There’s a paper that has been making waves, claiming it has found a formula to debunk conspiracies based on the likelihood if they were real, they would have already been leaked. Never mind that people have already found fault with the math, the study has another glaring flaw. It treats the PRISM program — and not, say, the phone dragnet — as one of its “true” unknown conspiracies.
PRISM — one part of the surveillance program authorized by Section 702 of the FISA Amendments Act — was remarkable in that it was legislated in public. There are certainly parts of Section 702 that were not widely known, such as the details about the “upstream” collection from telecom switches, but even that got explained to us back in 2006 by Mark Klein. There are even details of how the PRISM collection worked — its reliance on network mapping, the full list of participants. There are details that were exposed, such as that the government was doing back door searches on content collected under it, but even those were logical guesses based on the public record of the legislative debates.
Which is why it is so remarkable that — as I noted here and here — House Judiciary Committee Chair Bob Goodlatte has scheduled a classified hearing to cover the program that has been the subject of open hearings going back to at least 2008.
The hearing is taking place as we speak with the following witnesses.
This suggests there is either something about the program we don’t already know, or that the government is asking for changes to the program that would extend beyond the basic concept of spying on foreigners in the US using US provider help.
I guess we’re stuck wildarseguessing what those big new secrets are, given the Intelligence Community’s newfound secrecy about this program.
Some observations about the witnesses. First, between Litt and Evans, these are the lawyers that would oversee the yearly certification applications to FISC. That suggests the government may, in fact, be asking for new authorities or new interpretations of authorities.
Darby would be in charge of the technical side of this program. Since the PRISM as it currently exists is so (technologically) simple, that suggests the new secrets may involve a new application of what the government will request from providers. This might be an expansion of upstream, possibly to bring it closer to XKeyscore deployment overseas, possibly to better exploit Tor. Remember, too, that under USA Freedom Act, Congress authorized the use of data collected improperly, provided that it adheres to the new minimization procedures imposed by the FISC. This was almost certainly another upstream collection, which means there’s likely to be some exotic new upstream application that has caused the government some problems of late.
Note that the sole FBI witness oversees counterterrorism, not cybersecurity. That’s interesting because it would support my suspicions that the government is achieving its cybersecurity collection via other means now. But also that any new programs may be under the counterterrorism function. Remember, the NatSec bosses, including Jim Comey, just went to Silicon Valley to ask for help applying algorithms to identify terrorism content. Remember, too, that such applications would have been useless to prevent the San Bernardino attack if they were focused on the public social media content. So it may be that NSA and FBI want to apply algorithms identifying radicalizers to private content.
Finally, and critically, remember the Apple debate. In a public court case, Apple and the FBI are fighting over whether Apple can be required to decrypt its customers’ smart device communications. The government has argued this is within the legal notion of “assistance to law enforcement.” Apple disagrees. I think it quite possible that the FBI would try to ask for decryption help to be included under the definition of “assistance” under Section 702. Significantly, these witnesses are generally those (including Bob Litt and FBI counterterrorism) who would champion such an interpretation.
Jenna McLaughlin has a report on what I noted here — House Judiciary Committee Chair Bob Goodlatte has scheduled a classified hearing to talk about Section 702 of the FISA Amendments Act on February 2. In it, she includes this unbelievable quote from Jim Sensenbrenner.
“Closed briefings are necessary for members of Congress to ask questions about classified information,” said Judiciary Committee member Jim Sensenbrenner, R-Wisc., in a statement to The Intercept. “However, I would support a subsequent open hearing on Section 702 of the Foreign Intelligence Surveillance Act because transparency and public discussion are critical to the reform and reauthorization of Section 702.”
It’s unbelievable because, after Sensenbrenner made some horseshit claims of ignorance immediately after Edward Snowden revealed the phone dragnet that had been authorized by legislation Sensenbrenner had authored, people started asking why he hadn’t gone to the classified hearings, at which DOJ briefed members about the dragnet (and FBI later lied about the abuses carried out in executing that dragnet).
Sensenbrenner’s spokesperson explained back in 2013 that he didn’t go to those classified hearing because he didn’t want to be restrained by confidentiality.
Asked whether his boss had attended any of those sessions during that period, Sensenbrenner spokesperson Ben Miller said the congressman “does not want to be limited by the restraints of confidentiality. Therefore, he believes in an open dialogue by which legislative solutions can be constructed and passed into law before the public.” Miller said Sensenbrenner had “attended confidential briefings in the past,” but didn’t say how many, which ones, or whether any dealt directly with the “sensitive” application of section 215.
“While some members of Congress were briefed, particularly those on the intelligence committees, most, including myself, were not,” Sensenbrenner wrote in a column for The Guardian newspaper. Sensenbrenner did not disclose, as his spokesperson did for this story, that he chooses not to attend the briefings.
So back in 2013, when Sensenbrenner was disclaiming any responsibility for a dragnet, he didn’t to be restrained by what he gets told in a classified hearing.
But now, at a time when Congress might consider stopping FBI from doing its uncounted back door searches of people it has no evidence against, Sensenbrenner says “closed briefings are necessary.”
Given what 2013 Sensenbrenner said about the importance of conducting these discussions in the light of day, and given that Section 702 has always been debated in public, I would suggest Sensenbrenner’s support for closed hearings now suggests the fix is in.
One wonders what squeals of outrage Sensenbrenner will make in 2023 after new abuses of Section 702 get disclosed?
On May 18, 2011, 48 members of the House (mostly Republicans, but also including MI’s Hansen Clarke) attended a closed briefing given by FBI Director Robert Mueller and General Counsel Valerie Caproni on the USA PATRIOT Act authorities up for reauthorization. The hearing would serve as the sole opportunity for newly elected members to learn about the phone and Internet dragnets conducted under the PATRIOT Act, given Mike Rogers’ decision not to distribute the letter provided by DOJ to inform members on the secret dragnets they were about to reauthorize.
During the hearing, someone asked,
Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?
One of the briefers — the summary released under FOIA does not say who — responded,
To the FBI’s knowledge, those authorities have not been abused.
As a reminder, hearing witness Robert Mueller had to write and sign a declaration for the FISC two years earlier to justify resuming full authorization for the phone dragnet because, as Judge Reggie Walton had discovered, the NSA had conducted “daily violations of the minimization procedures” for over two years. “The minimization procedures proposed by the government in each successive application and approved and adopted as binding by the orders of the FISC have been so frequently and systemically violated that it can fairly be said that this critical element of the overall BR regime has never functioned effectively,” Walton wrote in March 2009.
Now, I can imagine that whichever FBI witness claimed the FBI didn’t know about any “abuses” rationalized the answer to him or herself using the same claim the government has repeatedly made — that these were not willful abuses. But Walton stated then — and more evidence released since has made clear he was right since — that the government simply chose to subject the vast amount of US person data collected under the PATRIOT Act to EO 12333 standards, not more stringent PATRIOT Act ones. That is, the NSA, operating under FBI authorizations, made a willful choice to ignore the minimization procedures imposed by the 2006 reauthorization of the Act.
Whoever answered that question in 2011 lied, and lied all the more egregiously given that the questioner had no way of phrasing it to get an honest answer about violations of minimization procedures.
Which is why the House Judiciary Committee should pointedly refuse to permit the Intelligence Committee to conduct another such closed briefing, as they plan to do on Section 702 on February 2. Holding a hearing in secret permits the IC to lie to Congress, not to mention disinform some members in a venue where their colleagues can not correct the record (as Feingold might have done in 2011 had he learned what the FBI witnesses said in that briefing).
I mean, maybe HJC Chair Bob Goodlatte wants to be lied to? Otherwise, there’s no sound explanation for scheduling this entire hearing in closed session.
Amid posts bewailing Rand Paul because the Senator’s substantial discussions of the problems with EO 12333 and Section 702 spying aren’t the substantial discussions he wants (I’ll return to these once more pressing matters have passed), Steve Vladeck has returned to the USA F-ReDux topic on which he doesn’t keep contradicting himself: the amicus.
As he notes (and I noted here), Mitch McConnell is (as we speak) attempting to water down the already flimsy FISC amicus via amendment. And Vladeck — as he has before — exposed the false claims that the objections to the amicus comes from the judiciary, this time as represented in the letter from Director of the Administrative Offices of US Courts James Duff.
Why is such a radical amendment to a provision in the House bill that was negotiated very carefully so necessary? According to the memo, “Amendment 1451 is responsive to the judiciary’s continual opposition to the amicus structure of the USA Freedom Act,” as manifested in “a letter to Congress from the director of the Administrative Office of the U.S. Courts.”
I don’t mean to belabor the point. If anything, as I suggested yesterday, section 401 of the House-passed USA FREEDOM Act is a terribly weak version of what should have been a very good (and unobjectionable) idea–allowing a security-cleared outside lawyer to participate in the tiny percentage of cases before the FISC that involve applications for anything besides individualized warrants (you know, the cases in which adversarial participation is already authorized).Part of why section 401 is so weak is because members of Congress have consistently allowed themselves to be snookered by (or have found it convenient to hide behind) the objections of the “judiciary.”
On the merits, though, these objections are patently unavailing. And they certainly aren’t the objections of the “judiciary.”
I’ve also tracked how others, like James Clapper, have been using these purported judiciary concerns to undercut the “advocate” that President Obama used to pretend to want.
What’s particularly interesting, however, is one of the recurrent problems the “judges” seem to keep having. Duff emphasizes that one problem with amici is the Executive would lie to the FISC if telling the truth might risk revealing useful information to an amici. And as one part of that, he focuses on USA F-ReDux’s intent to get
Designated amici are required to have access to “all relevant” legal precedent, as well as certain other materials “the court determines are relevant.
We are concerned that a lack of parallel construction in proposed clause (6)(A)(i) (apparently differentiating between access to legal precedent as opposed to access to other materials) could lead to confusion in its application.
This is what Clapper seemed to be going after last September.
Clapper signals he will make the amicus curiae something different. First, he emphasized this amicus will not interfere with ex parte communications between the court and the government. That may violate this passage of Leahy’s bill, which guarantees the special advocate have access to anything that is “relevant” to her duties.
(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—
(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;
Given that in other parts of 50 USC 1861, “relevant” has come to mean “all,” it’s pretty amazing that Clapper says the advocate won’t have access to all communication between the government and the court.
But the really interesting thing — the reason McConnell’s as-we-speak attempt to gut the amicus further — is that the House already fixed some of this. In a manager’s amendment presented as technical clarifications (but which, on this issue, were not), Bob Goodlatte rewrote this passage:
(i) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials that the court determines are relevant to the duties of the amicus curiae;
To read like this, to directly address one of Huff’s stated concerns:
(i) shall have access to any relevant legal precedent, and application, certification, petition, motion, or such other materials that the court determines are relevant to the duties of the amicus curiae;
That is, Goodlatte already gave the court complete discretion over what the amicus could access, up to and including underlying legal precedents.
Of course, all that assumes the courts will get all the information they need, which they have a long history of not doing.
Here’s the real takeaway though. The President likes to claim he supports this reform. But he has already made it clear he didn’t really want an advocate at the FISC, but would instead like the FISC to remain a rubber stamp.
John Conyers, Jim Sensenbrenner, Darrell Issa, Steve Cohen, Jerry Nadler, Sheila Jackson Lee, Trey Gowdy, John Ratcliffe, Bob Goodlatte all voted to postpone the Fourth Amendment today.
At issue was Ted Poe’s amendment to the USA Freedom Act (USA F-ReDux; see the debate starting around 1:15), which prohibited warrantless back door searches and requiring companies from inserting technical back doors.
One after another House Judiciary Committee member claimed to support the amendment and, it seems, agreed that back door searches violate the Fourth Amendment. Though the claims of support from John Ratcliffe, who confessed to using back door searches as a US Attorney, and Bob Goodlatte, who voted against the Massie-Lofgren amendment last year, are suspect. But all of them claimed they needed to vote against the amendment to ensure the USA Freedom Act itself passed.
That judgment may or may not be correct, but it’s a fairly remarkable claim. Not because — in the case of people like Jerry Nader and John Conyers — there’s any question about their support for the Fourth Amendment. But because the committee in charge of guarding the Constitution could not do so because the Intelligence Committee had the sway to override their influence. That was a point made, at length, by both Jim Jordan and Ted Poe, with the latter introducing the point that those in support of the amendment but voting against it had basically agreed to postpone the Fourth Amendment until Section 702 reauthorization in 2017.
(1:37) Jordan: A vote for this amendment is not a vote to kill the bill. It’s not a vote for a poison pill. It’s not a vote to blow up the deal. It’s a vote for the Fourth Amendment. Plain and simple. All the Gentleman says in his amendment is, if you’re going to get information from an American citizen, you need a warrant. Imagine that? Consistent with the Fourth Amendment. And if this committee, the Judiciary Committee, the committee most responsible for protecting the Bill of Rights and the Constitution and fundamental liberties, if we can’t support this amendment, I just don’t see I it. I get all the arguments that you’re making, and they’re all good and the process and everything else but only in Congress does that trump — I mean, that should never trump the Fourth Amendment.
(1:49) Poe; We are it. The Judiciary Committee is it. We are the ones that are protecting or are supposed to protect, and I think we do, that Constitution that we have. And we’re not talking about postponing an Appropriations amount of money. We’re not talking about postponing building a bridge. We’re talking about postponing the Fourth Amendment — and letting it apply to American citizens — for at least two years. This is our opportunity. If the politics says that the Intel Committee — this amendment may be so important to them that they don’t like it they’ll kill the deal then maybe we need to reevaluate our position in that we ought to push forward for this amendment. Because it’s a constitutional protection that we demand occur for American citizens and we want it now. Not postpone it down the road to live to fight another day. I’ve heard that phrase so long in this Congress, for the last 10 years, live to fight another day, let’s kick the can down the road. You know? I think we have to do what we are supposed to do as a Committee. And most of the members of the Committee support this idea, they agree with the Fourth Amendment, that it ought to apply to American citizens under these circumstances. The Federal government is intrusive and abusive, trying to tell companies that they want to get information and the back door comments that Ms. Lofgren has talked about. We can prevent that. I think we should support the amendment and then we should fight to keep this in the legislation and bring the legislation to the floor and let the Intel Committee vote against the Fourth Amendment if that’s what they really want to do. And as far as leadership goes I think we ought to just bring it to the floor. Politely make sure that the law, the Constitution, trumps politics. Or we can let politics trump the Constitution. That’s really the decision.
Nevertheless, only Louie Gohmert, Raul Labrador, Zoe Lofgren, Suzan DelBene, Hakeem Jeffries, David Cicilline, and one other Congressman–possibly Farenthold–supported the amendment.
The committee purportedly overseeing the Intelligence Community and ensuring it doesn’t violate the Constitution has instead dictated to the committee that guards the Constitution it won’t be permitted to do its job.
The House Intelligence Committee passed a bill out of its committee Thursday, HR 3361, that will reportedly solve a problem (or problems) the NSA has been struggling with since 2009. The bill will now move to the full House for a vote.
The public — and surely a great majority of members of Congress — have no idea precisely what problem this bill will solve is: planted leaks suggest it has to do with difficulties dealing with cell phone records, perhaps because they include location data. If that is part of the problem, then it’s a fairly recent development, perhaps arising after US v. Jones raised new concerns about the legality of collecting location data without a warrant. There’s also the presumably-related issue of an automated query function; NSA has been struggling to resume that function since its alert function got shut down as a legal violation in 2009. The ability to tie multiple identities from the same person together as NSA runs those alerts may be a related issue.
The bill has not been reported as a fix for NSA’s long-term legal and technical struggles (though LAT’s Ken Dilanian has asked why civil liberties groups are so happy about this given that it will expose more data to NSA collection). Rather, it has been called the USA Freedom Act and reported as a reform of the phone dragnet program, a successful effort to “end” “bulk collection.”
The bill does have the critically important effect of ending the government’s practice of collecting and storing some significant portion of all US call records, beyond whatever US person call records it collects overseas. That, by itself, is the equivalent of defusing a nuclear bomb. It is a very important improvement on the status quo.
It remains entirely unclear — and unexamined, as far as I can tell — whether the bill will increase or decrease the number of entirely innocent Americans who will be subjected to the full range of NSA’s analytical tradecraft because they got swept up based on the guilt by association principle behind contact-chaining, or whether the bill will actually expose more kinds of US person records to the scrutiny of the NSA.
The bill the press is calling USA Freedom Act may also — though we don’t know this either — have the salutary benefit of changing the way the NSA currently collects data under other Section 215, Pen Register, and NSL collection efforts. The bill requires that all Section 215 (both call record and otherwise), Pen Register, and NSL queries be based on a specific selection term that remains vaguely defined (a definition the House Intelligence Committee considered eliminating before Thursday’s hearing). But it remains unclear how much that rule — even ignoring questions about the definition — will limit any current practices. At Wednesday’s hearing Bob Goodlatte said the bill “preserves the individual use of Section 215 under the existing relevancy standard for all business records,” and at least for several NSL authorities, the new “restrictions” almost certainly present no change (and another NSL authority, the Right to Financial Privacy Act, uses the same “entity” language the bill definition does, suggesting it is unlikely to change either). Plus, at least according to DOJ’s public claims and court filings, it ended the bulk domestic collection under PRTT in 2011. So the language “ending” “bulk collection” may do no more than make it harder for FBI to construct its own phone books of phone company and ISP subscribers using NSLs, if it does even that.
What the bill doesn’t do — because this part of the bill was stripped as part of the compromise — is provide the Intelligence Community’s oversight committees detailed reports of what kind of records the government obtains under Section 215 (and for what agencies), and how many Americans are subject to all the FISA authorities, including Section 215. That is, the compromise eliminated the one thing that could measure whether the bill really did “end” “bulk collection” as you or I would understand it. In its stead, the bill largely codifies an existing reporting agreement that AT&T has already demonstrated to be completely deceptive. In Wednesday’s hearing, Zoe Lofgren called provider reporting “the canary in the coal mine” the committee would rely on to understand what collection occurred.
So this bill that “ends” “bulk collection” still prevents us, or even the oversight committees working in our name, from learning whether it does so.
It does, however, have some interesting features, given its other purpose of solving one or more challenges facing the NSA.
The first of those is immunity.
No cause of action shall lie in any court against a person who produces tangible things or provides information, facilities, or technical assistance pursuant to an order issued or an emergency production required under this section.
This is another part of the bill the underlying reasons for which the public, and probably much of Congress, doesn’t understand. At one level, it seems to immunize the process that may have telecoms playing a role the NSA previously did, analyzing the data; it may also pertain to providing NSA access to the telecoms’ physical facilities. But given the background to the move to telecoms — NSA’s legal-technical problems dealing with cell phone data because it ties to location — it is possible the immunity gives the telecoms protection if they use but don’t turn over data they have already, such as location data or even Internet metadata, to perform the interim analysis.
Consider how the bill describes the call record query process.
[T]he Government may require the production of call detail records—
(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and
(II) using the results of the production under subclause (I) as the basis for production;
So a 2-hop query goes from a “specific selection term” to “the results of the production” to the “call detail record” handed over to the government. While the definition of call detail records clearly prohibits the final production to the government of either content or cell location, nothing in this process description prevents the telecoms from using such things (most Internet metadata is legally content to the telecoms) in that interim hop; indeed, the “results of the production under subclause (I)” available to the telecoms almost certainly would include some of this information, particularly for smart phones. We know the Hemisphere program (the AT&T-specific program for the DEA) uses cell location in its analysis. Remember, too, how NSA is gobbling up smart phone data (including things like address books) in overseas programs; this may permit analysis of similar data — if not collection of it — domestically. So at the very least, this scheme seems to give the NSA access to cell location and possibly a whole lot more data for analysis they otherwise couldn’t get (which David Sanger’s sources confirm).
And consider two more details from Wednesday’s House Judiciary hearing. At it, Lofgren repeated a list of business records the government might obtain under Section 215 she got Deputy Attorney General James Cole to confirm at an earlier hearing. It includes:
So long as the word “entity” in the definition of specific selection term remains undefined, so long as FISC precedents permit the tapping of entire circuits in the name of collecting on an entity, the government may still be able to collect massive amounts of this data, not actually targeted at a suspect but rather something defined as an entity (in both the existing 215 program and the new call records one the bill retains the “relevant to” language that has been blown up beyond meaning).
Finally, consider what happened with Lofgren’s last attempted amendment. After having submitted a number of other failed amendments, Lofgren submitted an amendment to fix what she called an inadvertent error in the manager’s amendment specifically prohibiting the collection of content under Section 215.
I believe this amendment fixes — at least I hope — an error that was created in the manager’s amendment that I cannot believe was intended. As you know we have specified that the content is not included in business records. This amendment clarifies that business records do not include the content of communication. We specify that in the new section about call detail records, but but the specification that content was not included somehow got dropped out of the business records section. It was included in your original bill but it didn’t make it into the manager’s amendment. I think this amendment clarifies the ambiguity that could be created and I hope it was not intentional.
This is a problem I pointed out here.
Almost without missing a beat after she introduced this, Jim Sensenbrenner recessed the hearing, citing votes. While there were, in fact, votes, Luis Pierluisi (who cast the decisive vote in favor of an amendment to redefine counterintelligence) and possibly Lofgren got a lecture at the break about how any such amendments might blow up the deal the Committee had with Mike Rogers and HPSCI. After the break, Lofgren withdrew the amendment, expressing hope it could be treated as a clerical fix.
That purported error was not fixed before HPSCI (which explicitly permitted the collection of content under its bill) voted out the bill.
Perhaps it will be “fixed” before it comes to the floor.
But if it doesn’t, it may expand (or, given Lofgren’s stated concerns about what records Section 215 might cover, sustain) the use of Section 215 to collect content, not just metadata. Imagine the possibility this gets yoked to expanded analysis at telecoms under the new CDR program?
We don’t know. This bill has gotten past two committees of Congress (we didn’t get to see any of the debate at HPSCI) without these details becoming clear. But the questions raised by this bill when you consider it as the fix to one or more problems the NSA has been struggling with, it does raise real questions.
Again, I don’t want to make light of the one thing we know this bill will do — take a database showing all phone-based relationships in the country out of NSA’s hands. That eliminates an intolerably risky program. That is an important fix.
But that shouldn’t lead us to ignore the potential expansion of spying that may come with this bill.
Update: An updated version of the Managers Amendment does define the term:
(2) SPECIFIC SELECTION TERM.—The term ‘specific selection term’ means a term used to uniquely describe a person, entity, or account.
This is far better than nothing. Though I have concerns about “entity” and I suspect there will be some pushback here, since not even phone numbers “uniquely describe a person,” much less IPs. (Update: see my post on my concerns about the definition.)
As I noted in this post, USA Freedumb Act (what I’ve renamed the compromised USA Freedom Act) purports to limit bulk collection by tying all collection to specific selection terms. It does this for Section 215.
No order issued under this subsection may authorize the collection of tangible things without the use of a specific selection term that meets the requirements of subsection (b)(2).
It does it for Pen Register/Trap and Trace.
(3) a specific selection term to be used as the basis for selecting the telephone line or other facility to which the pen register or trap and trace device is to be attached or applied;
And it does for all four NSL types, as here with call records under ECPA.
COUNTERINTELLIGENCE ACCESS TO TELEPHONE TOLL AND TRANSACTIONAL RECORDS.—Section 2709(b) of title 18, United States Code, is amended in the matter preceding paragraph (1) by striking ‘‘may’’ and inserting ‘‘may, using a specific selection term as the basis for a request’’.
In fact, that’s the same mechanism RuppRoge (the House Intelligence Committee’s bill) uses to prevent bulk collection — though it limits bulk collection for fewer categories of things.
It does so for electronic communications records.
Notwithstanding any other provision of law, the Federal Government may not acquire under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) records of any electronic communications without the use of specific identifiers or selection terms.
And it does so for sensitive business records.
Notwithstanding any other provision of law, the Federal Government may not acquire under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) library circulation records, library patron lists, book sales records, book customer lists, firearm sales records, tax return records, education records, or medical records containing information that would identify a person without the use of specific identifiers or selection terms.
And this limitation, both bills proclaim, will prevent bulk collection.
Neither bill defines what they mean by selection term or specific identifier.
Before I consider whether these bills will, in fact, prevent what you and I might consider bulk collection, note what has happened: both of these bills — the crappy Intelligence Committee wish list bill and the allegedly less crappy “reform” bill — have adopted the definition of “bulk collection” used by the notoriously Orwellian Intelligence Community.
This is perhaps best explained in Obama’s President’s Policy Directive on surveillance.
References to signals intelligence collected in “bulk” mean the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).
Now, we’re at a huge disadvantage to be able to assess whether this definition of bulk collection bears any resemblance to what ordinary humans might understand bulk collection to mean, because the government is being very disingenuous about what they claim it to mean.
The government often publicly claims selectors are things “like telephone numbers or email addresses,” as they did repeatedly at the last PCLOB hearing.
I can assure you, however, that when they refer to “selectors like email or telephone,” they’re downplaying their use of things like other IDs (phone handset and SIM card IDs, credit card numbers, Internet IDs or even passwords, IP address, and site cookies). And nothing in the definition says selection terms have to have anything to do with actual people (as the evidence they use malware code as a selector would indicate). Plus, I could envision many things — such as “Area Code 202” or “Western Union transfers over $100” — that would seem to qualify as selection terms.
But we can measure whether limits to selectors or search terms prohibits bulk collection via another means — by looking at the program about which we’ve gotten most details on selector searches: upstream 702 collection.
While we can’t assess how many “innocent” Americans get sucked up in this purportedly non-bulk collection (and I doubt NSA can either!), we do have an idea how many American communications get sucked up who shouldn’t according to the one-end foreign rule on the collection.
Up to 56,000 American communications a year, according to FISC Judge John Bates’ estimate (because the NSA refused to provide him the real numbers).
56,000 American communications that should not, under the law, have been targeted, sucked up using “identifiers” and “selection terms.”
And the government doesn’t consider that bulk collection at all.
That, my friends, is the standard two different Committees in Congress have adapted as well, doing the intelligence community’s bidding, claiming they’ve solved the bulk collection problem.
A number of people have expressed appreciation for this analysis: if you find this useful, please consider donating to support my work.
I’m going to do a series of more finished posts on the “compromised” version of Jim Sensenbrenner’s USA Freedom Act, which I hereby dub the USA Freedumb Act (thanks to Fake John Schindler for the suggestion), because so many of the reforms have been gutted. Here’s the initially proposed bill. Here’s my working thread on USA Freedumb.
You will hear a great many respectable people making positive comments about this bill, comments they normally would not make. That’s because of the carefully crafted timing.
As you recall, Mike Rogers originally got the House Parliamentarian to rule that the bill could go through the House Intelligence Committee. And his bill, which I affectionately call “RuppRoge” after Rogers and Dutch Ruppersberger and Scooby Doo’s “Rut Roh” phase, is genuinely shitty. Not only does it put the NSA onsite at providers and extend call records collection beyond terrorism applications, but it also extends such collection beyond call records generally. It is likely an attempt to get the US back into the Internet dragnet business. Shitty bill.
That said, in key ways RuppRoge is very similar to USA Freedumb. Both “limit” bulk collection by limiting collection to selectors (Freedumb does so across the board, including for NSLs, whereas RuppRoge does so for sensitive Business Records, call records, and Internet metadata). Both propose a similarly (IMO) flimsy FISC advocate. Both propose laughably weak FISC transparency measures. Both will include compensation and immunity for providers they don’t currently have.
Aside from three areas where RuppRoge is better — it forces agencies to update their EO 12333 proposals, doesn’t extend the PATRIOT Act, and provides a (not very useful) way to challenge certificates, all the way up to SCOTUS — and three where it is far worse — it develops more Insider Threat measures, it applies for uses beyond terrorism and beyond call records, and doesn’t include new (but now circumscribed) IG reporting — they’re not all that different. [Correction: USA Freedumb ALSO applies beyond terrorism.]
They’re differently shitty, but both are pretty shitty.
The reason why otherwise respectable people are welcoming the shitty Freedumb bill, however, is that it gives House Judiciary Committee — with a number of real reformers on it — first pass on this bill. It’s a jurisdictional issue. It puts the jurisdiction for surveillance bills back where it belongs, at the Judiciary Committee.
Oh, by the way, one of the more extensive (in terms of text) real changes in Freedumb is it finally includes the House Judiciary Committee, along with the House and Senate Intelligence Committees and Senate Judiciary Committee, among the committees that get certain kinds of reporting. Jurisdiction. (No, I can’t explain to you why it wasn’t included in the first place in 2008, and no, I can’t explain why that detail is not better known.) It gives everyone on HJC a tiny reason to support the bill, because they’ll finally get the reporting they should have gotten in 2008.
The House Intelligence Committee will consider RuppRoge the day after HJC considers Freedumb, Thursday. Which has elicited hasty (overly hasty, IMO) statements of support for Freedumb, as a way to head off the shitty RuppRoge.
Effectively, the National Security State has managed to put two differently shitty bills before Congress and forced reformers to choose. Freedumb is the better (as in less horrible) bill, and it might get better in Committee. But it’s not a runaway call. And the haste has prevented anyone from really figuring out what a central change to both programs means, which limits collection to selectors, which could be defined in very broad terms (and about which — you’ll have to take my word for now — the NSA has lied in public comments).
One more timing issue that I suspect explains the sudden activity surrounding “reform.” The Privacy and Civil Liberties Oversight Board is due to release a report on Section 702 in the next month or so (its comment period for the report closed on April 11). Given the comments of David Medine, James Dempsey, and Patricia Wald at hearings, I strongly suspect PCLOB will recommend reforms — at least — to back door searches, and possibly to upstream collection. Both are items which were gutted as USA Freedom became Freedumb. (In addition, two aspects that would have expanded PCLOB’s authorities — giving it a role in picking the FISC advocate and giving it subpoena power — have been removed.) So in the same way that President Obama rushed to reaffirm NSA’s unified structure, in which the Information Assurance Division and Cybercommand functions are unified with the more general NSA spying function, before his handpicked Review Group recommended they be split, this seems to be a rush to pre-empt any recommendations PCLOB makes.
Ultimately, these two shitty bills are destined to be merged in conference anyway, and reformers seem to have given up 75% of the field before we get started.
Which means just about the only “reform” we’ll get are actually tactical fixes to help the Security State deal with legal and technical issues they’ve been struggling with.
The USA Freedumb Act has become — with DiFi’s Fake FISA Fix and RuppRoge before it — the third fake reform since Edward Snowden’s leaks first got published. Wearing down the reformers seems to be working.
A number of people have expressed appreciation for this analysis: if you’re one of them, please consider donating to support my work.
This post will lay out what the changes are, as a working thread (updated as I read). But the short version is this: the Manager’s Amendment offers us mere shmoes less protection than the original bill did — particularly with regards to upstream and back door searches. But it does add “liability protection” and financial compensation to the providers that wasn’t in the original bill.
The Manager’s Amendment (MA) provides for 2-hop production from providers, akin to President Obama’s reform proposal. Such orders last for 180 days and can be extended.
The Manager’s amendment explicitly limits such protection to international terrorism (which Obama’s reform was wishy-washy on). Correction: it has no such limitation. This would expand the use of the dragnet well beyond terrorism.
It includes really bizarre language on multiple hops:
(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production;
(II) using the results of the production under subclause (I) as the basis for production; and
(III) using the results of the production under subclause (II) as the basis for production;
The bill mandates 5 year destruction for call records — except for those that are relevant to an investigation.
(v) direct the Government to destroy all call detail records produced under the order not later than 5 years after the date of the production of such records, except for records that are relevant to an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to protect against international terrorism.
Remember, by FISC opinion, “relevant to” now means “anything even remotely possiby relevant to.” Given that meaning, pretty much all records turned over to the government can be kept forever; strictly by being turned over they’re already more relevant than the definition of relevant the NSA and DOJ currently use.
Other Section 215 Production
The MA tries to limit bulk production differently than USA Freedom did, by requiring the search on a specific selector. I’ll have to reflect on whether this will be more restrictive or open for abuse.
The MA takes out language permitting the FISC to review whether the government has complied with minimization procedures.
The MA provides immunity and compensation where the USA Freedom Act had not.
Inspector General Reports
The MA changes mandated Inspector General Reports from USA Freedom in two interesting ways. First, it only requires reports from 2012 through 2014, whereas the USA Freedom had required them throughout (that is, including 2010 and 2011). I’ll have more to say about this in the future. There’s good reason to believe, however, that there are things the government doesn’t want reviewed that happened in 2010, especially.
Furthermore, it doesn’t require these reports until December 31, 2015
— that is, after PATRIOT Act Reauthorization. The bill also extends the PATRIOT Reauthorization to 2017, so this report would come in before that, but would extend the authorities as a whole for 2 more years.
Finally, it takes out this language:
describe any noteworthy facts or circumstances relating to orders under such title
This would allow IGs to ignore details about the actual practice of these programs.
As with business records, the MA limits bulk collection by requiring the use of a specific selector, not by prohibiting bulk collection.
Interestingly, it does permit the Judge to assess compliance with minimization procedures, unlike with call records.
Here’s the language USA Freedom used to limit back door searches.
(2) CLARIFICATION ON PROHIBITION ON SEARCHING OF COLLECTIONS OF COMMUNICATIONS
23 OF UNITED STATES PERSONS.—
(A) IN GENERAL.—Except as provided in subparagraph (B), no officer or employee of the United States may conduct a search of a collection of communications acquired under this section in an effort to find communications of a particular United States person (other than a corporation).
(B) CONCURRENT AUTHORIZATION AND EXCEPTION FOR EMERGENCY SITUATIONS.—
Subparagraph (A) shall not apply to a search for communications related to a particular
10 United States person if—
(i) such United States person is the subject of an order or emergency authorization authorizing electronic surveillance or physical search under section 105, 304, 703, 704, or 705, or title 18, United States Code, for the effective period of that order;
(ii) the entity carrying out the search has a reasonable belief that the life or safety of such United States person is
21 threatened and the information is sought for the purpose of assisting that person; or
(iii) such United States person has consented to the search.
Here’s the language the MA uses to prohibit back door searches (and I’m not even sure that’s what it does, as opposed to prevent the MCAT collection Bates declared illegal in 2011), which is part of the minimization procedures.
prohibit the use of any discrete, non-target communication that is determined to be to or from a United States person or a person who appears to be located in the United States, except to protect against an immediate threat to human life.
We know they use back door searches to identify which selectors to further investigate. Does this permit such a use?
In any case, I believe — though am not 100% certain — that the MA takes out any protection against back door searches (save for stronger language on reverse targeting that is similar to what USA Freedom had).
The MA takes out language that would have prevented the use of upstream searches for cybersecurity, which I wrote about here.
Remember how RuppRoge had a clause prohibiting the government to store illegally collected data (which they lost in the drafting process).
The MA retains this to Section 702, which appears to prohibit the use of illegally collected data but actually newly permits it. [Update note: most of this was in the USA Freedom]
‘‘(i) IN GENERAL.—Except as provided in clause (ii), no information obtained or evidence derived from an acquisition pursuant to a certification or targeting or minimization procedures subject to an order under subparagraph (B) concerning any United States person shall be received in evidence or otherwise disclosed in any trial, hearing, or other proceeding in or before any court, grand jury, department, office, agency, regulatory body, legislative committee, or other authority of the United States, a State, or political subdivision thereof, and no information cocerning any United States person acquired from the acquisition shall subsequently be used or disclosed in any other manner by Federal officers or employees without the consent of the United States person, except with the approval of the Attorney General if the information indicates a threat of death or serious bodily harm to any person.
(ii) EXCEPTION.—If the Government corrects any deficiency identified by the order of the Court under subparagraph (B), the Court may permit the use or disclosure of information acquired before the date of the correction under such minimization procedures as the Court shall establish for purposes of this clause.’’.
Remember, first of all, that NSA has secretly rewritten “serious bodily harm” to include threats to property, so that clause is already fairly limited.
But then add in the ability to use illegally collected data once you’ve fixed the problems that made it illegal and it makes this pretty broad. At a minimum, this would permit the government to use all the upstream collection John Bates deemed illegal in 2011.
The MA takes out some other changes to FAA, including a new sunset that would have coincided with the PATRIOT Sunset. Actually, the bill just extends PATRIOT so it coincides with FAA.
The MA changes how the FISC Special Advocate is chosen. It had been that PCLOB would pick candidates and the Chief Justice (John Roberts!) would pick who got to be the advocates. The MA changes that to letting the presiding judge pick no less than 5 people, including people with technical as well as civil liberties expertise. The Executive still gets to decide whether those people get access however. And the FISC gets to decide if the Special Advocate participates, in which case she’ll be treated like an amicus curiae.
The new scheme also does not provide for appellate review, suggesting that the Special Advocate would not be in a position to raise challenges to decisions the court had already made.
The whole thing seems like a Super Clerk position, not anything really new.
The MA also waters down the declassification language in USA Freedom, essentially adopting the language the Obama Administration claims to be currently using (under which it only releases opinions if Edward Snowden comes along and leaks them). Though this language is, roughly, the language that Jeff Merkley tried to get them to adopt back in 2012.
The NSLs section repeats the method of prohibiting bulk collection by limiting use to a specific selector.
However, it also takes out limits USA Freedom had put on financial NSLs.
(A) the name of a customer of the financial institution;
(B) the address of a customer of the financial institution;
(C) the length of time during which a person has been, or was, a customer of the financial institution (including the start date) and the type of service provided by the financial institution to the customer; and
(D) any account number or other unique identifier associated with a customer of the financial institution.
(2) LIMITATION.—A request issued under this subsection may not require the production of records or information not listed in paragraph (1).
As well as a new definition of financial institution borrowed from the Bank Secrecy Act.
(c) DEFINITION OF FINANCIAL INSTITUTION.—For purposes of this section (and sections 1115 and 1117, insofar as the sections relate to the operation of this section), the term ‘financial institution’ has the same meaning as in subsections (a)(2) and (c)(1) of section 5312 of title 31, United States Code, except that the term shall include only a financial institution any part of which is located inside any State or territory of the United States, the District of Columbia, Puerto Rico, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, or the United States Virgin Islands.’’.
In addition, whereas the USA Freedom Act had repealed the Counterterrorism NSL for credit reports which permits FBI to get a more extensive credit report in the name of terrorism (adjusting the counterintelligence one such that it targets agents of foreign power) the MA keeps it.
USA Freedom had also put new limits on NSL gags. The MA eliminates those limits.
US Freedom had included the same mandated IG Reports for NSLs as it had for business records. The MA eliminates them.
The law providing reports to Congress on how the government uses Section 215 now mandates reports only for HPSCI, SSCI, and SJC. USA Freedom had added HJC to that. But the HJC MA eliminates that change! Update: I need to check–they may have retained this in another part of the bill.
USA Freedom had required detailed descriptions of what the government was doing with 215 orders, and which agencies were using them. The MA eliminates that requirement.
Most troubling, USA Freedom had this language trying to understand how many people are affected by 215 orders.
(C) a good faith estimate of the total number of individuals whose tangible things were produced under an order entered under section 501, rounded to the nearest 100;
(D) a good faith estimate of the total number of United States persons whose tangible things were produced under an order entered under section 501, rounded to the nearest 100; and
(E) a good faith estimate of the total number of United States persons whose tangible things were produced under an order entered under section 501 and subsequently reviewed or accessed by a Federal officer, employee, or agent, rounded to the nearest 100.;
That language is gone.
That pattern is repeated through the rest of the reporting requirements. Where USA Freedom had tried to quantify the number of people and US persons who got sucked up in surveillance, and how many of those whose records got reviewed, the MA no longer does so. Shouldn’t they be more willing to provide this data if they were really getting rid of bulk surveillance?
In addition to taking PCLOB out of the FISC advocate role, the MA eliminates provision giving PCLOB subpoena authority.
If you’ve spent much time in political party conventions, you likely know that the resolution process largely serves as an opportunity for active members to vent. While party resolutions might represent where the ideological base of the party is, nothing prevents the elected leaders of the party to blow off resolutions (though at times resolutions are deemed toxic enough for leaders to undermine by parliamentary stunts).
Which is why I find the response to the RNC’s resolution renouncing the NSA’s “Surveillance Prorgam” (it mentions PRISM and, implicitly, the phone dragnet) so interesting.
There are responses like this, from Kevin Drum, who spins it as pure politics.
I get that politics is politics, and the grass always looks browner when the other party occupies the Oval Office. And there are plenty of liberals who are less outraged by this program today than they were back when George Bush and Dick Cheney were in charge of it.
But holy cow! The RNC! Officially condemning a national security program that was designedby Republicans to fight terrorism!
Benjy Sarlin, in the account Drum linked, got the politics more clear, reading this, in part, as the influence of libertarians who largely gained ascendance as part of a backlash against Bush policies or at least failures.
But the resolution also is a sign of the increasing influence of the libertarian wing of the party, especially supporters of Ron Paul and his son, Rand Paul, who have made government overreach in pursuit of terrorists a top issue. Both Orrock and fellow Nevada Committeeman James Smack, who presented the resolution on her behalf, supported the elder Paul’s presidential campaign.
But I also think there’s more to it.
There is certainly a great deal of opportunism here (note, Democrats’ utter disdain for tech companies’ concerns about the dragnet make this a monetary, as well as political opportunity for the GOP, one already bearing fruit). And while the GOP establishment is still cautiously trying to regain control over the Tea Party forces that it once encouraged, there has also been a slow change in traditional conservatives’ stance, too, which I measure through Amash-Conyers opponent Bob Goodlatte’s changing position.
Goodlatte has issued three statements in recent weeks (January 9, January 17, and January 23) calling for reform (including more civil liberties protections and attention to tech companies’ concerns) and more transparency. In the most interesting of the statements, Goodlatte suggested that if Obama wanted to keep the dragnet he’d have to explain what purpose it was really serving and then argue that that purpose
Over the course of the past several months, I have urged President Obama to bring more transparency to the National Security Agency’s intelligence-gathering programs in order to regain the trust of the American people. In particular, if the President believes we need a bulk collection program of telephone data, then he needs to break his silence and clearly explain to the American people why it is needed for our national security. The President has unique information about the merits of these programs and the extent of their usefulness. This information is critical to informing Congress on how far to go in reforming the programs. Americans’ civil liberties are at stake in this debate. [my emphasis]
As I’ve been pointing out for some time, no dragnet defenders have yet to explain what purpose it really serves, and I’m struck that Goodlatte seems to suggest the same. Note, too, that Goodlatte was among the 6 Representatives who attended Bruce Schneier’s briefing on what NSA was really doing, along with leading GOP dragnet opponents Jim Sensenbrenner and Justin Amash and 3 Democrats.
I would suggest to Democrats who see this resolution exclusively as an overly cynical attack on Obama there may, in fact, be things that could explain why Republicans specifically or reasonable Americans more generally might have good reason to oppose the dragnet.
Now back to the resolution. As Sarlin notes, “Not a single member rose to object or call for further debate, as occurred for other resolutions.” (I like to think that had Michigan’s retrograde Dave Agema been able to participate rather than fending off calls for his resignation, he might have spoken up for authoritarianism.)
Instead of opposition from the Republican Party then, came first this quote to Sarlin,
“I think it probably does reflect the views of many of the people who really want to turn out the vote and who are viewing the world through the prism of the next election,” Stewart Baker, a former Bush-era Homeland Security official, told msnbc in an email. “It’s a widespread view among Republicans, but I think the ones that know this institution best and for whom national security is a high priority don’t share this view.”
Then what Eli Lake reports as a letter (Lake doesn’t say to whom) from just one elected official — KS Representative and House Intelligence Committee member Mike Pompeo — and 7 Bush officials (including Baker) blasting the resolution. Part of the letter, apparently, serves to waggle National Security seniority, as Baker already had.
Their letter says: “The Republican National Committee plays a vital role in political campaigns, but it has relatively little expertise in national security.”
And part of it serves to correct a technical inaccuracy that may not be one.
In particular the letter takes issue with the resolution’s claim that the NSA’s PRISM program “monitors searching habits of virtually every American on the internet.”
“In fact, there is no program that monitors the searches of all Americans,” the letter says. “And what has become known as the PRISM program is not aimed at collecting the communications of Americans. It is targeted at the international communications of foreign persons located outside the United States and is precisely the type of foreign-targeted surveillance that Congress approved in 2008 and 2012 when it enacted and reauthorized amendments to the Foreign Intelligence Surveillance Act.”
At issue is the language of the resolution, which starts by discussing PRISM, but then talks about what is clearly the phone (though it would encompass the Internet) dragnet, but then explicitly returns to both, by name of the authority that govern them.
WHEREAS, the secret surveillance program called PRISM targets, among other things, the surveillance of U.S. citizens on a vast scale and monitors searching habits of virtually every American on the internet;
WHEREAS, this dragnet program is, as far as we know, the largest surveillance effort ever launched by a democratic government against its own citizens, consisting of the mass acquisition of Americans’ call details encompassing all wireless and landline subscribers of the country’s three largest phone companies.
RESOLVED, the Republican National Committee encourages Republican lawmakers to enact legislation to amend Section 215 of the USA Patriot Act, the state secrets privilege, and the FISA Amendments Act to make it clear that blanket surveillance of the Internet activity, phone records and correspondence — electronic, physical, and otherwise — of any person residing in the U.S. is prohibited by law and that violations can be reviewed in adversarial proceedings before a public court;
RESOLVED, the Republican National Committee encourages Republican lawmakers to call for a special committee to investigate, report, and reveal to the public the extent of this domestic spying and the committee should create specific recommendations for legal and regulatory reform ot end unconstitutional surveillance as well as hold accountable those public officials who are found to be responsible for this unconstitutional surveillance; [my emphasis]
7 Bush officials and 1 HPSCI member (but not, oddly enough, the always boisterous Mike Rogers) have weighed in to say that the NSA doesn’t monitor the searches of some Americans and then trots out the tired “targeted at foreign persons” line, without addressing the question of blanket surveillance of communications more generally.
Sarlin, in his piece, similarly retreats to “targeting” claptrap, claiming only that “lawmakers have accused the agency of overreaching.”
Somehow both the Bush dead-enders and Sarlin neglect to mention backdoor searches, which allow the NSA to use metadata collected under a range of dragnets to obtain US content without even Reasonable Articulable Suspicion.
And while it’s not all that surprising that Sarlin chose not to discuss how NSA can get domestic content, as I will show in a follow-up post the collection of dead-enders (Lake fleshed out the list here) who weighed in to deny that the NSA dragnet gets US person content is particularly instructive, as I’ll show in a follow-up post.