Posts

The Era of Big Pen Register: The Flaw in Jeffrey Miller’s Moalin Decision

As I noted, on Thursday Judge Jeffrey Miller rejected Basaaly Moalin’s bid for a new trial based on disclosures of the Section 215 dragnet. Miller rejected the bid largely by relying on Smith v. Maryland and subsequent decisions that found no Fourth Amendment protection for pen registers.

But Miller resorts to a bit of a gimmick to dismiss Justice Sonia Sotomayor’s comments in US v. Jones.

Miller notes Sotomayor’s comments. But he points to the 170 year history of the pen register and reasons that because pen register technology is so old, they cannot be described as a “product of the so-called digital revolution,” and therefore cannot raise the kind of new privacy concerns Sotomayor had in mind.

As noted by Defendants, Justice Sotomayor stated that the recent rise of the digital era of cell phones, internet, and email communications may ultimately require a reevaluation of “expectation of privacy in information voluntarily disclosed to third parties.” Id. at 957. Defendants extrapolate from this dicta that the court should recognize that Defendant Moalin had a reasonable expectation of privacy cognizable under the Fourth Amendment that the Government would not collect either individual or aggregated metadata.

The difficulty with Defendants’ argument is twofold. First, the use of pen register-like devices – going back to Samuel Morses’s 1840 telegraph patent – predates the digital era and cannot be considered a product of the digital revolution like the internet or cell phones. See Samuel F.G. Morse, Improvement in the Mode of Communicating Information by Signals by the Application of Electro-Magnetism, U.S. Patent 1647, June 20, 1840, page 4 column 2. In short, pen register-like devices predate the internet era by about 150 years and are not a product of the so-called digital revolution – the basis for the concerns articulated by Justice Sotomayor. [my emphasis]

Now, before I pick this apart, let’s look back at an earlier move Miller made.

In assessing the Section 215 dragnet, Miller did not consider whether the collection of Moalin’s phone records as part of a database of every single American’s phone records was constitutional. Instead, he first considered Moalin’s interest in phone records not involving him, then considered Moalin’s protections in phone records involving him (this may suggest the government found Moalin on a second hop).

Defendants argue that the collection of telephony metadata violated Defendant Moalin’s First and Fourth Amendment rights. At issue are two distinct uses of telephone metadata obtained from Section 215. The first use involves telephony metadata retrieved from communications between third parties, that is, telephone calls not involving Defendants. Clearly, Defendants have no reasonable expectation of privacy to challenge any use of telephony metadata for calls between third parties. See Steagald v. United States, 451 U.S. 204, 219 (1981) (Fourth Amendment rights are personal in nature); Rakas v. Illinois, 439 U.S. 128, 133-34 (1978) (“Fourth Amendment rights are personal rights which, like some other constitutional rights, may not be vicariously asserted.”); United States v. Verdugo-Uriquidez, 494 U.S. 259, 265 (1990) (the term “people” described in the Fourth Amendment are persons who are part of the national community or may be considered as such). As noted in Steagald, “the rights [] conferred by the Fourth Amendment are personal in nature, and cannot bestow vicarious protection on those who do not have a reasonable expectation of privacy in the place to be searched.” 451 U.S. at 219. As individuals other than Defendants were parties to the telephony metadata, Defendants cannot vicariously assert Fourth Amendment rights on behalf of these individuals. To this extent, the court denies the motion for new trial.

The second use of telephony metadata involves communications between individuals in Somalia (or other countries) and Defendant Moalin. The following discusses whether Defendant Moalin, and other Defendants through him, have any reasonable expectation of privacy in telephony metadata between Moalin and third parties, including co-defendants.

In other words, Miller takes Moalin’s phone records out of the context in which they were used. In doing so, he turns an enormous database — very much the product of the “so-called digital revolution” — into two pen registers, 170 year old technology.

That move is all the more problematic given repeated Administration explanations (cited by Moalin’s defense and therefore even Miller in his ruling) that Moalin was only identified through indirect contact with an identified selector (presumed to be Somali warlord Aden Ayro).

That is, Moalin would not have been identified without using the features of the database and NSA’s chaining analysis. Moalin was identified not because a single pen register showed him to be in contact with Aden Ayro, but because a network analysis showed his contacts with someone else appeared to be of sufficient value to constitute a likely tie to Ayro himself. And that two-hop connection served either as the basis to listen to already collected conversations involving Moalin via back door searches or, by itself, the basis for probable cause to wiretap Moalin (I suspect it’s the former, and further suspect they used the fruits of that back door search to get the warrant to tap Moalin directly).

Members of the Administration have assured us, over and over, that this chaining analysis is only possible with a complete haystack. Thus, the entire haystack — the database and data analysis that are the quintessential tool of the “so-called digital revolution” — is the instrument of surveillance, not hundreds of millions of individual pen registers. And yet, in their first victory over a defendant with standing, the judge resorted to a gimmick to render that haystack back into hundreds of millions of pieces of hay again.

Update: This passage, from the Administration White Paper, is inconsistent with Miller’s treatment of the dragnet as two separate pen registers.

Although broad in scope, the telephony metadata collection program meets the “relevance” standard of Section 215 because there are “reasonable grounds to believe” that this category of data, when queried and analyzed consistent with the Court-approved standards, will produce information pertinent to FBI investigations of international terrorism, and because certain analytic tools used to accomplish this objective require the collection and storage of a large volume of telephony metadata. This does not mean that Section 215 authorizes the collection and storage of all types of information in bulk: the relevance of any particular data to investigations of international terrorism depends on all the facts and circumstances. For example, communications metadata is different from many other kinds of records because it is inter-connected and the connections between individual data points, which can be reliably identified only through analysis of a large volume of data, are particularly important to a broad range of investigations of international terrorism. [my emphasis]

Like Obi Wan, Osama bin Laden Has Come Back More Powerful Than Ever Before

In a piece that serves only to claim we need even more invasive online surveillance because we’ve made al Qaeda more insidious than before Osama bin Laden died, Michael Hirsh tries to make Abu Musab al-Suri the new boogeyman (who, as J.M. Berger notes, may not even be alive!).

The truth is much grimmer. Intelligence officials and terrorism experts today believe that the death of bin Laden and the decimation of the Qaida “core” in Pakistan only set the stage for a rebirth of al-Qaida as a global threat. Its tactics have morphed into something more insidious and increasingly dangerous as safe havens multiply in war-torn or failed states—at exactly the moment we are talking about curtailing the National Security Agency’s monitoring capability. And the jihadist who many terrorism experts believe is al-Qaida’s new strategic mastermind, Abu Musab al-Suri (a nom de guerre that means “the Syrian”), has a diametrically different approach that emphasizes quantity over quality. The red-haired, blue-eyed former mechanical engineer was born in Aleppo in 1958 as Mustafa Setmariam Nasar; he has lived in France and Spain. Al-Suri is believed to have helped plan the 2004 train bombings in Madrid and the 2005 bombings in London—and has been called the “Clausewitz” of the new al-Qaida.

[snip]

But the agency’s opponents may not realize that the practice they most hope to stop—its seemingly indiscriminate scouring of phone data and emails—is precisely what intelligence officials say they need to detect the kinds of plots al-Suri favors.

[snip]

And the consensus of senior defense and intelligence officials in the U.S. government is that NSA surveillance may well be the only thing that can stop the next terrorist from blowing apart innocent Americans, as happened in Boston last April. “Al-Qaida is far more a problem a dozen years after 9/11 than it was back then,” [Navy Postgraduate School expert John] Arquilla says.

[snip]

Officials also say they need more intelligence than ever to determine which of the multifarious new jihadist groups is a true threat. “The really difficult strategic question for us is which one of these groups do we take on,” [Michael] Hayden says. “If you jump too quickly and you put too much of a generic American face on it, then you may make them mad at us when they weren’t before. So we are going to need a pretty nuanced and sophisticated understanding of where there these new groups are going and where we need to step up and intervene.”

Some officials suggest that to do that—to discriminate carefully between the terrorists who are directly targeting U.S. interests and those who aren’t—the United States needs to step up, not slow down, the NSA’s monitoring of potential targets. [my emphasis]

Hirsh doesn’t seem to notice it, but even while he quotes former and current architects of our counterterrorism strategy like Michael Hayden and Mike Rogers, if his tale is to be believed, you have to also believe those former and current counterterrorism leaders committed these grave counterterrorism failures:

  • Allowing no fewer than 25 failed states to flourish, especially in Yemen, Somalia, Syria, Libya, and Iraq
  • Failing to win or even establish governance in Afghanistan
  • Rendering al-Suri to Syria where he may or may not have been let free
  • Taking on Bashar al-Assad (who the article admits provided us counterterrorism support, including presumably proxy torturing al-Suri) even while not backing dictators who provide counterterrorism support during the Arab Spring
  • Abandoning Syrian rebels to Assad

Then Hirsh goes on to recite the debunked claims about how useful the Section 215 dragnet is (though curiously, he doesn’t mention Basaaly Moalin, perhaps because elsewhere Harold Koh admits that even most members of al-Shabaab aren’t members of al Qaeda, much less those who materially support al-Shabaab), how that would have (and, the implication is) and is the only thing that might have prevented 9/11.

Hirsh doesn’t even seem to notice that he repeats the claim that only NSA dragnets can prevent a Boston Marathon attack, yet NSA dragnets didn’t prevent the Boston Marathon attack.

Obviously, the whole thing is just as Mike Rogers/Michael Hayden sponsored advertisement to pass DiFi’s Fake FISA Fix (the article doesn’t address why she doesn’t just accept the status quo).

But in the process, Hirsh has instead laid out solid evidence we should never trust the people who’ve been running our war on terror for the last 12 years, because, if even a fraction of what he claims is true, they’ve actually made us far less safe.

Basaaly Moalin Denied New Trial

As I noted the other day, Basaaly Moalin argued for a new trial Wednesday, arguing that disclosures that his entire prosecution stems from indirect phone contacts with a Somali warlord under the Section 215 phone dragnet program raises questions about the validity of the evidence used to convict him.

One day after that hearing, Judge Jeffrey Miller denied Moalin a new trial.

Miller argues that the all the new disclosures about the phone dragnet present no new issues in the trial. He even suggests the multiple discussions of Moalin’s case in testimony before Congress and the documents released by the government may not be admissible (even though he relies on the most recent FISC order, which addresses the program as it exists now, not as it exists in 2007 when FBI was tipped to Moalin).

Setting aside the issue of admissibility of the public revelations of the NSA program of securing telephone metadata, the public disclosure of the NSA program adds no new facts to alter the court’s FISA and CIPA rulings. Because the court has already considered and addressed many of the FISA and CIPA arguments from a federal and constitutional law perspective, the present motion is akin to a motion for reconsideration.

Given the Judge’s quick turnaround, it’s clear he had no intention of granting a new trial, regardless of what Moalin presented yesterday. Miller determined that the phone dragnet was proper in secret a year ago — based on what I am certain was impartial information — and he refuses to consider the possibility that his determination was incorrect.

I will look closer at Miller’s thinking later today — while his legal analysis is better than, say, Claire Eagan’s, there are still at least two obvious holes in his analysis.

But for the moment, realize that the government has won the ability to base an entire conviction off even indirect phone contacts identified via the phone dragnet.

I suspect we’ll see this case again at the 9th Circuit.

The Phone Dragnet Did Not (and May Still Not) Meet the PATRIOT Act’s Minimization Requirements

While a number of the changes to Section 215 passed just before the government started relying on it to create a database of all phone-based relationships in the United States watered down the law, one provision made the law stricter.

The 2006 Reauthorization required the Attorney General to establish minimization procedures for the data collected under the program.

(g) Minimization Procedures and Use of Information- Section 501 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861) is further amended by adding at the end the following new subsections:

(g) Minimization Procedures-

(1) IN GENERAL- Not later than 180 days after the date of the enactment of the USA PATRIOT Improvement and Reauthorization Act of 2005, the Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this title.

(2) DEFINED- In this section, the term `minimization procedures’ means–

(A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 101(e)(1), shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance; and

(C) notwithstanding subparagraphs (A) and (B), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes.

(h) Use of Information- Information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title concerning any United States person may be used and disclosed by Federal officers and employees without the consent of the United States person only in accordance with the minimization procedures adopted pursuant to subsection (g). No otherwise privileged information acquired from tangible things received by the Federal Bureau of Investigation in accordance with the provisions of this title shall lose its privileged character. No information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title may be used or disclosed by Federal officers or employees except for lawful purposes.’.

But from the very start, the FISA Court and the Administration set out to ignore this requirement. After all, well before anyone did any analysis about the foreign intelligence value of the phone dragnet data, the FBI disseminated all of it, by having the telecoms hand it over directly to the NSA. And phone numbers are US person identifiers (best demonstrated by NSA’s use of phone numbers as identifiers to conduct searches in other contexts).

Thus, before any Agency even touched the data, the phone dragnet scheme violated this provision by disseminating non-publicly available information about US person identifiers on every single American without their consent.

According to FISC’s original Section 215 phone dragnet order, the NSA only had to abide by the existing SID-18 minimization procedures.

[D]issemination of U.S. person information shall follow the standard NSA minimization procedures found in the Attorney General-approved guidelines (U.S. Signals Intelligence Directive 18). [link added]

And the FBI only applied the minimization procedures it used to fulfill the statute after the NSA had already run queries on it.

With respect to any information the FBI receives as a result of this Order (information that is passed or “tipped” to it by NSA), the FBI shall follow as minimization procedures the procedures set forth in The Attorney General’s Guidelines for FBI National Security Investigations and Foreign Intelligence Collection (October 31, 2003). [link added]

Even after this initial order, the Attorney General did not comply with the mandate to come up with minimization procedures specific to Section 215. Instead, then Attorney General Alberto Gonzales just adopted four sections of the National Security Investigations Guidelines.

In analysis included in a 2008 review of the FBI’s use of Section 215, DOJ Inspector General Glenn Fine deemed this measure to fall short of the statute’s requirements.

These interim minimization procedures use general hortatory language stating that all activities conducted in relation to national security investigations must be “carried out in conformity with the Constitution.” However, we believe this broad standard does not provide the specific guidance for minimization procedures that the Reauthorization Act appears to contemplate.

[snip]

[T]he Reauthorization Act required the Department to adopt “specific procedures” reasonably designed to “minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” We believe that the interim procedures do not adequately address this requirement, and we recommend that the Department continue its efforts to construct specific minimization procedures relating to Section 215 orders, rather than rely on general language in the Attorney General’s NSI Guidelines.

As I’ll show in a follow-up post, presumably in response to Fine’s report, Attorney General Michael Mukasey adopted new, arguably even more general guidelines to fulfill this requirement, the AG Guidelines for Domestic FBI Operations. (I strongly suspect the August 20, 2008 FISC opinion the government won’t release authorizes the language that would appear in those Guidelines).

But the implications of this have more immediate significance.

After all, the only known American who got busted based on a Section 215 tip, Basaaly Moalin, argues for a new trial tomorrow. And he was tipped based on dissemination that took place in 2007 — that is, before DOJ even tried to address these problematic minimization procedures. He was tipped based on dissemination that — under the letter of the PATRIOT Act — should never have happened.

Update: With regards to Moalin’s case, this seems pertinent.

As of early December 2007, the [Director of National Intelligence] working group [trying to harmonize defintions] had not defined “U.S. person identifying information.

This means that, at the time he was identified in the dragnet, the entire intelligence community was still fighting over whether phone numbers constituted US person identifying information entitled to additional protection.

Update: In an address to the EU Parliament, Jim Sensenbrenner accuses NSA of ignoring civil liberty protections in the PATRIOT Act.

“I firmly believe the Patriot Act saved lives by strengthening the ability of intelligence agencies to track and stop potential terrorists, but in the past few years, the National Security Agency has weakened, misconstrued and ignored the civil liberty protections we drafted into the law,” he said, adding that the NSA “ignored restrictions painstakingly crafted by lawmakers and assumed a plenary authority we never imagined.”

Is the Government Hiding FISC’s “Erroneous” 215 Opinion Until After Basaaly Moalin’s Hearing for a New Trial?

As I mentioned in this post, the government is due to turn over the remaining documents in the ACLU FOIA for Section 215 documents on November 18. Among the documents it may release is a February 24, 2006 FISC opinion. This may be the only comprehensive opinion written to authorize the Section 215 dragnet … and if it’s not, no comprehensive opinion authorized the opinion until August 29, 2013.

In short, that release will answer a lot of questions about what former Assistant Attorney General David Kris suggests may have been an erroneous decision authorizing the entire phone dragnet. We’ll learn more November 18.

But that won’t help Basaaly Moalin, who on Wednesday, November 13, will argue he should have a new trial in light of disclosures that the government only started wiretapping him after being tipped by the Section 215 dragnet. If the Judge in his case, Jeffrey Miller, decides he doesn’t merit a new trial, then he will be sentenced on November 18. And then, later that same day, the government will release what could be evidence that the very foundations of the Section 215 dragnet that caught Moalin are “erroneous.”

That seems to be the way things have gone for Moalin since June 18, when the government pushback on the Snowden leaks first led Moalin to learn his entire prosecution rested on the Section 215 dragnet, and since August 28, when Moalin first started pushing for a delay in sentencing so he could push for a new trial.

Back in July, the ACLU demanded the government turn over all responsive documents by August 12. That would have brought the release of all documents a month before Moalin’s then-scheduled sentencing. Instead, the government asked to have until September 15, the day before the date scheduled for his sentencing. That request would have been almost two weeks after the 60 day extension James Clapper asked for on July 5, 2013.

On August 16, Judge Pauley set up this production schedule.

The Government will review the Foreign Intelligence Surveillance Court (FISC) Opinions at issue and release any segreable information not exempt under FOIA by September 10, 2013. The Government will review a second tranche of documents and release any segreable information not exempt under FOIA by October 10, 2013. The Government will review the remaining documents at issue, excluding the FISC orders in the final row of the Government’s Vaughn index, and release any segreable information not exempt under FOIA by 10/31/2013. The parties will submit a status report to the Court by 11/8/2013.

The October 10 and 31 dates got pushed back because of the shut-down (which, of course, was not DOJ’s fault).

But the results has been to limit the argument Moalin should be able to make. In the Motion for a new trial (submitted on September 5), for example, Moalin’s team relies on the October 3, 2011 John Bates opinion (released on August 21) rather than the slew of documents showing systemic problems with the very program that tipped Moalin admitted in 2009 (released September 10). The government even taunts them about it in their Response.

Defendants’ reliance on an October 3, 2011 FISC Opinion is misplaced. The opinion documented the FISC’s judicial review of the Government’s Certifications of Collection and Interception pursuant to Section 702 of FISA and is hence irrelevant here were Section 702 is not at issue.

Of course. But the only reason the defendants weren’t able to make the very same argument — that the NSA had almost no meaningful controls over the querying they were doing of the Section 215 dragnet — and make it with collection closer to the time when the dragnet tipped Moalin is because ODNI sat on the Section 215 disclosures until after Moalin submitted his motion.

Of particular concern is the delay in revealing details of contact chaining (and that at the time Moalin was tipped, it was possible to chain a fourth hop in). The defense clearly focused on the government’s admission that Moalin had been indirectly in contact with Aden Ayro. That’s a point the government almost entirely ignored in their response. Add in that the government is still largely hiding how it uses the phone dragnet to find burner phones (and the evidence the government used Moalin’s calls with Ayro to find the warlords new phone after he had ditched an old one), and the defense was only given delayed access to some of the details that might best undermine the case that such indirect contacts might constitute probable cause for a FISA warrant.

The defense integrated some of the revelations about the 2009 disclosures in their reply, submitted October 10. That left unavailable the documents released on October 28, some of which showed the government in violation of FISA Amendment’s Act’s requirement to provide all significant FISC opinions on the topic at hand to the Intelligence and Judiciary Committees. Those documents would also present additional challenges to the legitimacy of the two reauthorizations of the dragnet since 2006.

Now, maybe this is just coincidental, that the one person who might challenge his conviction through the use of Section 215 would be prevented from using documents that might show the program itself is “erroneous.”

But as people like Dianne Feinstein squawk that the program is “legal,” they’d be well advised to consider the remarkable way that Moalin was deprived of the documents that might allow a challenge to the law as erroneous from the very start.

DiFi’s “Surveillance” Dictionary Makes Her Beloved Phone Dragnet Illegal

Ut oh.

Dianne Feinstein’s been writing op-eds again.

This one mostly rehashes the old arguments.

There’s the claim that stopping a guy less dangerous than Peter King once was is worth creating a database of all the phone-based relationships in the United States.

In fact, since its inception, this program has played a role in stopping roughly a dozen terror incidents in the United States. And it continues to contribute to our safety.

There’s the claim her deceitful legislation would make things better. (See here, here, here, here, and here for some details of why it will make things worse.)

On Oct. 31, the Senate Intelligence Committee took the first step to restore that confidence and bridge the gap between preventing terrorism and protecting civil liberties by passing the bipartisan Foreign Intelligence Surveillance Act Improvements Act.

And there’s the claim that “drip, drip, drip” and a higher standard of honesty that government officials has the ability to erode the mighty US military’s credibility.

This drip, drip, drip of disclosures – often without proper context and frequently just plain wrong – has eroded the confidence of the American people in the dedicated men and women of our intelligence community and the strong legal and constitutional protections already in place to prevent improper behavior.

But those arguments have all gotten stale by now.

What’s truly amusing is DiFi’s attempt to rebut the well-deserved mockery for her claim that creating a database of every phone-based relationship in the US to catch just two people with terrorist ties does not constitute surveillance.

This is not a surveillance program.

Merriam-Webster’s dictionary defines “surveillance” as “the act of carefully watching someone or something especially in order to prevent or detect a crime.”

In the case of the call-records program, neither individuals nor their phone conversations are being listened to. No one is being monitored. And no one is being watched under the call-record program.

Nevermind that Merriam-Webster provides this, as an example:

  • government surveillance of suspected terrorists

What’s so funny about DiFi’s op-ed is her desperate reliance on Merriam-Webster to defuse mockery.

Because — as I’ve noted — if the Administration had to rely on Merriam-Webster for their own definitional claims, it would destroy their claims that “substantially all” phone records in the United States are “relevant” — that is, “having significant and demonstrable bearing on the matter at hand” — to the hunt for terrorists.

To create this dragnet, after all, the Administration has had to blow up the meaning of “relevant” beyond all meaning. And they had to dig up an old British tome for this particular, all-important definition?

So I looked up how the American Merriam-Webster online dictionary defines “relevant.” Here are the first two definitions:

a : having significant and demonstrable bearing on the matter at hand

b : affording evidence tending to prove or disprove the matter at issue or under discussion <relevant testimony>

“Having significant and demonstrable bearing on the matter and hand.” Not, “possibly maybe having a teeny fraction bearing on the matter and hand.” But a “significant and demonstrable bearing” on a terrorist investigation, in context.

The same dictionary that DiFi clings to to justify her “surveillance” claim also shows why her beloved dragnet is illegal, a stretch of the word “relevant” so absurd that only old Englishmen would buy it.

So which is it DiFi? Your “not-surveillance” claim, or your dragnet?

What’s the Relationship Database About?

Atrios asks what the whole dragnet is about.

It’s actually a serious question. Maybe it’s just a full employment program for spooks. Maybe they just do it because they can. But the only “real” point to such an extensive surveillance system is to abuse that surveillance (the surveillance itself is already an abuse of course).

At best it’s a colossal fucking waste of money. At worst?

I actually think there are understandable answers for much of this.

Since Michael Hayden took over the NSA, contractors have assumed an increasingly dominant role in the agency, meaning you’ve got a former DIRNSA at Booz Allen Hamilton pitching future Booz VPs on solutions to keep the country safe that just happen to make them fabulously profitable and don’t happen to foreground privacy. As Thomas Drake showed, we’re pursuing the biggest and most privacy invasive solutions because contractors are embedded with the agency.

I think there’s the One Percent approach we got from Dick Cheney, that endorses maximal solutions to hunt terrorists even while avoiding any real accountability (both for past failures and to review efficacy) because of secrecy. We’re slowly beginning to wean ourselves from this Cheney hangover, but it is taking time (and boosters for his approach are well-funded and publicized).

And, at the same time, criminals and other countries have attacked our weak network security underbelly, targeting the companies that have the most political sway, DOD contractors and, increasingly, financial companies, which is setting off panic that is somewhat divorced from the average American’s security. The accountability for cybersecurity is measured in entirely different ways than it is for terrorism (otherwise Keith Alexander, who claims the country is being plundered like a colony, would have been fired years ago). In particular, there is no punishment or even assessment of past rash decisions like StuxNet. But here, as with terrorism, the notion of cost-benefit assessment doesn’t exist. And this panicked effort to prevent attacks even while clinging to offensive cyberweapons increasingly drives the overaggressive collection, even though no one wants to admit that.

Meanwhile, I think we grab everything we can overseas out of hubris we got while we were the uncontested world power, and only accelerated now that we’re losing that uncontested position. If we’re going to sustain power through coercion — and we developed a nasty habit of doing so, especially under Bush — then we need to know enough to coerce successfully. So we collect. Everything. Even if doing so makes us stupider and more reliant on coercion.

So I can explain a lot of it without resorting to bad faith, even while much of that explanation underscores just how counterproductive it all is.

But then there’s the phone dragnet, the database recording all US phone-based relationships in the US for the last 5 years. Read more

On the 12th Day of Christmas, the NSA Gave to Me … 12 “Terrorism Supporters”

Dianne Feinstein is writing op-eds again. Of course, I’m not actually recommending you read her defense of the phone dragnet program — though I do recommend this rebuttal of her claims from ACLU’s Mike German.

In other words, the problem was not that the government lacked the right tools to do its job (it had ample authority to trace Mihdhar’s calls). The problem was that the government apparently failed to use them.

But I do want to look at how DiFi dances around the debunked claims about all the plots the dragnet have stopped.

Since its inception, this program has played a role in stopping roughly a dozen terror plots and identifying terrorism supporters in the U.S.

Her claim is grammatically false, of course. Of the 2 known of these 12 cases where Section 215 was useful, with just one — when it was used to identify an unknown phone of one already identified accomplice of Najibullah Zazi — was a plot actually stopped. In the other, all Section 215 did was identify a supporter of terrorism, Basaaly Moalin. And even there, the FBI itself believed Moalin sent money to al-Shabaab not so much to support terrorism, but to support expelling (US backed) Ethiopian invaders of Somalia.

So while she could say that on 12 occasions Section 215 has helped stop a plot or identified terrorism supporters, what she has said is — surprise surprise! — a lie.

But I am rather amused at how close DiFi gets to arguing a dragnet of every Americans’ phone based relationships is worthwhile because it has found 12 guys who support, but do not engage in, terrorism.

12 Years Later, DOJ Is Still Struggling Through Dragnet Discovery Issues

As I noted earlier, Charlie Savage describes how, after Don Verrilli made false representations to the Supreme Court about whether defendants get an opportunity to challenge FISA Amendments Act derived evidence, it set off a discussion in DOJ about their discovery obligations.

Mr. Verrilli sought an explanation from national security lawyers about why they had not flagged the issue when vetting his Supreme Court briefs and helping him practice for the arguments, according to officials.

The national security lawyers explained that it was a misunderstanding, the officials said. Because the rules on wiretapping warrants in foreign intelligence cases are different from the rules in ordinary criminal investigations, they said, the division has long used a narrow understanding of what “derived from” means in terms of when it must disclose specifics to defendants.

In national security cases involving orders issued under the Foreign Intelligence Surveillance Act of 1978, or FISA, prosecutors alert defendants only that some evidence derives from a FISA wiretap, but not details like whether there had just been one order or a chain of several. Only judges see those details.

After the 2008 law, that generic approach meant that prosecutors did not disclose when some traditional FISA wiretap orders had been obtained using information gathered through the warrantless wiretapping program. Division officials believed it would have to disclose the use of that program only if it introduced a recorded phone call or intercepted e-mail gathered directly from the program — and for five years, they avoided doing so.

For Mr. Verrilli, that raised a more fundamental question: was there any persuasive legal basis for failing to clearly notify defendants that they faced evidence linked to the 2008 warrantless surveillance law, thereby preventing them from knowing that they had an opportunity to argue that it derived from an unconstitutional search? [my emphasis]

It’s not entirely true that only judges learn if there are a series of orders leading up to a traditional FISA that incriminates a person. For example, we know it took 11 dockets and multiple orders to establish probable cause to wiretap Basaaly Moalin, the one person allegedly caught using Section 215. We also know there was a 2-month delay between the time they identified his calls with (probably) Somali warlord Aden Ayrow and the time they started wiretapping him under traditional FISA. Even before that point, Ayrow would have been — and almost certainly was — a legal FISA Amendments Act target. Meaning it’d be very easy for the government to watch Moalin’s side of their conversations in those two months to develop probable cause — or even to go back and read historical conversations (note, Ken Wainstein may have signed some of the declarations in question, which would make a lot of sense if they took place during the transition between Attorneys General earlier in 2007).

But Moalin’s attorneys didn’t — and still haven’t — learned whether that’s what happened. (Note, I’m overdue to lay out the filings in the case since I last covered it; consider it pending.)

Read more

“Folksy and Firm” Flummoxes Fancy NYT Journalists

Less than 10 days ago, Keith Alexander admitted to Patrick Leahy that the single solitary case in which the phone dragnet proved critical was that of Basaaly Moalin. But that was not an attack. Rather, it was an effort to send money to al-Shabaab (and others) because they were protecting Somalia against a US backed Ethiopian invasion.

And yet two crack “journalists” used this as the lead of their “interview” with Alexander with not a hint of pushback.

The director of the National Security Agency, Gen. Keith B. Alexander, said in an interview that to prevent terrorist attacks he saw no effective alternative to the N.S.A.’s bulk collection of telephone and other electronic metadata from Americans.

The phone dragnet has never — never! — been more than one tool in preventing any attack, and yet Alexander gets to imply, unchallenged, it is critical going forward.

Instead of actual reporting, we get platitudes like this.

General Alexander was by turns folksy and firm in the interview. But he was unapologetic about the agency’s strict culture of secrecy and unabashed in describing its importance to defending the nation.

That culture is embodied by two installations that greet visitors to Fort Meade. One is a wall to honor N.S.A. personnel killed on overseas missions. The other is a tribute to the Enigma program, the code-breaking success that helped speed the end of World War II and led to the creation of the N.S.A. The intelligence community kept Enigma secret for three decades.

The only thing remotely resembling a challenge came when these “reporters” note Alexander’s claim to have willingly shut down the Internet metadata program (which the NSA has largely kept secret, in spite of having been disclosed) ignores NSA claims it (like the phone dragnet now, purportedly) was critical.

But he said the agency had not told its story well. As an example, he said, the agency itself killed a program in 2011 that collected the metadata of about 1 percent of all of the e-mails sent in the United States. “We terminated it,” he said. “It was not operationally relevant to what we needed.”

However, until it was killed, the N.S.A. had repeatedly defended that program as vital in reports to Congress.

The rest consists of more of the same kind of rebuttal by redefinition. The claim that NSA shares data with Israel is wrong, this “journalism” says, because “the probability of American content in the shared data was extremely small” (which of course says nothing about the way it would violate minimization procedures in any case). The claim that NSA launched 200 offensive cyberattacks in 2011 is wrong because many of those were actually other “electronic missions.” Besides, Alexander claims,

“I see no reason to use offensive tools unless you’re defending the country or in a state of war, or you want to achieve some really important thing for the good of the nation and others,” he said. [my link, for shits and giggles]

We are not now nor were we in 2006 when StuxNet started “in a state of war” with Iran, so how credible are any of these claims?

Mostly though, this appears to be an attempt, four months after highlighting the importance of PRISM against cyberattacks but then going utterly silent about that function, to reassert the importance of NSA’s hacking to prevent hacking.

Even there, though, Alexander presented dubious claims that got no challenge.

General Alexander said that confronting what he called the two biggest threats facing the United States — terrorism and cyberattacks — would require the application of expanded computer monitoring. In both cases, he said, he was open to much of that work being done by private industry, which he said could be more efficient than government.

In fact, he said, a direct government role in filtering Internet traffic into the United States, in an effort to stop destructive attacks on Wall Street, American banks and the theft of intellectual property, would be inefficient and ineffective.

“I think it leads people to the wrong conclusion, that we’re reading their e-mails and trying to listen to their phone calls,” he said.

The NSA already is filtering Internet traffic into the United States (and also searching on and reading incidentally collected Internet traffic without a warrant) under Section 702 certificates supporting counterterrorism, counterproliferation and … cyberattacks.

But nosiree, Alexander can’t envision doing what he’s already doing — and had been doing in a way that violated statute and the Fourth Amendment for three years already by 2011 — in the name of protecting the banksters who’ve gutted our economy. Only all of that — including the retention of US person data in the name of protecting property (presumably including intellectual property) is baked right into the NSA’s minimization procedures.

And that bit about violating Section 702 and the Fourth Amendment for over three years with a practice that was also baked into NSA’s minimization procedures? Here’s the claim the NYT’s crack journalists allow Alexander to end this charade with.

“We followed the law, we follow our policies, we self-report, we identify problems, we fix them,” he said. “And I think we do a great job, and we do, I think, more to protect people’s civil liberties and privacy than they’ll ever know.”