it provided to the NSA. Here’s how David Kris explained it in his report accompanying the phone dragnet end to end report.
NSA advised that for the first time, in May 2009, [redacted–Verizon] stated it produced foreign-to-foreign record pursuant to the Orders. [redacted–Verizon] stopped its production of this set of foreign-to-foreign records on May 29, 2009, after service of the Secondary Order in BR 09-06, which carves out foreign-to-foreign records from the description of records to be produced. (19)
In an accompanying declaration Keith Alexander provided more detail.
In May 2009, during a discussion between NSA and [redacted–Verizon] regarding the production of metadata, a [redacted–Verizon] representative stated that [redacted] produced the records [redacted] pursuant to the BR FISA Orders. This was the first indication that NSA had ever received from [redacted–Verizon] of its contrary understanding. At the May 28, 2009, hearing in docket number BR 09-06, the government informed the Court of [redacted redacted]. To address the issue, based on the government’s proposal, the Court issued a Secondary Order to [redacted] in docket number BR 09-06 that expressly excluded foreign-to-foreign call detail records from the scope of records to be produced. On May 29, 2009, upon service of the Secondary Order in docket number BR 09-06, [redacted–Verizon] ceased providing foreign-to-foreign records [redacted]. (42/PDF67)
Almost every dragnet order since that May 29, 2009 one has broken its production order out into two subparagraphs to reflect this change.
We can be virtually certain that Verizon is this provider, because the Verizon secondary order leaked by Edward Snowden includes the language excluding foreign-to-foreign data. That long redaction likely hides Verizon’s full name under this program, “Verizon Business Network Services, Inc. on behalf of MCI Communication Services Inc., d/b/a Verizon Business Services (individually and collectively “Verizon”), which is the name initially used in the secondary order.
Additionally, ODNI originally released the January 20, 2011 primary order with the paragraph that clarifies this with Verizon’s name unredacted. The paragraph remains in the dragnet orders, even after Verizon and Vodaphone split earlier this year (though if the split affected this issue, they may have hidden the fact by retaining the paragraph, given that they’re now anticipating declassification of the orders).
Less than a month after this incident, on June 25, the NSA finished its End-to-End report, which reported just the Verizon issue. Sometime between then and July 9, the FISC appears to have realized one of the other providers had a similar problem. The July 9, 2009 dragnet order, in the only exception I know to the two-part production order, looked like this:
The production order is to plural custodians of records, meaning at least two providers must be named. But it applies the Verizon rules to all of the named providers.
The order also requires an explanation for inclusion of the foreign-to-foreign records (see the bullet at 16-17). It is redacted in the released order but the DOJ submission (see page 6) shows that Judge Walton ordered,
a full explanation of the extent to which NSA has acquired call detail records of foreign-to-foreign communications from [redacted–too long to just be Verizon] pursuant to orders of the FISC, and whether the NSA’s storage, handling, and dissemination of information in those records, or derived therefrom, complied with the Court’s orders;
The September 3, 2009 order reverts to the two-paragraph structure. But it also orders retroactive production from one of the providers (AT&T or Sprint, probably the latter based on redaction length) named in the first paragraph (I first wrote about this here).
In addition, the Custodian of Records of [redacted] shall produce to NSA upon service of the appropriate Secondary Order an electronic copy of the same tangible things created by [redacted] for the period from 5:11 p.m. on July 9, 2009 to the date of this Order, to the extent those records still exist.
And adds a requirement that NSA report on any significant changes in reapplications, including on any changes to how the government obtains the data from carriers.
Any application to renew or reinstate the authority granted herein shall include a report describing: (1) the queries made since the end of the reporting period of the last report filed with the Court; (ii) the manner in which NSA applied the procedures set forth in paragraph (3)C above; and (iii) any proposed changes in the way in which the call detail records would be received from the carriers and any significant changes to the systems NSA uses to receive, store, process, and disseminate BR metadata. [my emphasis]
The DOJ report provides further evidence that at least one other provider provided foreign-to-foreign records. When Kris introduces this problem (see page 18), he references a three part discussion in Alexander’s declaration.
You can see the heading for the third provider on page 46/PDF 71 of the Alexander declaration.
So the report appears to have commented on all three providers. The problem clearly affected two of them.
But FISC only retains the clarification for Verizon.
As I said, I appear to be wrong about the timing of this. I had suggested it was tied to Verizon deciding not to reup its contract under the FBI phone program in 2009. That almost certainly had to have happened (as Charlie Savage noted to me via Twitter, the Exigent Letter IG Report was focused on AT&T, MCI, and Verizon, and one of the latter two, which means basically one part of Verizon, backed out).
But the End-to-End Report makes it clear Verizon first started turning over this data in January 2007.
This foreign-to-foreign metadata started coming into NSA in January 2007. (15)
There was not even a dragnet order signed in January 2007, so it can’t be tied primarily to the phone dragnet. It also preceded the end of the on-site phone provider program (which ended in December 2007) and even the release of the first NSL IG Report in March 2007, which led the providers to get squirrelly (see page 191 for these dates).
The details regarding the potential problems with Verizon’s provision of foreign-to-foreign records suggests this may have something to do with upstream production (Verizon had been providing upstream records to the NSA for years, but it only came under the oversight of the FISC in January 2007).
Furthermore, because the records are records of foreign-to-foreign communications, almost all of them do not concern the communications of U.S. persons. To the extent any of the records concern the communications of U.S. persons, such communications would be afforded the same protections as any other U.S. person communication [redacted] authorities. Id. at 43. (19)
almost all of them concern the communications of non-U.S. persons located outside the United States. If NSA were to find that any of the records concerned U.S. persons, their dissemination would be governed by the terms of USSID 18 which are the procedures established pursuant to EO 12333, as amended. (68)
The discussion of records that might “concern the communications” sounds like an “about” search (though I’m not sure of what).
All that said, AT&T should have had the same upstream “about” obligations starting in January 2007 that Verizon did. I suspect (based on my guess that Sprint is the production that got shut down) the order in the July 9, 2009 order is the only instruction they ever got to stop providing foreign-to-foreign records. Yet FISC felt the need — still feels the need — to keep that explicit order to Verizon in every single primary order.
Mind you, all this shows that Verizon was able to shut down the foreign production immediately, on the same day. So it’s clear they can shut down certain kinds of production.
All this seems to suggest that — in addition to at least some part of Verizon withdrawing from the FBI’s records program, and to Verizon not retaining records for the same length of time AT&T does — Verizon also produces phone dragnet data differently than AT&T does.
Last week, Dustin Slaughter published a story using a new deck of slides on the Hemisphere program, the Drug Czar program that permits agencies to access additional telecommunications analytical services to identify phones, which then gets laundered through parallel construction to hide both how those phones were found, as well as the existence of the program itself.
It has some significant differences from the deck released by the New York Times last year. I’ve tried to capture the key differences here:
The biggest difference is that the NYT deck — which must date to no earlier than June 2013 — draws only from AT&T data, whereas the Declaration deck draws from other providers as well (or rather, from switches used by other providers).
In addition, the Declaration deck seems to reflect approval for use in fewer states (given the mention of CA court orders and the recent authorization to use Hemisphere in Washington in the AT&T deck), and seems to offer fewer analytical bells and whistles.
Thus, I agree with Slaughter that his deck predates — perhaps by some time — the NYT/AT&T deck released last year. That would mean Hemisphere has lost coverage, even while it has gained new bells and whistles offered by AT&T.
While I’m not yet sure this is my theory of the origin of Hemisphere, some dates are worth noting:
From 2002 to 2006, the FBI had telecoms onsite to provide CDRs directly from their systems (the FBI submitted a great number of its requests without any paperwork). One of the services provided — by AT&T — was community of interest tracking. Presumably they were able to track burner phones (described as dropped phones in these decks) as well.
In 2006, FBI shut down the onsite access, but retained contracts with all 3 providers (AT&T, Verizon, and probably Sprint). In 2009, one telecom — probably Verizon — declined to renew its contract for whatever the contract required.
AT&T definitely still has a contract with FBI, and in recent years, it has added more services to what it offers the FBI.
It’s possible the FBI multi-provider access moved under ONCDP (the Drug Czar) in 2007 as a way to retain its authorities without attracting the attention of DOJ’s excellent Inspector General (who is now investigating this in any case). Though I’m not sure that program provided the local call records the deck at least claims it could have offered. I’m not sure that program got to the telecom switches the way the deck seems to reflect. It’s possible, however, that the phone dragnet in place before it was moved to Section 215 in 2006 did have that direct access to switches, and the program retained this data for some years.
The phone dragnet prior to 2006 and NSL compliance (which is what the contracts with AT&T and one other carrier purportedly provide now) are both authorized in significant part (and entirely, before 2006) through voluntary compliance, per David Kris, the NSA IG Report, and the most recent NSL report. That’s a big reason why the government tried to keep this secret — to avoid any blowback on the providers.
In any case, if I’m right that the program has lost coverage (though gained AT&T’s bells and whistles) in the interim, then it’s probably because providers became unwilling, for a variety of reasons (and various legal decisions on location data are surely one of them) to voluntarily provide such information anymore. I suspect that voluntary compliance got even more circumscribed with the release of the first Horizon deck last year.
Which means the government is surely scrambling to find additional authorities to coerce this continued service.
The ACLU and EFF normally do great work defending the Fourth Amendment. Both have fought the government’s expansive spying for years. Both have fought hard to require the government obtain a warrant before accessing your computer, cell phone, and location data.
But earlier this week, they may have taken action that directly undermines that good work.
On Wednesday, both civil liberties organizations joined in a letter supporting Patrick Leahy’s version of USA Freedom Act, calling it a necessary first step.
We support S. 2685 as an important first step toward necessary comprehensive surveillance reform. We urge the Senate and the House to pass it quickly, and without
making any amendments that would weaken the important changes described above.
ACLU’s Laura Murphy explained why ACLU signed onto the bill in a column at Politico, analogizing it to when, in 2010, ACLU signed onto a bill that lowered, but did not eliminate, disparities in crack sentencing.
Reform advocates were at a crossroads. Maximalists urged opposition despite the fact the bill would, in a very real way, make life better for thousands of people and begin to reduce the severe racial and ethnic inequality in our prison system. Pragmatists, fearing that opposition to the bill would preclude any reform at all, urged support.
It was a painful compromise, but the ACLU ultimately supported the bill. It passed, astoundingly, with overwhelming support in both chambers.
And then something amazing happened. Conservative lawmakers, concerned about government waste, increasingly came to the table to support criminal justice reform. Liberals realized they could vote their conscience on criminal justice without accusations of being “soft on crime.” It has not been easy and there have been many steps backward, but in recent years, we’ve seen greater public opposition to mandatory minimum sentences and real movement on things like reducing penalties for low-level drug offenses.
The analogy is inapt. You don’t end crack disparities by increasing the number of coke dealers in jail. But Leahy’s USA Freedom Act almost certainly will increase the number of totally innocent Americans who will be subjected to the full brunt of NSA’s analytical authorities indefinitely.
That’s because by outsourcing to telecoms, NSA will actually increase the total percentage of Americans’ telephone records that get chained on; sources say it will be more “comprehensive” than the current dragnet and Deputy NSA Director Richard Ledgett agrees the “the actual universe of potential calls that could be queried against is [potentially] dramatically larger.” In addition, the telecoms are unlikely to be able to remove all the noisy numbers like pizza joints — as NSA currently claims to — meaning more people with completely accidental phone ties to suspects will get sucked in. And USA Freedom adopts a standard for data retention — foreign intelligence purpose — that has proven meaningless in the past, so once a person’s phone number gets turned over to the NSA, they’ll be fair game for further NSA spying, the really invasive stuff, indefinitely.
But that’s not the reason I find ACLU and EFF’s early support for USA Freedom so astounding.
I’m shocked ACLU and EFF are supporting this bill because they don’t know what the NSA will be permitted to do at the immunized telecoms. They have blindly signed onto a bill permitting “connection chaining” without first understanding what connection chaining entails.
As I have reported extensively, while every witness who has talked about the phone dragnet has talked about chaining on phone calls made — all the calls Anwar al-Awlaki made, all the calls those people made — the language describing this chaining process has actually been evolving. Dianne Feinstein’s Fake FISA Fix last fall allowed the NSA to chain on actual calls — as witnesses had described — but also on communications (not just calls) “to or from any selector reasonably linked to the selector.” A February modification and the last two dragnet orders permitted NSA to chain on identifiers “with a contact and/or connection” with the seed, making it clear that a “connection” is something different than a “contact.” The House bill USA Freedumber adopted the same language in a legislative report. Leahy’s bill adopts largely the same language for chaining.
(iii) provide that the Government may require the prompt production of call detail records—
(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and
(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;
Now, it’s possible that this language does nothing more than what NSA illegally did until 2009: chain on both the identifier itself, but also on identifiers it has determined to be the same person. Back in 2009, NSA referred to a separate database to determine these other identifiers. Though that’s unlikely, because the bill language suggests the telecoms will be identifying these direct connections.
It’s possible, too, that this language only permits the telecoms to find “burner” phones — a new phone someone adopts after having disposed of an earlier one — and chain on that too.
But it’s also possible that this language would permit precisely what AT&T does for DEA in its directly analogous Hemisphere program: conduct analysis using cell site data. The bill does not permit NSA to receive cell site data, but it does nothing to prohibit NSA from receiving phone numbers identified using cell site data. When Mark Warner asked about this, Ledgett did not answer, and James Cole admitted they could use these orders (with FISC approval) to get access to cell location.
It’s possible, too, that the telecoms will identify direct connections using other data we know NSA uses to identify connections in EO 12333 data, including phone book and calendar data.
The point is, nobody in the public knows what “connections” NSA will be asking its immunized telecom partners to make. And nothing in the bill or even the public record prohibits NSA from asking telecoms to use a range of smart phone information to conduct their analysis, so long as they only give NSA phone identifiers as a result.
In response to questions from Senators about what this means, Leahy’s office promised a letter from James Clapper’s office clarifying what “connections” means (No, I don’t remember the part of Schoolhouse Rock where those regulated by laws get to provide “clarifications” that don’t make it into the laws themselves). That letter was reported to be due on Tuesday, by close of business — several days ago. It hasn’t appeared yet.
I asked people at both EFF and ACLU about this problem. EFF admitted they don’t know what this language means. ACLU calls the language “ambiguous,” but based on nothing they were able to convey to me, insists getting smart phone data under the guise of connection chaining would be an abuse. ACLU also pointed to transparency provisions in the bill, claiming that would alert us if the NSA starting doing something funky with its connection language; that of course ignores that “connection chaining” is an already-approved process, meaning that existing processes won’t ever be need to be released. It also ignores that the Administration has withheld what is probably a directly relevant phone dragnet opinion from both ACLU and EFF in their dragnet FOIA.
I get Laura Murphy’s point about using USA Freedom to start the process of reform. But what I don’t understand is why you’d do that having absolutely no idea whether that “reform” codifies the kind of warrantless probable cause-free access to device data that ACLU and EFF have fought so hard to prevent elsewhere.
ACLU and EFF are supposed to be leaders in protecting the privacy of our devices, including smart phones. I worry with their embrace of this bill, they’re leading NSA right into our smart phones.
A few weeks back, I did a Salon piece laying out how both the US and UK were claiming they can demand data stored in a cloud in any country. The UK is doing that with their new DRIP law, which will increase their ability to demand data from companies within and outside of the UK. The US is doing that by serving warrants on US companies for data stored in their clouds overseas.
The next battle in the latter war will take place on Thursday, at a hearing in NYC. In anticipation, Microsoft’s counsel Brad Smith wrote a WSJ op-ed to make the spat good and public. Here’s how he describes the government’s efforts to use Third Party doctrine to get around border limits on warrants.
Microsoft believes you own emails stored in the cloud, and that they have the same privacy protection as paper letters sent by mail. This means, in our view, that the U.S. government can obtain emails only subject to the full legal protections of the Constitution’s Fourth Amendment. It means, in this case, that the U.S. government must have a warrant. But under well-established case law, a search warrant cannot reach beyond U.S. shores.
The government seeks to sidestep these rules, asserting that emails you store in the cloud cease to belong exclusively to you. In court filings, it argues that your emails become the business records of a cloud provider. Because business records have a lower level of legal protection, the government claims that it can use its broader authority to reach emails stored anywhere in the world.
Courts have long recognized the distinction between a company’s business records and an individual’s personal communications. For example, the government can serve a subpoena on UPS to disclose business records that show where a customer shipped packages, but it must establish probable cause and get a warrant from a judge to look at what a customer put inside.
Microsoft believes the higher legal protection for personal conversations should be preserved for new forms of digital communication, such as emails or text and instant messaging.
This is a battle about cloud storage. But it’s also a proxy war for questions of how the government conducts its more secret surveillance — as well as a very public show of opposing the government’s more expansive claims (the amici in this case include other companies — like AT&T — that have never complained about the government’s surveillance requests but that have good reason to make a good show of complaining here).
Which makes it interesting that Microsoft is so aggressively reaching out to the public.
In a piece for Salon today, I note that both in US domestic warrants for Stored Communication and in the law the UK will push through, DRIP, the US and the Brits are asserting they should be able to demand data stored anywhere in the world. Here’s the US part:
The U.S. data grab started back in December, when the Department of Justice applied for a warrant covering an email account Microsoft held in Ireland as part of a drug-trafficking investigation. Microsoft complied with regards to the information it stored in the U.S. (which consisted of subscriber information and address books), but challenged the order for the content of the emails. After Magistrate Judge James Francis sided with the government – arguing, in part, that Mutual Legal Assistance Treaties, under which one country asks another for help on a legal investigation, were too burdensome — Microsoft appealed, arguing the government had conscripted it to conduct an extraterritorial search and seizure on its behalf.
As part of that, Microsoft Vice President Rajesh Jha described how, since Snowden’s disclosures, “Microsoft partners and enterprise customers around the world and across all sectors have raised concerns about the United States Government’s access to customer data stored by Microsoft.” Jha explained these concerns went beyond NSA’s practices. “The notion of United States government access to such data — particularly without notice to the customer — is extremely troubling to our partners and enterprise customers located outside of the United States.” Some of those customers even raised Magistrate Francis’ decision specifically.
The government’s response, however, argued U.S. legal process is all that is required. DOJ’s brief scoffed at Microsoft for raising the real business concerns that such big-footing would have on the U.S. industry. “The fact remains that there exists probable cause to believe that evidence of a violation of U.S. criminal law, affecting U.S. residents and implicating U.S. interests, is present in records under Microsoft’s control,” the government laid out. It then suggested U.S. protection for Microsoft’s intellectual property is the tradeoff Microsoft makes for complying with legal process. “Microsoft is a U.S.-based company, enjoying all the rights and privileges of doing business in this country, including in particular the protection of U.S. intellectual property laws.” It ends with the kind of scolding usually reserved for children. “Microsoft should not be heard to complain that doing so might harm its bottom line. ”
Click through to find out why the UK data grab is even worse.
Effectively, both English speaking behemoths are arguing that borders don’t matter, they can have any data in the world. And while we know NSA and GCHQ were doing that for spying purposes, here they’re arguing they can do it for crime prevention.
Breathtaking claims, really.