Posts

What Claims Did the Intelligence Community Make about the Paris Attack to Get the White House to Change on Encryption?

I’m going to do a series of posts laying out the timeline behind the Administration’s changed approach to encryption. In this, I’d like to make a point about when the National Security Council adopted a “decision memo” more aggressively seeking to bypass encryption. Bloomberg reported on the memo last week, in the wake of the FBI’s demand that Apple help it brute force Syed Rezwan Farook’s work phone.

But note the date: The meeting at which the memo was adopted was convened “around Thanksgiving.”

Silicon Valley celebrated last fall when the White House revealed it would not seek legislation forcing technology makers to install “backdoors” in their software — secret listening posts where investigators could pierce the veil of secrecy on users’ encrypted data, from text messages to video chats. But while the companies may have thought that was the final word, in fact the government was working on a Plan B.

In a secret meeting convened by the White House around Thanksgiving, senior national security officials ordered agencies across the U.S. government to find ways to counter encryption software and gain access to the most heavily protected user data on the most secure consumer devices, including Apple Inc.’s iPhone, the marquee product of one of America’s most valuable companies, according to two people familiar with the decision.

The approach was formalized in a confidential National Security Council “decision memo,” tasking government agencies with developing encryption workarounds, estimating additional budgets and identifying laws that may need to be changed to counter what FBI Director James Comey calls the “going dark” problem: investigators being unable to access the contents of encrypted data stored on mobile devices or traveling across the Internet. Details of the memo reveal that, in private, the government was honing a sharper edge to its relationship with Silicon Valley alongside more public signs of rapprochement. [my emphasis]

That is, the meeting was convened in the wake of the November 13 ISIS attack on Paris.

We know that last August, Bob Litt had recommended keeping options open until such time as a terrorist attack presented the opportunity to revisit the issue and demand that companies back door encryption.

Privately, law enforcement officials have acknowledged that prospects for congressional action this year are remote. Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

There is value, he said, in “keeping our options open for such a situation.”

Litt was commenting on a draft paper prepared by National Security Council staff members in July, which also was obtained by The Post, that analyzed several options. They included explicitly rejecting a legislative mandate, deferring legislation and remaining undecided while discussions continue.

It appears that is precisely what happened — that the intelligence community, in the wake of a big attack on Paris, went to the White House and convinced them to change their approach.

So I want to know what claims the intelligence community made about the use of encryption in the attack that convinced the White House to change approach. Because there is nothing in the public record that indicates encryption was important at all.

It is true that a lot of ISIS associates were using Telegram; shortly after the attack Telegram shut down a bunch of channels they were using. But reportedly Telegram’s encryption would be easy for the NSA to break. The difficulty with Telegram — which the IC should consider seriously before they make Apple back door its products — is that its offshore location probably made it harder for our counterterrorism analysts to get the metadata.

It is also true that an ISIS recruit whom French authorities had interrogated during the summer (and who warned them very specifically about attacks on sporting events and concerts) had been given an encryption key on a thumb drive.

But it’s also true the phone recovered after the attack — which the attackers used to communicate during the attack — was not encrypted. It’s true, too, that French and Belgian authorities knew just about every known participant in the attack, especially the ringleader. From reports, it sounds like operational security — the use of a series of burner phones — was more critical to his ability to move unnoticed through Europe. There are also reports that the authorities had a difficult time translating the dialect of (probably) Berber the attackers used.

From what we know, though, encryption is not the reason authorities failed to prevent the French attack. And a lot of other tools that are designed to identify potential attacks — like the metadata dragnet — failed.

I hate to be cynical (though comments like Litt’s — plus the way the IC used a bogus terrorist threat in 2004 to get the torture and Internet dragnet programs reauthorized — invite such cynicism). But it sure looks like the IC failed to prevent the November attack, and immediately used their own (human, unavoidable) failure to demand a new approach to encryption.

Update: In testimony before the House Judiciary Committee today, Microsoft General Counsel Brad Smith repeated a claim MSFT witnesses have made before: they provided Parisian law enforcement email from the Paris attackers within 45 minutes. That implies, of course, that the data was accessible under PRISM and not encrypted.

What Secrets Are the Spooks Telling HJC about Section 702?

There’s a paper that has been making waves, claiming it has found a formula to debunk conspiracies based on the likelihood if they were real, they would have already been leaked. Never mind that people have already found fault with the math, the study has another glaring flaw. It treats the PRISM program — and not, say, the phone dragnet — as one of its “true” unknown conspiracies.

PRISM — one part of the surveillance program authorized by Section 702 of the FISA Amendments Act — was remarkable in that it was legislated in public. There are certainly parts of Section 702 that were not widely known, such as the details about the “upstream” collection from telecom switches, but even that got explained to us back in 2006 by Mark Klein. There are even details of how the PRISM collection worked — its reliance on network mapping, the full list of participants. There are details that were exposed, such as that the government was doing back door searches on content collected under it, but even those were logical guesses based on the public record of the legislative debates.

Which is why it is so remarkable that — as I noted here and here — House Judiciary Committee Chair Bob Goodlatte has scheduled a classified hearing to cover the program that has been the subject of open hearings going back to at least 2008.

The hearing is taking place as we speak with the following witnesses.

  • Mr. Robert S. Litt
    General Counsel
    Office of the Director of National Intelligence
  • Mr. Jon Darby
    Deputy Director for Analysis and Production, Signals Intelligence Directorate
    National Security Agency
  • Mr. Stuart J. Evans
    Deputy Assistant Attorney General for Intelligence, National Security Division
    U.S. Department of Justice
  • Mr. Michael B. Steinbach
    Assistant Director for Counterterrorism
    Federal Bureau of Investigation

This suggests there is either something about the program we don’t already know, or that the government is asking for changes to the program that would extend beyond the basic concept of spying on foreigners in the US using US provider help.

I guess we’re stuck wildarseguessing what those big new secrets are, given the Intelligence Community’s newfound secrecy about this program.

Some observations about the witnesses. First, between Litt and Evans, these are the lawyers that would oversee the yearly certification applications to FISC. That suggests the government may, in fact, be asking for new authorities or new interpretations of authorities.

Darby would be in charge of the technical side of this program. Since the PRISM as it currently exists is so (technologically) simple, that suggests the new secrets may involve a new application of what the government will request from providers. This might be an expansion of upstream, possibly to bring it closer to XKeyscore deployment overseas, possibly to better exploit Tor. Remember, too, that under USA Freedom Act, Congress authorized the use of data collected improperly, provided that it adheres to the new minimization procedures imposed by the FISC. This was almost certainly another upstream collection, which means there’s likely to be some exotic new upstream application that has caused the government some problems of late.

Note that the sole FBI witness oversees counterterrorism, not cybersecurity. That’s interesting because it would support my suspicions that the government is achieving its cybersecurity collection via other means now. But also that any new programs may be under the counterterrorism function. Remember, the NatSec bosses, including Jim Comey, just went to Silicon Valley to ask for help applying algorithms to identify terrorism content. Remember, too, that such applications would have been useless to prevent the San Bernardino attack if they were focused on the public social media content. So it may be that NSA and FBI want to apply algorithms identifying radicalizers to private content.

Finally, and critically, remember the Apple debate. In a public court case, Apple and the FBI are fighting over whether Apple can be required to decrypt its customers’ smart device communications. The government has argued this is within the legal notion of “assistance to law enforcement.” Apple disagrees. I think it quite possible that the FBI would try to ask for decryption help to be included under the definition of “assistance” under Section 702. Significantly, these witnesses are generally those (including Bob Litt and FBI counterterrorism) who would champion such an interpretation.

The Intelligence Community Continues to Pretend Ignorance of Its Deliberate 702 Spying

As I noted in an update to this post, over the last several months, the Brennan Center has led an effort among privacy organizations to get the Intelligence Community to provide the transparency over its Section 702 surveillance that it dodged under the USA Freedom Act. On October 29, 2015, it send James Clapper a letter asking for:

  • A public estimate of the number of communications or transactions involving American citizens and residents subject to Section 702 surveillance on a yearly basis.
  • The number of times each year that the FBI uses a U.S. person identifier to query databases that include Section 702 data, and the number of times the queries return such data.
  • Policies governing agencies’ notification of individuals that they intend to use information “derived from” Section 702 surveillance in judicial or administrative proceedings.

On December 23, Privacy Officer Alex Joel responded on behalf of Clapper, largely dodging the requests but offering to have a meeting at which he could further dodge the request. Then yesterday, Brennan replied, calling out some of those dodges and posing new questions in advance of any meeting.

While the reply asks some worthwhile new questions, I wanted to look at some underlying background to the response Joel and ODNI gave.

The number of communications or transactions involving American citizens and residents subject to Section 702 surveillance on a yearly basis

In response to Brennan’s request for the number of US persons sucked up in 702, Joel points back to the PCLOB 702 report (which was far more cautious than the earlier 215 report) and its report on the status of recommendations from January 2015 and basically says, “we’re still working on that.” Brennan deemed the response non-responsive and noted that the IC is still working on 4 of PCLOB’s 5 recommendations 18 months after they issued it.

I would add one important caveat to that: PCLOB’s fifth recommendation was that the government provide,

the number of instances in which the NSA disseminates non-public information about U.S. persons, specifically distinguishing disseminations that includes names, titles, or other identifiers potentially associated with individuals.

We’ve just learned — through curiously timed ODNI declassification — that the numbers FBI gives to Congress on 702 dissemination are dodgy, or at least were dodgy in 2012, in part because they had been interpreting what constituted US person information very narrowly. For whatever reason, PCLOB didn’t include FBI in this recommendation, but they should be included, especially given the issues of notice to defendants dealt with below.

More importantly, there’s something to remember, as the IC dawdles in its response to this recommendation. In 2010, John Bates issued a ruling stating that knowingly collecting US person content constituted an illegal wiretap under 50 USC 1809(a). Importantly, he said that if the government didn’t know it was conducting electronic surveillance, that was okay, but it shouldn’t go out of its way to remain ignorant that it was doing so.

When it is not known, and there is no reason to know, that a piece of information was acquired through electronic surveillance that was not authorized by the Court’s prior orders, the information is not subject to the criminal prohibition in Section 1809(a)(2). Of course, government officials may not avoid the strictures of Section 1809(a)(2) by cultivating a state of deliberate ignorance when reasonable inquiry would likely establish that information was indeed obtained through unauthorized electronic surveillance.

The following year, Bates held that when it collected entirely domestic communications via upstream Section 702 collection, that collection was intentional (and therefore electronic surveillance), not incidental, though Clapper’s lawyer Bob Litt likes to obfuscate on this point. The important takeaway, though, is that the IC can illegally collect US person data so long as it avoids getting affirmative knowledge it is doing so, but it can’t be too obvious in its efforts to remain deliberately ignorant.

I’d say 18 months begins to look like willful ignorance.

The number of times each year that the FBI uses a U.S. person identifier to query databases that include Section 702 data, and the number of times the queries return such data

Brennan asked for solid numbers on back door searches, and Joel pointed to PCLOB’s recommendations that pertain to updated minimization procedures, a totally different topic.

And even there Joel was disingenuous in a way that the Brennan letter did not note.

Joel asserts that “with the recent reauthorization of the 702 Certification … this recommendation 2 [has] been implemented.” The recommendation included both additional clarity in FBI’s minimization procedures as well as further limits on what non-national security crimes FBI can use 702 data for.

Back in February 2015, Bob Litt revealed the latter information, what FBI could use 702 data for:

crimes involving death, kidnapping, substantial bodily harm, conduct that is a specified offense against a minor as defined in a particular statute, incapacitation or destruction of critical infrastructure, cyber security, transnational crimes, or human trafficking.

But after Litt made that disclosure, and either after or during the process of negotiating new 702 certificates, the ODNI released updated minimization procedures. But they where the MPs for 2014, not 2015! (See this post for a discussion of new disclosures in those documents.) Joel’s answer makes clear that FBI’s minimization procedures were updated significantly in the 2015 application beyond what they had been in 2014 (because that’s the only way they could have not fulfilled that recommendation last January but have since done so).

In other words, Joel answers Brennan’s question by boasting about fulfilling PCLOB’s recommendations, but not Brennan’s answer. But even there, if ODNI had just released the current FBI MPs, rather than year-old ones, part of Brennan’s questions would be answered — that is, what the current practice is.

I think the recent new disclosures about the limits on FBI’s very limited disclosure reporting (at least until 2012) provide some additional explanation for why FBI doesn’t count its back door searches. We know:

  • At least until 2012, it appears FBI did not consider reports based off the content of a message (“about”) not including the US person mentioned, certain kinds of identifiers (probably including phone numbers and Internet identifiers), or metadata to be sharing non-public US person information.
  • At least until the most recent certification, FBI was permitted to use metadata to analyze communications and transfer “all such metadata to other FBI electronic and data storage systems for authorized and foreign intelligence purposes” (page 11) without marking it as disseminated Section 702 data (footnote 2). This likely increases the chance that FBI does not treat metadata derived from Section 702 — and analysis integrating it and other data — to be 702 derived (especially given its apparent belief that such metadata does not equate to person identifying information).
  • FBI’s databases surely include redundant information for people whose communications are collected — either as target or incidentally — under both Section 702 and traditional FISA (and possibly even under Title III warrants). If, as Charlie Savage reported last year, FBI is now acquiring raw EO 12333 data, it may be in the same databases as well. This is undoubtedly even more true with respect to metadata. Given known practice on the NSA side, FBI likely uses the multiple designations to avoid disclosure rules.

In other words, there is a great deal of room to launder where data comes from, particularly if it has been used for metadata link analysis as an interim step. To try to count the specifically Section 702 queries, even just of content, though all the more so of metadata, would require revealing these overlaps, which FBI surely doesn’t want to do.

Policies governing agencies’ notification of individuals that they intend to use information “derived from” Section 702 surveillance in judicial or administrative proceedings

All that’s also background to Brennan’s request for information about notice to defendants. Joel pretty much repeated DOJ’s unhelpful line, though he did direct Brennan to this OLC memo on notice to those who lose clearance. Not only does that memo reserve the right to deem something otherwise subject to FISA’s notice requirements privileged, it also cites from a 1978 House report excluding those mentioned in, but not a party to, electronic surveillance from notice.

[A]s explained in a FISA House Report, “[t]he term specifically does not include persons, not parties to a communication, who may be mentioned or talked about by others.”

That, of course, coincides with one of the categories of people that it appears FBI was not counting in FISA dissemination reports until at least 2012 (and, of course, metadata does not count as electronic surveillance).

All of which is to say this appears to hint at the scope of how FBI has collected and identified people using 702 derived data that nevertheless don’t get 702 notice.

None of that excuses ODNI for refusing to respond to these obvious questions. But it does seem to indicate that the heart of FBI’s silence about its own 702 practices has a lot to do with its ability to arbitrage the multiple authorities it uses to spy.

Kiddie Porn, Computer and Building Destruction, and Section 702

At the end of September, I Con the Record released a bunch of documents relating to 2014’s Section 702 certification process including the August 26, 2014 Thomas Hogan opinion that, among other things, authorized an expansion of FBI’s minimization procedures.

The memo reflects a 2013 change to FBI minimization procedures (it was first approved on September 20, 2012) that permits it to disseminate information that,

is evidence of a crime and that it reasonably believes may assist in the mitigation or prevention of computer intrusions or attacks to private entities or individuals that have been or are at risk of being victimized by such intrusions or attacks, or to private entities or individuals … capable of providing assistance in mitigating or preventing such intrusions or attacks. Wherever reasonably practicable, such disseminations should not include United States person identifying information unless the FBI reasonably believes it is necessary to enable the recipient to assist in the mitigation or prevention of computer intrusion or attacks. (18)

This order expands that dissemination permission to include “dissemination of Section 702 information to someone in the private sector in order to mitigate other forms of serious harm, such as ‘a plot to destroy a building or monument.” The change “enables the FBI to disseminate information to private parties in less extreme cases.” Update: Since this language appears to exist only in the FBI minimization procedures, it should refer only to PRISM data, not upstream data, since FBI doesn’t get the latter in unminimized form, unless that has changed in some way that is not obvious in the minimization procedures.

Finally, Hogan approved a change to the FBI minimization procedures that permitted dissemination of 702-collected information to the National Center for Missing and Exploited Children if it is “evidence of a crime related to child exploitation material, including child pornography,” or for the purpose of obtaining technical assistance (the NCMEC keeps databases of images of child porn to track when new images are released).

While these are all generally included in the serious bodily harm provision of Section 702 — to say nothing of NSA’s broad inclusion of “property” in “bodily harm” — they show three clear expansions of the use of Section 702 for criminal investigations in recent years (and the computer intrusion language impacts my questions about how CISA interacts with Section 702).

Not only are those expansions worth noting in their own right, but they’re also worth considering in light of Bob Litt’s disclosure on February 4, 2015 (that is, chronologically after this change, but before this change got publicly released) of the crimes that FBI may use Section 702 information to prosecute.

And so today I want to say that in fact the list of crimes other than national security crimes for which we can use Section 702 information about U.S. persons is crimes involving death, kidnapping, substantial bodily harm, conduct that is a specified offense against a minor as defined in a particular statute, incapacitation or destruction of critical infrastructure, cyber security, transnational crimes, or human trafficking.

Litt’s list seems broader than, though clearly related to, the items approved in the unredacted parts of the FBI minimization procedures, though the language from the minimization procedures seems to explain what “incapacitation” of critical infrastructure is. As always, remember that “transnational crime” is a politicized subsection of mob crimes that never includes the crimes implicating our nations mob-banksters.

And keep in mind. This language would have been operative in the weeks leading up to the Sony hack. And yet the ability to share such intelligence with Sony did not prevent the hack.

In any case, I’m going to do a series of posts on the Snooper’s Charter released yesterday in the UK, and I wanted to clarify precisely what the available uses of Section 702 to investigate crimes are.

Michael Mosman’s Deadlines Raise (More) Questions about the FISC Advocate

In the series of letters purporting to speak for “the judiciary,” Director of the Administrative Office of US Courts John Bates and (after Duff replaced him) James Duff expressed concern about how a FISC amicus would affect the timeliness of proceedings before the court. Bates worried that any involvement of an amicus would require even more lead time than the current one week requirement in FISC applications. He also worried that the presumption an amicus (and potentially tech experts) would have access to information might set off disputes with the Executive over whether they could really have it. Duff apparently worried that the perception that an amicus would oppose the government would lead the government to delay in handing over materials to the FISC.

Which is why I’m interesting in the briefing order Chief FISC Judge Thomas Hogan, signing for Michael Mosman, issued on Wednesday (see below for a timeline).

Back on September 17, Mosman appointed spook lawyer Preston Burton amicus. As part of that order, he gave the government 4 days to refuse to share information with Burton, but otherwise required Burton receive the application and primary order in this docket.

(Pursuant to 50 U.S.C. § 1803(i)(6)(A)(i), the Court has determined that the government’s application (including exhibits and attachments) and the full, unredacted Primary Order in this docket are relevant to the duties of the amicus. By September 22, 2015, or after receiving confirmation from SEPS that the amicus has received the appropriate clearances and access approvals for such materials, whichever is later, the Clerk of the Court shall make these materials available to the amicus.

Yet even after the almost month long delay in deciding to appoint someone and deciding that someone would be Burton, it still took Mosman two weeks after the date when Burton was supposed to have received the relevant information on this issue before setting deadlines. And in setting his deadlines, Mosman has basically left himself only 2 weeks during which time he will have to to decide the issue and the government will have to prepare to keep or destroy the data in question (in past data destruction efforts it has taken a fairly long time). That could be particularly problematic if Mosman ends up requiring the government to pull the data from EFF’s clients from the data retained under their protection order.

On November 28, the order authorizing the retention of this data expires.

To be fair, Mosman is definitely making a more concerted effort to comply with the appearance if not the intent of USA F-ReDux’s amicus provision than, say, Dennis Saylor (who blew if off entirely). And there may be aspects of this process — and FISC’s presumed effort to start coming up with a panel of amici by November 29 — that will take more time than future instances down the road.

Still, it’s hard to understand the almost 3 week delay in setting a briefing schedule.

Unless the government slow-walked giving even a spook lawyer not explicitly ordered to represent the interests of privacy approval to receive and then a packet of documents to review.

I suspect this represents a stall by the government, not FISC (though again, the month long delay in deciding to appoint an amicus didn’t help things, and FISC’s thus far 4 month delay in picking amici likely doesn’t help either). But whatever the cause of the delay, it may indicate a reluctance on someone’s part to use the amicus as intended.

Timeline

July 27: ODNI declares that “NSA has determined” that “NSA will allow technical personnel to continue to have access to the historical metadata for an additional three months”

By August 20: Government asks for permission to retain data past November 28 (the government must submit major FISA orders at least a week in advance)

August 27: Mosman approves dragnet order, defers decision on data retention

September 17: Mosman appoints Burton and orders the government to cough up its application and the full order

September 21: Last date by which government can complain about sharing information with Burton

September 22: Date by which Burton must receive application and order

October 7: Mosman sets deadlines

October 29: Deadline for Burton’s first brief

November 6: Deadline for Government response

November 10: Deadline for Burton reply, if any

November 28: Expiration of authorization to retain data

The Costs of Politically Free Cybersecurity Failures

Ben Wittes looks at the WaPo article and accompanying National Security Council Draft Options paper on how the White House should respond to FBI’s campaign against encryption and declares that “Industry has already won.”

[T]he document lays out three options for the administration—three options that notably do not include seeking legislation on encryption.

They are:

  • “Option 1: Disavow Legislation and Other Compulsory Actions”;
  • “Option 2: Defer on Legislation and Other Compulsory Actions”; and
  • “Option 3: Remain Undecided on Legislation or Other Compulsory Actions.”

In all honesty, it probably doesn’t matter all that much which of these options Obama chooses. If these are the choices on the table, industry has already won.

What’s most fascinating about the white paper is that it lays bare how the NSC itself sees this issue — and they don’t see it like Wittes does, nor in the way the majority of people clamoring for back doors have presented it. As the NSC defines the issue, this is not “industry” versus law enforcement. For each assessed scenario, NSC measures the impact on:

  • Public safety and national security
  • Cybersecurity
  • Economic competitiveness
  • Civil liberties and human rights

Arguably, there’s a fifth category for each scenario — foreign relations — that shows up in analysis of reaction by stakeholders that weighs the interests of foreign governments, including allies that want back doors (UK, France, Netherlands), allies that don’t (Germany and Estonia), and adversaries like Russia and China that want back doors to enable repression (and, surely, law enforcement, but the analysis doesn’t consider this).

That, then, is the real network of interests on this issue and not — as Wittes, Sheldon Whitehouse, and many though not all defenders of back doors have caricatured — simply hippies and Apple versus Those Who Keep Us Safe.

NSC not only judges the market demand for encryption — and foreign insistence that US products not appear to be captive to America’s national security state — to be real, but recognizes that those demands underlie US economic competitiveness generally.

And, as a number of people point out, the NSC readily admits that encryption helps cybersecurity. As the white paper explains,

Pro-encryption statements from the government could also encourage broader use of encryption, which would also benefit global cybersecurity. Further, because any new access point to encrypted data increases risk, eschewing mandated technical changes ensures the greatest technical security. At the same time, the increased use of encryption could stymie law enforcement’s ability to investigate and prosecute cybercriminals, though the extent of this threat over any other option is unclear as sophisticated criminals will use inaccessible encryption.

Shorter the NSC: If encryption is outlawed, only the sophisticated cyber-outlaws will have encryption.

This is the discussion we have not been having, as Jim Comey repeatedly talks in terms of Bad Guys and Good Guys, the complex trade-offs that are far more than “safety versus privacy.”

What’s stunning, however, is that NSC — an NSC that was already in the thick of responding to the OPM hack when this paper was drafted in July — sees cybersecurity as a separate category from public safety and national security. Since 2013, the Intelligence Community has judged that cybersecurity is a bigger threat than terrorism (though I’m not sure if the IC has revised that priority given ISIS’ rise). Yet the NSC still thinks of this as a separate issue from public safety and national security (to say nothing of the fact that NSC doesn’t consider the crime that encryption would prevent, such as smart phone theft).

I’m not surprised that NSC considers these different categories, mind you. Cybersecurity failures are still considered (with the sole exception of Katherine Archuleta, who was forced to resign as OPM head after the hack) politically free, such that men like John Brennan (when he was Homeland Security Czar on NSC) and Keith Alexander can have, by their own admission, completely failed to keep us safe from cyberattack without being considered failures themselves (and without it impacting Brennan’s perceived fitness to be CIA Director).

The political free ride cybersecurity failures get is a problem given the other reason that Wittes’ claim that “industry has already won” is wrong. WaPo reports that NSC still hasn’t come up with a preferred plan, ostensibly because it is so busy with other things.

Some White House aides had hoped to have a report on the issue to give to the president months ago. But “the complexity of this issue really makes it a very challenging area to arrive at any sort of policy on,” the senior official said. A Cabinet meeting to be chaired by National Security Adviser Susan Rice, ostensibly to make a decision, initially was scheduled for Wednesday, but it has been postponed.

The senior official said that the delays are due primarily to scheduling issues — “there are a lot of other things going on in the world” — that are pressing on officials’ time.

But WaPo also presents evidence that those who want back doors are just playing for time, until some kidnapping or terrorist attack investigation gets thwarted by encryption.

Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

There is value, he said, in “keeping our options open for such a situation.”

So long as the final decision never gets made, those who want back doors will be waiting for the moment when some event changes the calculus that currently weighs in favor of encryption. And, of course, we’ll all be relying on people like Jim Comey to explain why encryption made it impossible to catch a “bad guy,” which means the measure will probably ignore the other ways law enforcement can get information.

We are still living in Dick Cheney’s world, where missing a terrorist attack (other than the big one or the anthrax attack) is assumed to be career ending, even while failing to address other threats to the US (climate change and increasingly cybersecurity) are not. So long as that’s true, those waiting to use the next spectacular failure to make ill-considered decisions about back doors will await their day, putting some kinds of national security above others.

Update: Like me, Susan Landau thinks Wittes misunderstood what the White Paper said about who “won” this fight.

But the National Security Council draft options paper never mentions national-security threats as a concern in the option of disavowing legislation controlling encryption (it does acknowledge potential problems for law enforcement). The draft says that no-legislation approach would help foster “the greatest technical security.” That broad encryption use is in our national security interest is why the administration is heading to support the technology’s broad use. That’s the story here — and not the one about Silicon Valley.

Section 702 Used for Cybersecurity: You Read It Here First

I have been reporting for years that the government uses Section 702 for cybersecurity purposes, including its upstream application.

ProPublica and NYT have now confirmed and finally liberated related Snowden documents on the practice. They show that DOJ tried to formalize the process in 2012 (though I have reasons to doubt that the NSA documents released tell all of the story, as I hope to show in upcoming posts).

Without public notice or debate, the Obama administration has expanded the National Security Agency’s warrantless surveillance of Americans’ international Internet traffic to search for evidence of malicious computer hacking, according to classified NSA documents.

In mid-2012, Justice Department lawyers wrote two secret memos permitting the spy agency to begin hunting on Internet cables, without a warrant and on American soil, for data linked to computer intrusions originating abroad — including traffic that flows to suspicious Internet addresses or contains malware, the documents show.

The Justice Department allowed the agency to monitor only addresses and “cybersignatures” — patterns associated with computer intrusions — that it could tie to foreign governments. But the documents also note that the NSA sought to target hackers even when it could not establish any links to foreign powers.

The disclosures, based on documents provided by Edward J. Snowden, the former NSA contractor, and shared with the New York Times and ProPublica, come at a time of unprecedented cyberattacks on American financial institutions, businesses and government agencies, but also of greater scrutiny of secret legal justifications for broader government surveillance.

Jonathan Mayer, whom ProPublica and NYT cite in the article, has his own worthwhile take on what the documents say.

Stay tuned!

How the Second Circuit, FISC, and the Telecoms Might Respond to McConnell’s USA F-ReDux Gambit

Update: Jennifer Granick (who unlike me, is a lawyer) says telecoms will be subject to suit if they continue to comply with dragnet orders. 

Any company that breaches confidentiality except as required by law is liable for damages and attorneys’ fees under 47 U.S.C. 206. And there is a private right of action under 47 U.S.C. 207.

Note that there’s no good faith exception in the statute, no immunity for acting pursuant to court order. Rather, the company is liable unless it was required by law to disclose. So Verizon could face a FISC 215 dragnet order on one side and an order from the Southern District of New York enjoining the dragnet on the other. Is Verizon required by law to disclose in those circumstances? If not, the company could be liable. And did I mention the statute provides for attorneys’ fees?

Everything is different now than it was last week. Reauthorization won’t protect the telecoms from civil liability. It won’t enable the dragnet. As of last Thursday, the dragnet is dead, unless a phone company decides to put its shareholders’ money on the line to maintain its relationships with the intelligence community.

Last night, Mitch McConnell introduced a bill for a 2-month straight reauthorization of the expiring PATRIOT provisions as well as USA F-ReDux under a rule that bypasses Committee structure, meaning he will be able to bring that long-term straight reauthorization, that short term one, or USA F-ReDux to the floor next week.

Given that a short term reauthorization would present a scenario not envisioned in Gerard Lynch’s opinion ruling the Section 215 dragnet unlawful, it has elicited a lot of discussion about how the Second Circuit, FISC, and the telecoms might respond in case of a short term reauthorization. But these discussions are almost entirely divorced from some evidence at hand. So I’m going to lay out what we know about both past telecom and FISA Court behavior.

Because of the details I lay out below, I predict that so long as Congress looks like it is moving towards an alternative, both the telecoms and the FISC will continue the phone dragnet in the short term, and the Second Circuit won’t weigh in either.

The phone dragnet will continue for another six months even under USA F-ReDux

As I pointed out here, even if USA F-ReDux passed tomorrow, the phone dragnet would continue for another 6 months. That’s because the bill gives the government 180 days — two dragnet periods — to set up the new system.

(a) IN GENERAL.—The amendments made by sections 101 through 103 shall take effect on the date that is 180 days after the date of the enactment of this Act.

(b) RULE OF CONSTRUCTION.—Nothing in this Act shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 24 1861 et seq.) as in effect prior to the effective date described in subsection (a) during the period ending on such effective date.

The Second Circuit took note of USA F-ReDux specifically in its order, so it would be hard to argue that it doesn’t agree Congress has the authority to provide time to put an alternative in place. Which probably means (even though I oppose Mitch’s short-term reauth in most scenarios) that the Second Circuit isn’t going to balk — short of the ACLU making a big stink — at a short term reauth for the purported purpose of better crafting a bill that reflects the intent of Congress. (Though the Second Circuit likely won’t look all that kindly on Mitch’s secret hearing the other day, which violates the standards of debate the Second Circuit laid out.)

Heck, the Second Circuit waited 8 months — and one failed reform effort — to lay out its concerns about the phone dragnet’s legality that were, in large part, fully formed opinions at least September’s hearing. The Second Circuit wants Congress to deal with this and they’re probably okay with Congress taking a few more months to do so.

FISC has already asked for briefing on any reauthorization

A number of commentators have also suggested that the Administration could just use the grandfather clause in the existing sunset to continue collection or might blow off the Appeals Court decision entirely.

But the FISC is not sitting dumbly by, oblivious to the debate before Congress and the Courts. As I laid out here, in his February dragnet order, James Boasberg required timely briefing from the government in each of 3 scenarios:

  • A ruling from an Appellate Court
  • Passage of USA F-ReDux introduces new issues of law that must be considered
  • A plan to continue production under the grandfather clause

And to be clear, the FISC has not issued such an order in any of the publicly released dragnet orders leading up to past reauthorizations, not even in advance of the 2009-2010 reauthorizations, which happened at a much more fraught time from the FISC’s perspective (because FISC had had to closely monitor the phone dragnet production for 6 months and actually shut down the Internet dragnet in fall 2009). The FISC clearly regards this PATRIOT sunset different than past ones and plans to at least make a show of considering the legal implications of it deliberately.

FISC does take notice of other courts

Of course, all that raises questions about whether FISC feels bound by the Second Circuit decision — because, of course, it has its very own appellate court (FISCR) which would be where any binding precedent would come from.

There was an interesting conversation on that topic last week between (in part) Office of Director of National Intelligence General Counsel Bob Litt and ACLU’s Patrick Toomey (who was part of the team that won the Second Circuit decision). That conversation largely concluded that FISC would probably not be bound by the Second Circuit, but Litt’s boss, James Clapper (one of the defendants in the suit) would be if the Second Circuit ever issued an injunction.

Sunlight Foundation’s Sean Vitka: Bob, I have like a jurisdictional question that I honestly don’t know the answer to. The Court of Appeals for the Second Circuit. They say that this is unlawful. Obviously there’s the opportunity to appeal to the Supreme Court. But, the FISA Court of Review is also an Appeals Court. Does the FISC have to listen to that opinion if it stands?

Bob Litt: Um, I’m probably not the right person to ask that. I think the answer is no. I don’t think the Second Circuit Court of Appeals has direct authority over the FISA Court. I don’t think it’s any different than a District Court in Idaho wouldn’t have to listen to the Second Circuit’s opinion. It would be something they would take into account. But I don’t think it’s binding upon them.

Vitka: Is there — Does that change at all given that the harms that the Second Circuit acknowledged are felt in that jurisdiction?

Litt: Again, I’m not an expert in appellate jurisdiction. I don’t think that’s relevant to the question of whether the Second Circuit has binding authority over a court that is not within the Second Circuit. I don’t know Patrick if you have a different view on that?

Third Way’s Mieke Eoyang: But the injunction would be, right? If they got to a point where they issued an injunction that would be binding…

Litt: It wouldn’t be binding on the FISA Court. It would be binding on the persons who received the —

Eoyong: On the program itself.

Patrick Toomey: The defendants in the case are the agency officials. And so an injunction issued by the Second Circuit would be directed at those officials.

But there is reason to believe — even beyond FISC’s request for briefing on this topic — that FISC will take notice of the Second Circuit’s decision, if not abide by any injunction it eventually issues.

That’s because, twice before, it has even taken notice of magistrate judge decisions.

The first known example came in the weeks before the March 2006 reauthorization of the PATRIOT Act would go into effect. During 2005, several magistrate judges had ruled that the government could not add a 2703(d) order to a pen register to obtain prospective cell site data along with other phone data. By all appearances, the government was doing the same with the equivalent FISA orders (this application of a “combined” Business Record and Pen Register order is redacted in the 2008 DOJ IG Report on Section 215, but contextually it’s fairly clear this is close to what happened). Those magistrate decisions became a problem when, in 2005, Congress limited Section 215 order production to that which could be obtained with a grand jury subpoena. Effectively, the magistrates had said you couldn’t get prospective cell site location with just a subpoena, which therefore would limit whether FBI could get cell site location with a Section 215 order.

While it is clear that FISC required briefing on this point, it’s not entirely clear what FISC’s response was. For a variety of reasons, it appears FISC stopped these combined application sometime in 2006 — the reauthorization went into effect in March 2006 — though not immediately (which suggests, in the interim, DOJ just found a new shell to put its location data collection under).

The other time FISC took notice of magistrate opinions pertained to Post Cut Through Dialed Digits (those are the things like pin and extension numbers you dial after your call or Internet connection has been established). From 2006 through 2009, some of the same magistrates ruled the government must set its pen register collection to avoid collecting PCTDD. By that point, FISC appears to have already ruled the government could collect that data, but would have to deal with it through minimization. But the FISC appears to have twice required the government to explain whether and how its minimization of PCTDD did not constitute the collection of content, though it appears that in each case, FISC permitted the government to go on collecting PCTDD under FISA pen registers. (Note, this is another ruling that may be affected by the Second Circuit’s focus on the seizure, not access, of data.)

In other words, even on issues not treating FISC decisions specifically, the FISC has historically taken notice of decisions made in courts that have no jurisdiction over its decisions (and in one case, FISC appears to have limited government production as a result). So it would be a pretty remarkable deviation from that past practice for FISC to completely blow off the Second Circuit decision, even if it may not feel bound by it.

Verizon responds to court orders, but in half-assed fashion

Finally, there’s the question of how the telecoms will react to the Second Circuit decision. And even there, we have some basis for prediction.

In January 2014, after receiving the Secondary Order issued in the wake of Judge Richard Leon’s decision in Klayman v. Obama that the dragnet was unconstitutional, Verizon made a somewhat half-assed challenge to the order.

Leon issued his decision December 16. Verizon did not ask the FISC for guidance (which makes sense because they are only permitted to challenge orders).

Verizon got a new Secondary Order after the January 3 reauthorization. It did not immediately challenge the order.

It only got around to doing so on January 22 (interestingly, a few days after ODNI exposed Verizon’s role in the phone dragnet a second time), and didn’t do several things — like asking for a hearing or challenging the legality of the dragnet under 50 USC 1861 as applied — that might reflect real concern about anything but the public appearance of legality. (Note, that timing is of particular interest, given that the very next day, on January 23, PCLOB would issue its report finding the dragnet did not adhere to Section 215 generally.)

Indeed, this challenge might not have generated a separate opinion if the government weren’t so boneheaded about secrecy.

Verizon’s petition is less a challenge of the program than an inquiry whether the FISC has considered Leon’s opinion.

It may well be the case that this Court, in issuing the January 3,2014 production order, has already considered and rejected the analysis contained in the Memorandum Order. [redacted] has not been provided with the Court’s underlying legal analysis, however, nor [redacted] been allowed access to such analysis previously, and the order [redacted] does not refer to any consideration given to Judge Leon’s Memorandum Opinion. In light of Judge Leon’s Opinion, it is appropriate [redacted] inquire directly of the Court into the legal basis for the January 3, 2014 production order,

As it turns out, Judge Thomas Hogan (who will take over the thankless presiding judge position from Reggie Walton next month) did consider Leon’s opinion in his January 3 order, as he noted in a footnote.

Screen Shot 2014-04-28 at 10.49.42 AM

And that’s about all the government said in its response to the petition (see paragraph 3): that Hogan considered it so the FISC should just affirm it.

Verizon didn’t know that Hogan had considered the opinion, of course, because it never gets Primary Orders (as it makes clear in its petition) and so is not permitted to know the legal logic behind the dragnet unless it asks nicely, which is all this amounted to at first.

Ultimately, Verizon asked to see proof that FISC had considered Leon’s decision. But it did not do any of the things people think might happen here — it did not immediately cease production, it did not itself challenge the legality of the dragnet, and it did not even ask for a hearing.

Verizon just wanted to make sure it was covered; it did not, apparently, show much concern about continued participation in it.

And this is somewhat consistent with the request for more information Sprint made in 2009.

So that’s what Verizon would do if it received another Secondary Order in the next few weeks. Until such time as the Second Circuit issues an injunction, I suspect Verizon would likely continue producing records, even though it might ask to see evidence that FISC had considered the Second Circuit ruling before issuing any new orders.

USA F-ReDux: Dianne Feinstein Raises the Data Handshake Again

As I noted last November, in her defense of USA Freedom Act last year, Dianne Feinstein suggested the telecoms (principally, Verizon) had agreed to retain their data for longer than their business purposes required without any mandate — what I dubbed the “data handshake.”

On Tuesday, Nov. 18, Feinstein explained how she had resolved the problem presented by telecoms like Verizon that don’t hold these records as long as the NSA currently does. She and Chambliss had written the country’s four biggest telecom companies a letter — she didn’t say when — asking whether the companies would retain phone records longer than they currently do. Two said yes; two said no. “Since that time, the situation has changed,” Feinstein said. “Not in writing, but by personal testament from two of the companies that they will hold the data for at least two years for business reasons.” President Barack Obama even vouched for the telecom companies’ willingness to hold the data. “The fact is that the telecoms have agreed to hold the data. The president himself has assured me of this,” Feinstein said.

Taken in context, Feinstein’s comments reveal how proponents of the USA Freedom Act solved the intelligence community’s problem with the reform bill — that the period of time that records would be held would shrink dramatically. Rather than a legal mandate requiring that telecoms hold onto the data — which some members of the Senate Intelligence Committee demanded in June — the reform bill would use a “data handshake.”

The terms of the data handshake are the most interesting part. This promise is not in writing. According to Feinstein, it is a “personal testament.” (And of course it wasn’t in the bill, where privacy advocates might have objected to it.) The telecom companies could say they were retaining the data for business purposes, though, until now, they’ve had no business purpose to keep the records.

While some, like Bob Litt, have suggested one challenge for having telecoms retain phone records concerned whether telecoms would retain enough of their call records to do pattern analysis, the issue of data retention has largely been unspoken in this round of debate over USA F-ReDux.

But Dianne Feinstein just raised it again this morning on Meet the Press, again endorsing a “data handshake” behind USA F-ReDux and seemingly referring to the assurances the President got from telecoms they would keep the data.

CHUCK TODD:

Senator, while I have you, the Patriot Act, obviously the big, bulk data collection was struck down, in Court. Not quite saying it was unconstitutional, basically saying that the law doesn’t cover what the administration has said it covers, which is this idea of bulk data collection. And says, “If Congress wants to be able to do this, then they need to explicitly pass a law that forces telephone companies to do this or not.” Where are you on this? Are you willing to pass a specific law that allows for bulk data collection, whether held by the phone companies or the government?

SENATOR DIANNE FEINSTEIN:

I think here’s the thing. The president, the House and a number of members of the Senate believe that we need to change that program. And the way to change it is simply to go to the FISA Court for a query, permission to go to a telecom and get that data. The question is whether the telecoms will hold the data. And the answer to that question is somewhat mixed. I know the president believes that the telecoms will hold the data. I think we should try that.

CHUCK TODD:

An act of Congress could force them to do that, correct?

SENATOR DIANNE FEINSTEIN:

An act of Congress could force them to do that.

CHUCK TODD:

And can that pass this Congress?

SENATOR DIANNE FEINSTEIN:

Well, that’s the problem. The House does not have it in their bill. Senator Leahy does not have that in his bill.

If I had to bet on the most likely outcome for the USA F-ReDux bill, it would be USA F-ReDux, with some more shit added in because USA F-ReDux boosters are reluctant to talk about how much more it gives the Intelligence Community than what they have now, and with data retention mandates. As I have said, I think that’s one of the ultimate purposes of Mitch McConnell’s PATRIOT gambit.

One thing is clear, however, which is that Intelligence insiders like Feinstein are talking about data mandates among themselves, even if they’re not discussing them publicly.

Bob Litt: That Bill I Wrote Looks Great on First Read

Supporters of USA F-ReDux are hailing Bob Litt’s comments approving of the bill.

“On first read, the new version of the USA Freedom Act looks like it accomplishes the president’s goals and will preserve important intelligence capabilities,” Robert Litt, the general counsel at the Office of the Director of National Intelligence, said on Friday.

“The administration has worked very closely with members of Congress, their staff — both parties in both houses — to come up with this bill,” he added.

But as even his comments make clear, to say nothing of the comments made during markup yesterday, he didn’t just “on first read it” Tuesday after it was released.

He largely wrote it.

In fact, when the Judiciary Committee tried to add things to the bill yesterday to make it comply with the Constitution, they claimed to be impotent to do so because that would blow up the bill. And so they bowed to IC demands.

No wonder Litt is fond of it.