
On the Nonsense of Norms about Secrets

At a panel on secrecy yesterday, Bob Litt proclaimed that the NYT “disgraced itself” for publishing names, some of which were widely known, of the people who were conducting our equally widely known secret war on drones.

Sadly, Litt did not get asked the question implied by the Washington Post’s Greg Miller (who has, in the past, caught heat for not publishing some of the same names).

So CIA tried to convince not to name CTC chief, but helped do profile of CTC women with names and photos??

Did the NYT “disgrace itself” for publishing a column by Maureen Dowd that covers over some of the more unsavory female CIA officers — notably, Alfreda Bikowsky — who have nevertheless been celebrated by the Agency?

I’d submit that, yes, the latter was a far more disgraceful act, regardless of the credit some of the more sane female CIA officers deserve, because it was propaganda delivered on demand, and delivered for an agency that would squawk Espionage Act had the NYT published the same details in other circumstances.

Keep that in mind as you read this post from Jack Goldsmith, claiming — without offering real evidence — that this reflects a new “erosion of norms” against publishing classified information.

I mean, sure, I agree the NYT decision was notable. But it’s only notable because it comes after a long series of equally notable events — events upping the tension underlying the secrecy system — that Goldsmith doesn’t mention.

There’s the norm — broken by some of the same people the NYT names, as well as Jose Rodriguez before them — that when you take on the most senior roles at CIA, you drop your cover. By all appearances, as CIA has engaged in more controversial and troubled programs, it has increasingly protected the architects of those programs by claiming they’re still undercover, when that cover extends only to the public, and not to other countries, even adversarial ones. That is, CIA has broken the old norm to avoid any accountability for its failures and crimes.

Then there’s the broken norm — exhibited most spectacularly in the Torture Report — of classifying previously unclassified details, such as the names of all the lawyers who were involved in the torture program.

There’s the increasing amount of official leaking — up to and including CIA cooperating with Zero Dark Thirty to celebrate the work of Michael D’Andrea — all while pretending that D’Andrea was still under cover.

Can we at least agree that if CIA has decided a Hollywood propagandistic version of D’Andrea’s career is not classified, then newspapers can treat his actual career as such? Can we at least agree that as soon as CIA has invited Hollywood into Langley to lionize people, the purportedly classified identities of those people — and the actual facts of their career — will no longer be granted deference?

And then, finally, there’s CIA’s (and the Intelligence Community generally) serial lying. When Bob Litt’s boss makes egregious lies to Congress to cover up for the even more egregious lies Keith Alexander offered up when he played dress-up hacker at DefCon, and when Bob Litt continues to insist that James Clapper was not lying when everyone knows he was lying, then Litt’s judgement about who “disgraced” themselves or not loses sway.

All the so-called norms Goldsmith nostalgically presents without examination rest on a kind of legitimacy that must be earned. The Executive has squandered that legitimacy, and with it any trust for its claims about the necessity of the secrets it keeps.

Goldsmith and Litt are asking people to participate with them in a kind of propagandistic dance, sustaining assertions as “true” when they aren’t. That’s the habit of a corrupt regime. They’d do well to reflect on what kind of sickness they’re actually asking people to embrace before they start accusing others of disgraceful behavior.

On Mitch’s PATRIOT Gambit

Mitch McConnell, as you’ve probably heard, has just introduced a bill to reauthorize the expiring provisions of the PATRIOT Act until 2020.

The move has elicited a bunch of outraged comments — as if anyone should ever expect anything but dickishness from Mitch McConnell. But few interesting analytical comments.

For example, Mitch is doing this under Rule 14, meaning it bypasses normal committee process. But that’s not as unusual, in ultimate effect, as people are making out. After all, last year the House Judiciary Committee was forced to adopt a much more conservative opening bill under threat of having its jurisdiction stripped entirely — something that Bob Goodlatte surely liked because it helped him rein in the reformers on his committee. Particularly given Chuck Grassley’s dawdling, I suspect something similar is at issue, an effort to give him leverage to rein in last year’s USA Freedom Act in order to undercut Mitch’s ploy.

Moreover, I think it would be utterly naive to believe Mitch and Richard Burr when they claim they would prefer straight reauthorization.

That’s because we know the IC can’t do everything they want to do under Section 215 right now. While reports that they only get 30% of calls are misleading (not least because NSA gets plenty of international calls into the US under EO 12333), for legal or technical or some other reason, the NSA isn’t currently getting all the records it needs to have full coverage. But it could get all or almost all if it worked with providers.

In addition — and this may be related — the NSA has never been able to turn its automated processes back on for US collected telephone data since they had to turn them off in 2009. They gave up trying last year, when Obama decided to move data to the providers. I suspect that the combination of mandated assistance, record delivery in optimal form, and immunity will permit NSA to dump this data into its existing automated system.

So while Mitch and Burr may pretend they’d love straight reauthorization, it is far, far more likely they’re using this gambit to demand changes to USAF that permit the IC to claim more authorities while pretending to reluctantly adopt reform.

And chief on that list is likely to be data retention, something reformers have been conspicuously silent about since Dianne Feinstein revealed USAF would have had a data retention handshake, but not a mandate. Data retention is why most SSCI members opposed USAF last year, it’s why Bill Nelson (working off his dated understanding of the program from when he served on SSCI) voted against it, and Bob Litt has renewed his emphasis on data retention.

Moreover, given the debates about encryption of the last year, especially Jim Comey’s concerns that Apple would have an unfair advantage over Verizon if it can shield iMessage data, I suspect that by data retention they also mean “forced retention of non-telephony messaging metadata.” I’m not sure whether they would be able to pull this off, but I wouldn’t be surprised if the IC plans to use “NSA reform” as an opportunity to force Apple to keep iMessage metadata.

So that’s what I expect this is about: I expect Mitch deliberately caused outright panic among those fighting straight reauthorization that even he doesn’t really want to demand more things from this “reform” bill.

 

Section 215’s Multiple Programs and Where They Might Hide after June 1

In a column explicitly limited to the phone dragnet, Conor Friedersdorf pointed to a post I wrote about Section 215 generally and suggested I thought the phone dragnet was about to get hidden under a new authority.

Marcy Wheeler is suspicious that the Obama Administration is planning to continue the dragnet under different authorities.

But my post was about more than just the phone dragnet. It was about two things: First, the way that, rather than go “cold turkey” after it ended the Internet dragnet in 2011 as the AP had claimed, NSA had instead already started doing the same kind of collection using other authorities that — while they didn’t collect all US traffic — had more permissive rules for the tracking they were doing. That’s an instructive narrative for the phone dragnet amid discussions it might lapse, because it’s quite possible that the Intelligence Community will move to doing far less controlled tracking, albeit on fewer Americans, under a new approach.

In addition, I noted that there are already signs that the IC is doing what Keith Alexander said he could live with a year ago: ending the phone dragnet in exchange for cybersecurity information sharing. I raised that in light of increasing evidence that the majority of Section 215 orders are used for things related to cybersecurity (though possibly obtained by FBI, not NSA). If that’s correct, Alexander’s comment would make sense, because it would reflect that it is working cybersecurity investigations under protections — most notably, FISC-supervised minimization — all involved would rather get rid of.

Those two strands are important, taken together, for the debate about Section 215 expiration, because Section 215 is far more than the dragnet. And the singular focus of everyone — from the press to activists and definitely fostered by NatSec types leaking — on the phone dragnet as Section 215 sunset approaches makes it more likely the government will pull off some kind of shell game, moving the surveillances they care most about (that is, not the phone dragnet) under some new shell while using other authorities to accomplish what they need to sustain some kind of phone contact and connection chaining.

So in an effort to bring more nuance to the debate about Section 215 sunset, here is my best guess — and it is a guess — about what they’re doing with Section 215 and what other authorities they might be able to use to do the same collection.

Here are the known numbers on how Section 215 orders break out based on annual reports and this timeline.

[Image: 215 Tracker]

The Phone Dragnet

Since its transfer under Section 215 in 2006, the phone dragnet has generally made up 4 or 5 orders a year (Reggie Walton imposed shorter renewal periods in 2009 as he was working through the problems in the program). 2009 is the one known year where many of the modified orders — which generally involve imposed minimization procedures — were phone dragnet orders.

We know that the government believes that if Section 215 were to sunset, it would still have authority to do the dragnet. Indeed, it not only has a still-active Jack Goldsmith memo from 2004 saying it can do the dragnet without any law, it sort of waved it around just before the USA Freedom Act debate last year as if to remind those paying attention that they didn’t necessarily think they needed USAF (in spite of comments from people like Bob Litt that they do need a new law to do what they’d like to do).

But that depends on telecoms being willing to turn over the dragnet data voluntarily. While we have every reason to believe AT&T does that, the government’s inability to obligate Verizon to turn over phone records in the form it wants them is probably part of the explanation for claims the current dragnet is not getting all the cell records of Americans.

A number of people — including, in part, Ron Wyden and other SSCI skeptics in a letter written last June — think the government could use FISA’s PRTT authority (which does not sunset) to replace Section 215. While it certainly could get phone records using it, if the government could use PRTT to get what it wants, it probably would have been doing so going back to 2006. (The difference in authority is that PRTT gets actual activity placed, whereas 215 can only get records maintained, and Verizon isn’t maintaining the records the government would like it to; and PRTT could not get 2 hops.)

For calls based off a foreign RAS, the government could use PRISM to obtain the data, with the added benefit that using PRISM would include all the smart phone data — things like address books, video messaging, and location — that the government surely increasingly relies on. Using PRISM to collect Internet metadata is one of two ways the government replaced the PRTT Internet dragnet. The government couldn’t get 2 hops and couldn’t chain off of Americans, however.

I also suspect that telecoms’ embrace of supercookies may provide other options to get the smart phone data they’re probably increasingly interested in.

For data collected offshore, the government could use SPCMA, the other authority the government appears to have replaced the PRTT Internet dragnet with. We know that at least one of the location data programs NSA has tested out works with SPCMA, so that would offer the benefit of including location data in the dragnet. If cell phone location data is what has prevented the government from doing what they want to do with the existing phone dragnet, SPCMA’s ability to incorporate location would be a real plus for NSA, to the extent that this data is available (and cell phone likely has more offshore availability than land line).

The government could obtain individualized data using NSLs — and it continues to get not just “community of interest” (that is, at least one hop) from AT&T, but also 7 other things that go beyond ECPA that FBI doesn’t want us to know about. But using NSLs may suffer from a similar problem to the current dragnet, that providers only have to provide as much as ECPA requires. Thus, there, too, other providers are probably unwilling to provide as much data as AT&T.

Telecoms might be willing to provide, under CISA, data the government is currently getting under 215, and CISA collection won’t be tied in any way to ECPA definitions, though its application is a different topic, cybersecurity (plus leaks and IP theft) rather than terrorism. So one question I have is whether, because of the immunity and extended secrecy provisions of CISA, telecoms would be willing to stretch that?

Other Dragnets

In addition to the phone dragnet, FBI and other IC agencies seem to operate other dragnets under Section 215. It’s probably a decent guess that the 8-13 other 215 orders prior to 2009 were for such things. NYT and WSJ reported on a Western Union dragnet that would probably amount to 4-5 orders a year. Other items discussed involve hotel dragnets and explosives precursor dragnets, the latter of which would have been expanded after the 2009 Najibullah Zazi investigation. In other words, there might be up to 5 dragnets, each representing 4-5 orders a year (assuming they work on the same 90-day renewal cycle), so a total of around 22 of the roughly 175 orders a year that aren’t the phone dragnet (the higher numbers for 2006 are known to be combination orders both obtaining subscription data for PRTT orders and location data with a PRTT order; those uses stopped in part with the passage of PATRIOT reauthorization in 2006 and in part with FISC’s response to magistrate rulings on location data from that year).

Some of these dragnets could be obtained, in more limited fashion, with NSLs (NSLs currently require reporting on how many US persons are targeted, so we will know if they move larger dragnets to NSLs). Alternately, the FBI may be willing to do these under grand jury subpoenas or other orders, given the way they admitted they had done a Macy’s Fagor Elite pressure cooker dragnet after the Boston Marathon attack. The three biggest restrictions on this usage would be timeliness (some NSLs might not be quick enough), the need to have a grand jury involved for some subpoenas, and data retention, but those are all probably manageable hurdles.

The Internet content

Finally, there is the Internet content — which we know makes up a majority of Section 215 orders — that moved to that production from NSLs starting in 2009. It’s probably a conservative bet that over 100 of current dragnet orders are for this kind of content. And we know the modification numbers for 2009 through 2011 — and therefore, probably still — are tied to minimization procedure requirements imposed by the FISC.

A recent court document from a Nicholas Merrill lawsuit suggests this production likely includes URL and data flow requests. And the FBI has recently claimed — for what that’s worth — that they rely on Section 215 for cybersecurity investigations.

Now, for some reason, the government has always declined to revise ECPA to restore their ability to use NSLs to obtain this collection, which I suspect is because they don’t want the public to know how extensive the collection is (which is why they’re still gagging Merrill, 11 years after he got an NSL).

But the data here strongly suggests that going from NSL production to Section 215 production has not only involved more cumbersome application processes, but also added a minimization requirement.

And I guarantee you, FBI or NSA or whoever is doing this must hate that new requirement. Under NSLs, they could just hoard data, as we know both love to do, the FBI even more so than the NSA. Under 215s, judges made them minimize it.

As I noted above, this is why I think Keith Alexander was willing to do a CISA for 215 swap. While CISA would require weak sauce Attorney General derived “privacy guidelines,” those would almost certainly be more lenient than what FISC orders, and wouldn’t come with a reporting requirement. Moreover, whereas at least for the phone dragnet, FISC has imposed very strict usage requirements (demanding that a counterterrorism dragnet be used only for counterterrorism purposes), CISA has unbelievably broad application once that data gets collected — not even requiring that terrorist usages be tied to international terrorism, which would seem to be a violation of the Keith Supreme Court precedent.

All of this is to suggest that for cybersecurity, IP theft, and leak investigations, CISA would offer FBI their ideal collection approach. It would certainly make sense that Alexander (or now, Admiral Mike Rogers and Jim Comey) would be willing to swap a phone dragnet they could largely achieve the same paltry results for using other authorities if they in exchange got to access cybersecurity data in a far, far more permissive way. That’d be a no-brainer.

There’s just one limitation on this formula, potentially a big one. CISA does not include any obligation. Providers may share data, but there is nothing in the bill to obligate them to do so. And to the extent that providers no longer provide this data under NSLs, it suggests they may have fought such permissive obligation in the past. It would seem that those same providers would be unwilling to share it willingly.

But my thoughts on CISA’s voluntary nature are for another post.

One final thought. If the government is contemplating some or all of this, then it represents an effort — one we saw in all versions of dragnet reform to greater (RuppRoge) or lesser degrees (USAF) — to bypass FISC. The government and its overseers clearly seem to think FISC-ordered minimization procedures are too restrictive, and so are increasingly (and have been, since 2009) attempting to replace the role played by an utterly dysfunctional secret court with one entirely within the Executive.

This is the reason why Section 215 sunset can’t be treated in a vacuum: because, to the extent that the government could do this in other authorities, it would largely involve bypassing what few restrictions exist on this spying. Sunsetting Section 215 would be great, but only if we could at the same time prevent the government from doing similar work with even fewer controls.

In February, the Government Turned in Its Dragnet Homework Late

Last Wednesday, I Con the Record released the latest dragnet order, signed on February 26.

This order actually has several changes of note.

As I predicted, yet another new FISC judge signed the order, James Boasberg, who only joined the court last May. I suspect they’ve been ensuring that every new approval is approved by a different FISC judge, so they can boast to other courts about how many judges have approved the dragnet.

In what may be a related detail, the application for this was late, having been submitted just 3 days before the renewal request was due (and therefore 4 days late). FISC judges have one week terms, so they may have stalled until Boasberg, as a new judge, was presiding.

Whatever the reason, Boasberg scolded DOJ for turning in their homework late, and warned them not to do it again for the next renewal, if there is one.

With two exceptions, neither of which applies here, Rule 9 of this Court’s Rules of Procedure requires the government to submit a proposed application no later than seven days before it seeks to have a matter entertained by the Court. The Court notes that the government filed its proposed application in this matter four days late. If the government seeks to renew the authorities approved herein prior to their expiration on June 1, 2015, the government is directed to file the proposed renewal application no later than Friday, May 22, 2015.

Curiously, Boasberg doesn’t discuss the five-day longer period of collection under this order; he just sets it.

Boasberg also laid out how the government must proceed under each of three scenarios.

First, if any of the 3 Appellate Courts reviewing the dragnet issue an opinion, “the government is directed to inform the Court promptly if the government’s implementation of this Order has changed as a result.”

Equally important, if Congress does pass some kind of new law, the government must tell the Court about anything the Court hasn’t already considered.

If Congress has enacted legislation amending 50 U.S.C. § 1861 prior to a request for renewed authorities, the government is directed to provide, along with its request, a legal memorandum pursuant to Rule 11(d) of this Court’s Rules of Procedure addressing any issues of law raised by the legislation and not previously considered by the Court.

This last bit is important. Some things — connection rather than contact chaining — would be codified if USA Freedom Act were to pass. But the Court has already considered it; it has been part of dragnet orders for over a year. Some USAF supporters had assumed new definitions in the bill would elicit new opinions that would be treated under the bill’s transparency provisions, but that’s only if the government believes the FISC has never reviewed it. So (for example) we might never know how the FISC has permitted the government to interpret selection term if it deems that the same as the selection term it is using.

Finally, in language that might address the possibility Charlie Savage raised in November — that the government would continue doing what it is doing, because the underlying “investigation” remains the same, and therefore no extension is required — if nothing happens, the Court requires a memo of law explaining that.

If Congress, conversely, has not enacted legislation amending § 1861 or extending its sunset date, established by Section 102(b) of Public Law 109-177, 120 Stat. 195, as most recently amended by Section 2(a) of Public Law 112-14, 125 Stat. 216, the government is directed to provide a legal memorandum pursuant to Rule 11(d) addressing the power of the Court to grant such authority beyond June 1, 2015.

Section 102(b) of Public Law 109-177 is the section Savage pointed to that might permit the dragnet to continue.

(2) Exception.–With respect to any particular foreign intelligence investigation that began before the date on which the provisions referred to in paragraph (1) cease to have effect, or with respect to any particular offense or potential offense that began or occurred before the date on which such provisions cease to have effect, such provisions shall continue in effect.

That basically says the Court is aware of this discussion, either because it reads the NYT or because the government has mentioned it. This order doesn’t tip a hand on how FISC would regard this claim, but it does make clear it considers it a distinct possibility.

Note, unless I’m missing something, no language like this appears in any of the unredacted sections of previous dragnet orders, not even when Congress was giving the government straight renewals. We can’t be sure, but that certainly seems to suggest the Court has been having conversations — either by itself or with the government — about alternatives in a way Bob Litt and others are not having publicly.

Which brings me back to the government’s late homework again. There are other possibilities to explain the delayed submission. For example, it’s possible they delayed to make the extension of the 90-day period less odd (though I’m not sure why). It’s possible they honestly considered not renewing the order, already putting into place whatever they’re going to unilaterally do once Congress does nothing. Or perhaps they were still debating how to proceed with the Court.

When I used to turn in homework late (okay — it probably only happened once), I had to have a good excuse. What was the government’s?

There’s one more tiny change of note. This order moves its definition for connection chaining to footnote 7 (and the order consolidated some other footnotes). That’s likely just cosmetic, unless the FISC had some concern that the government was using a flexible definition of “connection chaining” for its emergency approvals.

Bob Litt Tried to Stuff Ron Wyden down Alice In Wonderland’s Rabbit Hole


Man, I must have written about this letter Ron Wyden sent to John Brennan during his confirmation process 15 times (of which just a few are linked below). Which is why I’m so fascinated by the back and forth between Wyden’s office (the staffer’s name is redacted) and ODNI, largely Bob Litt, both before and after Wyden sent the letter on January 14, 2013. (Many many kudos to Zack Sampson who FOIAed it through MuckRock.)

Wyden’s office submitted the letter for a declassification review on January 11, 2013. Wyden’s office did not get an answer before he sent it. And on January 15, Bob Litt complained,

I have a concern that there are several references in this letter that are not only classified but compartmented.

So the staffer writes back letting Litt know that he or she had unclassified comments by Executive Branch officials for all the references, and he or she will happily share it. To which Litt responded (on January 17),

Although I am dubious, since there are statements in there that assume as fact things that we have recently succeeded in convincing a judge remain classified, I’ll take a look.

It went on for a while (the email thread is from page 21 to 24), with Litt complaining some more, promising Brennan wouldn’t answer questions about it, and the staffer ultimately pointing out that the reason they keep asking publicly is because ODNI won’t provide answers even in classified form (this exchange precedes Clapper’s lies about the dragnet — to which most of the other documents released under this FOIA pertain — by two months).

What Litt was talking about, clearly, was the Administration’s killing of Anwar al-Awlaki, the memos authorizing which Judge Colleen McMahon, citing Alice in Wonderland for the bizarreness of it all, had just ruled remained exempt from FOIA on January 2, 2013.

In other words, Litt was suggesting that Wyden should not have said the following — which cites McMahon!! — because McMahon had ruled that the government did not have to give the OLC memos authorizing the Awlaki killing to ACLU and NYT, which is rather different from ruling they didn’t have to share such information with the Intelligence Committee or claiming that Wyden could not refer to official comments in a letter to someone who made those comments because citing back those comments made them classified.

I have asked repeatedly over the past two years to see the secret legal opinions that contain the executive branch’s understanding of the President’s authority to kill American citizens in the course of counterterrorism operations. Senior intelligence officials have said publicly that they have the authority to knowingly use lethal force against Americans in the course of counterterrorism operations, and have indicated that there are secret legal opinions issued by the Justice Department’s Office of Legal Counsel that explain the basis for this authority. I have asked repeatedly to see these opinions and I have been provided with some relevant information on the topic, but I have yet to see the opinions themselves.

Both you and the Attorney General gave public speeches on this topic early last year, and these speeches were a welcome step in the direction of more transparency and openness, but as I noted at the time, these speeches left a large number of important questions unanswered. A federal judge recently noted in a Freedom of Information Act case that “no lawyer worth his salt would equate Mr. Holder’s statements with the sort of robust analysis that one finds in a properly constructed legal opinion,” and I assume that Attorney General Holder would agree that this was not his intent.

As Wyden noted, both Brennan and Holder had given big dog-and-pony shows that were clearly about killing Awlaki, and yet Bob Litt wanted to prevent Wyden from pressuring Brennan to turn over the actual legal authorizations to the Intelligence Community’s oversight committee? Really?

Ah well, it all worked out for the forces of good, as when the Committee threatened to hold up Brennan’s confirmation, someone leaked the White Paper to Mike Isikoff that therefore had to be shared with Jason Leopold that ultimately led McMahon to liberate the opinions themselves.

Which is probably precisely what Bob Litt was worried about.

Bob Litt: No Contingency Plans for Section 215

A month into the new Congress, neither USA Freedom Act nor a replacement has been reintroduced. Which has led to a discussion of what will happen if Section 215 sunsets in June.

I hope to do my own piece on all of what happens if Section 215 sunsets in June. But in the meantime, I want to point to three things Bob Litt said in his speech on the topic yesterday. In his prepared speech, Litt defended the program and then re-endorsed USA Freedom with the caveats of his letter to Patrick Leahy on it. First, note a few details here.

Finally, the President directed specific steps to address concerns about the bulk collection of telephone metadata pursuant to FISA Court order under Section 215 of the USA PATRIOT Act. You’ll recall that this was the program set up to fix a gap identified in the wake of 9/11, to provide a tool that can identify potential domestic confederates of foreign terrorists. I won’t explain in detail this program and the extensive controls it operates under, because by now most of you are familiar with it, but there is a wealth of information about it available at IContheRecord.

Litt doubles down on the claim the phone dragnet closes a “gap” that never existed. And he suggests this is solely about “identifying potential domestic confederates” of foreigners. Not only does that obscure that it also serves to identify networks here in the US (as it did after the Marathon bombing, and with Najibullah Zazi), but two court filings admit that it is also about identifying potential informants on networks of interest, not finding confederates. It also helps NSA to identify which conversations to prioritize for translation or other analysis (meaning it necessarily ties directly to content).

Which is why I find it interesting that Litt follows that disingenuous description of the use of the phone dragnet.

Some have claimed that this program is illegal or unconstitutional, though the vast majority of judges who have considered it to date have determined that it is lawful. People have also claimed that the program is useless because they say it’s never stopped a terrorist plot. While we have provided examples where the program has proved valuable, I don’t happen to think that the number of plots foiled is the only metric to assess it; it’s more like an insurance policy, which provides valuable protection even though you may never have to file a claim. And because the program involves only metadata about communications and is subject to strict limitations and controls, the privacy concerns that it raises, while not non-existent, are far less substantial than if we were collecting the full content of those communications.

Twenty months after Snowden first revealed the phone dragnet, the IC is not admitting what or how this is used (and is maintaining the charade that there aren’t legal problems with having proclaimed everything relevant to terrorism in secret).

Even so, the President recognized the public concerns about this program and ordered that several steps be taken immediately to limit it. In particular, except in emergency situations NSA must now obtain the FISA court’s advance agreement that there is a reasonable articulable suspicion that a number being used to query the database is associated with specific foreign terrorist organizations. And the results that an analyst actually gets back from a query are now limited to numbers in direct contact with the query number and numbers in contact with those numbers – what we call “two hops” instead of three, as it used to be.

Fact check: The current language of the dragnet orders permits chaining on “connections,” not “contacts.”

Longer term, the President directed us to find a way to preserve the essential capabilities of this program without having the government hold the metadata in bulk. In furtherance of this direction, we worked extensively with Congress, on a bipartisan basis, and with privacy and civil liberties groups, on the USA FREEDOM Act. This was not a perfect bill. It went further than some proponents of national security would wish, and it did not go as far as some advocacy groups would wish. But it was the product of a series of compromises, and if enacted it would have accomplished the President’s goal: it would have prohibited bulk collection under Section 215 and several other authorities, while authorizing a new mechanism that – based on telecommunications providers’ current practice in retaining telephone metadata – would have preserved the essential capabilities of the existing program. Having invested a great deal of time in those negotiations, I was personally disappointed that the Senate failed by two votes to advance this bill, and with Section 215 sunsetting on June 1 of this year, I hope that the Congress acts expeditiously to pass the USA FREEDOM Act or another bill that accomplishes the President’s goal.

As a reminder, when Bob Litt says, “bulk collection,” he is not using common English usage. He is instead referring to the collection of stuff with no discriminators. So the aspiration to collect “all” phone records is bulk under his definition, but the aspiration to collect all US-to-foreign money transfers is not because the latter uses a discriminator (US-to-foreign).

Also note that Litt claims this is based on “telecommunications providers’ current practices,” which is when (during the speech) I started tweeting requests for a divorce lawyer to subpoena some 20-month-old Verizon records. Last summer, Verizon said in sworn testimony they only kept records 12 to 18 months, though during the debate Dianne Feinstein revealed they and another carrier had agreed “voluntarily” to keep their phone records 2 years. So has Verizon already extended how long it keeps these records? Or is Bob Litt fibbing here? (My bet is they haven’t because my bet is that “voluntary” retention would have been worked into the new compensation mechanisms of USA Freedom Act.)

After that endorsement for USAF or another bill to pass before the Section 215 sunset, Litt got two more questions on the topic (in addition to one on the FISC advocate, to which he responded he’d like the weak tea advocate of his interpretation of the bill).

In the first question, Cameron Kerry asked what happens if Section 215 sunsets. Litt responded (my transcription):

Good question. The President said he wants to have a mechanism that preserves the essential capabilities of the bulk collection program that we have now without the bulk collection. There’s a proposal up there that would accomplish that. I’m hopeful that we will get that passed. If it sunsets, if it goes away, obviously the program will end. We’ll also lose other authorities that are under the same section, which have nothing to do with bulk collection whatsoever. So at this point we’re still far enough away that I think that we’re not doing extensive contingency planning other than trying to map out the legislative way to get something passed that will accomplish the President’s goals.

One thing to emphasize here — which no one I saw noted — is Litt focuses on the “essential capabilities” of the existing program. That’s not just phone records for contact chaining, as I pointed out above. It includes connection chaining, which I strongly suspect is part of the problem with current compliance.

That is, it would not be enough to just get phone records, because that likely doesn’t give all the parameters for “connections” that are currently in place.

Furthermore, as Litt points out but others have not, if Section 215 sunsets, the IC loses the current authorization they’re using for the phone dragnet, but also the authorizations for what are probably several other bulky programs (the aforementioned money transfer one, one targeted at hotel rooms which might be imperiled anyway because of a pending SCOTUS case, and one or ones targeted at the purchase records of explosive precursors like fertilizer, acetone, hydrogen peroxide, and possibly pressure cookers). In addition, the FBI would lose the ability to get certain Internet records that providers have been able to refuse NSLs for; these currently make up the majority of Section 215 orders (given that I Con the Record said the IC had had 161 phone dragnet targets last year and there were around 180 Section 215 orders, there may well have been more of these Internet requests last year than phone dragnet targets).

Even if there are alternatives for the phone dragnet (I see problems with meeting the government’s goals, rather than just getting phone records, using either PRTT or NSLs), alternatives would be more difficult for the others, including the Internet one (for reasons I don’t understand). That is, a sunset of Section 215 comes with additional costs for the government that not passing USAF (which would close existing gaps) doesn’t.

Not long after this exchange, another questioner asked, “Does this mean government won’t take advantage of ways to extend phone dragnet,” apparently referring to this Charlie Savage report suggesting the government could just continue because the underlying investigations are.

Litt responded by saying there’d be problems continuing to do the dragnet “under this authority.”

I don’t think we’ve thought a lot about contingency plans. I think that if, there’s obviously, I don’t think I’m revealing any deep secrets here. There’s obviously a somewhat more substantial political hurdle in saying, Yes Congress, we know you didn’t reauthorize this but we’re going to go ahead and do it anyway under this authority. We’ll just — I’m hopeful we’ll never have to confront those issues.

While that definitely suggests Litt would advise against continuing the dragnet under Section 215, he was very specific about using Section 215 here, as opposed to some other authority.

Which brings me back to my take. I do believe the government could get some subset of phone records using PRTT or NSLs. But there is a reason why the Administration has resisted calls — specifically saying there are non-technical (suggesting legal) problems with doing so. At the very least, they’re holding out to get the immunity and compensation and provider assistance Congress would be trading for a few small reforms.

But I think they need that package — immunity, compensation, and provider assistance — to do what they want to be done. And they’re not going to get it under PRTT or NSL.

The 702 Crimes Include Cybersecurity, Infrastructure, and “Transnational Crimes”

Bob Litt is giving a speech. In it he described what “serious crimes” FBI can use 702-derived information to investigate and prosecute. They include:

Can use for 702: Crimes involving death, kidnapping, bodily harm, v minor, infrastructure, cybersecurity, transnational crimes.

Both cybersecurity and infrastructure are big, and potentially egregiously interpreted. They surely can include a whole slew of innocent protestors who are deemed a threat to things like fracking or city infrastructure.

But also, if FBI can use 702 to investigate “transnational crime” then why isn’t Jamie Dimon in prison?

Section 309: A Band-Aid for a Gaping Wound in Democracy

Metadata: Someone surveilling our conversation “connection chained” Bob Litt and me chatting about spying on Americans in the Hayek Auditorium at CATO on 12/12/14.

On Friday, officials from James Clapper’s office confirmed in a number of different ways that the government obtains “vast troves” of Americans’ communication overseas. And rather than enforce Dianne Feinstein and Mark Udall’s suggestion that the intelligence community treat it under FISA — as the spirit of FISA Amendment Acts, which extended protection to Americans abroad, would support — Congress instead passed Section 309, a measure to impose limited protections on vast unregulated spying on Americans.

This all happened at CATO’s conference on surveillance, an awesome conference set up by Julian Sanchez.

My panel (moderated very superbly by Charlie Savage) revisited at length the debate between former State Department whistleblower John Napier Tye and Director of National Intelligence Civil Liberties Officer Alex Joel (into which I stuck my nose). As he did in his Politico post responding to Tye’s alarms about the risk to democracy of EO 12333 collection against Americans, Joel pointed to the topical limits on bulk collection Obama imposed in his Presidential Policy Directive 28, which read,

The United States must consequently collect signals intelligence in bulk in certain circumstances in order to identify these threats. Routine communications and communications of national security interest increasingly transit the same networks, however, and the collection of signals intelligence in bulk may consequently result in the collection of information about persons whose activities are not of foreign intelligence or counterintelligence value. The United States will therefore impose new limits on its use of signals intelligence collected in bulk. These limits are intended to protect the privacy and civil liberties of all persons, whatever their nationality and regardless of where they might reside.

In particular, when the United States collects nonpublicly available signals intelligence in bulk, it shall use that data only for the purposes of detecting and countering: (1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.

I noted — as I did in my Salon piece on the topic — that bulk collection for even just one topic means the collection of everything, as counterterrorism serves as the excuse to get all phone records in the US in the phone dragnet. Joel did not dispute that, explaining that PPD-28 only limits the use of data that has been bulk collected to these six purposes. PPD-28 does nothing to limit bulk collection itself. Though the fact that these limitations have forced a change in how the NSA operates is testament that they were using data collected in bulk for even more reasons before January.

The NSA is, then, aspiring to collect it all, around the world.

Which was a point confirmed in an exchange between Joel and Tye. Joel claimed we weren’t collecting nearly all of the Internet traffic out there, saying it was just a small fraction. Tye said that was disingenuous, because 80% of Internet traffic is actually things like Netflix. Tye stated that the NSA does collect a significant percentage of the remainder (he implied most, but I’d want to see the video before I characterize how strongly he said that).

Again, collect it all.

Our panel didn’t get around to talking about Section 309 of the Intelligence Authorization, which I examined here. The Section imposes a 5 year retention limit on US person data except for a number of familiar purposes — foreign intelligence, evidence of a crime, encryption, all foreign participants, tech assurance or compliance, or an Agency head says he needs to retain it longer (which requires notice to Congress). Justin Amash had argued, in an unsuccessful attempt to defeat the provision, that the measure provides affirmative basis for sharing US person content collected under EO 12333.

In a later panel at the CATO conference, DNI General Counsel Bob Litt said that the measure doesn’t change anything about what the IC is already doing.

Should Alfreda Bikowsky’s Lawyer Really Be in Charge of Declassifying the Torture Report?

It took McClatchy 21 paragraphs to illustrate why it was such a big conflict of interest for Director of National Intelligence General Counsel Bob Litt to lead negotiations over how much of the torture report would be declassified, as he currently is doing.

According to reports in The Washington Post, Litt previously represented a CIA analyst, Alfreda Frances Bikowsky, who played a central role in the bungled rendition of Khaled el-Masri. El-Masri, who was revealed to be innocent, claimed to have been tortured by the agency.

As the rest of the article explains, Litt reviewed his role brokering the declassification process with ODNI’s Ethics officer — who is his subordinate — and she approved his participation.

But it still probably conflicts with Litt’s promises, made during his confirmation process, to recuse himself from matters affecting his former clients. And given the centrality of CIA’s absurd demand to hide even the pseudonyms making clear that the same woman who got El-Masri tortured also went out of her way to watch Khalid Sheikh Mohammed be tortured (among a fairly substantial list of other things — here’s a reminder of details on how she got promoted after the El-Masri debacle), it is a problem that Litt is brokering this process.

Don’t worry, National Security Council spokesperson Caitlin Hayden insists (fresh off insisting it’s a good thing that the White House cybersecurity czar doesn’t have a technical background), Bob Litt — the same guy hiding known dates in Internet dragnet documents, almost certainly to avoid legal repercussions — is one of the administration’s strongest proponents of what it calls “transparency.”™

“Bob Litt is one of the administration’s strongest proponents of transparency in intelligence, consistent with our national security, and he and we are fully committed to ensuring there is no conflict of interest as the administration continues to work to see the results of the committee’s review made public,” Hayden said in a statement.

Calling Bob Litt a proponent of “transparency”™ is itself cause for concern.

The Unaudited Tech Analyst Access to US Person Data

In addition to its exposure of the sheer senselessness of much of the spying NSA engages in, yesterday’s WaPo story also shows that the government’s assurances that Edward Snowden could not access raw data have been misplaced.

For close to a year, NSA and other government officials have appeared to deny, in congressional testimony and public statements, that Snowden had any access to the material.

As recently as May, shortly after he retired as NSA director, Gen. Keith Alexander denied that Snowden could have passed FISA content to journalists.

“He didn’t get this data,” Alexander told a New Yorker reporter. “They didn’t touch —”

“The operational data?” the reporter asked.

“They didn’t touch the FISA data,” Alexander replied. He added, “That database, he didn’t have access to.”

Robert S. Litt, the general counsel for the Office of the Director of National Intelligence, said in a prepared statement that Alexander and other officials were speaking only about “raw” intelligence, the term for intercepted content that has not yet been evaluated, stamped with classification markings or minimized to mask U.S. identities.

“We have talked about the very strict controls on raw traffic, the training that people have to have, the technological lockdowns on access,” Litt said. “Nothing that you have given us indicates that Snowden was able to circumvent that in any way.”

In the interview, Snowden said he did not need to circumvent those controls, because his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center gave him “unusually broad, unescorted access to raw SIGINT [signals intelligence] under a special ‘Dual Authorities’ role,” a reference to Section 702 for domestic collection and Executive Order 12333 for collection overseas. Those credentials, he said, allowed him to search stored content — and “task” new collection — without prior approval of his search terms.

No one should ever have believed those assurances.

That’s because the documentation on the Section 215 program makes it clear how little oversight there is over tech people just like Snowden. The current phone dragnet order, for example, makes it clear that:

  • Tech personnel may access the phone dragnet data to tweak it in preparation for contact-chaining
  • Unlike intelligence analysts, tech personnel may query the phone dragnet data with selectors that have not been RAS-approved
  • Tech personnel may also conduct regular queries using RAS-approved selectors
  • Tech personnel may access the dragnet data to search for high volume numbers — this may require access to raw data
  • Some of the tech personnel (those in charge of infrastructure and receiving data from the telecoms) are exempt from special training on the phone dragnet data

The audit language in the dragnet order applies only to “foreign intelligence analysis purposes or using foreign intelligence analysis tools,” suggesting that tech analysts’ access to the dragnet data is not audited.

Language in the order defining “NSA” suggests contractors may access the data (though it’s unclear whether they do so in a technical or intelligence analysis function), something made explicit in Dianne Feinstein’s bill.

That is, it is at least possible that Booz analysts are currently conducting audit-free tech massaging of the raw phone dragnet data.

And NSA knew this access was a vulnerability. As recently as 2012, tech analysts were found to have 3,000 files worth of phone dragnet data (it’s unclear how much data each file included) on an improper server past its required destruction date. NSA destroyed that data before definitively researching what it was doing there.

Thus, the risk of tech analyst breach is very real, and no one — not NSA, and not Congress, which has only codified this arrangement — seems to be addressing it.
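The audit gap described above can be shown in a few lines. This is an added illustration, not code from the order or from any NSA system: when audit scope is defined by purpose or tool rather than at the data store, reconciling the store's own access log against the audit trail exposes every access that was never audited. All role names, tool names, and log records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Audit scope keyed to purpose or tool, mirroring the wording quoted above.
# These identifiers are constructed stand-ins, not terms from the order.
AUDITED_PURPOSES = {"foreign_intelligence_analysis"}
AUDITED_TOOLS = {"fi_analysis_tool"}


@dataclass(frozen=True)
class Access:
    event_id: int
    user: str
    role: str                      # hypothetical role labels
    purpose: str
    tool: str
    ras_approved: Optional[bool]   # None when the access used no selector


def tool_scoped_policy(ev):
    """Audit only accesses matching the covered purposes or tools."""
    return ev.purpose in AUDITED_PURPOSES or ev.tool in AUDITED_TOOLS


def store_scoped_policy(ev):
    """Corrected scope: every read of the data store is audited, whatever the role."""
    return True


def audit_trail(store_log, policy):
    """Event ids the audit system would record under the given policy."""
    return {ev.event_id for ev in store_log if policy(ev)}


def reconcile(store_log, audited_ids):
    """Accesses the data store saw but the audit trail never recorded."""
    return [ev for ev in store_log if ev.event_id not in audited_ids]


def summarize(gap):
    """Per role: unaudited access count and how many used unapproved selectors."""
    out = defaultdict(lambda: {"unaudited": 0, "unapproved_selector": 0})
    for ev in gap:
        out[ev.role]["unaudited"] += 1
        if ev.ras_approved is False:
            out[ev.role]["unapproved_selector"] += 1
    return dict(out)


# Constructed data-store access log (not real records).
STORE_LOG = [
    Access(1, "analyst1", "intel_analyst", "foreign_intelligence_analysis", "fi_analysis_tool", True),
    Access(2, "tech1", "tech", "data_preparation", "db_shell", False),
    Access(3, "tech1", "tech", "high_volume_search", "db_shell", False),
    Access(4, "tech2", "tech", "data_preparation", "fi_analysis_tool", True),
    Access(5, "infra1", "infrastructure", "ingest", "loader", None),
]

if __name__ == "__main__":
    for name, policy in (("tool-scoped", tool_scoped_policy),
                         ("store-scoped", store_scoped_policy)):
        gap = reconcile(STORE_LOG, audit_trail(STORE_LOG, policy))
        print(name, [ev.event_id for ev in gap], summarize(gap))
```

Under the tool-scoped policy the only tech access that gets audited is the one that happened to go through the analysis tool; the queries with unapproved selectors do not.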

Indeed, it is likely that some kind of Booz-type contractors will continue to have direct access to this data after it gets outsourced to the telecoms, otherwise USA Freedumber would not extend immunity to such second-level contractors.

For months, intelligence officials claimed not only that Snowden had not accessed raw data, but could not. That was always a dubious claim; even if Snowden couldn’t have accessed that data, other contractors just like him could and still can, with less oversight than NSA’s intelligence analysts get.

But it turns out Snowden could and did. And thanks to that, we now know many of the other claims made by government witnesses are also false.